Microsoft's newest version of Windows....
December 20, 2001 10:30 AM   Subscribe

Microsoft's newest version of Windows.... billed as the most secure ever, contains several serious flaws that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The company released a free fix Thursday.

A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.
posted by bkdelong (56 comments total)
 
Doh!
Can you imagine if the fix WEREN'T free???
posted by aacheson at 10:35 AM on December 20, 2001


Microsoft's security bulletin with the patch.
posted by Mrmuhnrmuh at 10:43 AM on December 20, 2001


"The flaws...threatened to undermine widespread adoption of Microsoft's latest Windows software, which many hope will be an economic catalyst for the sagging technology industry."

The logical conclusion drawn from this article, then, is that undermining widespread adoption of Windows XP is the secret to economic stimulus during a recession. Not installing Linux would be un-American!
posted by Danelope at 10:45 AM on December 20, 2001


this must be the anti-terrorist service pack
posted by deftone at 10:56 AM on December 20, 2001


the only economic catalyst which would support the sagging technology industry would be some decent technology. gates, ballmer and company? they belong in jail.
posted by quonsar at 10:58 AM on December 20, 2001


gates, ballmer and company? they belong in jail.

For what exactly?
posted by eyeballkid at 10:59 AM on December 20, 2001


uh, what happened to that "worst hole ever" link? am I on crack? or did the content of the post just change before my eyes?
posted by twiggy at 11:04 AM on December 20, 2001


twiggy: it did
posted by eyeballkid at 11:07 AM on December 20, 2001


we now return to 'quonsar's desire', already in progress... ...'and the crowd goes wild as a sweating, skipping and hopping ballmer leads the troops in breathlessly chanting 'prison bitches! prison bitches! prison bitches! prison bitches!...'
posted by quonsar at 11:08 AM on December 20, 2001


link here
posted by eyeballkid at 11:08 AM on December 20, 2001


>> gates, ballmer and company? they belong in jail.
>
> For what exactly?

for selling a Virus Runtime Environment and calling it an OS.
posted by jfuller at 11:25 AM on December 20, 2001


There was a link in the post, and then it disappeared when I reloaded the page. Strange.
posted by tankboy at 11:27 AM on December 20, 2001


eyeball: for miring the advance of computer technology available to the masses in the same place for 30 years. for selling flawed, unreliable, self-destructing products to an unknowing and gullible public and costing untold millions in lost productivity, and for bald faced lying about it continuously. i'm sure you think i'm kidding. i assure you i am not. you may be one of those who measure the value of a firm by the performance of its stock, i measure by the performance of its product. you may be one of those who uncritically hops on the worship bandwagon of anybody who manages to amass large amounts of money and notoriety and powerful connections. i hop on the bandwagons of those who contribute positive outcomes to society. i firmly believe there are limits, that crass behavior in the marketplace is NOT 'just business', it's a crime, and if an individual can be imprisoned for misrepresentation and deceit and fraud then likewise for the executives of a corporation engaging in the same behavior.
posted by quonsar at 11:40 AM on December 20, 2001


Um...I have Win XP Home edition and I really like it.

Sorry if that's uncool.
posted by daragh at 11:43 AM on December 20, 2001


Windows has not held the industry back... rather windows has created the possibility of the massive growth we have seen.

A common, compatible environment run by the majority of users is the core factor that has let small companies provide inexpensive hardware and software - as well as push the envelope of technology as fast as we have.

Having made my living in the business of providing features to consumers I can tell you for sure that 90% of the projects the clients I worked for built would not have happened if they couldn't target a single environment with their development efforts.

There is a good reason why Windows has the high end abilities provided by Direct X and Linux is still trying to agree on a way to get accelerated 3D to work under X-Windows.

A common problem is that people who simply dislike Microsoft as a company blind themselves to any sort of objective look at the impact of Windows. They hate Bill, therefore Windows must suck.

One could have hoped for a more objective response from "geeks" being as they are theoretically more mired in logic and objectivity but no... when they hate they do so as blindly as anyone else. Too bad.

