You can't just restrict your list of security holes to the kernel - NT's kernel has had only one security hole that I can think of in the entire time it's been released (almost 10 years), that one had to do with the debug privilege IIRC.
Most of the vulnerabilities found in Micro$oft products are in user-mode components (like dcom) that are included on the CD but can be disabled.
Just like linux.
You CAN make a strong claim that many vulnerable services on Linux are not enabled by default (Apache, Sendmail) while they are on Windows, but don't bring out the "If it ain't in the kernel, it's not a Linux vulnerability".
"Dave, a well-known architect of minicomputer systems, quickly assembled a team of engineers to design Microsoft's new technology (NT) operating system."
The closest thing it had to a code name (other than NT) was NT OS/2
The only way to get the code to execute was to actively try to break the copy protection on Word 2.0. If you were running under a debugger and had patched out the first two of the three anti-debugger checks, that message would be printed out, and Word would start randomly reading data off the disk.
Peter Norton found it by looking at the word binaries on the disk and put it into his column, and Microsoft had to pull it immediately.
Needless to say the intern involved never came back to Microsoft.
That it was marketed as being a better windows than windows.
So people said: "Hm. I can either buy better windows than windows from IBM, or I can buy the real thing from Microsoft. But I know that every single application written for Microsoft Windows will work with Windows from Microsoft. I don't know that they will work with Better Windows than Windows from IBM."
So they made the logical choice (for users) and said "Ok, I want to make sure that my stuff works, so I'm going to go with the choice that I KNOW will work."
And that means they chose Microsoft Windows.
That may annoy the/. crowd, who are all techie people who know that IBM really did do a better windows than windows, but that doesn't matter - the people who matter (those that buy the software that goes into the home/office) DID care, and they cared enough to send OS/2 2.1 into the dustbin. It's a real shame, but that's what happened.
The other problem that IBM had was that IBM concentrated on 16 bit computing, and being a better version of 16 bit windows than Microsoft's 16 bit windows at the same time that the rest of the world was shifting to 32 bit. They had a powerful 32 bit API set in OS/2 but they never widely evangelized the development community.
If IBM had actually marketted OS/2 to DEVELOPERS as a 32 bit operating system and had worked as hard as Microsoft did at wooing those developers, they would have had a chance, but they decided that their sales would come from "Better Windows than Windows" and ignored the 32 bit platform thing.
So along comes Microsoft and they pitched the Win32 API to ANYONE who would listen, starting at the first PDC, back in '91 or '92. And they had real CD's at that show with a real operating system that people could install. And they had rooms upon rooms of machines running Windows NT 3.1 to prove that it was the real deal. And they had half the development team for Windows NT IN those rooms talking to anyone who would listen. IBM didn't do anything like that to the development community.
And the hardcore evangelism worked. Developers flocked to the Win32 API in droves, wrote applications for NT and for Win9x and OS/2 disappeared.
Oh, and the fact that the OS/2 only printed on like 3 models of IBM printers didn't help OS/2 either. I can still remember Paul Maritz (maybe it was Bob Muglia) getting a STANDING OVATION at the first PDC when he announced that out-of-the-box Windows NT 3.1 would print on every printer that was supported by Windows 3.1. That was an unbelievably powerful statement to developers that were used to OS/2.
I'll accept that the Win2K redirector is broken, but I'm quite surprised that Joe would intentionally have put such a feature in.
I know that the NT 3.1->NT4 redirector did no such thing, having read the detailed design documents and been involved with the development of that redirector.
Yah, but that's not real world.
For example, in real world, you'd flip the switch on NT that changes it from being an application server to being a file&print server.
They didn't do that for the it-world test, but it makes a WORLD of difference on a real system (it massively increases the size of the disk cache).
NT out-of-the box isn't particularly good as a file&print server, just like *nix out-of-the-box isn't.
And the 8.3 fix isn't likely to break that many current apps. It certainly won't break any apps with a Win95 or greater logo, since the logo requirements for Win9x require that they support non 8.3 files.
Gabe's post never indicated the attack vector. It could have been a trojan through outlook, it could have been something else (poor passwords, a machine infected with a trojan that later VPN'ed into the corporate network, etc).
There's not enough information available externally to blame any attack vector.
Can you name ANY of the exploits that have been released into the wild over the past two years that weren't already patched by Microsoft? I can't - some of the patches had been out for over a year before the exploit was released.
