Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Microsoft

Microsoft Microsoft Microsoft 723 723

Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
This discussion has been archived. No new comments can be posted.

Microsoft Microsoft Microsoft

Comments Filter:
  • by Uttles (324447) <(uttles) (at) (gmail.com)> on Friday November 09, 2001 @03:54PM (#2545191) Homepage Journal
    I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...
    • . I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though.

      Remembering whom you are talking about should explain why they don't send this out. If they really had some competition they'd be letting you know, post haste. Ah, well, another reason why they should have been broken up for the good of the economy which wasn't done for the good of the economy.

      Yours.
      Theirs.

    • Microsoft posted the security bulletin PROMINENTLY in the bottom of a locked filing cabinet in an unused lavatory with a sign on the door that said, "Beware of the Leopard!"
    • by Tassach (137772) on Friday November 09, 2001 @04:14PM (#2545355)
      Any information that MS puts out is going to be a battle between engineering and PR -- The programmers probably want bugfixes announced prominantly, whereas the PR drones see this as a Bad Thing because it involves admitting that they screwed up in the first place.



      MS's windows update is a step in the right direction, but it sucks compared to Red Hat's up2date [redhat.com] program. It's a service that is well worth paying for. Even if you just download the Red Hat ISOs, consider subscribing to RHN [redhat.com] - you are supporting future Linux development and are getting a good service at a fair price. [Disclosure: I own RHAT stock]

    • by rtkluttz (244325) on Friday November 09, 2001 @04:23PM (#2545430) Homepage
      MS posted this bulletin to their security mailing list about 8:00 est today. They are doing a pretty good job of notifying everyone in the event of a failure. To get good, up to date information about security go to www.microsoft.com/security. They usually notify of new security issues and fixes within a day or so. The information is there and its not that hard to find. Just in case you still have trouble finding the link for the bulletin mailing list, here is the link. http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/notify.asp
    • by ergo98 (9391)

      I got this in my inbox at yesterday at 9:14pm (EST). If you really care about security with Windows machines look at this page [microsoft.com], specifically that [microsoft.com] mailing list service.

    • by Zico (14255) on Friday November 09, 2001 @04:46PM (#2545622)

      What is it exactly that you're so baffled by? Just because you've never seen them only shows your ignorance, since they've been sending these out for years now. As far as being in an obscure place, where would you expect to find it? I always use the direct link to the bulletin list (www.microsoft.com/technet/security/current.asp [microsoft.com]), but if I didn't know how to find it, I think I might try www.microsoft.com/security. And whaddaya know, there's a web page there and the second link on the left is for the Security Bulletin service. How obscure. *ahem*

    • by sheldon (2322) on Friday November 09, 2001 @05:33PM (#2545936)
      Go to www.microsoft.com

      Click on the link to the side that says "For IT Professionals"

      There are Security Bulletins highlighted in the upper right hand side of the page. The ones discussed here are listed, along with a link that says "More".

      Right on the top of that list is a link that says "Want to receive future security bulletins automatically?" You might want to click on that and subscribe.

      Now for home users, they have the WindowsUpdate feature which easily allows you to download patches. Plus it also includes links to find out more information about the patch... these links go to the security bulletins again.

      If Microsoft is hiding security bulletins, they are doing a piss poor job.
      • by ahaning (108463) on Friday November 09, 2001 @07:30PM (#2546558) Homepage Journal
        "For IT Professionals"?

        Ha! According to the bulletin, the people that should be reading this are:

        Customers using Microsoft® Internet Explorer

        That's quite a few people. And consider the link you have to click on. Most users of IE probably don't consider themselves IT Professionals. Heck, some of them are afraid to remove icons from their desktop because it might break Windows.

        You expect these people to:

        1) Visit www.microsoft.com. That's the boring site. They want www.msn.com or www.hotmail.com (these would be much better places to put bulletins.)

        2) Consider themselves IT Professionals. That means they have to be REALLY smart (yeah, sure).

        Basically, it IS hidden, especially for people to don't think to look for these security vulnerabilities. Microsoft may consider posting these bulletins in more prominent places. However, as someone above pointed out, there are probably battles between Marketing and the Developers (developers developers developers developers....) about what to make easily available.
  • I find it hard to believe that someone on slashdot would complain about webpages designed for IE not working.

    If MS security bugs encourages web designers to design gracefully degradable web pages, that's fine with me.
  • by instinctdesign (534196) on Friday November 09, 2001 @03:55PM (#2545201) Homepage
    Just as a disclaimer, I'm not one to defend Microsoft is most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge that there is more of a possibility that these bugs will be found and in many cases used for unfortunately bad purpouses. If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.

    That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
    • by gorilla (36491) on Friday November 09, 2001 @04:19PM (#2545394)
      Many of MS's problems aren't bugs, they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what can the enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
      • by Flower (31351) on Friday November 09, 2001 @04:35PM (#2545537) Homepage
        Couldn't put it better myself.

        I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on nobody will call to get it working. WFM is a similiar tale. It was designed to eliminate support calls but an employee realized it could be expanded to function like tripwire.

        Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.

    • I'm not sure I agree with this. I think that, in general, there are more bugs in Microsoft's software because there are fewer people looking at the code, not because there are more people looking at the end product.

      On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.

    • by Znork (31774) on Friday November 09, 2001 @04:29PM (#2545484)
      In the cases where Linux or unix has a majority market share Microsoft still leads the exploit statistics by far.

      Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (dont put everything in every program, dont have unlimited interoperation between everything) bad programming(dont use admin privilidges if not absolutely necessary, also a design issue maybe), bad installation policies (dont install everything or even anything but the basics by default), bad admins and bad will.

      The combination of these elements end up in software you dont want to be running because it will stink from a security point of view.

      So, no, you wouldnt have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among linux distribution vendors change to install everything insecurely by default, but hopefully that wont happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.
    • by iabervon (1971) on Friday November 09, 2001 @04:33PM (#2545521) Homepage Journal
      I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.

      Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grow faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.