Windows has bugs. It happens. Every OS has bugs. Windows gets a lot of publicity for them... and that's good. But the patches and fixes are generally available on time and the incidence of real intrusions in an intelligently maintained Windows network approaches zero quickly.

*shrugs* It's popular in the tech world to hate Bill... it makes people feel like the rebel outsider intellectual geeks. Good for them :)

Me, I'll keep installing the OS that gives my client the best features for their task ... and more and more often that isn't Linux.

Especially given the recent complete failure of quality control in Linux releases and the loss of Alan Cox as a "reality check" on Linus, it's only going to get worse.
posted by soulhuntre at 12:10 PM on December 20, 2001


you may be one of those who uncritically hops on the worship bandwagon of anybody who manages to amass large amounts of money and notoriety and powerful connections

Wrong. I run Windows 2000 servers and SQL Server. I also use Win2kPro/Citrix MetaFrame on the client side. I find it's easier to work with than Linux (especially for users) and I understand that any operating system has vulnerabilities/shortcomings. If you think that Microsoft has held back the progress of computer technology, you are delusional. Since the advent of the GUI operating system, Macintosh, and the adoption of said interface type by Microsoft, the use of computers in the business and the home has multiplied a million-fold.

I'll agree that Microsoft's track record with security hasn't been the best of all possible worlds, but they are still very responsible about releasing fixes for said security problems. It is the /. type jihad rant that expects Microsoft to patch vulnerabilities in the OS seconds after someone has discovered them and then blames them when it takes some time (sometimes a week, sometimes a month) to examine said problem and write said patch.

As for Linux, I think it's a fantastic server operating system, but it hasn't really contributed to the spread of computer usage (and please don't cite back-end servers for the Internet as Linux's influence, that would be Unix). The only two apps that I could imagine modern computer users being able to understand on Linux are GIMP and StarOffice, and both suck compared to the products they ripped off.
posted by eyeballkid at 12:33 PM on December 20, 2001


Linux is still trying to agree on a way to get accelerated 3D to work under X-Windows.
Who said they're trying to agree?

(and what does this have to do with the thread?)
But the patches and fixes are generally available on time and the incidence of real intrusions in an intelligently maintained Windows network approaches zero quickly.
Obviously why some insurance companies charge 5 to 15% more for using Microsoft windows and there isn't an insurance company charging more for Linux.

All software has bugs, sure, but the problem I have with Microsoft is their response to bugs, more than anything.
posted by holloway at 12:34 PM on December 20, 2001


The RISK here is that a computing monoculture is fundamentally vulnerable at a single point (its cybernetic genome if you like) to a catastrophic failure. Likewise it should be possible to disable later Pentium chips by reprogramming the errata microcode. A mass failure of either half of Wintel could cause WTC-sized economic disasters, and that's leaving out the military possibilities. And it could be done from anywhere in the wired world.

Add in rumors of AQ infiltration into Redmond's codebase (however unlikely) and that whole NSAKey business and realize that the Windows codebase is closer to munitions than PGP even was.

Windows is an unregulated and vital utility. Time to release the source before it takes civilization down with it. (Though I'd be willing to accept 98/ME source and leave 2K and XP alone.)
posted by retrofut at 12:34 PM on December 20, 2001


Yes, I know the rule about self linking....but this sort of market effect was, well, cool to see.
posted by bkdelong at 12:37 PM on December 20, 2001


Eyeball (how's Bacchus?), a lot of coders at Slashdot would like it if MSFT's talented hordes would just properly handle simple errors like buffer over- and underruns — or, preferably, stop making them.
posted by retrofut at 12:41 PM on December 20, 2001


One of the interesting points from In the Beginning was the Command Line, an essay from Neal Stephenson, was that Linux would never have been written if not for Microsoft. Linus' motivation for writing Linux was so he could run a Unix on his cheap 386 computer. However, the only reason that there were cheap 386 computers at all was because the Windows clone market forced price competition on the clone makers. Proprietary hardware makers like Apple, IBM (irony unintentional), Sun, HP, etc. had little motivation to lower their hardware prices because if you wanted to run their software, you had to buy their hardware.
posted by boaz at 12:53 PM on December 20, 2001