Similarly for the exploits for ANY of the operating systems out there - the Cisco router exploit from August, the Linux LZW exploit from 6 months ago, etc.
There were patches available for ALL of those problems and the attacks were STILL a problem.
The problem isn't that Microsoft writes crappy code, or that Cisco writes crappy code, or that the open source community writes crappy code. The problem is that users don't keep on track of the patches available for their machines, and don't install those patches when they're available.
If you're going to hold Microsoft liable for their exploits, are you going to hold Linus liable for a linux exploit? If not, then why not? If it's not Linus who's responsible, then is it RedHat?
Russ's idea (which, btw, I think is UTTERLY stupid) is simply to move the responsibility of patching from the ISPs to the users that are propogating the problem.
Um. Every console ever shipped to this date was a loss leader. That's the way that the economics of game consoles works - you sell the console as a loss leader and make up the profits on the games.
This is true for EVERY existing console game out there.
Could you please provide a reference to that? Where did you read that M$ is cutting backwards compatibility in the new version of Office?
The article yesterday indicated that the DRM stuff was optional.
Early version of NT (up to NT 4) had GDI and user running in user mode (the graphics subsystem and windowing subsystems)
But drivers always ran in kernel mode.
All that moving them into the kernel did was to make the system faster. If GDI/User crashed when they were in user mode, the system would bluescreen, if GDI/User crashed when they were in kernel mode, the system would bluescreen.
Every class action lawsuit I've ever seen has a similar restriction placed on it.
When you join the class, you relinquish your rights to sue independantly. It's a classic trade-off. By joining the class, you get an immediate pay-off, however you lose the right to sue on your own.
If you avoid joining the class, you can sue on your own, but you stand a chance of losing a great deal of money if you don't win.
Nobody's forcing you to join the class though so...
Lots of little partitions is only good if you have lots of spindles.
Otherwise you're just causing your disk heads to thrash as they move from one partition to another.
Unnecessary head movement on your disk drive slows down your system performance, which is a bad thing on an enterprise server.
A single honking big partition is WAY better than lots of tiny partitions, UNLESS you've got lots of spindles on your drives, in which case you want to stripe/mirror them for fault tolerance.
I'm assuming that the disks in the machine in question is a typical machine configuration, and not connected to a SAN, if there's a SAN involved, the equations are significantly different (since the SAN has lots of spindles).
The issue isn't whether or not Linux had SMP support.
The issue is whether or not the source code in Linux was written by SCO or not.
Similarly, the comment in the topic about RCU being invented by Sequent is irrelevant. The issue is if the code that implements RCU in the Linux kernel was written by SCO.
If the code was written by SCO, then they have a case. If it wasn't, they don't.
Remember - SCO's not claiming patent infringement, they're claiming copyright violation. Their claim is that the Linux kernel contains code that was written by SCO and shared with IBM under SCO's license to IBM. They claim that IBM then turned around and inserted that code into the Linux kernel that they distributed, thus violating SCO's copyright.
Whether or not the concepts that are embodied in that code were original to SCO is utterly irrelevant to SCOs case. The ONLY issue is whether or not SCO's code appears in the Linux kernel.
If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).
It says about reporting security BREACHES.
Which is a whole 'nother ball of wax.
If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.
On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....
Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast. Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.
RTFA. The patch was to improve the compliance with several internet standards, and one of the things that was changed was to increase the key length from bits to 2048 bits. Which is improving the security of the connections.
Without there being a security flaw or problem found.
MS screwed up because they didn't test some 3rd party firewall that relied on MS being non compliant.
Slashdot Mirror
If it's on a linux distro, it's a part of the OS.
You can't just restrict your list of security holes to the kernel - NT's kernel has had only one security hole that I can think of in the entire time it's been released (almost 10 years), that one had to do with the debug privilege IIRC.
Most of the vulnerabilities found in Micro$oft products are in user-mode components (like dcom) that are included on the CD but can be disabled.
Just like linux.
You CAN make a strong claim that many vulnerable services on Linux are not enabled by default (Apache, Sendmail) while they are on Windows, but don't bring out the "If it ain't in the kernel, it's not a Linux vulnerability".
That dawg don' hunt.
According to Helen Custers, in Inside Windows NT:
"Dave, a well-known architect of minicomputer systems, quickly assembled a team of engineers to design Microsoft's new technology (NT) operating system."
