OS upgrades require ever more horsepower and the Wintel oligopoly forces us to constantly upgrade. Dual core? Of course - the new 3D holographic dancing Princess Leia UI in Vista will require it. Of course MSO 2007 will require it. Of course IE7.5 will require it. Of course Windows DRM will require it.
And the hardware companies are more than happy to sell it to us.
We're @ MSO 2002 and that's really only for new corporate builds - we still install MSO 2000 to folks who want it. There is absolutely no reason from a corporate perspective to worry about upgrading office and if MSO 2007 doesn't come in until 2008 and then of course gets the serious bug fixes 2Q2009 then who really cares? Our MSO 2000 and 2002 installations will be upgraded to 2003.
Why do I have this nagging feeling that this will fix exactly NOTHING from a security perspective and instead is meant to drag us evermore into MS's tentacles? I honestly can't imagine MS ever doing anything just because it's a good idea. MS first and foremost thinks of what's good for MS. You are a side effect. That is their business model. Mod me down as a hater but prove me wrong first.
Large companies are not leaders, they're followers. If you are an ISP or hosting provider and you have 20,000 servers on the floor and you have a few hundred instances of openSSH out there, it's because it's cheaper to acquire, deploy and own. It has very little to do with whether it's good or bad. So if openSSH stops being supported, here is what will happen. Companies will note that fact and stick a calendar item out there for the last day of support for that product. They are probably ALREADY backlevel so another level or two won't matter. Your customers really won't notice that much because they'll figure that you're coming after them for more money for a product you yourself should be paying for. The installed code will get older and older until about 2 years from now someone from the project office pulls together a project plan for replacing openSSH in the next fiscal year. It will get no more than 70% of the requested financing and the implementation costs will be 2x the estimate. This will yield about a 50% replacement rate and you will now have 50% a new vendor product and 50% old unsupported openSSH. Lather, rinse, repeat. In the meantime the business controls people will put a risk acceptance variance in to note to the auditors that you are aware that openSSH is out of spec and unsupported and that the workaround is to get a funded project to replace it. Each RA lasts for one year so you will have at least 3 of these.
They have more or less concrete plans to decommission the shuttle fleet, and even if they don't have plans they won't be able to keep them flightworthy much longer. Meanwhile the replacement or next gen seems to be this vaporous imagineering of something or other, with perhaps an 8 or 10 year gap between the last shuttle flight and its replacement. Doesn't that seem like they're just quietly putting manned missions down for good?
We'd better be friends with the Russians and the Chinese who will have the only manned launch capability at that point.
Even when it was a so-called supported product, we could never understand why they had zero interest in developing a browser. When they finally did, it was a personal project of guys inside IBM that got productized but basically not supported. Similarly the NNTP client and a bunch of other stuff like that.
We could never understand why IBM could NEVER fix the single-threaded IO queue no matter how many times we complained about it.
We could never understand why they never made an effort to improve or at least fix the fixpack process, which as often as not could leave you with a non-operating system.
We could never understand why the desktop utilities were so incomplete that freeware or shareware like FM/2 were necessary.
We could never understand why we could get a bunch of APPC/APPM com tech support engineers on the phone but NO ONE inside the company was allowed to acknowledge the existence of Ethernet.
In normal use even with resident scanners like spybot and avast and a firewall you're going to pick up 20 COOKIES which the tool flags as spyware.
But I've been wrestling with a hijacker-infected machine that seems resolute. I have maybe one or more things to try before I give up on removing it. Most of the popups start a blank browser window at least, because I scrupulously add all those URLs to the 127.0.0.1 section of my HOSTS file. But it's still a pain.
Anyway if you stop running your resident scanners for any amount of time you'll get spyware up the wazoo -- worse than mere cookies, where regularly pushing a few buttons eliminated 90% of the scrubbing the spyware scanners would otherwise have to do. In fact I've stopped running my spyware scrubbers very much, just as I rely on my resident AV scanner and no longer run a manual AV scan except very rarely.
I meticulously set up my home LAN machines as well as my college student's machines to have firewalls and spyware scanners and AV scanners as well as resident scanners. I have the routers set up to deflect everything they are able. I turn off services I know are a problem, I have resident scanners for email, web, p2p, IM, the works. I run hijack and rootkit testers on all the clients and set up the machines to flush all their temp files and browser caches on shutdown. I have hosts files locked.
And I just watched someone look at an AV scanner popup, with colors and flashing lights, saying it had captured a bug - what do you want to do with it? And this person couldn't cancel it or ignore it fast enough.
That's fine but here's the rub. If MS wants to charge a premium for their own AV then it has to deliver some function that you can't get any other way. Which means that it will exploit undocumented features, or, if it doesn't exploit undocumented features then it has to be some feature set or API that they have to licence. If MS wants to licence APIs then we're in a whole new world.
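As an added defensive illustration (not code from the commenter above), a small Python audit of a Windows-style HOSTS file in the spirit of the sinkholing and locked-hosts-file setup just described: it separates deliberate 127.0.0.1/0.0.0.0 entries from entries that redirect a name to a real address or override a name the operator expects to leave alone, and reports whether the file is read-only. The sample file, the protected-name list and the .test domains are constructed for the example.

```python
import ipaddress
import os
from typing import Dict, List, NamedTuple, Union

# Constructed sample in Windows HOSTS syntax: a few ad/tracker names sent to
# 127.0.0.1 or 0.0.0.0 on purpose (the "127.0.0.1 section"), plus one entry of
# the kind a browser hijacker adds, pointing a legitimate name at another host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test        # sinkholed on purpose
0.0.0.0         popups.example-adserver.test
192.0.2.44      update.example-av.test          # not ours: redirects the AV update site
"""

# Hypothetical list of names the operator never wants overridden locally
# (assumption for this example: the update sites of the AV/OS vendors in use).
PROTECTED_NAMES = {"update.example-av.test", "update.example-os.test"}

# Addresses that make an entry a sinkhole rather than a redirection.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


class HostsEntry(NamedTuple):
    line_no: int
    address: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<address> <name> [<name> ...]' lines; '#' starts a comment."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field: skip rather than guess
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if names:
            entries.append(HostsEntry(line_no, address, names))
    return entries


def audit_hosts(text: str, protected=PROTECTED_NAMES) -> Dict[str, List[str]]:
    """Classify every name as a deliberate sinkhole or as suspicious.

    Suspicious means the name is redirected to a real address (its traffic now
    goes wherever the file's editor chose) or a protected name is overridden at
    all, even to 127.0.0.1, which would stop the machine reaching that site.
    """
    report: Dict[str, List[str]] = {"sinkholed": [], "suspicious": []}
    for entry in parse_hosts(text):
        for name in entry.names:
            if name == "localhost":
                continue  # the stock entry every hosts file carries
            if name not in protected and entry.address in SINKHOLE_ADDRESSES:
                report["sinkholed"].append(name)
            else:
                report["suspicious"].append(f"{name} -> {entry.address} (line {entry.line_no})")
    return report


def hosts_is_read_only(path: str) -> bool:
    """True when the current user cannot write the file ('locked' in the
    read-only-attribute sense). This does not inspect NTFS ACLs."""
    return os.path.exists(path) and not os.access(path, os.W_OK)


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed :", result["sinkholed"])
    print("suspicious:", result["suspicious"])
    # Standard Windows location; only meaningful when run on Windows.
    print("locked    :", hosts_is_read_only(r"C:\Windows\System32\drivers\etc\hosts"))
```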
Does Ford explicitly charge you for brakes?
On: No Anti-Virus in Vista
Let me see if I get this right. Implement a bad design that's vulnerable. Force people (more or less) to upgrade to it. Toss normal economic efficiencies out the window so that price never goes down. Then charge folks a premium for a bunch of extra tools meant to overcome the badly flawed design vulnerabilities?
This is like car companies charging you for brakes or airlines charging a premium for not crashing.
Here in Central North Carolina Dell was offered about 300 million dollars in tax rebates to locate a plant here. But the local conservatives and small business groups are up in arms that tax dollars should be spent at all, even if it is for jobs. Now the number of jobs is questionable so the criticism may be valid, but on the whole, in the US we prefer the Walmart model, which is to move into a local economy, destroy it, and then hire back some of the people to work in the local hypermart. Most local governments would rather have one Walmart with 1500 part time jobs than one software developer with 300 high paying jobs. So if it's going to be 1500 wage slave jobs then there's no need to fork over tax dollars to entice them when there's a bunch of hypermarts lining up to do it for 'free'.
Let Dell hire 100,000 people in India. Americans don't care as long as you don't spend tax money.
Without saying 'everything' what are the actual ranked or prioritized security issues at MS for Windows?
DRM? Spyware? Integrating tools that already exist into the MS sphere? Patch management? Time-to-fix cycles? Better security architecture? Other?
I get a creepy feeling that Mr. Nash gave either "Everything is important to us" or "You don't understand how much less complexity everyone else has to deal with" as a template answer. Which is unfortunate because it's a little self-serving. openBSD based Mac OS has the same suite of features and complexity that MS Windows does, for example. Most Linux/Unix on the SERVER side has as much complexity as Windows to deal with.
I just don't follow how not only is MS's own feature creep and out of control change management/version control problems a virtue but apparently it's my cross to patiently bear.
All we're really looking for, Mr. Nash, is MS's competent management of OUR expectations. What are YOUR priorities and how do you plan to address them?
But not because of licencing. Because of national interest. Recently a union threatened to shut down the power plants and oil refinery infrastructure via programming and the government was terrified at the prospect of not being able to get their software running, or, if something was done to damage it, fixed.
I get regular security vulnerability email alerts all the time. Just today there was a long list of potential problems with 10 different flavors of Linux, HP-UX, Cisco, OS/400, Z/OS and of course Windows.
Now the issue is, how bad is that? And the other question is, what is the cost-benefit of fixing it?
Many of the vulnerabilities in the alert I alluded to have the potential to be serious enough to warrant your attention, but this assumes that you already have NOTHING in place to protect yourself, that you've effectively not implemented any security infrastructure whatsoever. The probability of this is quite low.
But - and this is the big issue with Windows - your exposures surface out of EVERY SINGLE ordinary everyday common task you employ the machine to do. It would be as if every Cisco vulnerability surfaced specifically and only when it routed packets and only because it routed packets.
Therein lies the difference.
In the Mac world, no one is seriously suggesting that their BSD based OS is de facto immune from problems. What they're arguing convincingly is that those problems, when they arise, will arise out of non-common tasks and obscure problems that typically stem from operating your machines in a very nonstandard way to begin with. For instance the ordinary Mac user could, if they were motivated, run as root all day every day. But why would they? That's a nonstandard operation mode. Moreover the common problems you do see in the Mac world won't ordinarily occur because of executing common tasks that ordinary users employ their machines to do. You won't see many vulnerabilities exploited the same way that simply using AOLIM or Limewire or reading a rich email or any of the other innumerable problems in Windows stem from.
I do this kind of thing for a living. We have zero people regularly staffing lights-out colo cages all over the world. We're not within a few hundred miles of any server. On the odd instance that we have to reseat a blade or physically unplug a server or replace a patch cord, we contract someone locally to do that under our supervision.
The only exception to this is where local law requires us to do this as in some EU countries.
But WTF do I know, I get modded for trolling and I've only been in IT for 25 years?
Excuse me and thanks for the insult. You must be a /. mod or groupie.
Our support ratio, oh being of celestial intelligence, is, wait let me check MY figures.... yeah about 250:1 I think they're still mediocre.
BTW oh brain of computing intelligence far beyond the comprehension of mere mortals... the article was (now breathe deep...) /. so I couldn't read TFA.
Thanks again for talking out your fucking ass like so many noob dickwads at /. who think that having an opinion about something they read online is not only the same as having real experience, but even better.
The basic mechanism of MS Update is fragile and prone to break for any number of obscure reasons that MS can't or won't address. Even on MS's own support pages there are innumerable references to the obscure yet popular 'cannot install update' or any number of other vague problems. Often the fix is to record the fix number then root around in the download areas, download them and install them by hand. BTW this doesn't work for many hardware drivers.
So MS can roll out all the fixes they want. As long as they insist on using that scheme instead of the more simple one - send out a URL, link, download, execute - they're going to suffer through lots of machines that don't get updated at all.
With inadequate RAM and slow graphics, and they'll just put the real requirements as EXTRAS in small print in the footnotes just like they do now.
"Get your Dell/Tiger/HP/Greybox/eMachines....for only $399!! We'll throw in a free printer."
And then you dump an extra $150 in to make it run right.
No NON-Microsoft products in his house.
And make sure you squawk and cluck and complain if the person next to you dares talk on the phone.
Paying to watch commercials? Oh yeah.
I quit. People are morons.
We had to modify our payroll system in 1987 to be able to cut a check with 8 digits to the left of the decimal for one broker.
Including the sparse failover functions? Screw Windows, I'll replace Sun and AIX!!!
It just struck me as funny that then you would work hard to protect FAKE information.
Concerned about privacy issue and the thing you're trying to protect is your VIP Shoppers card? Wow.
It's mediocre at best. Even with 'only' 200 admins that's a support ratio of 50:1 which is not all that great. We do 3-4x easily.