It's popular in the tech world to hate Bill... it makes people feel like the rebel outsider intellectual geeks.

maybe it is, i dunno. i don't work in the tech world. i have never even seen linux run. the only thing i know about unix is what i fumble through on my leased server's shell account. i have been using computers since the vic-20. gates is a criminal, a liar, and presides over a company which produces shoddy product and engages routinely in egregious behavior. you obviously make your living via those shoddy products, implying that you yourself have misrepresented the products to your own clients, so don't expect me to give any credence to your spiel. NASA flew to the moon from scratch in ten years with the equivalent of a few commodore-64's worth of raw computing power, now THAT was some software. microsoft has been recycling DOS, a product they appropriated from another company, for 20 some years by progressively hanging a buggy gui on it. who's delusional?
posted by quonsar at 1:06 PM on December 20, 2001


That market graph wasn't all that interesting given that the graph's range was only $2.50. Oooh, the stock fell to its lowest price in six whole days! People are going to be defenestrating themselves over that!
posted by kindall at 1:16 PM on December 20, 2001


I think the real source of anti-Microsoft resentment is that just about anybody can use a Windows computer. Basically, it is a geek chic clique upset that the general public has now invaded their formerly hidden underground. More or less the same thing that happened to alternative music..

My response to it is the same as well. Grow up. Cool is for insecure kiddies.

Use the system that meets your needs and be tolerant of the others who use the system that meets theirs..
posted by srboisvert at 1:39 PM on December 20, 2001


defenestrating themselves
i love defenestration.
posted by quonsar at 1:42 PM on December 20, 2001


Cool is for insecure kiddies.
statements like this outrage me. let me give you some history. long before you were moisture, the personal computer was going to be an instrument of social change. computing was the realm of money, power and institutions. the personal computer was going to change all that. power to the people. (said with a straight face, damn you!) powerful, modular software for accomplishing common tasks would be available free or at cost. the individual would be empowered. instead we have proprietary crapware, hardware that is designed around said crapware, hardware that requires the authorization of the owners of said crapware to run, and no significant (non-cosmetic) advances since DOS and OS/2. this is because those in a position to bring about a betterment of society chose instead to maneuver for control of the whole computing magilla - and they are closer than ever to succeeding. microsoft has been taking a 25 year shit on you, and you think it's oil of olay because they keep saying it is.
posted by quonsar at 1:55 PM on December 20, 2001


I personally feel the other way around about it; that is, I hate Windows, and so Bill must suck. I don't feel he has any skill as a programmer; only as a usurper and exploiter, at which he seems to be without equal. Of course here he uses his power for evil, from the point of view of computer users, although the Bill and Melinda Gates Foundation does accomplish significant good with the fruits of that evil. Obviously good and evil are overly weighty words for such a discussion, but not by much. It is difficult to chalk his actions up to malice per se. It just bugs me that creating the best product doesn't matter, just being the best-promoted or having the best angle on everyone. It really just sticks in my craw, as they say. It also bugs me that Microsoft being such a monopoly creates such a single huge point of failure, and that failure happens so often. While small developers can target a single codebase with their efforts, small virus developers can also. This is as much a weakness as a strength. I would much rather see the basis of an operating system be more open, so that various developers could compete and still remain largely compatible.

Mark Twain once said, "When you find everyone agreeing with your opinion, it is time to find a new opinion." I think that there is some element of truth to this statement, and also to the idea that people hate windows because it is the cool thing to do. But Windows is not the optimal solution for every person's desktop computing needs, and the fact that it has come to such prominence as much through business machinations as through technical achievement irks me.
posted by donkeymon at 1:59 PM on December 20, 2001


Damn quonsar, can you even see the ground from that high horse you are on? And to top it off you're a fact-inventing buffoon. Microsoft Windows 2000, NT, and XP roots lie not in DOS, but in VAX/VMS. The NT code base was designed to emulate (provide the same APIs) the Windows 9x line (i.e. win32).

