I think it is OK since it gives predictability. For the problems found internally or reported discreetly to Microsoft, there is very little chance that exactly the same problem will be rediscovered in 2 weeks (a month on average).
Of course, for the problems which were disclosed publicly, or when exploits were spotted, the critical patch will be issued immediately.
"Retires" means no new sales. However existing customers still will be supported, and bugs will be fixed.
It's all good in theory, but when people happily send their credit card number to any random website claiming to sell stuff that does an SSL connection, just what is the point?
The point is that if you connect with SSL - then the website is not "random". I.e. you can verify that whoever pretends to be amazon.com - is really amazon.com. So you know who you are dealing with - you are not giving your credit card to somebody just pretending to be amazon.com.
Also you made sure that nobody could sniff the credit card number while it was traveling from you to amazon.com.
Think about corporate users. They are not the computer owners. The computer belongs to the company. The company wants to control its use and apply its policies. Seems like a perfect case for DRM.
Yet neither one of those companies made it to Fortune 1000 list...
Actually, they stated that they looked into Fortune 1000 Web sites. And in the Fortune 1000, Netscape does have a bigger market share than Apache. I cannot prove it to you, but in the subscribers' portion of Netcraft they also track the Fortune 1000 and Fortune 500, and the numbers are very similar.
> WHY wasn't ICF turned on by default in XP Home?
This is a very good question. ICF is going to be turned on by default in XP - see this CNET article for more details on how Microsoft is doubling its efforts on security.
Small correction: Those 5 new security problems are not remote root exploits. They are about opening a document (proactive user action) which can cause buffer overflow.
Still very serious. However, as we saw with SoBig, one doesn't need to exploit buffer overflows to run arbitrary code on the machine of the user who opens any email attachment.
Imagine a key compromise. Every computer system that used the key could be shut down.
As opposed to what we have today?
Today computers don't have keys, so by your logic any computer can be shut down? In order to shut a computer down, it is not enough to know its key; you will also have to find a way to run some code on that computer.
Self-signing my certificates works of course, but just about all browsers make a big fuss about it.
This is a joke, right? Self-signing the certificate defeats the purpose! I will redirect the DNS entry to point to my web site instead, and will use a self-signed certificate. How would you know that this is not the genuine site?
The right solution is to roll out your own Certificate Authority (CA) and make it trusted CA on all the client machines which will use the application. Then you can issue certificates signed by this CA.
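The two points made above (SSL only proves who you are talking to when the certificate chains to a CA you trust, and a self-signed certificate can be forged by anyone who can redirect DNS) can be demonstrated end to end with the OpenSSL command line. The script below is an added example, not code from any poster in this thread: it builds a private CA, issues a server certificate from it, then forges a self-signed impostor certificate for the same host name and checks that clients trusting only the private CA accept the first and reject the second. It assumes the `openssl` tool (1.1.1 or later) is on PATH; the host name `app.example.internal`, the CA name and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): roll out a private CA, issue a
# server certificate from it, and show that a self-signed impostor certificate
# for the same host name does not verify against that CA.
# Assumes the openssl command-line tool (1.1.1+) is on PATH. The host name
# app.example.internal and every file name below are invented for the demo.

# verify_against_ca CAFILE CERT HOST
#   -> exit 0 only if CERT chains to CAFILE and carries HOST in its SAN,
#      i.e. what a client that trusts only this CA would accept.
verify_against_ca() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo_private_ca
#   -> exit 0 when the CA-issued certificate verifies AND the impostor's
#      self-signed certificate is rejected; exit 1 otherwise.
demo_private_ca() {
    host=app.example.internal
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"

        # 1. The organisation's own CA: a self-signed root marked CA:TRUE.
        #    ca.crt is the file that gets installed as trusted on every client;
        #    ca.key never leaves the CA machine.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
        openssl req -new -key ca.key -subj "/CN=Example Internal CA" -out ca.csr 2>/dev/null
        openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.crt 2>/dev/null

        # 2. The application server's certificate, signed by that CA.
        #    Leaf certificates get CA:FALSE and the host name in subjectAltName.
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > leaf.ext
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
        openssl req -new -key server.key -subj "/CN=$host" -out server.csr 2>/dev/null
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile leaf.ext -out server.crt 2>/dev/null

        # 3. The impostor from the DNS-redirect scenario: same host name, same
        #    extensions, but self-signed because the attacker has no ca.key.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out evil.key 2>/dev/null
        openssl req -new -key evil.key -subj "/CN=$host" -out evil.csr 2>/dev/null
        openssl x509 -req -in evil.csr -signkey evil.key -days 365 -extfile leaf.ext -out evil.crt 2>/dev/null
    ) || { rm -rf "$work"; return 1; }

    result=1
    # A client trusting only ca.crt accepts the CA-issued cert and rejects the
    # impostor: knowing the host name is not enough, you need the CA's key.
    if verify_against_ca "$work/ca.crt" "$work/server.crt" "$host" \
       && ! verify_against_ca "$work/ca.crt" "$work/evil.crt" "$host"; then
        result=0
    fi
    rm -rf "$work"
    return $result
}

if demo_private_ca; then
    echo "CA-issued certificate verified; self-signed impostor rejected"
else
    echo "demo failed (is openssl on PATH?)"
fi
```

The same check is what a browser performs against its trust store: a self-signed server certificate fails for exactly the reason the impostor's does here, which is why the warning in the browsers mentioned above is not something to click through but the signal that the CA step has been skipped.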
From the advisory:
> A DoS resulting in a lockup of the machine has been verified on Windows 2000 SP3 and Windows XP.
> A remote compromise can not be excluded, as we were able to fill EDI and EDX with our data.
It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
More high-tech and effective than Slashdot? Come on...
> I'm pretty sure I was looking at that call in 1991, and maybe even 1990. Is 1992 the filing date, or the date they claim invention
The patent law allows one year since the date of public disclosure until the patent is filed. Therefore if you were looking at it in 1991 and they filed patent in 1992, they are still OK.
> Most recently, an error on Microsoft's Certified Partners page, a Passport service, made usernames and passwords available on the Internet in plain text.(FN10) Anyone could have used this information to gain complete access to others' Passports and Hotmail E-mail accounts.
This is not true. They could see the user name and password to log into the SQL Server database on the machine that was behind the firewall, not the Passport user names and passwords. That SQL Server didn't contain any information related to Passport users. And since the machine(s) was behind the firewall, nobody could access it anyway.
Recently Compaq announced that it shipped its millionth iPaq. Around the same time Microsoft announced that it shipped the millionth PocketPC. This has to tell something about the success of HP's Jornadas...