Slashdot Mirror


User: JimmytheGeek

JimmytheGeek's activity in the archive.

Stories: 0
Comments: 609

Comments · 609

  1. Incenting the wrong behavior.... on LovSan Clone Let Loose · · Score: 1

    There was a Dilbert about rewarding employees for finding bugs. Naturally, this didn't drive careful coding.

  2. Disagree - too many patches on LovSan Clone Let Loose · · Score: 1

    In the first place, there are too many patches. At some point, you gotta blame the sloppy code. Maybe more than one major vulnerability per month this year is below your threshold, but it's above mine.

    As evidence for the unreasonableness of the patching burden, the MS download site was itself hit "hacked by Chinese" during the Code Red outbreak. If the contractors running that site can't keep up, the product is too flawed for Joe Admin out in the sticks.

    The steps to reduce the burden of patching have been awful. Windows Update fails silently, or falsely reports success in many cases. After the SQL worm, many admins are wary of blindly patching.

    I think the technet article was July 16, one month ago.

  3. yahooPops is the best of both worlds on Microsoft Stops Development Of Outlook Express · · Score: 1

    It sets up a virtual pop server, which you point your email client at. When the client contacts the pop server, the pop server cycles through your yahoo mail and turns the web pages into real email messages.

    Once a month or so I run it and empty out my webmail.

  4. How do you do that? on Microsoft Stops Development Of Outlook Express · · Score: 1

    As far as I know, there is no way to force receipt of text only in OE, and the directions I have for Outlook 2000 do not work.

  5. I think YHBT on Absolute OpenBSD · · Score: 1

    The same post comes up with every *BSD article. The 17 meg file copy has taken at least 2 months.

  6. I've gotten good help on real newb stuff on Absolute OpenBSD · · Score: 2, Interesting

    Like how to mount a native floppy. Stuff so basic it never occurred to anybody to put in an obvious form.

    I usually put my questions in the form: "I know this is basic, and here's what steps I've taken to find the answer....any clues to share?"

    I may have just lucked out or caught people at propitious times in their meds routine.

    My big project at the moment is setting up some sparc boxes with the newest rev. with some lovely anti stack-smashing, not avail on x86.

  7. Funny - I don't remember you on Absolute OpenBSD · · Score: 1

    I'm glad I made a good impression, though!

  8. that is left as an exercise for the reader on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 1

    Just hit the support.microsoft.com site and start counting.

    For me, I'm content with the approximation "many", or possibly "too many", or "way too fsking many"

    Other OS's that I'm familiar with have many vulnerabilities in programs that run on them, but relatively few in the OS itself. With the various flavors of Windows, there isn't a significant difference. When IIS is installed by default, an IIS flaw is an OS flaw. When Apache is not installed by default, its flaws should not be counted with those of the OS.

    Don't count every buffer overflow in every chat client on source forge. DO count every flaw in IE and outlook express, because getting rid of them is impractical. You could probably throw in media player as well.

    I agree that you have to stay on top of the updates, but in my environment the many linux and OpenBSD boxes are much less trouble than the few windows boxes - both proportionally and absolutely.

  9. I've a geek friend who worships Dave on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 1

    She said he got demoted to mere lead programmer or something around nt 4.0. MS has a weird habit of giving 25 year olds executive authority over some major projects. The PM's were not the best coders who had been promoted.

    On the other hand, they sometimes value the programmer much more than the programmer's supervisor. The place is a political snake pit, but they do avoid some Peter Principle issues.

    Anyway, she noted seeing his sports car (ferrari?) in the parking lot on weekends when she was about the only other person there. He worked long hours even after NT went someone else's way.

  10. Re:I Don't Disagree either on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 1

    Admins should patch, no question. And there are some basic things we should all do no matter what platforms we use. My net does not allow outbound packets unless the source address is our net. That kind of thing.

    I guess I think it's reasonable to get caught flat-footed once in a while by this stuff. Even the microsoft download site - where you could get the patch to prevent Code Red - was itself nuked by Code Red. If they can't do it all the time, it's not reasonable to expect everyone else to.

    I think the real solution is to migrate to better platforms. "Better" includes considerations besides how fast a half-trained web lackey can smack out a superficially functional .asp page.

    I don't know how the liability would play out. Seems it's hard enough to punish deliberate, manual crackers and fraudsters, even when you locate them for the authorities. There's been enough of this stuff that to my mind the common custom ==> common law is that you don't have grounds to sue, since millions of people haven't. Dunno. And if you got infected, aren't you guilty of the same negligence? I suppose if you got hit with a side-effect, like the DOS that will hit the Windows Update site, that's different.

  11. don't think win2k was a complete rewrite on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 1

    I had not heard any claims of a complete rewrite. To me, it looks like warmed over nt4 with the substantive changes divided between cosmetic, gratuitous UI alterations (so the admin applets are in a new spot, just to annoy) and more radical new ways for other machines to interact with the system.

    A little hardware support - they had a USB driver for nt 4 widely deployed all over the redmond campus, but not released so users would have a reason to buy a new os.

    I don't know if it is better code/design than nt 4 or better drivers or my anecdotal impression of better stability is incorrect. I think security is worse.

    XP added a lot of lines to win2k, but it still uses a lot of the same crap.

    In the consumer OS evolution, there wasn't much difference between win95 osr2 and win98. Throw in some patches and you have a more complete evolutionary chain than we have for human descent. Which is another way of saying we all got charged for bug fixes.

  12. That's a scary thought ! on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 2, Insightful

    The windows world isn't even close to handling a whole class of vulnerabilities - services running with inappropriate privilege. Ouch! No chrooting, privilege separation, etc.