As for buggy, I have a total of 5 machines running Win2k, (3 pro, 2 server), this year I have had to reboot probably 10 times counting all the machines.

I mean come on, if you're going to complain about Microsoft's questionable business practices, that's one thing, but to be still complaining about buggy OS's??

And the last thing that I believe Microsoft does better than anyone is developer support. Microsoft Developer Network is bar none the best reference for programmers by a company. I mean seriously, have you ever tried to read a Redbook.
posted by patrickje at 2:03 PM on December 20, 2001


quonsar:
i don't work in the tech world.

along with:

you obviously make your living via those shoddy products, implying that you yourself have misrepresented the products to your own clients, so don't expect me to give any credence to your spiel.

That's just funny.

a) I hope by clients, you didn't think I meant people I sell things to, because I don't sell things.

and

b) I'm glad you liked the commodore64 and Vic-20. It's what I learned to program on, BASIC on those and PASCAL on the apple][e. As for Windows, XP and 2k are very much not DOS. Different filing system, different API/driver management.

c) I don't know why I'm arguing with your points since you have no facts to back them up.
posted by eyeballkid at 2:05 PM on December 20, 2001


It's days like this that make me embarrassed to be a slashdot kiddie Linux Zealot.
posted by holloway at 2:13 PM on December 20, 2001


[ I think the real source of anti-Microsoft resentment is that just about anybody can use a Windows computer. ]

That is definitely one source of resentment, but it doesn't explain it all. My resentment of Windows (but not MS) stems from it dominating the market when the market would be better served by a different OS. From the first MacOS to OS/2 to BeOS, there have been several superior (or at least comparable, I was never an OS/2 fan) OS. Windows survives not because it is the best in terms of technology or usability, but because of its momentum and apps.

I used to be a Linux diehard, but Linux probably won't be suitable for most people for several years, if ever. About a year ago I got sick of all the sysadmin stuff I had to do as a user, so I geeked out through the other end to Mac OS 9, and have transitioned to Mac OS X. Now I have all the good stuff that MS makes (IE and Office) without the mediocre (Windows).
posted by Llama-Lime at 2:13 PM on December 20, 2001


long before you were moisture, the personal computer was going to be an instrument of social change

And exactly who is to blame for that level of idealistic naivete?
posted by kindall at 2:19 PM on December 20, 2001


Good reading, via The Reg: Mandrake 8.1 Easier Than XP. Seems it all depends on the flavor of Linux to which you subscribe.
posted by Danelope at 2:45 PM on December 20, 2001


You shut up. No you shut up. No you shut up. No you shut up. Commie. Fascist. Jerk.

wheeeeeeeeeeeeeeee
posted by ook at 2:57 PM on December 20, 2001


(now i'm worried that nobody's gonna know what the heck I'm talking about)
posted by ook at 2:58 PM on December 20, 2001


If you have a firewall, blocking ports 1900 and 5000 will save you while you download the patch.
posted by holloway at 3:14 PM on December 20, 2001


Llama-lime: Windows survives not because it is the best in terms of technology or usability, but because of its momentum and apps.

Agreed. There are superior OSes, arguably; the problem (if one sees it as a problem) is that people are so used to Windows that if another system comes along that works better - even on a logical level - it faces a huge uphill battle just because a majority of software (consumer software) runs on Windows.

In addition, because people are used to Microsoft software, they expect viruses over email, they expect crashes, they expect hangs. XP may be more stable from a crashworthy standpoint but its security is Usual Microsoft Weakness. No one should expect that their friggin' email client or web browser will wreak havoc on their system. Alas, by putting all of corporate America's eggs in one basket, all it takes is one or two script kiddies to take it all out.
posted by hijinx at 4:25 PM on December 20, 2001


computing was the realm of money, power and institutions. the personal computer was going to change all that. power to the people. (said with a straight face, damn you!) powerful, modular software for accomplishing common tasks would be available free or at cost. the individual would be empowered. instead we have proprietary crapware, hardware that is designed around said crapware, hardware that requires the authorization of the owners of said crapware to run, and no significant (non-cosmetic) advances since DOS and OS/2.