      So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
  • by Anixamander (448308) on Friday November 09, 2001 @03:56PM (#2545206) Journal
    I'm just waiting for him to declare Windows XP to be "unsafe at any speed."
    • Reminds me of a .sig on the newsfroups:

      There is more to life than increasing its speed.
    • by Erore (8382) on Friday November 09, 2001 @05:24PM (#2545895)

      Sorry, I wrote this rant and just wanted to put it somewhere. Your mention of Unsafe at any Speed made me think of it.It is a response to Culp's comments last month.

      Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks. The people who wrote them have been rightly condemned as criminals. But they needed help to devastate our networks. And we in the security community gave it to them.

      By listing worms that attacked a variety of operating systems Culp makes it appear that the security threat is equal to all the players in the OS space. What he doesn't do is supply a severity to the listed worms that lets us see that the worst and most widespread of these attacks were against Microsoft systems. Microsoft's dominance in the OS space only increases their responsibility for security breaches, it does not justify their targetibility.

      It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them. We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.

      What it is high time for is Microsoft to take security seriously. Their operating systems have always been about ease of use, not security. Just like passenger and baggage check in US airports are about hasslefree service. We have seen one consequence of the airports security measures, and that terrible act is the only reason airport security is increasing. Numerous reports in the past few years have pointed to the insecurity of passenger air travel, yet the airlines took no notice. Code Red may well be the clarion call to reconsider the importance of security in your operating system. If your current vendor isn't supplying it, perhaps you should look elsewhere.

      Arming the Enemy

      First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay.

      According to Ralph Nader automobiles in the 60's were unsafe at any speed. He blew the whistle, and the groundswell response led to drastic changes in the manufacturing of automobiles and the responsibility of those manufacturers for the safety of the cars after the sale had occurred. Fastforward 30 years and juxtapose Microsoft for General Motors and you can hear the whistle blowing. Despite Microsofts attempts to hide behind groups such as the DMCA consumers and lawmakers will not continue to put up with the security risks using Microsoft products make them vulnerable to.

      If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.

      Do not fear he who hath power to kill your webserver, fear he who hath the power to crack your server, steal your financial data and destroy your very business. Prior to a security fix or announcement of a vulnerability you aren't even aware that your system is at risk. The sooner information is released to the consumer, the sooner they can make a business decision as to which is the greater cost: the possibility of having their system cracked and data stolen, bearing the cost in dollars and man hours to move to a more secure system, or the business impact of shutting an insecure service down until the security bug is fixed.

      The relationship between information anarchy and the recent spate of worms is undeniable. Every one of these worms exploited vulnerabilities for which step-by-step exploit instructions had been widely published. But the evidence is more far conclusive than that. Not only do the worms exploit the same vulnerabilities, they do so using the same techniques as were published - in some cases even going so far as to use the same file names and identical exploit code. This is not a coincidence. Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons.

      Again, who is it that we fear? The script kiddies who are all bark, but no bite, or the blackhats who have established user accounts on your servers and has your corporate network as their playground?

      Good Intentions Gone Awry

      Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security, by giving system administrators information on how to protect their systems, demonstrating the need for them to take action, and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.

      These methods are only antithetical when you have a dominant market position that is dependent upon people perceiving your products as being easy to use, secure, and hassle free to maintain.

      Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.

      Wrong. Providing the exact details of an exploit allows competent administrators or programmers to go to the source of a program or operating system and provide their own fix if none is available from the community at large or the creator of that program. Furthermore, a community made aware of an exploit is able to marshall its resources to provide a fix as soon as possible. Culp's position is only true in a closed source environment where the system administrator is nothing more than a mouse monkey whose idea of system administration and security are the point and click wizards provided by the vendor; or where the risk to customers of using vulnerable systems is weighed against marketing and PR concerns or the availability of programming resources and the cost of providing them.

      Likewise, if information anarchy is intended to spur users into defending their systems, the worms themselves conclusively show that it fails to do this. Long before the worms were built, vendors had delivered security patches that eliminated the vulnerabilities. In some cases, the fixes were available in multiple forms - singleton patches, cumulative patches, service packs, and so forth - as much as a year in advance. Yet when these worms tore through the user community, it was clear that few people had applied these fixes.

      Many people have faulted the patching process itself for the low uptake rate. Fair enough - we do need to make it easier for users to keep their systems secure, and Microsoft acknowledged this very point in a recent major security announcement. But if the current methods for protecting systems are ineffective, it makes it doubly important that we handle potentially destructive information with care.

      One of my cars had a factory recall, some sort of problem with the CV boots. The auto manufacturer contacted me, on more than one occasion, to let me know that my car had a potential problem, where I could go to get it fixed, and they said they would bear the cost to fix my car. I'm not certain which one of the myriad of forms I signed when I purchased the car that signed me up for this protection plan, but it sure did work. In my 7 years of administrating Microsoft networks, the hundreds of products I have registered with them and the thousands of times I have visited their website, never once has Microsoft contacted me to let me know about a security vulnerability in the product they sold me. Making the fix available is not the same as notifying people that there is a problem and a fix.

      Furthermore, like the boy who cried wolf, Microsoft products have so many vulnerabilities and the methods for keeping your systems patched are so time consuming that it can become a full time job just to keep on top of it. After awhile you just cry, "Enough!," I've got other things to do than babysit the Microsoft website to find out what the latest vulnerability is. I've subscribed to Microsoft Security alerts, and typically I have found them to be late in notifying me of problems and so filled with PR that it was hard for me to asses to true risk to my systems.

      Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.

      A very good point Culp, vendors must find other ways to protect their customers. What Microsoft has been doing is not sufficient. The whistle has been blown, the users hear it, and they know that Microsoft has not had their best interest in mind. If Microsoft had, they would have found ways to contact users of vulnerabilities and given users incentives to patch their systems.

      Responsible Handling is Key

      This is not a call to stop discussing vulnerabilities. Instead, it is a call for security professionals to draw a line beyond which we recognize that we are simply putting other people at risk. By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.

      "Fire" is not being called in a crowded movie house, a fire alarm is being pulled and people are making an orderly egress. The egress is to Apache, Linux, Solaris, and FreeBSD. I'm grateful for that fire alarm, without it I would have found myself surrounded in flames created by blackhats while a Microsoft infomercial drones on the screen telling me, "There is no fire." I've got news for you Mr. Gates, this isn't the Matrix, and we are not all plugged into your grand scheme. Some of us see where you are taking us not just today, but tomorrow, and we're going to stop you.

      Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is - that is, the type and extent of damage that an attacker could cause through it - and what users can do to protect their systems. This type of information protects users by giving them the information they need to decide whether to apply the fix, but it doesn't put them at risk.

      Baaahhhh! Sheep, that is what Microsoft wants for customers. Users who blindly follow them to the slaughter house. But, shepard Microsoft can't even protect us that long. The wolves circle and pick off the sheep one by one. Meanwhile, the lead sheep watch what is going on in the slaughterhouse and they are told by the shepard not to tell the other sheep. Such information would cause a panic in the fold and desertions so great that Microsfts stock price would fall into a irretreivable spiral.

      Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly. In many cases, it's possible to build a tool that performs non-destructive testing and can only be used by a legitimate system administrator. In other cases, the specifics of the vulnerability make it impossible to limit how the tool could be used - but in cases like these, a decent regard for the well-being of the user community suggests that it would better to not build the tool than to release it and see it misused.

      I repeat, those who use open source can always go the extra mile, and at the least, patch their own systems.

      What You Can Do

      Ending information anarchy will not end the threat of worms. Ethics and intelligence aren't a package deal, and some of the malicious people who write worms are quite smart. Even in the best of conditions, it will still be possible to write worms. But the state of affairs today allows even relative novices to build highly destructive malware. It's simply indefensible for the security community to continue arming cybercriminals. We can at least raise the bar.

      What is indefensible is Microsoft's lax security throughout an entire series of Windows operating systems, office suites, and back office products. I once heard a joke that Microsoft was in a uproar because they found a virus that Outlook was not susceptable to; the company vowed to quickly rememdy that situation. The best jokes are baised upon some truth, and this joke was very, very funny. Security warnings do not arm cybercriminals, security holes do. Once again, do you really think the most malicious of crackers out there don't know and take advantage of security holes before they are announced? Of course those crackers know, and the sooner the user knows the sooner they can do something about it.

      This issue is larger than just the security community. All computer users have a stake in this issue, and all of us can help ensure that vulnerabilities are handled responsibly. Companies can adopt corporate policies regarding how their IT departments will handle any security vulnerabilities they find. Customers who are considering hiring security consultants can ask them what their policies are regarding information anarchy, and make an informed buying decision based on the answer. And security professionals only need to exercise some self-restraint.

      My company can adopt a corporate policy that only open source software will be used for all mission critical systems because only open source has a proven track record of quick security fixes. Instead of worrying about a security consultants policy on security disclosures, a customer would be better served by keeping security in mind when evaluating software solutions. First avoid the obvious danger.

      For its part, Microsoft will be working with other industry leaders over the course of the coming months, to build an industry-wide consensus on this issue. We'll provide additional information as this effort moves forward, and will ask for our customers' support in encouraging its adoption. It's time for the security community to get on the right side of this issue.

      The security community has always been on the right side of the issue, it is Microsoft who has not. Even now they are trying to sway others to their position instead of adopting that held by the long standing security community.

      • Interesting read, thanks.

        For what it's worth, here is what I wrote after I read Culp's essay for the first time:

        I agree that some aspects of the current computer security community are quite strange. A few parties have indeed conflicting interests: They sell products which wrap around other software in order to enhance its security (from a purely methodological point of few, a questional practice in itself). In addition, these parties discover and analyze vulnerabilities (sometimes in very great detail), and they are clearly benefitting from the recent Microsoft worm craze.

        However, a few of Scott Culp's arguments are slightly wrong and do not reflect reality. For example, he claims,

        the publication of exploit details about the vulnerabilities contributed to their use as weapons.
        Is this really true? And if it is, could it have been avoided? After all, an attacker knows which components are vulnerable (just by reading the vendor announcement), and he or she can compare the machine code of the vulnerable and fixed versions. Of course, the recent worms didn't show a very sophisticated design. But it is really reasonable to expect that the attackers of the future are unable to retrieve the necessary information from a few pieces machine code?

        In addition, we should remember that the most visible worms were targeting closed-source, proprietary systems. By the same argument, operating systems based on free software would be facing a tremendous amount of worm-based attacks because it's much easier to write these worms based on the publicly available information. However, there is no evidence supporting that, and this is very unlikely that this is just caused by different market shares.

        Furthermore, Culp questions the usefulness of detailed information on vulnerabilities to administrators:

        Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks.
        I whish this were true, but I have seen circumstances under which additional information is essential, even for system administrators:
        • Vendors do not release complete information. Over and over again, products are not mentioned, either due to neglect or because they are no longer officially supported.
        • Vendors release vulnerable versions after a vulnerability has become known, and after public authorities (such as CERT/CC) have stated that these vendors do not ship vulnerable versions of the software.
        • New vulnerability types might exist in a wide range of software from different vendors, even though they do not share common code.
        • If code is shared, some vendors respond faster than other ones. No vendor information might be available for some products.
        This means that responsible system administrators have to check their system themselves in order to be sure that they are not vulnerable.

        Unfortunately, closed, automated tools do not help much in this context, at least without partly re-introducing the concept of full disclosure. Past experience suggests that the vulnerability has to be actually tested in order to minimize the number of false negatives. Our main concern are remote buffer overflow vulnerabilities, and even if such a testing tool is closed-source and does not contain any actual exploit code, it is not too difficult to snoop the network traffic, insert the appropriate exploit code, and try the result on some victims. In addition, testing tools require time to write and distribute, which is unacceptable in most cases. (Usually, the attacks start after the first advisory has been released, the Microsoft worms are rather exceptional in this regard.)

        But my favorite argument is the following one, which has been rehashed in many, many different contexts, most of the time suggesting that software vendors should be exempted from responsibility for the consequences of using their products:

        All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay.
        Nearly error-free software exists and is in wide use, but of course not in the general-purpose computing business. There are no technical reasons (or even mathematical ones, such as Goedel's Incompleteness theorem) for software being faulty. There is complex software which is believed to be close to zero defects, and Donald E. Knuth has shown with TeX that it is possible to write such software for use on workstations even if it uses tricky algorithms and it is fairly large. Poor software quality has different roots, many of them related to business models which force vendors to continuously release substantially different software versions, in order to generate a constant revenue stream from customers upgrading to the newest version.

