From what I understood, they were using the guise of the Center for Missing and Exploited Children to send advertisements that supposedly benefited the cause, simply because non-profits are exempt from some of the limitations. I understood the poster to be saying that the faxes they were receiving were not, in fact, posters of missing children.
It makes them look worse, because it's a perfect example of how browser security holes *should* look. There's one hole, it was patched immediately. Rather than a laundry list of issues ranging from a couple weeks to a couple years old.
From following that link, you can see that it is obviously *possible* to build a browser (a good one, in my experience... upgraded to Mozilla 1.0 from Netscape 4.7, since I hated NS6 and won't use IE) that has relatively few security holes, and it is also possible to fix them as they come up. What excuse do you want to give on MS's behalf for being so behind, especially when they have a lot more resources to throw at the issue?
"OSS "vendors" will have to warranty thier software to do something, and do it a certain way, or else."
Or else... what? Refund the purchase price +10%?
It all depends on what you warranty and what you promise if the user collects on the warranty. It also depends on who is required to warranty software... would make sense that only commercial vendors would have to. Even the big Linux distros aren't "sold," rather, you can buy a CD with the free software and a manual to go with it, or you can download it all for free.
Besides, what is the likelihood that someone will spend $2000 on Win2k Server and licenses for their little office and be unsatisfied that the software does what it warrants, vs. the likelihood that they'll spend $100 on the deluxe RedHat package with a year of phone support and be unsatisfied that the software does what it warrants?
Of course, this only works insofar as people know that you have to hit ctrl-alt-del to log in, and that if they have a login prompt without hitting that, there's something wrong.
I've never seen much effort on the part of MS to get this across to folks, so this bit of security is pretty much wasted.
I wasn't clear from the bulletin on whether this vulnerability is only an issue if you use gopher, or if it can be abused by a malicious system even if you don't use gopher.
It's irresponsible to advise people to read the EULA on software before installing it? How does that work? The reaction to the comment was based on people's past experiences with MS EULAs, not the general idea that you should read the EULA. I'm sure that if you told some MS executive that a major geek site posted a note about these new releases, and reminded people to read the EULA before installing, they'd actually be somewhat reassured. (unless of course, they're counting on people not reading it...)
People are leery of the EULA and the patch because it comes from Microsoft, which has nothing to do with the post, and everything to do with MS's history./. isn't responsible for that history, MS is.
That link scared me at first, then I followed it, and found out that it was a known problem for a couple of days, then fixed immediately. Furthermore, It's ONE problem. IE just patched *SIX* problems, and that's not even half of them. And finally, even serious vulnerabilities in other browsers have less potential for harm than IE vulnerabilities, because they don't have direct access to system components like IE does.
Hm, what kind of internal apps? Unless they're Active-X based, you should be able to change how Mozilla identifies itself (to IE version whatever) and end-run around most of that stuff.
Oh, that was the bane of our existence at my old job. We had a running list of everyone who had the issue, and everything we'd tried to fix it (starting with the MS "fix"). We even had a couple folks where their computers were installed from the same disk image, and one had the problem while the other didn't (on the same model machine).
Eventually, we upgraded those folks to Win2k first. Solved it for almost everyone.
#4: Turn off all the stuff that shouldn't have been on by default to make the system run better and more secure. #5: Download and install all the security patches you need.
So, there's another half an hour or so right there...
People who have "training" but lack skill or experience are desperate to show you what they know. You can ask a very simple question, and they'll throw out names of tools they think might be relevant, and buzz words they've heard. They're unlikely to give you the simplest answer.
I once was asked in an interview for a DSL installation tech job, "if you installed a memory upgrade into a laptop, and upon boot up the new memory wasn't recognized, what would you do next?"
I felt kind of foolish saying "Well, I'd open up the laptop, reseat the memory, and try again." But the interviewer nearly wept... he'd been interviewing people with all kinds of "qualifications" all day, and I was the first person who had given this answer. He told me how everyone else had said "Well, I'd start up Tech Tool..." or "I'd get out a memory tester and..." without even checking that the installation had been done right in the first place.
That, of course, is not a comprehensive method for finding a good person for a job, but it might make your technical questions a little more effective.
Wouldn't it be more effective to identify the superset, thus ensuring that you don't overlook good programmers who don't meet your more restrictive criteria?
Not usually.
Logic is all well and good, but for those who haven't noticed, it tends to break down a bit where human beings are concerned. When we are in a position of evaluating other people, we necessarily rely on certain prejudices based on our prior experiences or information gained from other people. In some cases, the prejudices are unjustified (eg: I don't like people with beards because I was mugged by a guy with a beard once) and sometimes, they are justified (eg: among the people I've worked with over the years, the ones who are willing to correct me tend to be more intelligent and resourceful). Regardless of the genesis of the prejudice, however, you will *always* eliminate some people who otherwise fit your criteria.