The closest thing it had to a code name (other than NT) was NT OS/2
So what's your point? That consumer operating systems have to ship with the default logon as root?
The only way to get the code to execute was to actively try to break the copy protection on Word 2.0. If you were running under a debugger and had patched out the first two of the three anti-debugger checks, that message would be printed out, and Word would start randomly reading data off the disk.
Peter Norton found it by looking at the word binaries on the disk and put it into his column, and Microsoft had to pull it immediately.
Needless to say the intern involved never came back to Microsoft.
That it was marketed as being a better windows than windows.
/. crowd, who are all techie people who know that IBM really did do a better windows than windows, but that doesn't matter - the people who matter (those that buy the software that goes into the home/office) DID care, and they cared enough to send OS/2 2.1 into the dustbin. It's a real shame, but that's what happened.
So people said: "Hm. I can either buy better windows than windows from IBM, or I can buy the real thing from Microsoft. But I know that every single application written for Microsoft Windows will work with Windows from Microsoft. I don't know that they will work with Better Windows than Windows from IBM."
So they made the logical choice (for users) and said "Ok, I want to make sure that my stuff works, so I'm going to go with the choice that I KNOW will work."
And that means they chose Microsoft Windows.
That may annoy the
The other problem that IBM had was that IBM concentrated on 16 bit computing, and being a better version of 16 bit windows than Microsoft's 16 bit windows at the same time that the rest of the world was shifting to 32 bit. They had a powerful 32 bit API set in OS/2 but they never widely evangelized the development community.
If IBM had actually marketted OS/2 to DEVELOPERS as a 32 bit operating system and had worked as hard as Microsoft did at wooing those developers, they would have had a chance, but they decided that their sales would come from "Better Windows than Windows" and ignored the 32 bit platform thing.
So along comes Microsoft and they pitched the Win32 API to ANYONE who would listen, starting at the first PDC, back in '91 or '92. And they had real CD's at that show with a real operating system that people could install. And they had rooms upon rooms of machines running Windows NT 3.1 to prove that it was the real deal. And they had half the development team for Windows NT IN those rooms talking to anyone who would listen. IBM didn't do anything like that to the development community.
And the hardcore evangelism worked. Developers flocked to the Win32 API in droves, wrote applications for NT and for Win9x and OS/2 disappeared.
Oh, and the fact that the OS/2 only printed on like 3 models of IBM printers didn't help OS/2 either. I can still remember Paul Maritz (maybe it was Bob Muglia) getting a STANDING OVATION at the first PDC when he announced that out-of-the-box Windows NT 3.1 would print on every printer that was supported by Windows 3.1. That was an unbelievably powerful statement to developers that were used to OS/2.
That stupid MS email protocol - you mean Exchange? They're still using it, and it's not stupid, certainly not when compared to POP3.
MS Fortran was best-of-breed for PC fortran compilers for many years. Ditto Xenix.
DOS 1.0 was designed for a machine with 16K of RAM. You don't get a directory tree on 16K of RAM.
Notepad's 32K buffer went away with Windows NT 3.1.
NetBEUI's an IBM invention, not Microsoft.
http://msdn.microsoft.com
Check it out, it's amazing what they've put up on there.
Actually it was MCIS (Microsoft Commercial Internet Server), and it was intended to serve as the backbone for an ISP.
Nobody bought it. Literally.
With Exchange 2000, SMTP replaced X.400 completely, it's FAR from an afterthought.
I'll accept that the Win2K redirector is broken, but I'm quite surprised that Joe would intentionally have put such a feature in. I know that the NT 3.1->NT4 redirector did no such thing, having read the detailed design documents and been involved with the development of that redirector.
Yah, but that's not real world. For example, in real world, you'd flip the switch on NT that changes it from being an application server to being a file&print server. They didn't do that for the it-world test, but it makes a WORLD of difference on a real system (it massively increases the size of the disk cache). NT out-of-the box isn't particularly good as a file&print server, just like *nix out-of-the-box isn't. And the 8.3 fix isn't likely to break that many current apps. It certainly won't break any apps with a Win95 or greater logo, since the logo requirements for Win9x require that they support non 8.3 files.
Gabe's post never indicated the attack vector. It could have been a trojan through outlook, it could have been something else (poor passwords, a machine infected with a trojan that later VPN'ed into the corporate network, etc).
There's not enough information available externally to blame any attack vector.