        In addition, there is no evidence that the security vulnerabilities exploited by the worms were related in any way to the overall complexity of the system. If we look at typical buffer overflow problems in free software (for obvious reasons, we can't do that with Microsoft software, but there is no indication that Microsoft source code is entirely different), these problems are local problems in most cases, which could be caught automatically by using different software construction tools, often obvious from local code inspection, and a local fix was usually sufficient. If software shows buffer overflow problems because of its overall complexity, something is very wrong.

        Indeed, security vulnerabilities will not disappear soon, but not because of fundamental technical problems. And even if complexity starts to become an issue, why not reduce complexity, then? Security vulnerabilities are going to stay simply because too many people accept them.

        (And, by the way, like Windows and Solaris, Linux is a trademark, and since we aren't talking about the kernel alone, we should probably call this operating system "GNU/Linux".)

  • by sulli (195030) on Friday November 09, 2001 @03:57PM (#2545211) Journal
    "fuck you" [siliconvalley.com] to MS/DOJ. Gillmor's piece is pretty good:

    "California deserves special credit for its stance. Bill Lockyer, the state attorney general, has emerged as the most important public official in America when it comes to holding back the Microsoft tide."

    • As a proud Californian, I'm willing to admit that the MA Attorney General (who's name escapes me) deserves a heck of a lot of credit too.
    • by Rupert (28001) on Friday November 09, 2001 @04:18PM (#2545383) Homepage Journal
      I wonder if Mike Hatch (MN Attorney General) is going to have time to pursue Microsoft now that he's also suing baseball.

      My preferred solution: break Microsoft into 28 operating companies. Give one to each MLB owner. Let Bill & Steve run baseball. Benefits of this solution are that baseball still gets run like a monopoly, but by people who are good at running a monopoly, and baseball comes with a built-in anti-trust exemption. Microsoft goes down the tubes, just like baseball has been doing for years. And best of all, programmer salaries get to match those of baseball players.
  • by b-side.org (533194) <bsideNO@SPAMb-side.org> on Friday November 09, 2001 @03:58PM (#2545218) Homepage
    Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?

    How are software bugs, especially critical ones, different from design flaws in a tire?
    • by Anonymous Coward
      Your PC case doesn't roll over and kill 3 of your family members when the OS blows out.
    • If there's a flaw in your car tire, then you know your car tire may blow out and hurt you. Increased distribution of the information lowers the risk (people may change the tires, stop driving it long distances etc).

      If there's a security hole in your OS, increased distribution of the information will do MORE damage (unless you believe that everyone that hears the information will immediately patch or repair their servers themselves - since if the info is distributed before a patch is available, then the vendor can't help you yet).

      Big difference - bad analogy.

      - Steve
    • Legality (Score:5, Informative)

      by truthsearch (249536) on Friday November 09, 2001 @04:31PM (#2545500) Homepage Journal
      Does anyone think that withholding software bugs is illegal? It was illegal for Firestone to withhold information because it irresponsibly cost lives. Security holes generally do not, but they do cost companies money. Holding back info for a security flaw will definitely prevent many admins from changing system settings, limiting current development, waiting for a patch before releasing, etc. That in turn will cost money if the flaw is still exploited.

      IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.

      Anyone know of any precedence or the true current legal standing of such a situation?
      • You're not a lawyer, fortunately for MS they have a bunch of lawyers who write their EULA's. They specifically bar anyone who clicks their license from suing them because their software sucks ass (I think that's even a direct quote).
  • And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows.

    If you read the security bulletin, it's not referring to windows at all. It's a problem with Internet Explorer version 5.5 or later.

    Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
    • by avdp (22065) on Friday November 09, 2001 @04:02PM (#2545251)
      ahhh... but Microsoft claimed in court that IE could not be removed from Windows so this is indeed a security hole in Windows.

      Unless... *gasp* you're calling Microsoft a liar and telling us that IE and Windows are indeed two separable products?
      • right, and Gates also claims to be singularly responsible for the invention of DOS. But you and i both know that that's bullshit.

        IE can certainly be removed from windows. I've done it several times. It's a huge pain in the ass, and it's not something that the average user-at-large would want to consider doing, but it can be done. So to put it bluntly, IE != Windows.
        • the point is... MICROSOFT said IE could not be taken out of Windows. It is an integral piece of Windows according to Microsoft. So if an integral part of Windows has a bug, Windows has a bug!

          Of course, If IE can be removed from Windows, Microsoft has lied before the courts.

          Either way, Microsoft is either lying or has another bug in their OS. Which way would you like to have it, Mr Gates?
  • And don't forget... (Score:5, Informative)

    by Anonymous DWord (466154) on Friday November 09, 2001 @03:59PM (#2545223) Homepage
    The Register, and How Microsoft invented open source, by Billg [theregister.co.uk]
  • by Genaro (30541) on Friday November 09, 2001 @04:00PM (#2545233)
    because I disabled scripting.

    Yes. You need scripting in order to get details of the security hole. On the other hand they recommend you to disable scripting.

    Odd.

    Yes. I have to use Windows at work.

    Yes. I could use Mozilla.
    • The Bug (Score:2, Redundant)

      by Anonymous Coward
      Cookie Data in IE Can Be Exposed or Altered Through Script Injection

      Originally posted: November 08, 2001

      Summary

      Who should read this bulletin: Customers using Microsoft® Internet Explorer

      Impact of vulnerability: Exposure and altering of data in cookies.

      Maximum Severity Rating: High

      Recommendation: Customers should consider disabling active scripting in the
      Internet Zone and the Intranet Zone. Customers using Outlook Express who have
      not set OE to use the "Restricted Sites" Zone should do so as a best practice.

      Affected Software:

      Microsoft Internet Explorer 5.5
      Microsoft Internet Explorer 6.0

      Technical details

      Technical description:

      Web sites use cookies as a way to store information on a user's local system. Most
      often, this information is used for customizing and retaining a site's setting for a
      user across multiple sessions. By design each site should maintain its own cookies
      on a user's machine and be able to access only those cookies.

