Win2k Security holes found
According to a story posted by ZDNN, two security holes have been found on Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service.
Re:Gold Master != Beta, Unless You Live In Redmond (Score:1)
How many bugs were found in the 1/3 of the Win98 source code that was allowed to be viewed by a lawyer by court order? 3000? For only $99.95!
People are idiots.
Re:Why Did MS Stop Version Numbers? (Score:1)
Actually you've overcomplicated it a little. The 'Option Pack' for NT 4 is a collection of programs you can add to NT which are not installed as standard. (Stuff like the distributed transaction coordinator, the transaction server, IIS, that sort of thing.) This has nothing to do with the version - that's a bit like complaining that Linux 2.3.4 with Apache is a different version number from Linux 2.3.4. In fact with Linux you have the potentially more confusing situation where the versions of the kernel and the distribution you're running are different.
The scheme they use is actually pretty simple - a product name, and a service pack number. They stopped putting version numbers into the main name of the product because their research indicated that this confused people - separating the product name from the release seemed to go down better.
And hey, it discourages them from charging for the bug fixes, which they used to do with carefree abandon.
Re:QA != Quality Control anymore (Score:2)
This replaced the previous term "Quality Control" which fell from favor in the mid-80's right after Car&Driver made a barbed comment about how it was a good thing GM had such a good Quality Control program because "after all, we wouldn't want it to get out of hand..."
Within a matter of months, Qwality teams across the nation had improved their processes for the naming of Qwality teams and QA had displaced QC. If they had just worked half that hard to improve real quality instead of just improving their image. (If I sound jaded, it's just because in my experience, Qwality teams are the closest thing you'll ever find to Dilbertian thinking in real life...)
Re:Yes, But How Can We Use This To Create Chaos? ( (Score:1)
Sure. You take Maxwell Smart, I'll take 99.
Predjudice. (Score:4)
------------------
Typical! (Score:3)
But I want to mention something about Microsoft that really irks me and should irk their customers too. And that is the following statement:
"Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure
I'm sorry, but I don't buy their statement about having tighter defaults. Almost all problems with Windows have been because of defaults. It seems to me that they should default everything off, and let the user have to go and turn what they need on.
Of course I don't like the way Red Hat does this either. I had to spend a few hours trying to figure out what Red Hat had default on. I forgot to turn off the "finger" utility until I noticed in my logs that someone was using it on my firewall. Now I do my security like I do my installs: Customize, turn everything off, then when I find something I need, I install/turn-on that service.
Steven Rostedt
yes but (Score:2)
So any comment about security holes in development kernels is totally unfounded. There is nothing development about win2k (of course, most linux users will exchange winks when encountering a statement like that).
The really funny thing is that MS is already releasing broken patches for a product that isn't even available yet!
NightHawk
[-1 flamebait to read]
Re:Rushing bites MS again... (Score:2)
Wired has been naming it as one of the top ten vapourware products of the year since '97.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re: (Score:2)
Re:How about all of the Linux security holes? (Score:2)
Re:Predjudice. (Score:2)
http://news.cnet.com/news/0-1003-200-1533081.html?tag=st
LOL (Score:3)
Customer: "My security has been breached!"
Consultant: "Well, it might appear to be a problem, but it's not really since Linux is never considered to have a stable release."
Customer: "What???"
Consultant: "No! No! You're not looking at it the right way. Linux is in perpetual beta, so it's not really a problem you're experiencing, it's just feedback in the beta cycle!"
--
Re:Predjudice. (Score:2)
Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc.
Nope, nothing compared. If you had actually read the article you would know that this affects final versions too; this is more like having a bug in the 2.2.0 kernel before any Linux distro issues a distro using this kernel. This would still be a stable kernel but not yet available in the form of a distribution.
How about this? (Score:2)
How about if I point out that they:
- have terrible testing processes
- rush too fast to get products out the door
- are almost totally inept in terms of security
- apparently have NO usability staff on hand
- should take the time they currently spend "decommoditizing protocols" and applying it to proper software engineering processes
Would any of those be acceptable as an alternative?
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
Re:How about all of the Linux security holes? (Score:2)
According to the poll [slashdot.org]
Linux is at 36%.
Windows(NT&9x) is at 30%
Although if you add in the "I hate everyone" crowd to Windows that pushes windows users over: at 38%. And we all know only windows users are angry at everyone.
Joseph Elwell.
Re:Predjudice. (Score:4)
http://news.cnet.com/news/0-1003-200-1533081.html?tag=st
Even The Register is saying how good Windows2000 is and they aren't exactly fans of MS over there.
http://www.theregister.co.uk/000124-000012.html
Re:Yet another mole-whacking opportunity (Score:3)
*pop*
*whack*
*pop*
*pop*
*whack*
*pop*
*pop*
*pop*
*pop**whack*
*pop**pop**pop**pop**pop**pop**pop**pop**pop*
*install linux*
Re:I'm glad (Score:3)
2.b) security hole ignored after reported, until the media hears about it
2.c) security hole denied for 3-6 months after it is common enough knowledge for the media to know about it.
In those regards, Microsoft has (apparently) come a long way in the last 9 months or so. I presume, without evidence, that it's because of the extremely bad rap the press was giving them over it, especially since the press (and influential sites like
[1] Yes, I'm aware of the recent article that compared various companies and found that MS only takes about 50% longer (IIRC) to deliver a patch than (say) Red Hat does. However, that article seems to be based on recent data, i.e. the post-reformation MS. Things were different not long ago. I remember seeing an article in the tech media last summer, titled "Same Hole, New Exploit". The author said in the first paragraph that the hole had been publicized over a year earlier, but no patch was yet available because MS was in denial mode.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re:Service packs [or lack thereof] (Score:4)
Not a direct MS quote though, just the CNet reporter paraphrasing Brian Valentine, senior vice president of the Windows Division. Saying that "the first version of the operating system will not need service packs or bug fixes like other software releases". Probably a case of sloppy journalism.
Why Did MS Stop Version Numbers? (Score:2)
Who the hell... (Score:2)
Service Pack 2 (Score:2)
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com [npsis.com]
Re:I assume... (Score:2)
But your points are moot. I can obtain Linux for free, and fix the bugs on my own. I can pay for Microsoft software and never be able to fix the problems without entering into a perpetual upgrade-payment cycle. I reserve the right to criticize anyone who wants my money, and is failing to deliver on products. I consistently forgive volunteers.
Re:Gold Master != Beta, Unless You Live In Redmond (Score:2)
How can it not be finalized when CDs have been sent off to the printers for mass duplication? How in the world is that not a final product?! The documentation is being printed, the boxes, too. The discs are flying off the printers - do you really, really believe that this product is in Microsoft's hands anymore? They certainly considered it finalized enough to put on store shelves.
And that's really the sad thing about how Microsoft does business. They go too damn fast, and leave all sorts of mistakes, bugs, security holes, etc. in the shipping version of the product. And that's a real shame, because there are going to be millions of people who buy this product, bugs and all - Microsoft's folly has just been writ large in the world's computer users.
Would it help if I told you that this bug will be in the shrinkwrapped product that will be on store shelves two and a half weeks from now? It's too late to go back and fix it - the bug will be there.
And the fix won't.
I hope that impresses upon you the gravity of these sorts of errors.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
Aha! (Score:4)
Makes sense to me
--
An oldie but a goodie . . (Score:3)
--
Bill Gates
_________________________
Re:I wish we did (Score:2)
No bug fixes (Score:2)
Re:Predjudice. (Score:2)
of course they do, you just did it. And if you'd taken the time to add tags, even the really lazy people would see that all new OSes will have bugs, ofttimes catastrophic ones.
'course I'm on your side for this one, the editorial comments on the headline for this story are horrendous.
Re:I assume... (Score:2)
You do realize that "Hey! You have the source code; you can fix it yourself! Isn't that cool?!" is not an acceptable answer to a client when they complain about a security problem?
--
This is the Real Thing (Score:2)
Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!
However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing. Trust me there will be more...
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com [npsis.com]
Mitigating vs. aggrievating circumstances (Score:4)
It is an undisputed fact that the increase in your bug count climbs far faster than the increase in your LOC count. Sometimes far faster, depending upon how "tightly integrated" you want to make the system. It's a simple matter of combinatorial explosion - 2N objects can interact in (2N)! - N! more ways than N objects can interact.
That's why everyone on the planet... with one notable exception... has tried to maintain firm barricades between subsystems. At first glance it isn't as "user friendly," but many of us feel that nothing is more user-hostile than programs ridden by an interminable series of bugs and general flakiness.
Many critics have publicly stated they doubt that Win2K will *ever* be stable. The sheer size of the code base means it's impossible for any one person to really understand what's going on, and that means it will be extremely difficult to avoid breaking Peter to fix Paul. That's why the reports that one of the two bug fixes introduced a third bug are so disturbing - this is exactly what you would expect to see from software that is simply too large to maintain.
It's still early in the game, but it looks like the critics won the first round. The real test in the next few months isn't the total number of bugs announced, it's the percentage of bug fixes which break something else. NT4 was notorious for requiring service packs to fix prior service packs, and there's now evidence (however thin) that Win2K will be far worse.
Re:Defending Microsoft - Come on?! (Score:2)
Let's get real... Microsoft or not, how realistic is it to release an ENTIRE OS and not have any bugs or security holes? Can anyone honestly say that they have NEVER had a Debian/Redhat/Mandrake/SuSE/Suckware/etc. distribution that DID NOT have any "security updates" or new packages to download to "fix bugs"?
My guess is NO. That's why utilities like autorpm and the Mandrake updater exist. Go to any of the Linux distro's sites, and you'll find Errata, Security Fixes, or something similar. I was just looking at several of them this morning!
Yes, it's fun to bash MS every now and then, and sometimes (more often than not) they deserve it. But give me a break -- 2 security holes? If that's all they've got so far, they're doing better than most of the Linux distros...
Security in general, with Win2K specifics... (Score:3)
On a broader note, I see a lot of messages saying that it is the fault of distributions etc that people get bitten by security holes. I disagree. If you have an active system administrator, it's his job to keep up to speed on these things. It's his job to know that he shouldn't run finger and wu-ftpd if the machine is just going to be a mail server. It's his job to evaluate what is on the machine and to run regular penetration tests. Saying it's the distribution's fault is wrong. I don't blame car manufacturers because in the default setting the steering will drive me straight into a wall.... I learn to drive rather.
One of the largest problems facing the growing Internet market is the amount of inexperienced sysadmins coming into the game. However, sysadmining is filled with a lot of chicken-and-egg situations. You can't get the experience of how to deal with situations without working, and you're dangerous in a work environment until you have this work experience. Tough one to solve.
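A concrete form of the audit this post (and the earlier "turn everything off, then turn on what you need" post) describes: compare what a box actually listens on against what its role requires. This is an added example, not code from the thread or from any of the products discussed; the listener snapshot is constructed sample data in a `proto/port process` shape you would distil from `netstat -ltnp` or `ss -ltnup`, and the mail-server allowlist is an assumption about one role.

```sh
#!/bin/sh
# Added example: audit listening services against a role-based allowlist.
# Everything below is constructed sample data, embedded so the script runs
# offline; in real use, feed it the live listener table instead.

# Assumed allowlist for a mail server: SMTP, submission, IMAPS, plus SSH for admin.
MAIL_SERVER_PORTS="tcp/22 tcp/25 tcp/587 tcp/993"

# CONSTRUCTED snapshot of what the machine is actually listening on.
SAMPLE_LISTENERS='tcp/22 sshd
tcp/25 sendmail
tcp/79 fingerd
tcp/21 wu-ftpd
tcp/587 sendmail
tcp/993 imapd
udp/111 portmap'

# Print every listener whose proto/port is not in the allowlist.
#   $1 = allowlist (space-separated proto/port entries)
#   $2 = listener snapshot, one "proto/port process" per line
unexpected_listeners() {
  allow="$1"
  printf '%s\n' "$2" | while read -r sock proc; do
    [ -n "$sock" ] || continue
    found=0
    for a in $allow; do
      if [ "$a" = "$sock" ]; then
        found=1
        break
      fi
    done
    if [ "$found" -eq 0 ]; then
      printf '%s %s\n' "$sock" "$proc"
    fi
  done
}

# Number of listeners the role does not account for (0 means the box is clean).
count_unexpected() {
  unexpected_listeners "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: report what a mail server has no business exposing.
echo "Listeners not needed by a mail server:"
unexpected_listeners "$MAIL_SERVER_PORTS" "$SAMPLE_LISTENERS"
echo "Total: $(count_unexpected "$MAIL_SERVER_PORTS" "$SAMPLE_LISTENERS")"
```

Run against the sample it flags fingerd, wu-ftpd and portmap, which is exactly the "evaluate what is on the machine" step the post asks of the sysadmin; swapping the allowlist per role (web, DNS, mail) turns it into a quick post-install check.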
Re:Yes, But How Can We Use This To Create Chaos? ( (Score:2)
Didn't anyone READ the LINK? (Score:2)
BTW, this was reported yesterday morning on the UK ZDNET and BugTraq, it took the US ZDNET editors a day to catch on....I patched my NT boxen yesterday morning.
Re:I wish we did (Score:2)
Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.
And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.
--
Re:LOL (Score:2)
Uh, the point of the whole thread is security breaches caused by bugs, not by incompetent security personnel.
P.S. If you think "plethora" is an advanced word, then, well, I think it's time to buy that "Power Vocabulary" course you've been eyeing.
--
Nope. (Score:2)
Linux 2.2.0 was not comparable (Score:2)
These bugs are in the version that Microsoft expected people to pay money for.
Besides which, the bug in question was, "Crash Linux". It wasn't a remotely exploitable hole, you needed to already have access to the box to (ab)use it.
Regards,
Ben
Warning: I am a rational IT professional (Score:5)
Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).
I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.
At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.
Period, end of discussion.
The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.
In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.
Everything clear?
Re:I assume... (Score:2)
And as for downloading it from the web, I would assume MS would also have that. I mean, they may be many things, but I don't think they're stupid enough to not post a bugfix on their website at this point.
___________________
Re:Gold Master != Beta, Unless You Live In Redmond (Score:2)
Microsoft has a better patch distribution system. At least they will if they provide something like the Windows Update site that is available in 98. That's something the various Linux distros really really need. Also, the speed of releases for security patches with 98 has been admirable. If they keep that pace with W2K then they will easily be competitive with the level of service provided by the various Linux distros.
Rushing bites MS again... (Score:4)
Re:The Doc Sayz (Score:2)
Missing the point slightly (Score:2)
I assume... (Score:2)
...that whenever a Linux security problem comes up (in ANY of the Linux packages, in ANY state of development), we will immediately see a headline in Slashdot about it?
SORRY! Just asking.
--
Re:Predjudice. (Score:2)
Yet another mole-whacking opportunity (Score:3)
*pop*
*whack*
*pop*
*whack*
*pop*
*whack*
Problem is most mole-whackers don't even know where to find the mallet, much less how to use it.
If you can't figure out how to mail me, don't.
Re:Predjudice. (Score:2)
Re:other suggestions: O/T (Score:2)
Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.
LOL! Oops... I think you're right. Still, the placement of the "quick go look it up" is next to the PLETHORA (in all scream-caps), and I hadn't read the "linux security sites" at that point in the sentence, so I think most computer language parsers would back me up on my interpretation. :)
--
I'm glad (Score:5)
1) security hole found prior to ship
2) security hole reported to MS on Jan 17th
3) tested patch issued and publicized Jan 28th
That sounds pretty decent to me.
-konstant
Yes! We are all individuals! I'm not!
Re:Security in general, with Win2K specifics... (Score:2)
Does running your own 24x7 server-type box (whatever OS) whilst at university count?
If not, then how DO you get experience without putting someone else's computer/company/future at risk (to be melodramatic)? Is it feasible for large companies to set up trainee sysadmin network "sandpits" for them to cut their teeth on, without being able to damage the integrity of the main network?
Just my random thoughts (and queries),
Skaff
How about all of the Linux security holes? (Score:3)
Re:Predjudice. (Score:5)
Wrong - this isn't development (Score:2)
Glass houses. (Score:5)
And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.
Re:I assume... (Score:3)
Not :Predjudice, experiance! (Score:2)
That disparity makes the case here. It IS a big deal on Win2k. It's not a big deal on Linux, because a fix WILL be out in less than a day.
Linux: How to GET where you want to go today.
Hey Rob, Thanks for that tarball!
I wish we did (Score:2)
Linux is going to get a bad name someday because millions of people out there have distributions which install with tons of (often unneeded) services on, and don't know enough to subscribe to a security mailing list or check for updated packages. It doesn't matter if Linux gets security fixes within 24 hours, if most people don't install them within 6 months. No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".
Re:I assume... (Score:2)
Also, in the case of a monopoly such as Microsoft, YES, they do make you wait for 6 months before releasing a patch (in the form of a Service Pack.) IIRC, you have to pay for these, much the way you have to pay for Win98 SR2, which was bugfixes for Win98. They're in the business of making money, not producing usable software. With real competition with something like Linux, they will either adapt, or crumble (I would think...)
Re:2.2.0 kernel (Score:2)
I'm not claiming that MS does this, but Red Hat obviously can't drag its feet when other distros acknowledge the existence of the bug in their releases. So RH will always be forced to be honest, and any company that admits to year-long lags is obviously fairly honest.
As for "scrounging the net" for fixes, you're either using the wrong distro or not using it correctly. Depending on your connectivity, you should be automatically notified within hours or days of any upgrade on your distro's security site.
Re:I'm glad (Score:2)
Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously.
No, Microsoft was very unlucky in that regard. Had this shown up in the hands of script kiddies MS would have issued forth a reeking stream of FUD about 'malicious hackers', which would have been quickly taken up by the 'tech news' media like ZDuhNET, and another million or so of the clueless would shake their heads and resolve to write their legislators that something must be done about "evil hackers" so that the internet can be made safe for business-, er, Microsoft.
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Re:Not surprising (Score:2)
Re:I'm glad (Score:2)
Problems already reported with "tested patch". Oops, back to the drawing board.
In Microsoft's defense, it's probably not a big deal that the news server is broken. Who runs news servers on Windows anyway? It's certainly not being run in the MS test labs.
-Jordan Henderson
Re:How about some honesty (Score:2)
So the fact that the bugs are in existing products somehow makes the bugs OK? Or are you just saying that because it's Microsoft, we can expect it, but that it's unfair to expect bugs in Microsoft products in newer ones? What exactly are you trying to prove here, that Microsoft has a bad rap for holes in new software, or that Microsoft software has a bad rap for holes in existing software? Does it really matter?
I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.
Basically, in addition to the lengthy 1-2 hour installation time that is expected, and the downloading and installing of updated drivers which is almost expected (as new hardware drivers get old fast also) one is also now required to get online immediately after installation and download patches for software which was broken before it was sold? Instead of engineering better products from scratch, we'll just give the users a permanent connection to a database of corrections and act like it's their fault if they forget to "update" once a week?
You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.
The perceived damage potential may be low, but a security breach is still a security breach. If Microsoft is going to make a product and market it as a secure server operating system, and it is not secure virtually from purchase onward, regardless of the degree of insecurity, they HAVE lied to the consumer. Underestimating the power of the cracker or even the script kiddie is generally a bad idea.
The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassociate
This doesn't seem obvious to me. Should an administrator really be required to compensate for the quirks or poor design of the system? Particularly true of Microsoft software, which is both expensive and marketed primarily as a simpler solution?
Don't take this the wrong way--it's not a flame. But people don't dislike MS's software so much as the hypocrisy. They pretend as though they are producing powerful, easy to use "solutions," yet more often than not, we are given costly systems which are difficult and counterintuitive to configure, subject to security holes inherent in poor design, and unable to provide non-destructive patches due to the archaic monstrosity which they are patching. Sure, it's their fault--they haven't rewritten Windows in a long, long time; a friend of mine suspects that there is probably still Pascal in there somewhere. But if they are going to try to sell us a powerful easy solution for large amounts of money, they had better be able to provide it.
Daniel
Re:Service packs [or lack thereof] (Score:2)
FOR A FACT: Internet connection sharing was NOT available for 98, you had to buy 98SE to get that feature!
FOR A FACT: You get EVERYTHING else if you download them from windowsupdate, or buy the cheap cd they put out.
Hey Rob, Thanks for that tarball!
Re:Predjudice. (Score:2)
That is the funniest sig I have seen in a long time!
Re:Gold Master != Beta, Unless You Live In Redmond (Score:2)
It's been said before by others in this thread, but I'll say it again here (whoever posted this bit earlier, kudos).
Not one of those fixes affected the kernel. They may have been in relation to one or another package, but they weren't security fixes in Linux.
There's also the point that security issues and other bugs in Linux and other free software are an integral part of the evolution process of those packages/systems. On average those fixes are published far faster than fixes for Windows. Those fixes do not destroy other functionality in the fashion of this newest patch or SP6.
And, I should mention, that there are far fewer of them necessary for Linux and similar packages than there are for Windows. How many security updates have there been for NT this year, anyway? 6?
My point is that security mistakes happen. The speed and effectiveness of those responses pretty well defines how secure an operating system is, since someone's always going to have a new attack. Fixes to Linux packages are fast and clean. Windows fixes have this nasty habit of breaking other parts of the OS.
Either way, Microsoft blew it.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
Re:Defending Microsoft (Score:3)
Office is the only software that Microsoft produces which caters to 10% of its target market all of the time - rather than putting in features for the 90% case.
Why?
Because it's the only product they make where everyone in their target market requires a completely different set of features - any given person will probably only use 10% of the functionality available. However, take any of it out, and they're cutting out a massive chunk of the market.
Also, with the new installer, things should be more stable - because it forces better encapsulation of the underlying code (because you can install it in nice feature-sized chunks).
As for tipping over five times a day? What the hell are you doing to that poor thing? I've never seen Office crash once never mind five times in a single day!
Simon
Re:I'm glad (Score:5)
1) security hole found prior to ship
2) security hole reported to MS on Jan 17th
3) tested patch issued and publicized Jan 28th
That sounds pretty decent to me.
Except that the hotfix breaks functionality... Define "tested."
This is nothing new. Look at SP6, which broke Winsock (how did THAT get out the door?), so SP6a was released... then pulled... then re-released, although it was hard to tell which SP you were getting, since SP6 web pages and downloads were still posted and linked to...
MS has released 6 security fixes so far this year for NT4... That's 1.5 security fixes per week for an operating system that was released how many years ago?
So, they can scream all they want about 128 bit encryption providing their security, but encryption doesn't mean squat if there are holes in the underlying foundation.
Defending Microsoft (Score:5)
But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".
And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.
Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.
Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.
Re:Service packs [or lack thereof] (Score:2)
Did MS make it clear that most everything that Windows 98 SE had that Windows 98 didn't was available for free? Most people won't use Internet Connection Sharing.
-Jordan Henderson
"Non-BETA" in Linux terms is a state of mind (Score:2)
Considering anyone can run into the kernel code and hack away at any moment on a non-beta release of Linux, I guess it would turn back into beta in that particular installation.
I find it particularly funny that Linux people are so anti-MS, they don't even want to pay attention to the fact that there is always the right tool for the right job. Some jobs work better with Linux, some better with MS products.
You can rant and rage about MS all you want, but there are security issues in all OSes regardless of their lifecycle state. You can detect all detectable bugs, but you can't detect undetected bugs.
Re:How about all of the Linux security holes? (Score:5)
In other words, security holes in Linux (and other free software) are reported on Slashdot. Your statement appears to be a misleading one intended to incite others to fear, be uncertain about, or doubt the honesty of the Slashdot editors. Isn't that what FUD is all about?
Further, keep in mind that while Microsoft thinks itself to be hurt by the reporting of security holes in its products, Linux is not hurt by the reporting of security holes in Linux-related software. Bug-reporting is a threat to the proprietary-software model, but it is an element of the success of the free-software model.
No patch out as of yet (Score:3)
Dammit, I'll only say it once more! (Score:2)
- Bill Gates, former CEO, Microsoft
Re:Service packs [or lack thereof] (Score:2)
Naaah... They learned their lesson long ago on that one. You can't continue to have record quarters if you give away Betas (Win2K betas cost quite a bit more than media cost), or give away patches/service releases (Win98 Special Edition).
They'll collect up the top 10 patches and put out Windows 2000 Special Edition and charge you full price.
-Jordan Henderson
Microsoft security. (Score:3)
I read an article about Unix permissions helping stop viruses, but with Windows we have something far more powerful.
Microsoft format is graphical where Linux does not have a graphical user interface [GUI]. This makes hacking a W2k more secure because things are not stored in plain text. Instead Microsoft stores things in fancy graphical text. This makes it harder for hackers to read.
Linux should really work on making a [GUI]; then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI. Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprise readiness" and "intuitive network applications" and "erp" that Windows does.
Just my 2 shillings.
Re:Warning: I am a rational IT professional (Score:2)
"There are no longer any mustfix bugs. So sign."
"That's because you deferred all the bugs. So I won't."
How about some honesty (Score:4)
#1) The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services).
As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K-only bug which is how
#2) The bug was discovered AFTER W2K went gold. They have released a patch for NT4 and W2K both that works right now for both. So, before W2K is released there is a fix. I don't know about you, but as soon as I finish installing Windows I rush to Windows Update to bring me fully up to date (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.
#3) You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.
#4) The exploit itself was reported to MS promptly and fixed quickly. The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISSAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassociate
Why don't we get a weekly update on Linux exploits and only biased pieces about MS problems?
Re:Prejudice. (Score:4)
> by bmetzler (bmetzler@twistedpair.net) on Wednesday December 15, @04:06PM EST (#240)
> (User Info) http://users.twistedpair.net/bmetzler/
>
> "It took us a while to get here, but that's because we were not ready to compromise,"
> Valentine said, promising that the first version of the operating system will not need
> service packs or bug fixes like other software releases.
>
> Can someone hang on to this story and rerun it when MS releases the first service
> pack for W2K?
Well, not the first service pack, but worthy of requoting...
Re:dude (Score:2)
Some alien chick in France gave birth to a 3000 pound elephant, and he's a Nazi and planning to take over Australia where he's going to signal Martians to come down and kill Jennifer Love Hewitt!!
Some alien chick??? That "alien chick" was actually the illegitimate love child of Elvis and Jackie O. Sheesh. Try to get it right, please.
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
other suggestions: O/T (Score:2)
Myriad is somewhat unique in that it can be used as a noun or an adjective. e.g.:
"There is a MYRIAD (quick go look it up) of linux security sites, as well as *BSD security sites."
but one can also say:
"There are MYRIAD (quick go look it up) linux security sites, as well as *BSD security sites."
Also nice would have been "INNUMBERABLE," "COUNTLESS," and "SUPERFLUITY."
Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.
___________________
Re:Rushing bites MS again... (Score:3)
This bug might not be from rushing. Eradicating all software bugs is like eradicating all cockroaches in the world. It just won't happen.
This is 2 bugs that are out before win2k is out.
This could happen with any OS. Linux v2.4 will be out some time before RedHat completes a version of their own. Bugs could be found in the kernel before RedHat ships.
And let's not forget that MS isn't open source, so if there are more bugs (guaranteed) that someone finds, then there will be more exploits and the only one to rely on for bug patches will be MS themselves.
Who do most people rely on when exploits are found in Linux/FreeBSD/etc.? If they are a developer, they probably turn to the developers who developed it. This is a sore point for Microsoft. If they are just a general user, they might turn to USENET, a local geek, or the distributor (RedHat/FreeBSD/Microsoft). My point is that even though Windows is closed, the users will most probably behave the same as if they owned a copy of RedHat Linux. Even if the bug is fixed by someone else besides one of the project developers, people will turn to the distributor.
When I say distributor, I am not talking about Cheap Bytes or CDW. I just can't think up a good word for it.
Why we should work for lazy people (Score:2)
Not really. Win98 comes close, at least. All that missing network functionality at least means there's less to break, and Windows Update means you can get patches when something is found broken, whether you're a security expert or not. Sure, in Windows' history it's been susceptible to remote-crash attacks more often than not, but I can't recall more than a few times it's been possible to "root" a stock Windows box remotely (not counting third-party products like mirc and ftp servers).
With Linux there's so much stuff open to the net by default that it seems like there's a remote root exploit every year. If you're security aware you'll be able to install the fix as soon as the world knows about the problem, but if you're not you're just a target.
updates are the user's responsibility. why should everyone work double for the lazy ppl?
Because that way we don't have a ripe population of insecure Linux boxes for viruses and worms to spread through?
Because that way Linux looks better in the press?
Because lazy people buy things like Unreal Tournament and CivCTP, and thus get companies to port those things to Linux so we can buy them too?
Because we have lazy or non-computer-geek friends and family whom we'd like to stop using Windows (and stop bugging us when it crashes), and we can't personally see to the security of every one of their machines?
Because distributions who do work double for lazy people sell more copies and make more money.
So we can achieve world domination! Duh.
Because sometimes *we* are inadvertently the lazy people. Deadangel, I notice your computer may be on a new distribution with no security updates required (and ssh installed; good for you), but the fact that you've still got telnet and linuxconf ports open to the net doesn't bode well for the future. (Sorry for the nmap, BTW; I hope you don't have any paranoid TCP/IP logging enabled)
Finally, because having the operating system checking its own security in a cron job means we have one more thing that the computer is doing for us, which is just technically better. Users shouldn't have to monitor a security mailing list when the computer can do that (and update programs from cryptographically signed packages) for us.
Re:You're talking bullshit. SP6 knocked out all po (Score:2)
If you want to make a point, do so. I don't see the reason for personal attacks. We don't need this antagonism on
I wasn't stupid enough to install sp6 until it had been in use for a couple of weeks and the problems had shaken out, so I didn't bother to read all of the RFC's. Why should I?
Take a fucking Valium and relax.
Re:I'm glad (Score:2)
2.2.0 kernel (Score:5)
Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!
However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.
Don't overlook the issue (Score:2)
Had Windows 2000 even been thought of yet, would people still be making such a fuss? Or are they simply out to bash the 'new product on the block' because it ships with a component that has an error.
You don't see people screaming about RedHat when they release a distro that contains and installs a buggy program by default. Hell, last time I installed RedHat it installed that crazy Gnome thing that has more bugs than an African river.
I guess I'm trying to say that this is simply being ridden for all people can get out of it in order to bash Windows 2000.
Re:Rushing bites MS again... (Score:2)
I wonder how many crackers have been participating in the beta program just to get the inside edge on this kind of stuff? (I don't know any, so don't send the police around, OK?)
> Guess is yet another push for the linux community.
Windows 19100 is going to be enormously popular when people find out you have to reboot when you install the patch. (And you thought Microsoft really "got it right this time", eh? It's a regular Unix killer, I'm tellin' ya!)
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Red Hat did not declare "6.1 will need no patches" (Score:2)
Of course, anyone who's had to deal with NT knows how hard to laugh at such a proclamation.
Gold Master != Beta, Unless You Live In Redmond. (Score:4)
The point is that this is a security hole - in an operating system that was promised to be secure. Further exacerbating the problem is that this software Is Not Beta. It is a GM release, and there is supposed to be a world of difference between a beta and a GM product.
Were this software a real beta, then it wouldn't require a downloadable patch when it finally hits store shelves. Win2k will - unless, of course, Microsoft is planning to destroy all existing shrinkwrap copies before they hit the shelves and issue a brand new GM, one which incorporates the patch. Instead, anyone who purchases Win2k will have to go download an upgrade.
There's a huge difference between beta and GM, and that difference is called "proper testing". Learn it. Live by it. Unless, of course, you make a practice of considering improperly tested, thoroughly buggy software to be of release quality. In which case, I wish you all the luck in the world. You're going to need it.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
Re:The Doc Sayz (Score:4)
Note that not every Microsoft security vulnerability out there is listed, either. Do a search on vulnerabilities by vendor for Microsoft at Security Focus, which is at http://www.securityfocus.com [securityfocus.com], to see all 235 vulnerabilities listed, most of which Slashdot missed.
Good resources for Linux security news, specifically, are Linux Weekly News at http://lwn.net/ [lwn.net] and its continually updated Daily Edition at http://lwn.net/daily/ [lwn.net]. For additional resources you can visit Linux.Com's security section at http://www.linux.com/security [linux.com].
Re:The Doc Sayz (Score:3)
Oh, wait, I'm sorry. There are Microsoft people on the BugTraq/CERT lists. Well, then how could they not know about the holes? ...
[ fade to a daughter sitting in her father's lap while he reads a story to her: ]
yes but.. (Score:2)
You don't pay primo money for a development linux kernel, either.
Windows 2000 will charge you up the hiney - once for the client version, and once for one of three server versions, and yet you get these huge, gaping bugs.
This isn't that big of a deal yet (Score:2)
One can argue about the wisdom of turning on unnecessary services, but that problem is not unique to Microsoft. When I installed SuSE, I had to go and basically clean out inetd. Still nothing terribly new there. That's unfortunate, but it's an industry-wide problem.
There will be security holes in W2K. If Microsoft responds more quickly and openly, and the holes are in add-on services rather than appearing systematically in the core, then maybe they're finally learning their lesson. My guess is that they'll do better than NT4 (they've really been taking a beating over this) but not as good as the better Linux/Unix distributions. But that's just a guess, too. Time will tell.
Re:In related news... (Score:2)
Explain: MS have actually hired some of the best Windoze security people lately. David LeBlanc for example. There was a message on Bugtraq today but I guess it is not in the archive yet. So do not expect them to post any more messages about Windoze vulnerabilities any more...
Re:You're talking bullshit. SP6 knocked out all po (Score:2)
not really (Score:2)
I find it ironic how you said "development linux kernel." Key word, "development." This thing wouldn't (more than likely) happen to linux due to extensive testing by many. MS doesn't do this with windows. Win2k had only 15 security programmers checking the entire code base! 15, for crying out loud! That's a lot of code for 150 coders to security check in such a short period of time!
Quite simply put, Microsoft screwed up. The product hasn't even been commercially available yet, and there are already two security holes, one that is fairly serious. The thing is, if this WERE the beta version of win2k, it would be tolerated or even acceptable. Maybe praised even, since the bugs would be found before final release. But no, these bugs are in the commercial release. For the price that MS is charging, it shouldn't be defective out of the box and require repair immediately. That's not good for the customer, and it certainly isn't good for product reliability.
If this type of thing were to happen in Linux on an even numbered kernel (they're all essentially developmental since they're always 'active' or open, right?), MS would have a heyday of FUD and there would be a great moral decline in the lands. Microsoft will probably get away with it, since they will try and hush it up.
*sigh* Little guys always get stepped on. But that's life. People should be a lot more angry about bugs like this than they are. I mean, two weeks is a LONG time to wait for a bug patch! Linux patches are out of the bag in less than a day, sometimes within an hour of the bug's discovery. I'm not aware of a single serious/semi-serious MS bug that has been patched in less than a week.
This was not intended as a MS-bash, although it may come across as one. Microsoft has one a lot of
-------
CAIMLAS