Still, what can one do against users who do not care if they have a worm or not? Should we invent a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free" activists on it again :-/
Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.
Nice idea, but I was thinking of something more along the lines of a bat. You could put big letters on the side, "CLUE", if you wish. Then, every time you find a relative (remember folks, it starts at home) doing something computer stupid, you use the bat.
We could break the back of this virus problem, literally.
Yeah...
Exactly how is badmouthing causing a deal to be delayed? Sounds like a piss-poor excuse. There is no excuse for a deal not being made before the plug was pulled. Sounds to me like the badmouthing and uproar is having a positive effect.
Are you kidding? Do you have any idea how political this all can be? If people aren't genuinely interested in moving a product forward, if they are more interested in their ego and dick size, then a project can be stalled indefinitely, regardless of what it is.
"I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."
Wait... he can't be saying what I think he's saying, can he?
Excuse me, I'm going to go do this type of "proactive security" for my "customers".
You know I couldn't resist covering this story. Microsoft's Steve Ballmer picked up his glove and slapped Linux across the face in a speech given at an industry conference thrown by...who else, Gartner?
In his speech, he said some peculiar things about security:
"Ballmer... disputed the notion that open-source code is more secure than Windows. 'The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher,' he said.
"'The vulnerabilities are there. The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality. Not saying we are the cat's meow here--I'm saying it is absolutely not good reasoning to think you will get better quality out of Linux.'"
Ballmer's being a naughty boy again. China indeed. "In the middle of the night." Trying to frighten the children with overtones. And playing with numbers. What year is it again? Red Hat 6? Pardon me for pointing it out, but they are up to 9 now. He's choosing a 150-day period from back in the day -- and I wonder how long it took to pick the best segment of time to use -- and using that for comparison? There is a lot that can be said about this, but it's not really necessary to do any research on this sad subject, I don't think. Everyone on a Windows box just went through the worst summer and fall of security issues of all time. They already know he's just...well, what would be the precise word here? You hate to say lying. It's so cold.
However, let's do a little research, just for fun.
Judge for yourself which operating system is more vulnerable to security problems by going down the list on CERT's Incident Notes page. It goes back to 1998. And here is their Current Activity page. It's almost all Microsoft issues. Here's their Vulnerabilities Notes page. It's all Microsoft, except for one, which isn't Linux. Here is their most recent quarterly summary. And after you look at all the data, what do you think now? Was Mr. Ballmer accurate? The only way I could find Linux prominently on any list was to type it into the Customized Search engine by itself on this page, and then when you get to the list, it's a list for all vulnerabilities of all the distributions of Linux, not just Red Hat. I couldn't find anything equivalent to Microsoft announcing a vulnerability and then saying there was no patch and you should just shut that particular functionality down. Ballmer said there were 17 critical vulnerabilities in Windows 2000 in the 150-day period and that Red Hat had considerably more. But look at the list: it shows only 16 vulnerabilities for all flavors of Linux for the entire year of 2000. CERT only lists the big ones, but Ballmer did say "critical". It makes you wonder where he got his numbers from or how he defines "critical".
Funny he would choose such an old time period, don't you think, for his comparison? Maybe it's because looking at July through October of this year would be devastating? I see only two Linux vulnerabilities on the list for that time period, both buffer overflow vulnerabilities, so evidently there has been considerable improvement on the Linux side.
Look at what could happen to you on a Windows box in the first two weeks of September 2003, though, just using a handful of the many recent vulnerabilities here and here and here and here and here and here and here. I didn't include July and August or October or the rest of September, out of kindness. Now, what Mr. Ballmer needs to do is show me anything like that kind of news coverage of security vulnerabilities in GNU/Linux, for any two week period. And speaking of critical, look at what the results could be from the Windows security issues:
Perhaps it is not I who is desensitised, but you who is hypersensitive to something as trivial as this.
I don't enjoy being forced to use a bug-ridden software package that could, should I browse to the wrong site, allow a remote attacker to root my box.
So yeah, I am "hypersensitive".
Here's a clue, free of charge: It's your computer. Not MS's, not the RIAA's, not Apple's and not the MPAA's. Yours. You may do with it what you wish, and if that means allowing MS to tell you what apps you get to use, that's your choice.
Note, however, that that would not be my choice.
