In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer? To modify it at all, let alone with security-impacting ramifications?
Earth to Microsoft: drive-by downloads are among the worst of vulnerabilities. They must be avoided at all costs. And the way to avoid them is not to be more careful when writing and installing unnecessary little browser plug-ins. The way to avoid them is not to install unnecessary little browser plug-ins in the first place. (And if you simply must install unnecessary little browser plug-ins, do it with your own grotty browser, not the non-Microsoft one I installed specifically to avoid all the security concerns of yours.)
I won't mod you as flamebait (no mod points today), but I will respond to this bit:
Macs crash just like a Windows computer. Macs experience hardware issues. Macs, if you use them heavily, need regular maintenance to keep them running smoothly.
You're one for three, in my experience. Hardware issues: yeah, I've had a few. But my Mac just never crashes. And I have no idea what you're talking about when you say that "heavy usage" implies "regular maintenance". My Mac runs smoothly all the time, and the only "maintenance" I do is backing it up regularly.
Sure, there may be lots of infringement, but equally sure, my rights to use my legally-purchased media matter a bit, too. If, to protect my rights, an unintended consequence is that infringement becomes easier, that's not necessarily out of the question.
Here's an analogy that will probably get me in a lot of trouble and that a lot of people won't get: we've got another high-profile acronymized law in the U.S.: the ADA. We've decided it's really important that handicapped people have access to every public place. So if you own a public place, you have to make it handicap-accessible, whether or not you know of any handicapped people visiting your place today.
Now, a consequence of that law is that there are an awful lot of handicap ramps being built, and handicap-accessible restrooms being built, and handicapped parking spots being set aside, that aren't ever being used by handicapped people. So it wouldn't be too much of a stretch to say, "Let's not be disingenuous here, the primary effect of the ADA will be that a bunch of architects and contractors make some extra money doing ADA compliance work."
(But before the howls of protest begin: I did not just say that we should scrap the ADA, or that the rights of the handicapped aren't important. What I did just say is that the rights of legitimate media purchasers are important.)
Yeah, yeah, obvious as hell, but the surprise here -- and it's a pretty huge one -- is that someone from Microsoft is saying this. What's up with that?
Unfortunately, it most certainly is not contained within the MS ghetto. I don't run any Microsoft software anywhere, but my inbox is overflowing with spam, much of it sent via those botnets. So I would very much like to get the botnet problem fixed, not to be nice to the hapless Windows users, but out of pure self-interest.
All thought this debate are statements like "Vista requires that any interface that provides high-quality output degrade the signal quality that passes through it if premium content is present." (That's straight from Gutman's paper under "Decreased Playback Quality".) Now, I can understand downgrading premium content if it hasn't been paid for, or if it's passing through an unprotected output path which might allow unauthorized copying, but these statements make it sound like premium content always has to be degraded. So what's premium content for? Are there any circumstances under which it can be viewed undegraded? (I'm sure there are; I'm sure I'm missing something here.)
...unless there was a defect in the product which caused it.
Aha.
It happens, but it's your fault, just like accidentally hitting the accelerator instead of the brake is your fault.
Depends. How many people accidentally hit the accelerator instead of the brake last year?
How many people clicked on unsafe attachments and got pwned last year?
How many people didn't die in car crashes last year because they were saved by air bags?
Other industries have learned that "blame the user" is, under some circumstances, a misguided strategy. Humans are imperfect, and if there's a class of mistakes they're guaranteed to make with regularity, systems must be designed (or redesigned) to protect against those mistakes, or minimize their impact.
the blame lies with the person who follows unsafe computing practices.
Right. But in my hypothetical story, who was that?
I maintain that you should have to have a license to use the Internet, and that you should have that license revoked for unsafe use.
Let's take that ball and run with it for a moment.
Presumably one of the lessons in the "safe computing" course you'd have to take before getting your Internet driver's license would be not to open unsafe attachments.
Suppose I knew myself well enough to know that I was likely to accidentally click on an attachment from time to time without verifying it to be safe. Suppose I went to my sysadmin and said, "I would like you to configure my mail app so that clicking on attachments will only launch file viewers for data attachments, but will never launch code runners for executable attachments." Suppose my sysadmin said, "That's impossible, it can't be configured that way, and anyway, having executable attachments run when you click on them is a useful feature that people want, that's why Microsoft set things up to make it easy."