      A vulnerability exists because it is possible to craft a URL that can allow sites to
      gain unauthorized access to user's cookies and potentially modify the values
      contained in them. Because some web sites store sensitive information in a user's
      cookies, it is also possible that personal information could be exposed.

      Microsoft is preparing a patch for this issue, but in the meantime customers can
      protect their systems by disabling active scripting. (The FAQ provides step-by-step
      instructions for doing this). This will protect against both the web-hosted and the
      mail-borne variants discussed above. When the patch is complete, Microsoft will
      re-release this bulletin and provide details on obtaining and using it.

      Mitigating factors:

      A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed
      URL.
      Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of
      this vulnerability.
      Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail
      exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that
      this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active
      Scripting is still disabled in the Restricted Sites Zone.

      Severity Rating:
      Internet Servers
      Intranet Servers
      Client Systems
      Internet Explorer 5.5
      High
      High
      High
      Internet Explorer 6.0
      High
      High
      High

      The above assessment is based on the types of systems affected by the vulnerability, their typical deployment
      patterns, and the effect that exploiting the vulnerability would have on them.

      Vulnerability identifier: CAN-2001-0722

      Tested Versions:
      Microsoft tested Internet Explorer 5.5 SP2 and 6.0 to assess whether they are
      affected by these vulnerabilities. Previous versions are no longer supported, and
      may or may not be affected by these vulnerabilities.

      Frequently asked questions

      Why isn't there a patch available for this issue?

      The person who discovered this vulnerability has chosen to handle it irresponsibly,
      and has deliberately made this issue public only a few days after reporting it to
      Microsoft. It is simply not possible to build, test and release a patch within this
      timeframe and still meet reasonable quality standards.

      What's the scope of this vulnerability?

      A malicious web site with a malformed URL could read the contents of a user's
      cookie which might contain personal information. In addition, it is possible to alter
      the contents of the cookie. This URL could be hosted on a web page or contained in
      an HTML email.

      What causes the vulnerability?

      The vulnerability results because of an unsafe handling of cookies across IE zones.

      How would an attacker carry out an attack using this vulnerability?

      An attacker could attempt to maliciously exploit this vulnerability by hosting a page
      with a maliciously crafted URL. They could also send the victim an HTML email with
      a similarly crafted URL.

      In the case where the attacker hosted a web page, would he have any way to
      compel me to visit the site?

      The attacker could not force you to visit his site. Instead, he would need to entice
      you into performing some action that would cause you to visit the site. There are,
      however, a variety of actions that could be used to do this, from visiting a web site
      that would redirect you to the attacker's, to opening an HTML e-mail that
      referenced the attacker's site.

      In the case where the attacker sent me an HTML e-mail, would simply opening
      the mail allow me to be attacked?

      Yes. It is possible for an attacker to craft an HTML email in such a way that it
      would exploit this vulnerability on opening the mail.

      Why does changing my IE settings help protect me against a mail-borne
      attack?

      As we mentioned above, HTML e-mails are just web pages sent via e-mail. Outlook
      uses the IE security architecture to limit what HTML e-mails can do when opened.
      By default, Outlook 2002 opens all HTML e-mails in the Restricted Sites Zone.

      Is this a permanent change?

      No. Microsoft is working to develop a patch that will eliminate the vulnerability.
      When it's completed, you'll be able to install the patch and then return your IE
      settings to their previous values.

      How likely is it that I could be affected by this vulnerability?

      It depends on your web browsing and e-mail habits. Customers who exercise care
      in choosing the sites they visit, and who are careful not to open obvious spam and
      other untrustworthy e-mails would be at less risk from this vulnerability. However,
      customers can easily make a configuration change that will provide complete
      protection.

      What's the configuration change that will protects against this vulnerability?

      Customers who are concerned about this vulnerability should disable active
      scripting. All web pages (and HTML e-mails, which are just web pages delivered via
      e-mail) are categorized into one of several zones, and the settings in each zone
      dictate what actions can be taken within it. By disabling active scripting in the
      Internet zone a user can prevent an attacker from exploiting either the web-borne
      or mail-borne versions of this attack.

      How do I disable active scripting in Internet Explorer 5.5 and 6.0?

      On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
      In the Settings box, scroll down to the Scripting section, and click Disable under "Active scripting" and
      "Scripting of Java applets".
      Click OK, and then click OK again.

      I am a network administrator. How can I disable active scripting in my
      enterprise?

      With new deployments of Internet Explorer, an administrator would use the IEAK and disable active
      scripting before building the package and rolling it out to client machines.
      For currently deployed client use Profile Manager to create an auto-config INS file to make registry changes
      needed to disable active scripting on the client machines with Internet Explorer already installed.
      For administrators that prefer to use SMS or login scripts, the following are the registry changes that would
      disable active scripting on the client machine:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones
      HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones

      There are five different sub keys under each "Zones" key. Each key control a
      different security zone. The key names are 0-4.
      = Your computer
      1 = Local Intranet
      2 = Trusted Sites
      3 = Internet
      4 = Restricted Sites
      There is then a DWORD value under each zone number key that must be modified to disable active-scripting
      for each zone.

      REG_DWORD value is "1400" to be modified.

      Setting this value to "3" (from "0") will disable active scripting.

      HKCU setting changes take effect immediately. However the HKLM settings
      would most likely require a reboot.

      Patch availability

      Download locations for this patch A patch will be posted as soon as it is available.

      Additional information about this patch

      Installation platforms:
      This patch can be installed on systems running Internet Explorer 5.5 and 6.0 when available.

      Obtaining other security patches:
      Patches for other security issues are available from the following
      locations:

      Security patches are available from the Microsoft Download Center, and can be most easily
      found by doing a keyword search for "security_patch".
      Patches for consumer platforms are available from the WindowsUpdate web site
      All patches available via WindowsUpdate also are available in a redistributable form from the
      WindowsUpdate Corporate site.

      Other information:

      Support:

      Technical support is available from Microsoft Product Support Services. There is no charge for
      support calls associated with security patches.

      Security Resources: The Microsoft TechNet Security Web Site provides
      additional information about security in Microsoft products.