Is inadequate technology the reason why the 'power to the people' vision of the PC pioneers has not come to pass?

What was to be the nature of the PC revolution? Empowering the small businessman with spreadsheets, the writer with desktop publishing, the lonely student with message boards? Communication, freedom to publish - the opportunity to associate with, discover, and build new communities of interest?

Cheap IBM clones and (more expensive) Apples gave people the power to acquire tools for these ends starting in the late '80s. Then the Internet and the Web coming on the scene in the '90s further advanced the social and technical conditions needed to empower the individual. Have people really failed to transform society with the computer because the computer isn't fast enough, or cheap enough, or easy enough to use yet? When you give the people computers, it doesn't change them into creative, dynamic revolutionaries. It gives them new ways to do things they already like - make money, look at porn, get the sports scores, gossip about TV stars. I am growing skeptical of the whole utopian world-view that seems to surround computing and technology. It started at least as early as TV - the dreams of TV and radio pioneers were just as great as those of Steve Jobs. People would listen to lectures, improve themselves, etc. And look what TV and radio became.

This is a pessimistic view, and at Christmas-time. Sorry about that! Computing hasn't changed the world not because its nature was obscured by greedy corporations, but because most people really don't care about changing the world.
posted by crunchburger at 4:37 PM on December 20, 2001


I'm a geek and a programmer. I don't hate MS because they made things easy.* I don't hate MS because they made PCs cheap.**

I hate MS because if I or others write mediocre software, or software that very few people care about, MS will leave me alone. As soon as I write great software, MS will use their monopoly to steal my ideas, crush my company, and then (probably worst of all) they'll say that by stealing my idea they were 'innovating.' They've done it to the folks who wrote DOS, they've done it to Apple, they did it to Netscape, they're doing it to Java, they're doing it to mp3 and ogg and Quicktime. And they'll do it to whoever threatens them next.
So... yeah, I hate them, because their mediocre software prevents great software from being written. And that is why I hate Microsoft.

*Apple made things easy, MS copied them, and I spend every day trying to make Linux easy.
**Bill's recent claims notwithstanding, IBM made PCs cheap and MS piggybacked on that.
posted by louie at 7:06 PM on December 20, 2001


louie: Microsoft bought QDOS (Quick and Dirty Operating System) and gave it the respectable name MSDOS. Perhaps you're thinking about the DOS replacement DRDOS?

(Or did they do something to the developers of QDOS too?)
posted by holloway at 7:28 PM on December 20, 2001


Louie,

That is exactly correct! That is why so many have said MS stifles innovation...and they do. It is frustrating when people say that MS has done wonders for innovation, when the exact opposite is true!

Hey All,

Please read Louie's post.
posted by jlachapell at 7:49 PM on December 20, 2001


Bah... ignore that one, try this DRDOS link. Quotes include, We need to create the reputation for problems and incompatibilities to undermine confidence to drdos6; so people will make judgments against it without knowing details or facts.
posted by holloway at 7:49 PM on December 20, 2001


OK, y'all. What are your thoughts on this? Actually useful? Or just plain stoopid?
posted by black8 at 8:09 PM on December 20, 2001


Just to play devil's advocate for a moment, it doesn't matter to me, Joe Consumer, whether Microsoft steals your idea and puts out their own implementation of it. The market is not about pleasing the software developers, it is about pleasing the consumer. I still end up with the functionality if Microsoft steals your idea, and why should I, as a consumer, care who brought it to me? In fact, I might prefer the idea be brought to me by Microsoft, since at least I know they're not going out of business tomorrow.