Now, whose license should be revoked for unsafe practices?
I'm tired of people not taking responsibility for the things they should be responsible for.
Me, too. But I don't think that's the appropriate focus of the debate.
Here's the question: if Joe Average gets an e-mail saying "click here for an important message from your bank", whose job is it to decide whether clicking on that attachment is safe or not?
If Joe is tired or not paying attention, and accidentally clicks on that link even though he shouldn't have, does that mean he's stupid? Does he bear full responsibility for any and all horrendous consequences of that one single little harmless-seeming mouse click? (Remember, on the web, clicking on things is what you do, all the time.)
Who decided that it was an acceptable risk model for a single accidental click to result in your machine being pwned by a virus writer? Who decided that Joe had to take that risk? Who decided that I have to put up with barrages of botnet-sent spam due to all the Joe Averages out there who accidentally clicked on email attachments they shouldn't have, or downloaded web toolbars or games that they shouldn't have?
I'm not pointing the finger at Microsoft because they're a big company and I'm a responsibility-disavowing individual. I'm pointing the finger at them because, by making it maximally easy to run untrustworthy code, they very carefully and deliberately laid the groundwork for the massive computer security problems we have today. I'm pointing the finger at them because pointing the finger at 100,000,000 Joe Averages may make the Microsoft apologists feel better, but it does not solve the problem.
As a manufacturer, you have a responsibility to design a safe and secure product. And Microsoft has never seriously accepted that responsibility.
So by your logic, we shouldn't need traffic lights, seat belts, air bags, insurance, or speed limits.
If people took the time to learn how to drive more carefully, and stopped having stupid accidents,
we wouldn't need these safety measures.
In any case, we've been blaming the "stupid users" for years now, and it hasn't helped. They're still clicking on those easy-to-click executable attachments...
We're not talking about "will get it right... introducing some practically workable mechanism for allowing only trustworthy code", We're talking talking about a model laid out in.net 1.0 and refined in 2.0 about a year ago.
Neither of us will convince the other on this point, so I won't try.
If, a year or two from now,.net 2.0 (or whatever version it's up to by then) is stable and secure, I will say, "Shit, I was wrong."
I ask only: if, a year or two from now, there is some undreamt-of new "impossible" attack against or subversion of the idea, such that people are clicking once and getting pwned all the time, you do the same.
Steve Ballmer himself has started touting the exact strategy
they need -- "Click Once and Run."
That's just about the worst possible news. Microsoft's strategy of making it all-too-easy to
install and run questionably-trustworthy code is why the email
virus, web browser malware, and -- worst of all -- botnet
problems have become the unsolveable epidemics that they are.
Does anyone believe that Microsoft will actually get it right
this time, in terms of introducing some practically workable
mechanism for allowing only trustworthy code? (Not to mention
the difficulty of meaningfully defining "trustworthy" in this context...)
I've got some nice scissors. I would never use them on thick plastic -- it's not what they're made for, it would spread and deform the joint, and then they wouldn't be good at their job of cutting paper any more.
Most importantly, how do the manufacturers imagine people are supposed to open those things?
I would really like to know the answer to this. (Even better, I'd like somebody like Michael Moore to entrap an executive into a candid, on-camera attempt to open one of his own company's packages using only the everyday household appliances to hand.)
I've sure wondered about this. The only reasonable way I've
found of opening "modern" plastic packaging is with a pair of aviation
snips (i.e. compound-leverage sheet-metal cutters). They work
great, but what do people do who don't have them sitting right
there in the top
compartment of the toolbox in a corner of their living room?
And why haven't there been any personal-injury lawsuits yet from
all the people who've tried using a box-cutter or other sharp
knife, which always gouges out sideways in a wickedly
unpredictable and unsafe way?
Slashdot Mirror
In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer? To modify it at all, let alone with security-impacting ramifications?
Earth to Microsoft: drive-by downloads are among the worst of vulnerabilities. They must be avoided at all costs. And the way to avoid them is not to be more careful when writing and installing unnecessary little browser plug-ins. The way to avoid them is not to install unnecessary little browser plug-ins in the first place. (And if you simply must install unnecessary little browser plug-ins, do it with your own grotty browser, not the non-Microsoft one I installed specifically to avoid all the security concerns of yours.)