    It's amazing how little they seem to learn from better OS's. That and your point reminds me of a sig I saw a little while ago: "If I am near-sighted, it's because I stand on the shoulders of midgets."

  13. Re:And you think Linux will take less time? on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 1

    I am running 3-4 linux servers for each windows box. They have better update routines and many fewer updates are required.

    And I have a couple of OpenBSD boxes with very specific roles. It's fun thinking about how little I have to think about them.

    So yeah - they're properly administered and they take much less time. Your mileage may vary, of course. If you have a RH 7.3 "with everything" then you have a problem, maybe.

  14. DO blame MS! on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 5, Insightful

    Until they can release an OS that goes a couple of weeks between major vulnerability discoveries, they're fucked! And so are you. Don't you think IT staffs have other responsibilities? Do you realize how many updates there have been this year? How many of them require a reboot?

    That's an easy question to answer.

    The more interesting question is how many of them would not be required if they had implemented a sensible architecture, if they hadn't bolted on a bunch of crap to advance the monopoly into the internet, etc. Then we could hope for a massive improvement in code quality. My impression is that a bunch of this was avoidable, but for lazy and incompetent product managers and programmers, and perverse design goals intended to hurt competitors no matter what collateral damage to consumers.

  15. It's too much to ask on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 5, Insightful

    It's like digging a hole in the water. (In this metaphor, the water is NOT frozen, 'kay?)

    We IT gnomes have other things to do than patch and patch and patch and patch. We can't trust Windows Update to even correctly report the status of the application of a patch. We have users screaming for new installations, new hardware, new software, new networks, wireless, email, etc. Staffing doesn't get determined by workload. Not in my world.

  16. I have better things to do than patch windows on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 2, Insightful

    Maintaining this crap is taking way too much fsking time. I have a lot of other projects that I could advance but instead I get to hit slashdot while watching patch progress bars randomly increment.

    This is not good, it's not acceptable, and I am moving toward not accepting it. Screw em. Lousy products, massively offensive licensing terms (both in dollar amount and provisions), and smarmy, arrogant execs. Piss on them.

  17. Windows not ready for prime time on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 4, Insightful

    Comcast as a whole got blasted, not surprising.

    A win2k sp3 machine I patched has something like 16 critical updates needed. Several reboots.

    That's too much downtime. You can update just about everything but the kernel in linux/bsd without a reboot. Going through this every couple of days is a drag!

    The architecture is fundamentally broken: the enabling stuff by default; implementing dozens of new ways for strangers to do things to your computer without your knowledge (as features!) with each release; welding mere applications (web browser, email client) to the OS, having them run with system privileges, and making it impossible to remove...

    Finally - windows update is fundamentally broken. It will report success when the patching operation fails. This is one way:
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=9340

    They need to start over. Maybe if they start clean they can come up with something that compares to Linux.

  18. "I don't want 99%+ viruses/worms" on Fry's Electronics - Selling Linux... Or Not? · · Score: 2, Interesting

    Did you see the recent story where XP was only slightly easier to use than KDE? Which means KDE is likely easier to use than Win95/95OSR2/98/98se/me/nt 4.0 etc.

    In other words, usability is at least as high as what linux has been compared to for years.

    My boss's boss, not a propeller head, just bought a used laptop with a linux distro. She couldn't recall the name, but it works fine for her.

    Primetime, baby.

  19. They weren't interested in taxation period on Linking Dangerously · · Score: 1

    Whether or not it came with representation. They would have had a sufficient number of seats in parliament to assure things went as they liked, and the future revolutionaries knew it.

  20. I take my (blue) hat off to you on SCO Wants $699 for Linux Systems · · Score: 1

    It's people like you what cause unrest!

  21. Moderation abuse - parent not troll on Mozilla Thunderbird 0.1 Released · · Score: 1

    I-lookup hijacked a neighbor's IE. A porn popup trap every time she started IE, with a new popup every five minutes if she successfully closed out of the trap, whether or not IE was still running.

    You don't see that with the lizard.

    You also don't hear about Sobig email worm equivalents for Mozilla. This is a cute one: all you have to do is have this one arrive on top of your list of mail in outlook or outlook express and if you have a preview window, you are now a spam proxy!

    How did this factually accurate description merit 3 troll mods?

  22. "the right to be let alone" on Telemarketers Sue Over "Do Not Call" List · · Score: 1

    "The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men--the right to be let alone."

    -JUSTICE LOUIS D. BRANDEIS

    Governments at various levels pass laws against nuisances all the time. They are correct to do so. Most communities have a means to compel a resident to deal with dogs that bark constantly.

  23. That gig protecting Abraham Lincoln... on Cyber Sleuths vs. Secret Networks · · Score: 1

    didn't quite work out, did it?

    I don't think I'd compare myself to Pinkertons if I were starting a business. They ran the intelligence operations for the Union in the U.S. Civil War and were 0wn3d by the confederacy. They protected Lincoln into an early grave ("Apart from that, Mrs. Lincoln, how did you enjoy the show?").

    They made their money by providing strike-breaking mercenaries back in the day when advocating limiting children to 50 hours a week was a dangerous, radical notion.

  24. Some of that increase is me on Mozilla Thunderbird 0.1 Released · · Score: -1, Troll

    I've been changing my neighbors over as they have problems with Intestinal Exploder and Outhouse Excess. Stuff like the ease of browser hijacking by porn sites (who are obviously getting paid by the hit and not for any customer goodwill they generate!) and the email worms that set up spam proxies makes it pretty easy to close the deal.

  25. Mussolini overrated on RIAA Now Targets Pirates' Parents · · Score: 1

    He did have goons that forced people to drink castor oil in large doses. Basically, a country run by high school bullies.

    The trains didn't run on time. It was just expedient to SAY they ran on time.