And they'd been working on it for a while before that. I believe it sipped in 1985 though.
Can you name ANY of the exploits that have been released into the wild over the past two years that weren't already patched by Microsoft? I can't - some of the patches had been out for over a year before the exploit was released.
Similarly for the exploits for ANY of the operating systems out there - the Cisco router exploit from August, the Linux LZW exploit from 6 months ago, etc.
There were patches available for ALL of those problems and the attacks were STILL a problem.
The problem isn't that Microsoft writes crappy code, or that Cisco writes crappy code, or that the open source community writes crappy code. The problem is that users don't keep on track of the patches available for their machines, and don't install those patches when they're available.
If you're going to hold Microsoft liable for their exploits, are you going to hold Linus liable for a linux exploit? If not, then why not? If it's not Linus who's responsible, then is it RedHat?
Russ's idea (which, btw, I think is UTTERLY stupid) is simply to move the responsibility of patching from the ISPs to the users that are propogating the problem.
Um. Every console ever shipped to this date was a loss leader. That's the way that the economics of game consoles works - you sell the console as a loss leader and make up the profits on the games.
This is true for EVERY existing console game out there.
Could you please provide a reference to that? Where did you read that M$ is cutting backwards compatibility in the new version of Office? The article yesterday indicated that the DRM stuff was optional.
I want mod points to mod the parent up. It doesn't deserve to be moded 1.
Early version of NT (up to NT 4) had GDI and user running in user mode (the graphics subsystem and windowing subsystems)
But drivers always ran in kernel mode.
All that moving them into the kernel did was to make the system faster. If GDI/User crashed when they were in user mode, the system would bluescreen, if GDI/User crashed when they were in kernel mode, the system would bluescreen.
Every class action lawsuit I've ever seen has a similar restriction placed on it.
When you join the class, you relinquish your rights to sue independantly. It's a classic trade-off. By joining the class, you get an immediate pay-off, however you lose the right to sue on your own.
If you avoid joining the class, you can sue on your own, but you stand a chance of losing a great deal of money if you don't win.
Nobody's forcing you to join the class though so...
Lots of little partitions is only good if you have lots of spindles.
Otherwise you're just causing your disk heads to thrash as they move from one partition to another.
Unnecessary head movement on your disk drive slows down your system performance, which is a bad thing on an enterprise server.
A single honking big partition is WAY better than lots of tiny partitions, UNLESS you've got lots of spindles on your drives, in which case you want to stripe/mirror them for fault tolerance.
I'm assuming that the disks in the machine in question is a typical machine configuration, and not connected to a SAN, if there's a SAN involved, the equations are significantly different (since the SAN has lots of spindles).
Yeah, the filesystem that was already obsolete within a year of its initial release....
HPFS had a hard coded limit of 4G partitions.
And no amount of juggling could raise it.
That's why M$ ditched HPFS support in Win2K.
As several others have pointed out, I don't believe that SCO EVER had an issue with IBM's independantly implementing algorithms.
If IBM came up with similar code to SCO's there would be no dispute - IBM is probably within its rights to do that.
If IBM independantly came up with the exact same code, including comments that were in SCO's code however....
A good and valid point. Mod parent up please.
The issue isn't whether or not Linux had SMP support.
The issue is whether or not the source code in Linux was written by SCO or not.
Similarly, the comment in the topic about RCU being invented by Sequent is irrelevant. The issue is if the code that implements RCU in the Linux kernel was written by SCO.
If the code was written by SCO, then they have a case. If it wasn't, they don't.
Remember - SCO's not claiming patent infringement, they're claiming copyright violation. Their claim is that the Linux kernel contains code that was written by SCO and shared with IBM under SCO's license to IBM. They claim that IBM then turned around and inserted that code into the Linux kernel that they distributed, thus violating SCO's copyright.
Whether or not the concepts that are embodied in that code were original to SCO is utterly irrelevant to SCOs case. The ONLY issue is whether or not SCO's code appears in the Linux kernel.
If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).
It says about reporting security BREACHES.
Which is a whole 'nother ball of wax.
If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.
On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....
Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.
RTFA. The patch was to improve the compliance with several internet standards, and one of the things that was changed was to increase the key length from bits to 2048 bits. Which is improving the security of the connections. Without there being a security flaw or problem found. MS screwed up because they didn't test some 3rd party firewall that relied on MS being non compliant.