"Geez, you can't have the updated virus definitions automatically install themselves?"
The guy who wrote this is the guy who writes the virus definitions, not the one who installs them. Furthermore, it's the antivirus software that updates itself, not Windows. You, sir, are an idiot.
Andrew,
Have you ever read an M$ EULA? There's not a chance in hell that you could get a refund for losses caused by M$'s code, much less losses caused by security holes in M$' products exploited by a virus written by a 12-year-old with a kit. M$ only has to worry about their reputation, not their liability...
I'm not TOO familiar with the GPL... could someone please explain:
Can/would/does the GPL prevent the government from creating their own, proprietary distros and not publishing the code?
What are the rules about sharing the bins w/o sharing the source?
Under the terms of the GPL, what is the definition of an "entity"?
I have yet to see a thorough and definitive post on what is and isn't in the GPL. It's easy to see that the troll who wrote this report has taken an extremist/alarmist view on the subject, but just how far out of context are his/her arguments?
I can't remember where I saw the write-up on this (Wired maybe), but some folks from Colorado set up a co-op to do something like this... http://www.rric.net/
M$ is the only org that can view its source code, yet they never seem to find any of these problems on their own - it's always security companies or WhiteHats and they find them on an extraordinarily regular basis.
How many little bugs like this have been discovered by parties not so eager to publish their findings so M$ can create a fix for it?
What would happen if someone with know-how and malicious intent had 8-or-so new buffer overflows and decided to write a new NIMDA-like concept virus?
No offense to the security firms and WhiteHats out there, but it doesn't appear to be TOO impossible of a task to find holes in M$' products... that's why I brought up the 'christ, it's been here since IE was originally coded' comment - well, that and it indicates that M$ never went back to check the more obscure parts of their OS code (and let's admit it, IE is part of the OS) when Bill 'discovered' security earlier this year.
Really it's the sheer volume of holes that pisses me off - it says to me that M$ doesn't give a damn about the code they throw together and charge us out the a$$ for because they believe if no one can access the source code they can get away with it...
How about this for the *really serious* problem...
Internet Explorer, Outlook Express, and Windows Media Player are on virtually every M$ machine in a given network - they can't be removed. According to you... when a problem like this comes along, "Admins who are on the ball" need to go around to every desktop and server on their network, apply the patch, and (unless it's the odd 1 out of 1,000) reboot the machine.
The fact of the matter is that most "administrators who are on the ball" wouldn't install Outlook Express and Windows Media Player in the first place if they were given a choice. Furthermore, I might argue that some would prefer to deploy a more secure browser for desktop users, or uninstall IE completely from their servers. Honestly, why does a server need a browser anyway?
The real problem (or at least one of them ;) lies with M$ bundling unnecessary, insecure software with server and desktop OS releases - it means admins have to scramble to keep up with updates to software that they never wanted in the first place.
I do use and manage M$' "latest and greatest" on a daily basis and still hate them. The fact of the matter is that the hole is there, has always been there, and there's a good chance that it would still be there if M$' "Security through Obscurity" doctrine actually worked.
BTW, a security hole is a security hole is a security hole. If I remember correctly, NIMDA used 4 different M$ vulnerabilities to propagate. Are you implying that we should ignore this until someone figures out how to write a virus that uses this exploit? I don't believe you can disable the GOPHER protocol, can you?
What gets me is how much publicity this article has generated - it's all over SlashDot, Linux.com, and Wired just to name a few... The backlash is well deserved (they are full of it), but it almost seems like we're stoking the fire instead of letting this announcement sputter out in anonymity.
Did anyone else notice that this preview press release came out the day after Nader came out to the government in favor of Open Source - even though they aren't releasing it for another week? Coincidence?
I think we all can agree that this is M$ paid-for-schlock that will be ignored by anyone who knows their a$$ from a hole in the ground (much like their paid-for-'experts' in the anti-trust trial). What remains to be seen is how much credibility government leaders, the mainstream press, and business executives (i.e. those who don't necessarily know their a$$ from a hole in the ground) will give this report...
BTW, they describe OSS as "software that inherently requires that its blueprints, source code and architecture is made widely available to any person interested - without discretion." Does anyone know if there is anything that would keep the government from creating their own Linux distro and not releasing the code or bins to "any person interested - without discretion"?
I must have missed this one... http://slashdot.org/comments.pl?sid=33949&cid=3674476
"between releases you add small bits of functionality and fix bugs"
Wow, how nice would it be if M$ followed this model?
Hmmm... let me rephrase...
Just about every M$ server I know of is on at least a monthly reboot schedule. Nobody trusts M$ software to stay up and stable longer than that...