If you're going to try and bash MS, Taco, will you please post a story that actually shows MS doing something properly evil/insecure rather than just opening IE instead of the user's preferred browser?
Yes, folks, we've become this desensitized to MS crap.
I will use whatever browser I want, thank you very much. I don't want any application deciding what to do for me.
That only works if it's ok to reboot those machines at night. (Then again, neither does Windows, but I'm only one man in a 1400-man company.)
Makes me happy when people correct themselves. :)
Some of our machines are processing 24/7, and we have to wait until they can afford to reboot. And if some patches are waiting in queue, then the new ones don't get deployed until after the existing (waiting) patches are applied. SUS isn't meant for machines that need to do real processing, or at least it doesn't work well for them.
I would recommend you set up some sort of patching schedule (and SUS + group policies work well for this), maybe use a rotating schedule so there are at least a few systems online at any given time, but make this a "Company Policy". If it's expected, PHBs are usually cool with it.
That'd be nice if every machine were the same... some of us don't have that luxury in our business worlds.
As long as you have at least Win2k SP3 on your desktop, you should be good to go. Hell, you don't even need a domain controller to do this, although it certainly helps.
Serious question: what do you do when (a) the patch breaks {may or may not cause Windows to become unusable} (b) the patch breaks critical applications?
I fix it. Now, granted, we only have ~10 apps (all critical, though), and when this has happened, it's been due to other factors that the patch simply brought to light. Usually, a wipe and reload will do the trick, and while this is not pleasant in an organization of this size, it's the cost of business, I am afraid.
The other couple of times, when it's broken something and couldn't be fixed, it's been a matter of finding workarounds. Again, not the ideal solution, but one which we must work with if we are working with MS software.
(Note: A good perimeter security plan is essential, of course. That goes without saying.)
It did crash on both computers he tested it on. Maybe he should switch hardware.
Well, this being windows, were you expecting some sort of miracle?
Seriously, I wish they had used a different name for this service at the very least, but other than that it doesn't look too bad, when compared with the alternatives out there.
Granted, the first service to offer vorbis will have my money. But then, I tend to be a bit picky.
A) The software is beta
B) The issues the reviewer had seem to have been hardware-related, as was stated in the article
So, do slashdot editors READ the story they post? How about those that submit it? Do they just read half way, find something they don't like, and submit?
Typically, customers revolting against your software is the first sign that things, as they say, "ain't right(tm)". Sometimes, these are the precursors to the death of a company. Unfortunately, MS is so large, the normal rules go right out the window.
But if they finally are dying (which I doubt), we're in for a hell of a nasty ride.
I mean really, is this so big a concern? So you don't like saying the pledge with god references? TAKE THEM OUT. You don't like saying the pledge at all? DON'T.
See how simple that is?
Ok, here's my new pet theory, stop me if you've heard it. It wasn't an astroid that knocked out the dinosaurs, it was a severe period of solar storms.
Interesting, non?
The only problem with all the things I see here is that Darl and Co. will probably never see the inside of a prison cell, which is unfortunate.
We simply hang in there, hoping it will get better, blaming ourselves for the lack of content in their game.
"It's our fault", we say, "that I am not enjoying this as much as I did when I first started. If I just hang in there, and believe, it will all be ok"
We're sorta like battered wives, except we pay for the privilege.
You're the one who posted the article in the first place?
Yes, I provided the text for everyone to read, not for the karma points (which mean dick anyway).
Post it anonymously next time, karma whore.
Don't mod it up, fucking retard
Wednesday, October 22 2003 @ 06:44 AM EDT
Why don't you mellow out and use Linux, NetBSD, FreeBSD, OpenBSD, Solaris x86, or QNX then?
:)
Were it just me, I would in a heartbeat (a hummingbird heartbeat, even). But alas, I don't have that choice for my organization.
I do have a choice on the browser, which is currently Firebird.
Well holy shit, I am shocked.
They seemed like such a nice company, too.
Or common sense?
I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.
Last I checked, the default distro for qmail did not include qpopper.
Hell, I use courier-imap (SSL) to access my mail, so let me know if you have an exploit for that.
qmail, 4 years and counting.
Maybe they meant they make bugs faster?
I'm betting it's more along the lines of entropy calculations.
You know, the numbers that can be derived from the numbers that the chip produces? Yeah.
( :) - For the humor-impaired )