      Disclaimer:
      The information provided in the Microsoft Knowledge Base is provided "as
      is" without warranty of any kind. Microsoft disclaims all warranties, either
      express or implied, including the warranties of merchantability and fitness
      for a particular purpose. In no event shall Microsoft Corporation or its
      suppliers be liable for any damages whatsoever including direct, indirect,
      incidental, consequential, loss of business profits or special damages,
      even if Microsoft Corporation or its suppliers have been advised of the
      possibility of such damages. Some states do not allow the exclusion or
      limitation of liability for consequential or incidental damages so the
      foregoing limitation may not apply.

      Revisions:

      V1.0 (November 08, 2001): Bulletin Created.
    • by jmv (93421) on Friday November 09, 2001 @04:45PM (#2545615) Homepage
      Yes. You need scripting in order to get details of the security hole. On the other hand they recommend you to disable scripting.

      It's the new MS security policy: "if you can't read this page, you're not vulnerable"!
    • After making their reccomended changes I can't use
      Windows Update either. Very interesting, how ironic that MS stuff is these days.
  • by Tassach (137772) on Friday November 09, 2001 @04:00PM (#2545235)
    For better or worse, it's good to have a high-profile individual like Nader get involved in this. While anyone can file a letter during the public commentary period, or an amicus curae brief (if they have a valid interest in the outcome of the case), judges are more likely to pay attention to comments that come from respected public figures than they are to listen to J. Random Public. At least his letter will be read by the judge herself, instead of just being skimmed by a junior clerk and tallied up in the appropriate columns.



    Of course, Nader's stance at the far left at the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)

    • could hurt things if the judge has right-wing leanings

      It strikes me how much we all seem to be recognizing that the courts now operate based on their political leanings instead of the foundation of law.

    • Nader? (Score:3, Insightful)

      by DrCode (95839)
      While I'm glad he's chimed in on this, I'd say he's just as, if not more, "uncompromising" and "abrasive" as RMS.
  • by dpilot (134227) on Friday November 09, 2001 @04:00PM (#2545236) Homepage Journal
    OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?

    Part2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.

    Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.

    Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?

    But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
  • Quote (Score:4, Funny)

    by MouseR (3264) on Friday November 09, 2001 @04:01PM (#2545242) Homepage
    Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"

    Are they referring to the recent release of XP?
  • by Drath (50447) on Friday November 09, 2001 @04:01PM (#2545245)
    Thanks Raplh, this is why I voted for you.

    Also I like seatbelts.
  • Oh really? (Score:3, Informative)

    by Mr. Sketch (111112) <mister...sketch@@@gmail...com> on Friday November 09, 2001 @04:01PM (#2545246)
    Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"

    Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
    • by davebo (11873) on Friday November 09, 2001 @04:11PM (#2545328) Journal
      . . . which managed to get an OS X root exploit [stepwise.com] patch released in just over a day.


      But what do I know.

    • Re:Oh really? (Score:3, Insightful)

      by gmhowell (26755)
      Let me play devil's advocate (seriously):

      Yes, you can get a patch to kernel 2.foo very quickly. But it can take weeks/months for RH to get a package out. Perhaps M$ can get the code fixed, but not quickly send out a package (and in some ways they do. They send out hotfixes, and only later service packs).

      Why? In both instances, the companies have to make sure that by fixing one problem, they don't create several others.

      So yes, you can get quick fixes to Samba, the kernel, etc. But it takes time for commercial vendors to roll out the patches.

      (And, having said all that, I used to use Progeny, and am switching to Debian. They get out patched packages really damned fast.)
  • SF Gate [sfgate.com] has an article about how the states are "sabotaging" the settlement:

    Why are they asking the court to derail the settlement, effectively guaranteeing that the case won't be resolved for years? The state attorneys general claim the high ground as defenders of consumers, but it is hard to see what consumers of software would gain in prolonging this legal agony.

    Uhh, ok...
  • security software (Score:5, Interesting)

    by whiteben (210475) on Friday November 09, 2001 @04:02PM (#2545249)
    Perhaps the scariest line in the securityfocus.com article is this one:

    The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.

    Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.


    I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.


    BEN

  • BBC Article (Score:3, Informative)

    by calibanDNS (32250) <brad_staton AT hotmail DOT com> on Friday November 09, 2001 @04:04PM (#2545266)
    The BBC [bbc.co.uk] also has an article [bbc.co.uk] today detailing some of the groups and corporations that are lining up to take on Microsoft on several different fronts.
  • by CokeBear (16811) on Friday November 09, 2001 @04:04PM (#2545271) Journal
    Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".


    Pardon my french, but *bullshit*.


    Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)

    • by Jagasian (129329) on Friday November 09, 2001 @04:27PM (#2545474)
      Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
      Note that I am a Debian Linux user, so I have no bias in favor of Microsoft, but come on, the real question should be "Can anyone imagine MS shipping a product with such a horribly-stupid-of-stupid-critical-lose-every-flaw as the recent iTunes 2.0 ultra-blunder?" Apple is no hero for bringing out a fix as fast as they did; simply because such a fix never should have been necessary in the first place.

      I have seen Microsoft release products that do really stupid things, but I have trouble recalling the last time they released a music application that unnecessarily formats your harddrive. I mean, come on... MS is bad, but are they as bad as Apple? If Apple was as popular as MS, you would probably be singing a different tune about iTunes 2.0?

      Debian Linux has a community run software testing process that would never let something like iTunes ship as "stable".
    • I agree that Microsoft (and any software company for that matter) should get patches out as soon as possible - especially "within a few days". At the very least, a workaround or protection measure that is somewhat more useful than just disabling Active Scripting should be posted within 24 hours.

      Full disclosure should follow the announcement of a bug after 30 days or whenever a patch is released, as is standard practice on security mailing lists. Not having full disclosure hanging over a company's head allows them to become lax in protecting their customers which when it comes down to it for Microsoft is exactly what Scott Culp's job should be.

      As for "Can anyone imagine MS responding that quickly?", yes. They responded in about 24 hours to the Ping of Death bug (IIRC). They were only beaten by the Linux devs who responded in about 8 hours.

      To be fair though, the iTunes bug (which would wipe all your MP3s without any external provocation) and a IE bug (which requires a hostile site to set up the flaw) are in somewhat different circles. I wouldn't even make a comparison between a bug freshly released product and a bug in a browser that has been released and is in common use. Pulling the IE installer is really going to solve a lot of problems...