Now you could argue that if Microsoft keeps doing this that nobody will want to innovate anymore, but on the other hand, if this was going to happen, why hasn't it? Microsoft makes games, yet there is a healthy gaming market. Microsoft makes an OS, yet Apple is still in business, as are Sun, and of course the Linux people can't go out of business because they never were in business to begin with. Microsoft gives away a Web browser and e-mail client with the OS (not just on Windows but on the Mac), yet there are multiple competitors for both on both Windows and Mac, some of which are worth paying for. Adobe still owns publishing; Microsoft isn't even trying seriously to compete with Photoshop or Acrobat or Illustrator or even QuarkXPress (though it'd be easy to take on the arrogant Quark). Where's Microsoft's competitor for Flash, where's their Director? There's still Norton Utilities even though there's a disk repair utility and defragmenter built into Windows! Palm OS still exists and the only reason PocketPCs are finally starting to make inroads is because they have more features than Palm units. Despite Xbox, Playstation is still king of consoles, and Nintendo and Sega keep hanging in there. Do you know how many Windows applications there are? Even Microsoft cannot, and does not, compete with all of them.

I just don't entirely buy this theory that Microsoft Stifles All Innovation or even Most Innovation. I see lots and lots of innovation. In fact, you might say that by becoming the de facto standard, Windows has done more to encourage innovation than stifle it. Since nearly all developers target Windows preferentially, they are immediately in competition with each other. If Mac, Linux, and Windows all had equal marketshare, each developer could make a comfortable living on one platform, and the amount of competition in that OS's application market would be reduced by 2/3! Or a developer could try to support all three platforms but would require many more resources to do it, so only products from really big companies would be available on more than one platform, sort of the way it is now except more extreme.
posted by kindall at 8:26 PM on December 20, 2001


Eyeball (how's Bacchus?), a lot of coders at Slashdot would like it if MSFT's talented hordes would just properly handle simple errors like buffer over- and underruns — or, preferably, stop making them.

This of course is why about two-thirds of the security notices that come through my mailbox involve buffer problems for UNIX products. If we were keeping score, I would suggest that sendmail probably tops the list of software with the most frequent and most severe security bugs. However it seems that when irix, Linux, Apache, or sendmail are discovered to have a major security hole that isn't publicized to the same extent (which is really a shame, because sometimes we had to tell people to patch their workstations months after the security hole was discovered). This is on top of the fact that thousands of copies of Linux shipped in 1998 in 1999 with insecure configurations.

I think that the primary thing that saves Linux and other UNIX variants from large numbers of crack attempts is a relative obscurity. Having seriously used both I haven't extreme lack of faith in the inherent superior security of Linux. As with any operating system it is only as secure as the idiots at the keyboard. And I suspect that if everyone was using Linux that we would start seeing large number of worms that propagate from idiot mouse clicks.
posted by KirkJobSluder at 9:51 PM on December 20, 2001


Of course bugs aren't specific to Windows, only their ubiquity as a result of cowboy coding practices (you should hear what Intel people think of MSFT's code). (Note that newer languages tend to put wrappers around memory allocation and access, since that's where most of the errors occur [particularly in C and C++].)

Suggesting *nix is "too obscure to crack" ignores the fact that a majority of web servers are running *nix and Apache — that should be enough of a target.

BTW, except for Flight Simulator (the cash cow of the division) as of a few years ago all of MSFT's action/adventure/strategy games were developed by third parties and licensed. (They spent a lot on developing one in-house that died quite embarrassingly. The parties were good, though.) That may have changed since then, in fact the division may actually be making money now instead of losing a quarter-million a year.
posted by retrofut at 2:25 AM on December 21, 2001


Suggesting *nix is "too obscure to crack" ignores the fact that a majority of web servers are running *nix and Apache — that should be enough of a target.
What's the percentage? (I tried netcraft and got lost)
posted by holloway at 3:31 AM on December 21, 2001


the idea that people dislike monopolysoft because guis make computers easy to use holds no sway with me.