The reason we do it this way is simple: because we just can't cope with too much information. The nature of our brains is such that we *have* to simplify input in order to analyze it. We seek patterns (that sometimes aren't there), we prejudge based on past experiences (that sometimes aren't valid), and so on. This is a *human* thing, not a logic thing.
Ideally, I suppose, we should sit down with a committee, come up with all the possible criteria, weight them for a particular position, give the prospective applicants a detailed questionnaire based on the list, enter it all into a database, and have a computer sift through it all to find out who is the BEST applicant for the position. Unfortunately, we're likely to forget something... and that approach doesn't leave room for the applicant to add some surprising detail that puts them over the top.
So until our brains are significantly augmented, we're going to continue using "illogical" methods to cut down the amount of information we use in making decisions. Address complaints to the psychology department of your local research hospital.
"Though anyone who can't grasp the logic of the questions is likely to be unable to program well...;-)"
Actually, anyone who can't grasp the logic of the questions is likely to be unable to HIRE well. You can program quite well without any understanding of how to find good coders... which is probably more or less how this thread got started.
I don't think doctors usually see patients for fun after work hours. I do, however, think that doctors talk to their friends and family about medical concerns, and help them see that they're getting appropriate care... except possibly for doctors who are incompetent or really hate their discipline (maybe they only went to med school for the money).
Fact is, while certain factors (such as marital status, religion, age, etc.) cannot by law be considered as factors in hiring, employers in all fields *do* ask about professional association memberships, related volunteer work or internships, and so on. In some fields, if you haven't done any work for free, there's no way in hell you're going to get paid for work (see: Entertainment Industry for further information). The fact that someone has not contributed to any Open Source projects does not mean they are a bad programmer, but those that have probably will be more enthusiastic about their work, and have more easily verifiable skills.
Hm. Maybe I should tell my friends who are graphic artists that they should put away their portfolios based on this line of reasoning...
It's a very common practice in fields that require not just training but also skill and (gasp) talent to request to see prior work before hiring. Contrary to popular belief, not just any monkey can code properly. If you don't want to show samples of your work before being hired, don't be shocked if you don't get an offer.
It's not just a matter of quality. Digital projection improves the distribution process dramatically. Film is a serial medium; reproducing the film platters has a time footprint that will not shrink very much by throwing more technology at it. Furthermore, they're *heavy*... which makes shipping both more expensive and more difficult to do quickly. At the same time, the movie industry is not a whole lot different from the software industry in being constrained by release dates that have more to do with marketing concerns than how long it takes to generate the finished product. Films are often being cut right up until the last possible moment to send them for reprinting and distribution (i.e. maybe 48 hours before they premiere at "a theatre near you.")
The number of hard drives it takes to save "Attack of the Clones" is not "small," I'd wager, but compared to the size of the film platters, it's tiny. Furthermore, writing data can be done relatively rapidly compared to running prints of a film. With the right RAID setup, you can read and write different sectors to the same disk simultaneously. There's an issue of diminishing returns, but it does respond to throwing more money at it. Furthermore, you can be making multiple copies at one time; a copy of a copy of a copy isn't any different from the master. Most importantly, though, eventually the movie studios won't have to create the media *at all*... they can send the movies via secured broadband feed directly to the theatres.
Unfortunately, you and I probably will never really notice the results of this, so your point is still valid. It does give the theatres greater motivation to upgrade, though.
"IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines. To confirm this, check out the public access machines at Kinko's, also check out public access machines at college campuses. All of those are installed onto those machines."
Ah, Kinko's...
I worked there for several years, most of them running the Computer Services department in one store or another. There's a few things you might not realize about their machines. First of all, at least when I was there, the installation CDs did NOT have all the IM apps on them. I think only MSN Messenger was on there, because of some bribe^H^H^H^H^H promotion from Microsoft. Oh, yeah, and AIM installs with Netscape; can't escape that. But then Yahoo! Messenger and ICQ would mysteriously show up. It was Windows 98se, and while we managed to prevent users from being able to ctrl alt del or shut down the computer, we couldn't seem to prevent them from installing many software applications.
And the pitfall of running Windows in such an environment: if the application froze, there was no recovery. This happened fairly often, because MS Word would choke after a while if you edited a file straight off the A: drive. At that point, we couldn't do Ctrl Alt Del, or even use keyboard shortcuts to get to the regular shutdown... it was all completely locked out. All we could do was hit the power button, sympathize, and advise them to (1) work off the hard drive and (2) save more often than every couple hours.