Sheesh.
I won't mod you as flamebait (no mod points today), but I will respond to this bit:
Macs crash just like a Windows computer. Macs experience hardware issues. Macs, if you use them heavily, need regular maintenance to keep them running smoothly.
You're one for three, in my experience. Hardware issues: yeah, I've had a few. But my Mac just never crashes. And I have no idea what you're talking about when you say that "heavy usage" implies "regular maintenance". My Mac runs smoothly all the time, and the only "maintenance" I do is backing it up regularly.
Sure, there may be lots of infringement, but equally sure, my rights to use my legally-purchased media matter a bit, too. If, to protect my rights, an unintended consequence is that infringement becomes easier, that's not necessarily out of the question.
Here's an analogy that will probably get me in a lot of trouble and that a lot of people won't get: we've got another high-profile acronymized law in the U.S.: the ADA. We've decided it's really important that handicapped people have access to every public place. So if you own a public place, you have to make it handicap-accessible, whether or not you know of any handicapped people visiting your place today.
Now, a consequence of that law is that there are an awful lot of handicap ramps being built, and handicap-accessible restrooms being built, and handicapped parking spots being set aside, that aren't ever being used by handicapped people. So it wouldn't be too much of a stretch to say, "Let's not be disingenuous here, the primary effect of the ADA will be that a bunch of architects and contractors make some extra money doing ADA compliance work."
(But before the howls of protest begin: I did not just say that we should scrap the ADA, or that the rights of the handicapped aren't important. What I did just say is that the rights of legitimate media purchasers are important.)
Yeah, yeah, obvious as hell, but the surprise here -- and it's a pretty huge one -- is that someone from Microsoft is saying this. What's up with that?
Multiple headlines under Sci/Tech on Google News just now:
- First iPod Virus Detected
- Lab claims first "proof of concept" iPod virus
- Kaspersky discovers an iVirus
This isn't just disgusting, it's disgusting on disgustingly many different levels at once...Answering my own question, in case anyone's still reading:
The situation's not so dire; see this press statement and also this account of where the million bucks goes.
The most recent fund drive raised over a million bucks. Why is there this sense of imminent collapse?
Every song on my iPod is paid for. Why should I be additionally taxed?
Unfortunately, it most certainly is not contained within the MS ghetto. I don't run any Microsoft software anywhere, but my inbox is overflowing with spam, much of it sent via those botnets. So I would very much like to get the botnet problem fixed, not to be nice to the hapless Windows users, but out of pure self-interest.
Yes, very nice. I wish more people could afford it here.
[Microsoft-free since '93]
All thought this debate are statements like "Vista requires that any interface that provides high-quality output degrade the signal quality that passes through it if premium content is present." (That's straight from Gutman's paper under "Decreased Playback Quality".) Now, I can understand downgrading premium content if it hasn't been paid for, or if it's passing through an unprotected output path which might allow unauthorized copying, but these statements make it sound like premium content always has to be degraded. So what's premium content for? Are there any circumstances under which it can be viewed undegraded? (I'm sure there are; I'm sure I'm missing something here.)
In fact, I am sick and tired of sites that need JavaScript just to provide any level of basic functionality.
Amen, brother. There oughta be a law.
Aha.
It happens, but it's your fault, just like accidentally hitting the accelerator instead of the brake is your fault.
Depends. How many people accidentally hit the accelerator instead of the brake last year?
How many people clicked on unsafe attachments and got pwned last year?
How many people didn't die in car crashes last year because they were saved by air bags?
Other industries have learned that "blame the user" is, under some circumstances, a misguided strategy. Humans are imperfect, and if there's a class of mistakes they're guaranteed to make with regularity, systems must be designed (or redesigned) to protect against those mistakes, or minimize their impact.
the blame lies with the person who follows unsafe computing practices.
Right. But in my hypothetical story, who was that?
I maintain that you should have to have a license to use the Internet, and that you should have that license revoked for unsafe use.
Let's take that ball and run with it for a moment.
Presumably one of the lessons in the "safe computing" course you'd have to take before getting your Internet driver's license would be not to open unsafe attachments.