i would say that ms windows is not intuitively usable. it is not an easy to use or understand environment and it is not all of the things that ms often claim in their advertising. maybe osx is also flawed, i don't know, but i would bet it is a lot more intuitive to use.

i used to have to sell pcs to the public, and in doing so had to try to explain the windows interface on a daily basis. after a while, say ten minutes, the jovial patter starts to be difficult to maintain. you just want to say 'yes it is shit, but it is the shit that is now standard, i didn't make it so don't blame me.'

examples - the start/programs menu does not correspond to the 'program files' directory contents.

the 'shut down' dialogue box is accessed via the 'start' menu.

what is the point of having a drop down menu that does not contain all of its options by default?

counter-intuitive placing of system management controls.

windows (95/98) will not report the processor speed in system properties.

that's not to mention the vagaries of these ms products:

word

excel

ms visual basic

i can imagine selling xp is a bit of a challenge, given that upgrading your pc is not something that it encourages. i am led to believe that you have 3 'goes' at upgrading, then the thing stops working. also, re-installation is not allowed and to activate the software you must be online.

otherwise, you must call ms and register the software by phone. ms licencing is not consumer friendly.
posted by asok at 4:21 AM on December 21, 2001


Suggesting *nix is "too obscure to crack" ignores the fact that a majority of web servers are running *nix and Apache — that should be enough of a target.

again, which is why almost two-thirds of the security alerts that come through my mailbox involve UNIX products. Perhaps it is more correct to say that UNIX is not "too obscure to crack" but that no one aside from system administrators cares about the fact that UNIX products are cracked on a regular basis (if the volume of mail regarding security updates is any indication on the order of about once a week.)

After all, we are not talking about the buffer overflow in system 5 UNIX announced last week that permits a cracker to get root access to server or workstation.

When Windows is cracked, everybody makes a big stink about it. When Linux is cracked everybody shrugs the shoulders, applies the patch, and get on with their lives. After all, no one is calling for the programmers of SSH to be arrested because of the security vulnerability that permitted an unauthorized user from a banned host to get access to a system.
posted by KirkJobSluder at 7:12 AM on December 21, 2001


KirkJobSluder - at least you're getting the *nix security alerts. With MS, you just hope that you might find out about it from somebody before you're hacked - and you rarely find out from MS first.

Don't rank vulnerability by number of security alerts issued. Rank vulnerability by (a) severity, (b) likelihood, (c) response time. You get lots of *nix security alerts because they're very timely, but the stuff covered is not very severe (usually) and the likelihood of a hack is usually very low.

Whereas MS will issue one security alert to cover 4 months of problems and patches, the *nix crowd would issue one for each problem/patch as it occurs. That makes the count a rather poor metric.
posted by yesster at 8:49 AM on December 21, 2001


That is stretching the truth quite a bit. I've been getting Microsoft security alerts on the order of about once every two or three weeks. Almost all these alerts included a patch, and if not a patch an immediate suggestion for how to configure your system to protect yourself. Most of these alerts have come about with no reports of any actual exploitation of the bug. Granted I find out about most of these through helpful third parties that check the Microsoft Web sites for news of updates. But then again most of the UNIX alerts are coming from third parties also.

I also quite honestly disbelieve claims that the UNIX community is particularly on top of their security vulnerabilities. When I worked tech support it took us months to close down all of the stray copies of sendmail that were being used for DoS, mail bombing, and spamming. And sometimes we had to go through the process all over again every time somebody decided to start up a Linux Web server in their office. And in fact, the very fact that people are bothering to argue on this thread for a fictional invulnerability for Linux as opposed to Windows reveals that most of those participating in the argument know squat about security. The only secure computer is a computer with no networking locked in the bunker. If you run a computer, your question should not be "is it vulnerable" but "how long will it take for someone to find the holes in my security?" This attitude that Linux users have nothing to worry about in regards to security threats or mobile malicious code is quite dangerous.