I remember the first time my ex-husband saw our setup. He instantly started telling me how much easier and more efficient it would be if it ran off of a Linux server (it remained a peer to peer network with an AppleTalk clone on the PCs until at least last year). Unfortunately we never could convince HQ.
"Anyway, you can very effectively lock down Win2k..."
You can lock down Win2k. "Effectively" is a subjective term, however; in my (admittedly somewhat shallow) experience, in order to lock truly useful stuff, you end up crippling the user in unforseen ways. (For example, to prevent folks from installing software, it turned out we also prevented them from installing fonts. There didn't appear to be any way to give them permission to load fonts without opening up the system more.)
At any rate, the question at hand is not "Why?" but "How?" The poster didn't ask *if* they should do this, but how to go about it. There may be many reasons, not the least of which is, especially if you work in the public sector, starting the process for upgrading *now* is a good thing to do, even if you aren't planning on actually doing it for two or three or four more years. (Side note: given that MS officially dropped support for Win98 in 2001, and that WinXP can be substituted for most Win2k functions, I don't think it's a safe bet to count on Win2k support for more than another year or so.) Also, it's possible that they got Win2k relatively recently, but that their hardware is outdated... and the costs of upgrading the hardware to run it "properly" made them look at other options.
Because, you know, a large proportion of government agencies mandate use of Windows desktops and servers for "security purposes..."
And, one more time, NO ONE IS BEING OUTLAWED. The proposed legislation does *not* say "Any companies which do not have open source software available at the time of this legislation are out of the question." The proposed requirements are quite simple and straightforward; any company can comply with them, if they're willing to give up Phenomenal Cosmic Power over their software to their customer. And, frankly, I don't want anyone I don't get to vote for to have that kind of power over my government.
Slashdot Mirror
From what I understood, they were using the guise of the Center for Missing and Exploited Children to send advertisements that supposedly benefited the cause, simply because non-profits are exempt from some of the limitations. I understood the poster to be saying that the faxes they were receiving were not, in fact, posters of missing children.
Any number of UCLA attourneys would be rabid at the chance to go after Podunkville, gratis.
Much as I love my alma mater, I think you'd have better luck with the ACLU.
UCLA = University of California at Los Angeles
ACLU = American Civil Liberties Union
There's still a little bit of a difference between them.
It makes them look worse, because it's a perfect example of how browser security holes *should* look. There's one hole, it was patched immediately. Rather than a laundry list of issues ranging from a couple weeks to a couple years old.
From following that link, you can see that it is obviously *possible* to build a browser (a good one, in my experience... upgraded to Mozilla 1.0 from Netscape 4.7, since I hated NS6 and won't use IE) that has relatively few security holes, and it is also possible to fix them as they come up. What excuse do you want to give on MS's behalf for being so behind, especially when they have a lot more resources to throw at the issue?
"OSS "vendors" will have to warranty thier software to do something, and do it a certain way, or else."
Or else... what? Refund the purchase price +10%?
It all depends on what you warranty and what you promise if the user collects on the warranty. It also depends on who is required to warranty software... would make sense that only commercial vendors would have to. Even the big Linux distros aren't "sold," rather, you can buy a CD with the free software and a manual to go with it, or you can download it all for free.
Besides, what is the likelihood that someone will spend $2000 on Win2k Server and licenses for their little office and be unsatisfied that the software does what it warrants, vs. the likelihood that they'll spend $100 on the deluxe RedHat package with a year of phone support and be unsatisfied that the software does what it warrants?
Of course, this only works insofar as people know that you have to hit ctrl-alt-del to log in, and that if they have a login prompt without hitting that, there's something wrong.
I've never seen much effort on the part of MS to get this across to folks, so this bit of security is pretty much wasted.
I wasn't clear from the bulletin on whether this vulnerability is only an issue if you use gopher, or if it can be abused by a malicious system even if you don't use gopher.
It's irresponsible to advise people to read the EULA on software before installing it? How does that work? The reaction to the comment was based on people's past experiences with MS EULAs, not the general idea that you should read the EULA. I'm sure that if you told some MS executive that a major geek site posted a note about these new releases, and reminded people to read the EULA before installing, they'd actually be somewhat reassured. (unless of course, they're counting on people not reading it...)
/. isn't responsible for that history, MS is.
People are leery of the EULA and the patch because it comes from Microsoft, which has nothing to do with the post, and everything to do with MS's history.