      Apple has been fairly slow at fixing some of the security issues in OS X - many were just postponed to 10.1, so I wouldn't hold them up to being the paragon of truth and justice right now. Go look on their web site and see if you can find full disclosure on any of the problems of OS X...

      Linux is even descending into the game of playing petty politics with security issues. Alan Cox should know a lot better than to play into Microsoft's hands the way he seems to be. Not announcing Linux flaws simply gives credence to Microsoft's current bad behaviour.
  • by CmdrTroll (412504) on Friday November 09, 2001 @04:06PM (#2545292) Homepage
    Back when I was in high school, I was a script kiddie. I would DDoS my classmates to show how k-RaD I was. I had an extensive network of trin00 and BO2k zombies at my disposal. It was fun. For a while.

    The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.

    Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.

    -CT

    • Maybe I'm naieve, but...

      > But the majority of the time, I would
      > see sploits circulated by my Russian friends
      > on IRC weeks before anyone even mentioned the > vulnerability on BUGTRAQ....

      > Stopping full disclosure won't hurt the script
      > kiddies. It will hurt the admins, who won't
      > have enough information to patch their source
      > base to fix the problem.

      Seems to me some reverse-espionage is in order. Last time I took a security course, it was recommended that a savvy security admin lurk in the dark areas, just to share the information XPerience earlier than the public.

      Golly, a business-savvy person could even make money that way.

      What Microsoft doesn't understand is that if black hats are trading the information, they can't really tell the white/grey hats from the black ones, over the internet connection.

      Or can they?
  • by JoeBuck (7947) on Friday November 09, 2001 @04:07PM (#2545297) Homepage

    It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.

    Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.

    • I think the difference between Microsoft's tactics of making customers slaves and ducking responsibility for their own products and Alan Cox's "civil obedience" protest is sufficiently clear that no parallel can be drawn between them.
    • But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion.

      It is thoroughly possible that Alan's interpretation of the DMCA is wrong, and that yours is right. However, it is Alan and not you who is at risk if he is right. It is unseemly to chide him for refusing to take what he deems to be a serious legal risk, when you yourself are at no such risk.

      I'm pretty sure that Alan's point is not that "discussion of bugs" in general is prohibited by the DMCA. It is that a bug in the permissions functions of a kernel could serve as a method of evading access controls -- and that dissemination of methods to evade access controls is prohibited.

      Don't forget that Alan is not the only party at risk, either. Since he is employed by Red Hat in developing the kernel, Red Hat might also find itself liable. Indeed, Alan probably has the advice of Red Hat's lawyers in the matter. He isn't in a position to go against that.

      Even if you are right and Alan is wrong, the matter serves as an able example of what the lawyers call a "chilling effect" upon speech. The DMCA is vague! The matter of whether Alan is at risk is unclear and contentious -- that's why we're having this discussion. In such an environment, people such as Alan and companies such as Red Hat are going to err on the side of excessive caution. Their speech will be "chilled", even if the risk is imaginary. That's part of why restraints upon speech are so dangerous.

    • by Velex (120469) on Friday November 09, 2001 @05:47PM (#2546006) Journal

      It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.

      Not at all. The way I see it, there are two things at work here.

      1. As pointed out in other posts, Alan Cox is not the one censoring himself, but rather it is the DMCA, which has the enforcement of the entire populace of the United States behind it. That is what it means to make a law, to create a policy with the enforcement of every single individual in the country where the law was made. On the other hand, Microsoft is the one that is censoring itself, without respect for the DMCA, whether or not it applies to the bug as it did to the bugs that Cox refuses to discuss in a forum intended for United States audience.
      2. More importantly, the intents of the actions are completely different and somewhat incomparable. When Cox refused to discuss security of the Linux kernel, he had two intentions:
        1. Cover his own ass from possible litigation from the people of the United States, represented by John Ashcroft.
        2. Drive a message to the people of the United States that the DMCA is a bad law, and they should seek its immediate repeal.
        On the other hand, Microsoft, while their intention is also to cover their ass, it's not from litigation and legal hot water, it's from their own bad PR. Microsoft isn't even trying to seek repeal of the DMCA, for obvious reasons. Whereas Cox was making a political statement, Microsoft is just trying to censor bad PR.

      Therefore, it is right and consistent that we can hate Microsoft for censorship, and applaud Cox for censorship, because there are deeper levels and motives than simply censorship.

  • Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".

    A Microsoft spokesman was later heard saying - "We didn't fix it in the first place, what makes you think we're going to now?"
  • by libre lover (516057) on Friday November 09, 2001 @04:10PM (#2545317) Homepage
    From the open letter:
    The agreement provides Microsoft with a rich set of strategies to undermine the development of free software, which depends upon the free sharing of technical information with the general public, taking advantage of the collective intelligence of users of software, who share ideas on improvements in the code. If Microsoft can tightly control access to technical information under a court approved plan, or charge fees, and use its monopoly power over the client space to migrate users to proprietary interfaces, it will harm the development of key alternatives, and lead to a less contestable and less competitive platform, with more consumer lock-in, and more consumer harm, as Microsoft continues to hike up its prices for its monopoly products.
    To think that a man who ran for President "gets it" with respect to Free Software boggles the mind. As days go by I just keep feeling more and more vindicated for having voted for him.
    • To think that a man who ran for President "gets it" with respect to Free Software boggles the mind.

      And to think that most of the Neanderthals on Slashdot still think it the height of humor to castigate him as a loon. I don't want to be a troll, but I find it the penulimate irony that people who can wax rhapsodiacally over RMS bitch about the one nationally recocognized politician that seems to actually "get it" when it comes to Free Software.

      The ulitimate irony is, of course, that anyone actually takes these Neanderthals seriously enough to bitch about it :-(.

      I made my mistake in the last election by wasting my vote on Gore. Next time, it's Green all the way, baby...

  • Something Amusing (Score:5, Interesting)

    by DarkZero (516460) on Friday November 09, 2001 @04:11PM (#2545331)
    As an experienced IE user, I immediately took the usual steps to get around IE vulnerabilities. I immediately turned off Active Scripting (it was a blunder on my part that it wasn't disabled, because I didn't know IE6 had added THAT MUCH new stuff), and then went to Windows Update...