Granted there are quite a few ways both Microsoft and the UNIX community could make it easier for users to patch holes as they are discovered. Microsoft actually has implemented one of those ways by configuring the system to automatically look for new operating system patches.
posted by KirkJobSluder at 9:45 AM on December 21, 2001


KJS - I fully agree with you that "secure" is a misnomer. And I agree that it would be nice if the OS hunted for its own updates.

Guess you and I don't have to be polarized on this.
posted by yesster at 11:06 AM on December 21, 2001


Anybody placing bets on how long it is till someone uses the bogus MSFT security certificate issued earlier this year to spoof system updates and install viruses or trojans instead?
posted by retrofut at 11:25 AM on December 21, 2001


Boaz, thank you for the Stephenson link, very interesting.
posted by emf at 12:23 AM on December 22, 2001


"properly handle simple errors like buffer over- and underruns — or, preferably, stop making them."

Well, since /. itself crashes fairly regularly because it can't handle the load, they might want to clean up their own act. And that's before we discuss the buffer problems and vulnerabilities in BIND and Sendmail.

As for this 60's era idea that only free (power to the people, right) stuff can empower the masses, I think it is pretty clear that this is far from a panacea nor is it the only way. personally, I think it's a staggering failure... but I'll be generous.

"Wintel" is the driving force that did bring power to the people. The market itself, the free market, commercialism and so on IS a path of empowerment for "the people". And as long as the obsolete and quaint notion that commercial == bad hangs on it will be seen that some folks just object to Windows on political grounds.

Political objections are fine, but don't pretend they have a technical basis.

Powerful, easy to use computers are available for less than $499. Almost anyone can use one to communicate globally through the internet and find a wealth of software (usually included) that will allow them to accomplish basic tasks. This all came about because of the drive for profit in a free market.

Oh, and I don't want to hear how the 'net is a free thing and not a product of commercial forces. That's true, but all the miles of cable and fiber and all the servers that make massive, easy and inexpensive connections (ISP's) are a product of a profit motive.

It was a nice idea, but like so many ideas from the 60's it should be allowed to die as the drug-induced fantasy it was.

Lindows? useful for Linux zealot types who want to try and trick some clients/friends into switching with buzzwords... but it won't ever be a mainstream environment worth dealing with.

"I just don't entirely buy this theory that Microsoft Stifles All Innovation or even Most Innovation. I see lots and lots of innovation. In fact, you might say that by becoming the defacto standard, Windows has done more to encourage innovation than stifle it."

Thank you! Almost perfectly said. Competition and innovation are rampant in the computing world... and MS isn't stopping so much of it - maybe, just maybe, the market will handle itself? Of course it

"Whereas MS will issue one security alert to cover 4 months of problems and patches, the *nix crowd would issue one for each problem/patch as it occurs. That makes the count a rather poor metric."

You clearly aren't admining MS systems. the hotfixes come out very quickly... usually at the same time or in parallel with the vulnerability announcement. There are cumulative patches yes, but hotfixes are small and usually target a specific flaw.

"Anybody placing bets on how long it is till someone uses the bogus MSFT security certificate issued earlier this year to spoof system updates and install viruses or trojans instead?"

Since that hole was patched, it won't be a problem for people who stay current :)
posted by soulhuntre at 11:39 AM on December 22, 2001


The market itself, the free market, commercialism and so on IS a path of empowerment for "the people". And as long as the obsolete and quaint notion that commercial == bad hangs on it will be seen that some folks just object to Windows on political grounds.
I haven't seen anyone in this thread against Microsoft because they're capitalist, or some higher principle. They tend to state specific examples of another security hole (insurance against hacks costs more for Microsoft operating systems due to historically bad security), or because of their restriction of competition through exclusivity deals, or maybe it's because Microsoft flaunts the law (handing over the doctored tape, as evidence, by accident - har!).
Lindows? useful for Linux zealot types who want to try and trick some clients/friends into switching with buzzwords... but it won't ever be a mainstream environment worth dealing with.
I tend to agree (about it never being successful - not the paranoid story about Linux zealots tricking people with buzzwords, that's just silly)
posted by holloway at 4:47 PM on December 22, 2001