Suppose I knew myself well enough to know that I was likely to accidentally click on an attachment from time to time without verifying it to be safe. Suppose I went to my sysadmin and said, "I would like you to configure my mail app so that clicking on attachments will only launch file viewers for data attachments, but will never launch code runners for executable attachments." Suppose my sysadmin said, "That's impossible, it can't be configured that way, and anyway, having executable attachments run when you click on them is a useful feature that people want, that's why Microsoft set things up to make it easy."
Now, whose license should be revoked for unsafe practices?
I'm tired of people not taking responsibility for the things they should be responsible for.
Me, too. But I don't think that's the appropriate focus of the debate.
Here's the question: if Joe Average gets an e-mail saying "click here for an important message from your bank", whose job is it to decide whether clicking on that attachment is safe or not?
If Joe is tired or not paying attention, and accidentally clicks on that link even though he shouldn't have, does that mean he's stupid? Does he bear full responsibility for any and all horrendous consequences of that one single little harmless-seeming mouse click? (Remember, on the web, clicking on things is what you do, all the time.)
Who decided that it was an acceptable risk model for a single accidental click to result in your machine being pwned by a virus writer? Who decided that Joe had to take that risk? Who decided that I have to put up with barrages of botnet-sent spam due to all the Joe Averages out there who accidentally clicked on email attachments they shouldn't have, or downloaded web toolbars or games that they shouldn't have?
I'm not pointing the finger at Microsoft because they're a big company and I'm a responsibility-disavowing individual. I'm pointing the finger at them because, by making it maximally easy to run untrustworthy code, they very carefully and deliberately laid the groundwork for the massive computer security problems we have today. I'm pointing the finger at them because pointing the finger at 100,000,000 Joe Averages may make the Microsoft apologists feel better, but it does not solve the problem.
As a manufacturer, you have a responsibility to design a safe and secure product. And Microsoft has never seriously accepted that responsibility.
In any case, we've been blaming the "stupid users" for years now, and it hasn't helped. They're still clicking on those easy-to-click executable attachments...
Alas, many websites believe that '+' is an illegal character in e-mail addresses, and so disallow these extended addresses.
Neither of us will convince the other on this point, so I won't try.
If, a year or two from now, .net 2.0 (or whatever version it's up to by then) is stable and secure, I will say, "Shit, I was wrong."
I ask only: if, a year or two from now, there is some undreamt-of new "impossible" attack against or subversion of the idea, such that people are clicking once and getting pwned all the time, you do the same.
That's just about the worst possible news. Microsoft's strategy of making it all-too-easy to install and run questionably-trustworthy code is why the email virus, web browser malware, and -- worst of all -- botnet problems have become the unsolveable epidemics that they are. Does anyone believe that Microsoft will actually get it right this time, in terms of introducing some practically workable mechanism for allowing only trustworthy code? (Not to mention the difficulty of meaningfully defining "trustworthy" in this context...)
Now that is absolutely brilliant! A tip o' the hat, clever sir!
I've got some nice scissors. I would never use them on thick plastic -- it's not what they're made for, it would spread and deform the joint, and then they wouldn't be good at their job of cutting paper any more.
Yow!! WTF is *that* for?! (Details, we want more details!)
Most importantly, how do the manufacturers imagine people are supposed to open those things? I would really like to know the answer to this. (Even better, I'd like somebody like Michael Moore to entrap an executive into a candid, on-camera attempt to open one of his own company's packages using only the everyday household appliances to hand.)
I've sure wondered about this. The only reasonable way I've found of opening "modern" plastic packaging is with a pair of aviation snips (i.e. compound-leverage sheet-metal cutters). They work great, but what do people do who don't have them sitting right there in the top compartment of the toolbox in a corner of their living room? And why haven't there been any personal-injury lawsuits yet from all the people who've tried using a box-cutter or other sharp knife, which always gouges out sideways in a wickedly unpredictable and unsafe way?
Based on the pictures at http://www.geocities.com/WestHollywood/9172/enfiel d.html and some exploring in Google Earth, I *think* it is here:
C T&ie=UTF8&z=17&ll=42.008888,-72.516053&spn=0.00490 3,0.012445&t=h&om=1
http://maps.google.com/maps?f=q&hl=en&q=Enfield,+
(But I'm not sure.)