    You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.

    Redmond dumb-asses.

  • by Xerithane (13482) <xerithane@nerdfa ... g minus math_god> on Friday November 09, 2001 @04:14PM (#2545350) Homepage Journal
    From the article:
    The person who discovered this vulnerability has chosen to handle it irresponsibly , and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

    I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, than it's easy to make the connection that the open-source community is villifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.

    They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsofts high standards of quality.

    Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsofts best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a companies product to an unapproved bill.
  • Prrof in the pudding (Score:3, Interesting)

    by snarfer (168723) on Friday November 09, 2001 @04:16PM (#2545363) Homepage
    The point of the Microsoft suit was to bring back competition. Innovation was stifled because no one could get investment $$ if they were in a market Microsoft was even thinking about entering.

    So what is the effect on investment capital of the settlement?

    The proof is in the pudding. Is Red hat stock up? Is Palm or Be stock up - or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
    • Red Hat is trying to sell a product that can be downloaded for free. Why again do you expect investors to be lining up behind them? Especially when the only time they've been able to show profitability is by using accounting tricks -- in other words, if they continued "making money" at the same rate, they'd be bankrupt in a number of quarters.


      Palm is on a not-so-slow path to www.f---edcompany.com. Everybody realizes that it's in trouble, including Palm itself. If they thought their real troubles spawned from Microsoft getting a favorable settlement, they wouldn't have just shitcanned their CEO.


      Hell, Microsoft probably doesn't even plan for world domination, they've gotta be surprised by how easily it continues to be given to them by all these completely incompetent companies that you seem to be in love with. Next up: Sun Microsystems. :)

  • by tb3 (313150) on Friday November 09, 2001 @04:19PM (#2545401) Homepage
    From the MSNBC article:

    In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.

    So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
  • From the FAQ... (Score:4, Informative)

    by don_carnage (145494) on Friday November 09, 2001 @04:24PM (#2545449) Homepage

    Why isn't there a patch available for this issue?

    The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

    Hehe.


  • Bug Non-disclosure (Score:3, Interesting)

    by Mike1024 (184871) on Friday November 09, 2001 @04:31PM (#2545496)
    Hey,

    Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin

    Wasn't @stake [atstake.com] formed from hacker group l0pht [l0pht.com]? Yes, I think they were! They used to attend Def Con, and work on Back Orifice [everything2.com] and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to thier site in the place of good, solid descriptions?

    My, how times change.

    -M
  • by SquierStrat (42516) on Friday November 09, 2001 @04:31PM (#2545497) Homepage
    Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.
  • by krmt (91422) <therefrmhere@yah ... m minus language> on Friday November 09, 2001 @04:54PM (#2545682) Homepage

    On Sept. 28, she told the parties in the Microsoft case that 'the recent tragic events affecting our nation' demanded a prompt end to litigation that had already roiled the stock market and generated economic uncertainty.

    That exhortation hit home. After Sept. 11, 'the world had changed, with war abroad, threats at home and a deteriorating economy, creating a powerful dynamic to settle,' says Richard Blumenthal, Connecticut's attorney general and one of the more-aggressive state officials involved in the case.


    While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
  • by Adhoc (132137) on Friday November 09, 2001 @05:02PM (#2545743)
    Reading this gave me a warm fuzzy feeling inside.
    -----------------
    The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
  • Slashdot editor bias (Score:3, Informative)

    by sheldon (2322) on Friday November 09, 2001 @05:10PM (#2545805)
    It's interesting. I've already read every one of these articles linked to by slashdot in the last few days.

    But the bizarre thing is how biased slashdot is with their presentation. If you actually quick thru on the links and read the stories, you'll understand why.

    For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?

    http://news.cnet.com/news/0-1014-201-7819204-0.h tm l?tag=bt_bh
  • by BLKMGK (34057) <.morejunk4me. .at. .hotmail.com.> on Friday November 09, 2001 @05:22PM (#2545878) Homepage Journal
    Gee, maybe that explains why http://packetstormsecurity.org has had the rate of submissions slow from many a day to one or two every couple of days. I KNOW vulnerabilities are being found but it's REALLY hard to explain to management why they MUST rollout a security patch if I cannot PROVE to them that, yes its a problem! Has everyone rolled over?

    WTF is wrong with these folks?! I can see it now - we're all going to have to sign up to some sort of subscription service to learn about the various vulnerbailities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would cowtow to Microsoft, it's a sad day indeed for the security industry.

    Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.

    Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear the SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure but when you know you looked it up previously and then it's not there later you have to begin to wonder....

    P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
    • by ryanr (30917) <ryan@thievco.com> on Friday November 09, 2001 @07:06PM (#2546383) Homepage Journal
      The only info we have pulled out of the vuldb that I can remember was the telnetd exploit. This was because the copyright holder insisted. We do on occasion have a duplicate BID, or consolidate several into one when it becomes clear that they are the same. Therefore, you may sometimes see a particular BID number "go away", but the info exists under another BID. We also had a few temporary problems while we switched from Roxen to Apache a few weeks ago, and I recall that not all info was showing up for a while.

      But basically, no we aren't pulling anything out.
  • by Skip Head (262362) on Friday November 09, 2001 @05:56PM (#2546052) Homepage
    Here is a little quote from the Wall Street Journal article:

    James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues". He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
    Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.

    This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.

    It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived a such a one-sided settlement.
  • by weave (48069) on Friday November 09, 2001 @06:30PM (#2546203) Journal
    OK, someone was irresponsible by releasing details so soon after notifying Microsoft and they say that is irresponsible.

    Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...

    1. Discovery
    2. Notification
    3. Disclosure
    4. Exploits

    The real danger is when someday someone will discover one of these huge gapping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.

    We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....

  • by Quadell (197852) on Friday November 09, 2001 @06:37PM (#2546236) Homepage

    Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.

    From Microsoft's article [microsoft.com]:

    We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.

    Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.

    If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.

    I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:

    By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.

    But the movie house is on fire. The bug exists - your private information is vulverable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.

    It's natural for a powerful organizion to want to surpress speech that points out its flaws. It's natural - but it should never be tolerable.

If you think the system is working, ask someone who's waiting for a prompt.

Working...