That link scared me at first, then I followed it, and found out that it was a known problem for a couple of days, then fixed immediately. Furthermore, It's ONE problem. IE just patched *SIX* problems, and that's not even half of them. And finally, even serious vulnerabilities in other browsers have less potential for harm than IE vulnerabilities, because they don't have direct access to system components like IE does.
All that link does is make IE look even worse.
No, the Office vulnerabilities are completely separate, and addressed in a different TechNet article.
And how do you know that the "trusted" site wasn't hacked and had malicious code installed on it?
;-)
Especially if it's running on Windows
The registry. It's loaded at boot-up. If you change it, you have to reboot.
The system registry often appears to be the worst idea Microsoft ever had...
Um, folks?
Windows 2000 Server is "expensive software." $859.99 right now on Amazon... for a 5-client license.
Hm, what kind of internal apps? Unless they're Active-X based, you should be able to change how Mozilla identifies itself (to IE version whatever) and end-run around most of that stuff.
Oh, that was the bane of our existence at my old job. We had a running list of everyone who had the issue, and everything we'd tried to fix it (starting with the MS "fix"). We even had a couple folks where their computers were installed from the same disk image, and one had the problem while the other didn't (on the same model machine).
Eventually, we upgraded those folks to Win2k first. Solved it for almost everyone.
#4: Turn off all the stuff that shouldn't have been on by default to make the system run better and more secure.
#5: Download and install all the security patches you need.
So, there's another half an hour or so right there...
... to simple questions.
People who have "training" but lack skill or experience are desperate to show you what they know. You can ask a very simple question, and they'll throw out names of tools they think might be relevant, and buzz words they've heard. They're unlikely to give you the simplest answer.
I once was asked in an interview for a DSL installation tech job, "if you installed a memory upgrade into a laptop, and upon boot up the new memory wasn't recognized, what would you do next?"
I felt kind of foolish saying "Well, I'd open up the laptop, reseat the memory, and try again." But the interviewer nearly wept... he'd been interviewing people with all kinds of "qualifications" all day, and I was the first person who had given this answer. He told me how everyone else had said "Well, I'd start up Tech Tool..." or "I'd get out a memory tester and..." without even checking that the installation had been done right in the first place.
That, of course, is not a comprehensive method for finding a good person for a job, but it might make your technical questions a little more effective.
Wouldn't it be more effective to identify the superset, thus ensuring that you don't overlook good programmers who don't meet your more restrictive criteria?
Not usually.
Logic is all well and good, but for those who haven't noticed, it tends to break down a bit where human beings are concerned. When we are in a position of evaluating other people, we necessarily rely on certain prejudices based on our prior experiences or information gained from other people. In some cases, the prejudices are unjustified (eg: I don't like people with beards because I was mugged by a guy with a beard once) and sometimes, they are justified (eg: among the people I've worked with over the years, the ones who are willing to correct me tend to be more intelligent and resourceful). Regardless of the genesis of the prejudice, however, you will *always* eliminate some people who otherwise fit your criteria.
The reason we do it this way is simple: because we just can't cope with too much information. The nature of our brains is such that we *have* to simplify input in order to analyze it. We seek patterns (that sometimes aren't there), we prejudge based on past experiences (that sometimes aren't valid), and so on. This is a *human* thing, not a logic thing.
Ideally, I suppose, we should sit down with a committee, come up with all the possible criteria, weight them for a particular position, give the prospective applicants a detailed questionnaire based on the list, enter it all into a database, and have a computer sift through it all to find out who is the BEST applicant for the position. Unfortunately, we're likely to forget something... and that approach doesn't leave room for the applicant to add some surprising detail that puts them over the top.
So until our brains are significantly augmented, we're going to continue using "illogical" methods to cut down the amount of information we use in making decisions. Address complaints to the psychology department of your local research hospital.
"Though anyone who can't grasp the logic of the questions is likely to be unable to program well... ;-)"
Actually, anyone who can't grasp the logic of the questions is likely to be unable to HIRE well. You can program quite well without any understanding of how to find good coders... which is probably more or less how this thread got started.
I don't think doctors usually see patients for fun after work hours. I do, however, think that doctors talk to their friends and family about medical concerns, and help them see that they're getting appropriate care... except possibly for doctors who are incompetent or really hate their discipline (maybe they only went to med school for the money).
Fact is, while certain factors (such as marital status, religion, age, etc.) cannot by law be considered as factors in hiring, employers in all fields *do* ask about professional association memberships, related volunteer work or internships, and so on. In some fields, if you haven't done any work for free, there's no way in hell you're going to get paid for work (see: Entertainment Industry for further information). The fact that someone has not contributed to any Open Source projects does not mean they are a bad programmer, but those that have probably will be more enthusiastic about their work, and have more easily verifiable skills.
Hm. Maybe I should tell my friends who are graphic artists that they should put away their portfolios based on this line of reasoning...
It's a very common practice in fields that require not just training but also skill and (gasp) talent to request to see prior work before hiring. Contrary to popular belief, not just any monkey can code properly. If you don't want to show samples of your work before being hired, don't be shocked if you don't get an offer.
It's not just a matter of quality. Digital projection improves the distribution process dramatically. Film is a serial medium; reproducing the film platters has a time footprint that will not shrink very much by throwing more technology at it. Furthermore, they're *heavy*... which makes shipping both more expensive and more difficult to do quickly. At the same time, the movie industry is not a whole lot different from the software industry in being constrained by release dates that have more to do with marketing concerns than how long it takes to generate the finished product. Films are often being cut right up until the last possible moment to send them for reprinting and distribution (i.e. maybe 48 hours before they premiere at "a theatre near you.")
The number of hard drives it takes to save "Attack of the Clones" is not "small," I'd wager, but compared to the size of the film platters, it's tiny. Furthermore, writing data can be done relatively rapidly compared to running prints of a film. With the right RAID setup, you can read and write different sectors to the same disk simultaneously. There's an issue of diminishing returns, but it does respond to throwing more money at it. Furthermore, you can be making multiple copies at one time; a copy of a copy of a copy isn't any different from the master. Most importantly, though, eventually the movie studios won't have to create the media *at all*... they can send the movies via secured broadband feed directly to the theatres.
Unfortunately, you and I probably will never really notice the results of this, so your point is still valid. It does give the theatres greater motivation to upgrade, though.
"IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines. To confirm this, check out the public access machines at Kinko's, also check out public access machines at college campuses. All of those are installed onto those machines."
Ah, Kinko's...
I worked there for several years, most of them running the Computer Services department in one store or another. There's a few things you might not realize about their machines. First of all, at least when I was there, the installation CDs did NOT have all the IM apps on them. I think only MSN Messenger was on there, because of some bribe^H^H^H^H^H promotion from Microsoft. Oh, yeah, and AIM installs with Netscape; can't escape that. But then Yahoo! Messenger and ICQ would mysteriously show up. It was Windows 98se, and while we managed to prevent users from being able to ctrl alt del or shut down the computer, we couldn't seem to prevent them from installing many software applications.
And the pitfall of running Windows in such an environment: if the application froze, there was no recovery. This happened fairly often, because MS Word would choke after a while if you edited a file straight off the A: drive. At that point, we couldn't do Ctrl Alt Del, or even use keyboard shortcuts to get to the regular shutdown... it was all completely locked out. All we could do was hit the power button, sympathize, and advise them to (1) work off the hard drive and (2) save more often than every couple hours.
I remember the first time my ex-husband saw our setup. He instantly started telling me how much easier and more efficient it would be if it ran off of a Linux server (it remained a peer to peer network with an AppleTalk clone on the PCs until at least last year). Unfortunately we never could convince HQ.
"Anyway, you can very effectively lock down Win2k..."
You can lock down Win2k. "Effectively" is a subjective term, however; in my (admittedly somewhat shallow) experience, in order to lock truly useful stuff, you end up crippling the user in unforseen ways. (For example, to prevent folks from installing software, it turned out we also prevented them from installing fonts. There didn't appear to be any way to give them permission to load fonts without opening up the system more.)
At any rate, the question at hand is not "Why?" but "How?" The poster didn't ask *if* they should do this, but how to go about it. There may be many reasons, not the least of which is, especially if you work in the public sector, starting the process for upgrading *now* is a good thing to do, even if you aren't planning on actually doing it for two or three or four more years. (Side note: given that MS officially dropped support for Win98 in 2001, and that WinXP can be substituted for most Win2k functions, I don't think it's a safe bet to count on Win2k support for more than another year or so.) Also, it's possible that they got Win2k relatively recently, but that their hardware is outdated... and the costs of upgrading the hardware to run it "properly" made them look at other options.
You're right. So they should stop it right now.
Because, you know, a large proportion of government agencies mandate use of Windows desktops and servers for "security purposes..."
And, one more time, NO ONE IS BEING OUTLAWED. The proposed legislation does *not* say "Any companies which do not have open source software available at the time of this legislation are out of the question." The proposed requirements are quite simple and straightforward; any company can comply with them, if they're willing to give up Phenomenal Cosmic Power over their software to their customer. And, frankly, I don't want anyone I don't get to vote for to have that kind of power over my government.
Since you're so well informed, can you tell me who makes the software currently used by the USPS and ATC?
If it's not a private company, then your argument evaporates.