IE Holes Not Microsoft's Fault, Says Bill
thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?
No thanks (Score:5, Insightful)
Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates? Furthermore, I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?
Moving along: Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box? What does that tell us about the quality of your products? After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium.
You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.
Easy to assign blame (Score:5, Insightful)
Sick and tired of fixing spyware infested machines.
Rubbish! (Score:5, Insightful)
Re:Uhhhh... (Score:2, Insightful)
And you don't even have to view a webpage. How many Win32 worms* are there now?
* I mean real worms, not "the media calls it a worm for some unknown reason" when it's really a virus.
Re:No thanks (Score:2, Insightful)
[risk of being devil's advocate]
Just for clarification, is that computer hooked up directly on the internet without firewall, or is it running behind a NAT router? I am not sure if it is true, but most of the Linux distros' default installations aren't too good to hook up directly onto the net.
[/risk]
software, eh? (Score:5, Insightful)
What's that I hear dying? (Score:5, Insightful)
Remember that, Bill? When you said you were going to make all the Windows computers secure by focusing all your energies on securing your code?
Now, it's not your fault, and you won't do anything to fix it? Then why on earth did you tell everyone that you would?
I'm so sick of the lies (Score:5, Insightful)
This is the same mentality of shipping a crappy product and having tech support take care of the issues. Okay, fine, at least I have someone to complain to and I can return products, but with information you don't have that option. You complain to your peers, who are just an echo chamber. The fact that lying usually goes unchallenged in media makes for bigger more destructive lies.
The browser has holes, it's a piece of software. This is way over the line. How did the information age become the disinformation age? Perhaps we officially entered the post-postman world [amazon.com] where everything is a soundbite that flies through the subconscious and sticks there. Long corrections don't have the same stickiness, so lying is now smart business.
Keep it up Bill, you're making my next Apple purchase all the sweeter.
Disclaimer for the mods: Yes, many politicians lie. Apple isn't perfect, etc. But there is a difference between small and big lies. Lies which are harmless and those which cause destruction.
Re:Easy to assign blame (Score:2, Insightful)
I use Firefox at home, but my school only has IE, and it seems like I spend more time clicking the 'No' don't install this crappy software button than actually reading webpages while browsing there!
Ones not made by Microsoft (Score:5, Insightful)
So the thing the users keep doing wrong is hook it up to the internet.
From TFA.. (Score:5, Insightful)
Gates: We're big believers in interoperability.
BWWAAHAHHAHAHAHHAHAAAHHAAAA!!!!!!
Yes yes... of course, interoperability within Microsoft products
Article is a troll (Score:4, Insightful)
Wish there was a rating system for articles.
Technically, Bill Gates is correct (Score:2, Insightful)
Gates: Understand those are cases where you are downloading third-party software.
Here's how it goes.
If you never download, let's say, a third party web-browser like Mozilla's Firefox or Opera, you'd never realize how problematic Internet Explorer is.
So it is us, the consumer, who are to blame for downloading those third party softwares. Especially the ones that make IE look so horrible.
Re:Blame Game (Score:5, Insightful)
Money is no replacement for clue.
Re:No thanks (Score:2, Insightful)
Because you haven't been downloading spyware and such things?
I mean, it's no secret that downloaded software run under admin privileges can do basically whatever it wishes to your system, regardless if it's a Mac or not.
A big problem to me is that MS doesn't even *try* to tell that working in admin mode all the time is very bad.
Re:No thanks (Score:3, Insightful)
So you're saying the antilock brakes will work forever if you don't regularly service them? Cars need to be maintained, too, and that is part of the necessary "service". In fact, an improperly maintained ABS would be more dangerous than standard brakes.
Gibberish (Score:5, Insightful)
Re:Antivirus is not a thing you "build in" (Score:2, Insightful)
Re:Ones not made by Microsoft (Score:3, Insightful)
Bill (Score:4, Insightful)
Re:Bill Gates lecturing about security... (Score:4, Insightful)
Let's pretend you are Microsoft. (Score:2, Insightful)
So let's assume that your product will sell because of its features, security isn't that much of an issue (Joe isn't going to know about those big gaping security holes, when the product will be at the middle of its useful life, then Joe might notice, but not before.)
If you consider this as your view of software and OS, I don't see what Microsoft has wrong. Of course they have some version for sysadmin, but before being sysadmin, a lot of them have been user... on Windows system. If they didn't touch any other thing, they might try and use some version of Microsoft's server don't you think?
Anyway, the only thing I'm trying to say is that a lot of people, at some point in time, began thinking that Microsoft's main market is not common Joe Dumass. And then these people started expecting things from Microsoft.
"Microsoft machines are polluting the Internet"
Well, yes, corporations don't care about pollution, it costs way more to make something the clean way rather than polluting like a dumass.
Stop expecting secure systems from Microsoft. As long as Joe IDontCare doesn't know about security, he's still gonna be using Microsoft products. If you want to help make Microsoft systems more secure, start educating people around you about the need for secure systems and the pollution on the Internet.
You'll basically get the same response from people as if it were about nature and other kind of pollution.
People won't care until it's gonna be a problem.
Anyone is free not to share my opinion, but I believe it's an environment problem. And Microsoft is only going with what people are freaking asking for.
Microsoft is in it for the money.
Features sell better than security.
Is it that complicated?
Windows May Suck... (Score:2, Insightful)
Very rich (Score:2, Insightful)
Are we going to all get gout from using Windows in the future?
Re:Easy to assign blame (Score:3, Insightful)
Re:Best quote from Bill... (Score:5, Insightful)
Re:No thanks (Score:3, Insightful)
Re:No thanks (Score:2, Insightful)
Well, while I agree that Microsoft should bundle anti-virus/spam/spyware/any-bad-thing with their OS, I don't think that this statement is right. I'm sure that the people who work for Symantec and McAfee would be very unhappy to hear that they are not paid workers. Both of these companies, and presumably MSFT if they were to bundle anti-whatever software, must be constantly updated to detect the changes in viruses and what-have-you.
Re:No thanks (Score:3, Insightful)
That'll be because no-one targets the Mac with spyware or viruses, because Windows is a soft enough target and has vastly more market share; it's not worth their while to yet.
Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates?
Because if he did, he'd have avs companies and MS-unfriendly tech sites screaming bloody murder about MS using their monopoly to enter new markets, just like they did when they first included a firewall. They can only weather so much of that before people start muttering "anti-trust" and starting court proceedings. They're in the middle of getting slapped for that sort of thing here in the EU, I don't suppose they want another one just yet.
Re:I'm so sick of the lies (Score:4, Insightful)
First of all they are utterly clueless and can't even discern between the truth and a lie. They are pretty much programmed to accept whatever somebody on the tee vee tells them.
Look at this (or any other election) for example. Is Kerry a flip flopper? Is he a coward? Did he get his medals from self inflicted wounds? Ask your typical American and they will say yes. Press them for details and you'll realize they don't know shit, they are simply repeating what they saw on television commercials.
Same with Gates and Company. Ask yourself. Have you ever heard or read an interview with Ballmer or Gates in which they didn't tell at least one lie? Not a minor one either but a blatant out and out lie. These people are habitual and pathological liars. They will continue to tell lies until the press calls them on it. Since they buy lots of advertising don't hold your breath though.
Re:No thanks (Score:5, Insightful)
Installation Instructions
1. Login as root
...
Re:Gibberish (Score:4, Insightful)
It just means that Bill Gates still doesn't get network connected computers. I remember he once thought that 'the Internet' would never be important. And now I think that, IE monopoly and all, Microsoft still, inherently, deeply, doesn't get network connected computers. Yes, they forced Netscape out of the market with IE, but for them IE is just another piece of software.
The user's fault? We can fix that! (Score:5, Insightful)
Again.
As usual.
As always.
Microsoft and especially Mr. Gates have both blamed the user for DOS and windows bugs, et cetera, ad nauseam, since the beginning.
It's one of the things that really encouraged me to dump windows. Being told personally, to one's face, by Microsoft and Mr. Gates that the problems with DOS and windows are my fault made it very easy to walk away from the huge investment in microsoft stuff.
Since the user is at fault, the user can fix it--like I did: dump microsoft.
Re:Antivirus is not a thing you "build in" (Score:4, Insightful)
Or hey, here's a novel idea... maybe make your OS secure enough that you might actually have a choice whether or not you want to drop X amount of dollars on a 3rd party virus scanning app.
My god. The people at Microsoft can be so completely dense sometimes.
Re:No thanks (Score:5, Insightful)
Gates: It's not a thing you build in.
Us: But a browser is a thing you can build in
Re:No thanks (Score:3, Insightful)
Re:No thanks (Score:2, Insightful)
Give them a Little, Take a Lot (Score:2, Insightful)
This is just like the Pinto.. the car wasn't going to blow up unless the other driver was crap.
Re:I'm so sick of the lies (Score:5, Insightful)
So you see things like "Bush said this, and Kerry said that." Which is 100% true. But there's no investigation into whether the quotes are actually, like, true.
So Microsoft will release a press release saying "We're improving security!" and then various media reports will say "Microsoft says it's improving security." But the media won't actually investigate whether or not Microsoft actually is improving security, they'll just report that Microsoft has said that they are.
About the only time you'll hear any discussions about the truth of any position anyone has is on various talk shows, where to "show both sides" you'll get two people who are representing "opposite sides" of a given debate. Directly opposite sides.
Since these people are solely debating for their side, we're ultimately left with no middle ground. Only two extreme views on a topic.
So while the two "sides" of the debate are represented, the media generally "lets the reader decide" which side they believe in. But since the veracity of the two sides has never been called into question (other than each side calling the other wrong), the average reader/listener/viewer has no way of judging complicated scenarios they don't really understand.
(For example, I don't really know what Kerry's position is on Iraq. I have no idea whether or not it's a good position, because I only hear polarized viewpoints on it. About all I know is that he intends to "do it differently" and "get international support." I have no idea about the details and don't know enough about international politics and warfare to judge it even if I did know.)
This is one of the main reasons I get all my news from the Daily Show with Jon Stewart. At least then I know it's all fake. :)
I'm currently up due to insomnia, so if any of that makes no sense, I'll try and post a correction tomorrow. It'll be in fine print and on the fifth page. :)
Re:No thanks (Score:5, Insightful)
Windows instead has many "default" services that you can't turn off.
Re:No thanks (Score:1, Insightful)
I don't know about you, but I think that's kinda sick.
And yes, on my Mac I can start doing productive things right away without holding Mac OS' hand.
Re:No thanks (Score:2, Insightful)
Offering anti-virus is not the same as making a more secure environment. Anti-Virus searches for specific types of attacks, as opposed to closing ports or limiting the damage an executable can do. Windows does not have built in virus protection, but Microsoft is actively closing security holes.
"After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium."
This is a flawed analogy. Microsoft is already providing (err trying to provide) those equivalents. (Although, if Windows were a car, it'd be recalled. Bear with me.) Anti-Virus would be more like On-Star. It's a service for helping drivers with situations that building a car 'correctly' can't deal with. For example, if your car is stolen, On-Star can track it. However, that is a monthly service. Yes, you can make doorlocks tougher, that doesn't prevent On-Star from being an interesting service.
Still not convinced? Okay, consider this: Recently Slashdot had a story about a Mac exploit. A 'beta' of Word 04 was supposedly released. A bunch of Mac users downloaded and executed it. They were all victims of an exploit. Basically, the executed file wiped out their home directory. (Note: My memory is fuzzy on this. Corrections or additional info appreciated.) Permissions can be set. Apple could release a patch, no problemo. But what do you do? Lock down the machine so that executables have really strict rules to follow? Do you run an anti-virus app to scan for known exploits like that? Well I'm not trying to answer that. All I'm saying is that they are two very different techniques, and yes forced anti-virus can cause unwanted results.
Catch 22 (Score:5, Insightful)
It is kind of a catch 22. If Windows had built in anti-virus software no one would buy 3rd party anti-virus software and Microsoft would gain a monopoly in the market. They would get their asses sued and everyone would complain that they have a monopoly or they have created an unfair environment. We've seen it before. If Windows doesn't have built in anti-virus software everyone complains they don't.
And even if Windows did have built in anti-virus software, can you honestly tell me, given their track record, that you would feel secure with it? If everyone used Windows built in anti-virus software wouldn't it be just that much easier to exploit and cause even more damage?
Re:infomechanics (Score:5, Insightful)
Simply put - the "maintenance" that we refer to with software, and that's being compared to cars above is in fact no such thing. Every patch and update that's issued is to correct a _mistake_ in the software - not something that gradually failed because of wear. Cars need regular maintaining because they're physical objects in a physical environment and the stresses and imperfections of that environment cause real physical damage that needs to be repaired. Software "maintenance" is actually incremental development - it's correcting mistakes that are in the original.
All that said, software (at least most of it) is far, far more complex than your typical car, and has had far less time to mature. The physical limits that a car operates in are well defined and well understood, and the vehicles are designed with that in mind. There are well known and well understood physical requirements and those requirements are easily tested. Software lives in a very different environment with a very different level of constraint and a very different level of user expectation.
Re:What's that I hear dying? (Score:3, Insightful)
(Mod me troll)
Re:No thanks (Score:5, Insightful)
Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??
Also, motor companies do NOT make Airbags, ABS and skid control... they are usually made by third party companies (Bosch for example). So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldn't get a choice, and that we should add another $50 to the cost? Sounds anti-competitive to me. Sounds like you're another
Re:infomechanics (Score:5, Insightful)
Re:No thanks (Score:5, Insightful)
He wasn't criticizing what you said, he was criticizing your reasoning behind what you said. If what you said is true for "viruses" and "malware", why wouldn't it be also true for "remote exploits"?
It sounds to me like you came up with an overgeneralization and now you're trying to rationalize it in face of contradictory evidence. *sigh* You can be as impatient with us as you want and you can patronize us all you want, but your backtracking rationalization about the technical proficiency of users doesn't hold much water. For me, the only reason I first installed Apache was because I had no clue about how I could install Microsoft's Personal Web Server. I suspect it's the same for most users. Apache simply worked out of the box, that's its magic and that's partly why it has the biggest marketshare.
Re:No thanks (Score:5, Insightful)
Whether things would be reversed along with the marketshare, it's impossible to say. But there's really no way anyone can do it worse than what microsoft is doing.
Why we put up with this madness... (Score:4, Insightful)
So why Bill Gates is still in business after making such a comment: "Understand those are cases where you are downloading third-party software" it makes my eyes roll. Why is the customer always right? Because only the customer knows what he or she wants. If the customer wants a good solid car, they are going to buy a good solid car from *insert favorite car manufacturer here*. So why people put up with this slander from the biggest man in Microsoft is beyond me.
Personally, I think I run a very tight ship. I don't need antivirus, and a nice firewall is all that stands between me and the next script-kiddie on the block. Problems I've ever had are related to IE and poor OS performance.
Because I will shortly be entering my era of University in 2005, my thoughts turn to my financial future. I will not be able to afford a new computer, much less new games/new MS OS. When the time comes when I can no longer play games on my current setup, windows will have no further place on my computer.
*Deep Breath* - Thank you for your time.
3rd party (Score:4, Insightful)
True, that. Now the point is that you're downloading this "third-party software", aka virus, trojan horse or spyware, even though you never wanted to.
Staying Alive..... (Score:1, Insightful)
Put differently, how does microsoft.com manage to be stable?
Re:No thanks (Score:2, Insightful)
It's not a thing you build in. You have to offer a service......
But we'll build in a browser, mail client, media player, etc to hold on to our monopoly.
I'm sorry, what!? (Score:5, Insightful)
Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?
Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
[Italics and bolded sentence my own markup]
So let me get this straight, Mr. Gates. You have thousands of people working just on Internet Explorer, and yet...a thousand or two thousand people working on Mozilla have bested you?
Nothing is going to change, indeed, Mr. Gates. You're going to keep spewing the same old story, ignoring obvious holes in your own logic (third-party software is to blame for all security problems, true...but that doesn't mean your software should allow third-party software to install itself without the user doing a thing), denying any obvious falsehoods in your own statements (" We feel like we are pioneering an experience that to us is a clear thing most households will want." - Gates, regarding Windows Media Center PCs...I'm sorry, I didn't know you pioneered multicasting from a set-top box...I presume Linksys is paying you licensing fees for their video broadcast device, to name one alternative?), and hoping people will be stupid enough to follow it.
The saddest part of the above discourse is, Gates is probably right. People are, until told otherwise, going to keep using bug-ridden products, until they are shown that there are alternatives...I know many users who have never clicked Windows Update in their lives, and not because they've never used Windows.
I could be wrong, but I'm sensing a downward spiral, when M$ can announce things such as they did in their article, and not get negative feedback from the interviewer. Just my $0.05.
Re:No thanks (Score:5, Insightful)
Re:No thanks (Score:3, Insightful)
Critical assessment vs Belief (Score:5, Insightful)
Our children are being indoctrinated from a very early age to believe what authority figures (parents, teachers, the tv, etc.) tell them. Should we be surprised when a concept ingrained for 10+ years during the most formative childhood years translates to an easily misled populace?
Do not believe anyone. Do not believe politicians, scientists, priests, your parents, the police, and please don't believe the mass media.
Teach your children to think, not believe.
Q.
Re:I'm so sick of the lies (Score:5, Insightful)
Politicians (especially the ones in power, regardless of party) always tend to lie. And salespeople have never been noted for truthfulness.
What has changed, gradually, over a couple of decades, is that the media no longer provide a check on politicians and corporate liars.
The purpose of the media used to be to provide information and critical comment. That's changed. A newspaper or a TV network makes more money if it's operated primarily as an entertainment. That means: nothing that requires the consumer to think, because a lot of people don't like to think. Not too many boring facts, either (unless they're sensational).
Don't be too hard on Gates. There will always be people whose goal in life is to make more money, by any means that works. The problem is that our society has lost the checks and balances that used to constrain people like him.
He's right, of course. (Score:4, Insightful)
Re:No thanks (Score:4, Insightful)
It seems mods didn't care about your signature on this topic. Proof? Your posts score
I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.
OS X updates aren't service packs, they are new OS'es. 10.3.0 is a new OS , 10.3.1 is a service pack.
About antivirus and anti adware? As it's a BSD based real OS, it's run by rights. As it's a pain in the ass to code a spyware on linux, it's much harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.
Oh there is a program on OS X, comes with it and has an unsolved security problem. Yes, it still exists. Guess what is it? INTERNET EXPLORER macintosh edition.
Re:Not to be behind Bill or anything .... (Score:2, Insightful)
IIRC, the article is about the problems in IE, which should be just a normal user-space application. I don't know how tightly they integrated their IE into the ring-0 kernel space, though
Re:So let me get this straight (Score:2, Insightful)
"What was I saying? Oh, yeah. Third party software. I dunno. My computer's running pretty slow at the moment, ever since you came over a few months ago and installed all that stuff for me. What was it, Thunderfox or something?
"I remember you tried to show me how to use it, but I prefer that Outlook program. Doesn't try and stop me doing what I want to do, make all the images in my emails broken and stuff like that.
"D'you think that that's why my computer's slow? After all, that Gates guy was saying that third party software's what makes 'em go bad. Are you sure that stuff you installed was safe? I mean, I've heard there are a lot of viruses going around on the World Wide Web...
"Maybe you better just keep this anti-virus software, and take that Thunderfox thing off my machine, and see if it speeds up any. I'll just stick to Microsoft stuff, that should be safe enough.
"Besides, I don't think I need anti-virus stuff, really. My doctor always tells me to get a flu jag, and I ignore him. Hate needles. But I've not been ill for twenty years and I'm not intending to be ill any time soon. I don't go out in the rain without a scarf on, I cover my mouth when I'm sitting on a train next to a guy who's coughing and sneezing away. Sensible, see?
"It's like that with the computer. I don't use the Internet Explorer much - mostly I just use the computer for email and typing up letters and stuff. And I've never been on this World Wide Web thing - I remember a guy at work saying that you could get a lot of viruses off this Web, so I stayed away from it. So I'm pretty safe, right?
"Anyway, I'll see you next week. Oh, and hey, while you're at it
"Yeah, anyway, see you next week. Sure, I'll say hi to your Mom for you. Alright, bye."
Re:No thanks (Score:3, Insightful)
Windows (XP especially) is a consumer OS. It isn't supposed to be serving any networked services. Why are things like DCOM, NetBIOS, Messenger, etc running on XP, which is installed mostly on consumer computers? Anyone remember how blazingly fast that DCOM hole was exploited and spread, how many Windows boxes went down at once, and how much bandwidth was consumed?
If microsoft closed those services, there would be a dozen fewer eggs on its face. At least if you install Linux, you might have a few things running, like SSH, and RPC. RPC you close automatically, but exploits in SSH are not as easily and automatically exploited like DCOM.
Re:I'm so sick of the lies (Score:4, Insightful)
So instead, grossly over-simplify the argument, chuck in some spurious statistics and come up with an inflammatory headline that completely misrepresents the story. Maximum sales, minimum effort.
windows install (Score:1, Insightful)
Re:No thanks (Score:2, Insightful)
Re:No thanks (Score:5, Insightful)
It isn't only that Microsoft doesn't even try to tell people that using Admin all the time is bad. It's also the stupid developers that never test their software with non-Admin accounts. And don't even start to talk about RunAs. That's broken as well for most apps.
The only way for all this nonsense to hopefully be worked out is if Microsoft forced developers by making the default account a "User" account. Not even a "Power User" as that's pretty lame as well. Then every app out there will be forced to store their settings in the user's respective "Documents and Settings" folder. At this time, a lot of apps still store settings in either C:\Program Files\ or in HKEY_LOCAL_MACHINE. I'd rather have it in my own C:\D & S\username\Application Data folder and in HKEY_CURRENT_USER. This makes it more similar to *nix where it stores all settings in my
Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.
FUD (Score:1, Insightful)
Gates: Understand those are cases where you are downloading third-party software.
What is implied by these comments:
Fear:
Trusting "third-party software" will get you rooted. Only use official Microsoft software.
Uncertainty:
Perhaps we have been being lied to by all the reports about how vulnerable IE is, never mind that IE may not give you a choice or even let you know that your system has downloaded and installed third-party software (spyware/viruses). I think it is safe to say that IS an IE bug regardless of what your definition of "is" is.
Doubt:
According to Bill, you probably shouldn't trust those comments from CERT and the like about using, say Firefox or Opera, because it is all caused by other people's software.
*Bill waves hand*
Microsoft software is not vulnerable, only third-party viruses are.
Unfortunately... (Score:3, Insightful)
Yeah, you can get away with running some applications using the "RunAs" command, but that is nowhere near as powerful or as capable as the much older *nix version of that.
Seriously though, out of the millions of people that use computers running Windows, very few of those people are even aware of different levels of access to the PC and a smaller number of those folk understand that there is a utility in MS Windows called "RunAs".
Fighting the last war. (Score:3, Insightful)
Microsoft doesn't do that well. They're forever preparing for the first war all over again, never learning the lesson they're faced with after every new exploit.
The problem is that Microsoft is trying to use discretionary access control to implement a design that requires mandatory access control. In an environment with mandatory access control, every object (document, program, web page, email message) in the OS has its security level bound to it in such a way that an application displaying that object can have no more rights than the least secure object it has accessed. The only way to raise the security level of an object is through a trusted component that has explicitly been granted the rights to do so.
Their "security zones" can't be depended on unless the whole operating system and all applications operate on this basis. If they're not going to create a compartmentalised Windows AND make it the default configuration (and wouldn't people scream at that!), the only place they can create these compartments, these internal layers of sandboxes, is by having the applications themselves handle their own sandboxing. Remove the responsibility for trust management and remote access from the HTML control and let it merely render HTML. If the document displayed wants to access an image or stylesheet or script, run a script or a plugin or embedded component, let it ask the application for it, and let the application decide if the request should go through. Internet Explorer would let it fetch remote documents, but not run scripts or applets that weren't sandboxed, nor pass URLs or files to applications that aren't prepared to enforce the same level of mistrust. Windows Explorer wouldn't display remote documents at all. Outlook would be even more restrictive. And IE wouldn't blithely pass files to arbitrary desktop applications to open.
You can't do this by having the HTML control guess, no matter how good a guess it can make, because it's not in a position where it can actually know what rights the document should have. Only the application does.
Split the HTML control down the middle like this, and restrict IE to only running fully sandboxed applets and scripts, and there would be very little change in the user's experience. About the only thing they'd notice is that Windows Update would have to become a separate program instead of an ActiveX plugin (and likely run faster), and a few applications would need updates because they were doing dangerous things. There would be an enormous improvement in security, though, and Microsoft could quit wasting time on fixing the unfixable and get around to working on the NEXT war instead.
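The label rule described in the comment above (a process ends up with no more rights than the least trusted object it has touched, and only an explicitly trusted component may raise a label) can be modelled in a few lines. This is an added example, not part of the original comment; the three levels, the class names and the `may_upgrade` flag are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):        # assumed lattice, lowest value = least trusted
    REMOTE = 0               # web page, e-mail message, downloaded file
    USER = 1                 # the user's own documents and settings
    SYSTEM = 2               # operating-system components

class Denied(Exception):
    pass

class Obj:
    def __init__(self, name, level):
        self.name, self.level = name, level

class Process:
    def __init__(self, name, level, may_upgrade=False):
        self.name, self.level, self.may_upgrade = name, level, may_upgrade

    def read(self, obj):
        # Low-water mark: after touching obj the process holds no more
        # rights than the least trusted object it has accessed.
        self.level = min(self.level, obj.level)

    def write(self, obj):
        if self.level < obj.level:
            raise Denied(f"{self.name} at {self.level.name} cannot write {obj.name}")

    def create(self, name):
        return Obj(name, self.level)   # the label is bound at creation

    def relabel(self, obj, level):
        # Changing a label is reserved for a component explicitly granted that right.
        if not self.may_upgrade:
            raise Denied(f"{self.name} may not relabel {obj.name}")
        obj.level = level

def demo():
    """Constructed scenario: a browser reads a remote page, then tries to misbehave."""
    log = []
    startup = Obj("startup script", Level.USER)
    browser = Process("browser", Level.USER)
    browser.write(startup)                       # fine: nothing remote read yet
    browser.read(Obj("remote page", Level.REMOTE))
    log.append(browser.level)                    # dropped to REMOTE
    download = browser.create("download")        # inherits REMOTE
    for attempt in (lambda: browser.write(startup),
                    lambda: browser.relabel(download, Level.USER)):
        try:
            attempt()
            log.append("allowed")
        except Denied:
            log.append("denied")
    approver = Process("trusted upgrader", Level.SYSTEM, may_upgrade=True)
    approver.relabel(download, Level.USER)       # the only path upward
    log.append(download.level)
    return log

if __name__ == "__main__":
    print(demo())
```

The model only makes the decision; in a real system the checks in `read`, `write` and `relabel` would have to sit in the operating system, outside the process being confined.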
The whole attitude makes me angry (Score:4, Insightful)
Gates: Understand those are cases where you are downloading third-party software.
This is just a lie. I wonder if he really believes this bullshit.
Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.
And here you can see that the whole attitude towards the security is weird at M$. I mean I don't want Anti-Virus or Anti-Spyware Software from Microsoft. I want the structural problems of Windows solved.
If you start MacOS X the root user is disabled by default. That is why spyware doesn't have a chance. Even the most stupid user will think twice if he has to enter his system password when he installs software. Same with Linux. The whole spyware thing would be much much less trouble if the default install of Windows would create a user account.
And Windows has these capabilities. But at the moment this feature is pretty much unusable because most of the software vendors don't give a shit about multi-user install. And why do they do this? Because M$ creates a default Admin-Account anyway. If M$ would change that, the software vendors would adapt very quickly, like they did with SP2.
Same with Firewall: First install zillions of services which most of the users don't need at all. And instead of switching these services off by default, you create a Firewall to fix it.
It's the whole "If we have to decide between usability and security, we will always go for usability" approach that bothers me...
"Never Trust Microsoft" Re:No thanks (Score:2, Insightful)
Why isn't there a checkbox for "never trust Microsoft"?
Re:No thanks (Score:3, Insightful)
I don't. I just want them to build in stuff that doesn't suck.
I always thought this bundling issue was just an excuse for Netscape to whine because they couldn't write a good browser (or more specifically, that they had a good browser and MS'ed it up by bloating it beyond usability). No one complains that Windows comes with WordPad, which as far as I'm concerned is all the word processor I need.
Re:No thanks (Score:2, Insightful)
Nope. I'm suggesting they scrap this train-wreck of an OS and rebuild from the Kernel up. With all they've learned about security patching maybe next time they can get it right.
Re:No thanks (Score:3, Insightful)
Yes indeed. Given Apple's history of remote code execution via web pages in Outlook stylie (look up the disk:// and help exploits), I think the only thing really "protecting" the Mac is statistical irrelevance. Same is true of Linux to some extent.
Re:No thanks (Score:5, Insightful)
Unfortunately, running as a normal user won't do any good in a single-user system. After all, you have the right to access your own folders, and thus are still vulnerable to malware which installs there - you just can't pollute other users with it.
Linux isn't immune to this problem either. It was designed to sandbox users from each other, but a single normal user will find it difficult to sandbox individual processes. Any process running at my privileges can access all my files, install cron jobs to be run automatically at machine boot, etc.
A real solution is a fine-grained permission control. For example, a Web browser should be able to read its configuration files and plugins/extensions, connect to any Internet address, and write to the bookmark file(s) and download and cache directory(ies). It shouldn't be able to do anything else. If there was an easy way to do this, even if the browser was compromised by a web site, there wouldn't be much that site could do. Especially if you could set the bookmark and configuration files to be stored as a "journaled" file, which would record the changes to it and allow returning to any given point in time. Obviously, you'd also need to move any downloaded files away from the download folder and check them with MD5/SHA1 checksums to avoid tampering (but how do you get that checksum, if you suspect your browser has been compromised?)
I'd imagine something like this could be done with relative ease with Hurd [gnu.org], since one of its design goals is to allow each user to replace parts of the operating system (even the file systems) with new parts without disturbing others. So you could install a translator [gnu.org] to control access to your home directory or any subdirectories (but of course such translators can also be removed by programs running with your permissions - that's one permission that should be droppable).
An alternative way would be to allow users to build and set up "subusers" - simply add 32 bits to processes (and files) user id. The complete id would then be in the form of userid.subid. Userid.0 would have all the rights of the user, while userid.1 would be a "subuser" and have limited rights (the system would basically make userid.0 the root of his own home directory). This could also be generalized into a hierarchical authority tree, allowing individual programs to run parts of them as more restricted users (for example, a p2p-application could generate separate processes for managing file storage and network connectivity, allowing the part that touches the network to run without any access to filesystem and thus reducing the likelihood of a bug in it from causing damage).
To summarize: the traditional access controls are designed to protect users from each other. This is not enough. A single unprivileged user needs an easy way to make sandboxes for programs to run in. If the computer is a house divided with walls to different rooms for each user, then all those users need the ability to further subdivide their own rooms with more walls, and they must be able to make/remove those walls without help from the janitor (administrator).
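A small model of the "subuser" tree proposed in the comment above, applied to its browser and p2p examples. This is an added example, not part of the original comment: the `Principal` class, the grant format and the sample paths are assumptions, only file rights are modelled (not network access), and symlinks are ignored.

```python
import posixpath

class Principal:
    """Node in the authority tree. (1000,) stands for the full user ("1000.0" in
    the comment's notation), (1000, 1) for subuser 1000.1, (1000, 1, 1) for a
    subuser of that subuser."""

    def __init__(self, ident, grants, parent=None):
        self.ident = ident
        self.grants = dict(grants)   # path -> subset of "rw", applies to the subtree
        self.parent = parent
        self._next_sub = 1

    def spawn(self, grants):
        """Create a subuser; only the parent is involved, no administrator."""
        child = Principal(self.ident + (self._next_sub,), grants, self)
        self._next_sub += 1
        return child

    def _covers(self, path, mode):
        for root, modes in self.grants.items():
            root = posixpath.normpath(root)
            if mode in modes and (path == root or path.startswith(root.rstrip("/") + "/")):
                return True
        return False

    def allows(self, path, mode):
        """A request must be covered by this node and every ancestor, so a
        subuser can never hold more than the principal that created it."""
        path = posixpath.normpath(path)   # collapse "a/../b" before matching
        node = self
        while node is not None:
            if not node._covers(path, mode):
                return False
            node = node.parent
        return True

HOME = "/home/alice"                       # constructed sample layout
alice = Principal((1000,), {HOME: "rw"})
browser = alice.spawn({
    HOME + "/.browser": "r",               # configuration, plugins, extensions
    HOME + "/.browser/bookmarks": "rw",
    HOME + "/.browser/cache": "rw",
    HOME + "/downloads": "rw",
})
plugin = browser.spawn({HOME: "rw"})       # over-broad request, still capped by browser
p2p_net = alice.spawn({})                  # network half of a p2p client: no files at all
```

With these grants a compromised browser can fill its cache and download folder but cannot overwrite its own plugins, read `~/.ssh`, or escape the download folder with a `..` path, and the plugin's over-broad grant buys it nothing beyond what the browser itself holds.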
Re:Check the history of the seatbelt in the car (Score:1, Insightful)
Why the hell would we want the government involved? It's not their job to make your PC protect itself. If consumers want those protections, they should use their buying power to initiate change. We all know that there are more operating systems out there that are more secure. If you want that security, fix it yourself. Take some responsibility.
Re:No thanks (Score:2, Insightful)
Media Data (Score:4, Insightful)
Remember they have lives, and that they don't live anywhere near the records, which are often kept from the average citizen anyway. ( perhaps not technically restricted, but the artificial barriers that have been erected serve the same net result )
And btw, the same goes for your totally OT statement about Senator Kerry, appears you don't know diddly either.. Start reading his public voting records and then compare them to what he says.
It should be easy, he tended not to show for work too often.
Or just listen to televised debates, and actually listen to what he says from sentence to sentence.
Where did you get your 'facts', from another biased news service I bet?
( and no, I don't claim his main opponent is any better.. before you go blame me of being biased )
Yeah right (Score:2, Insightful)
Gates: It's not a thing you build in. You have to offer a service.
Imagine if automakers charged to offer seatbelts and brakes as a service.
Re:No thanks (Score:3, Insightful)
Bill is right, in the same way that Clinton was when he said he "never had sex" with Monica. I guess Bill is defining "download" in the quite correct sense of data arriving on your PC via network. What most people think though is of software they choose to download and install, not stuff that exploits OS or browser holes or even user gullibility (clicking something with a deceptive label).
Re:I'm so sick of the lies (Score:2, Insightful)
Re:No thanks (Score:2, Insightful)
Ah.. Now I understand why they call it "Windows 2000 SERVER" and "Windows 2003 SERVER"
But since IIS is an install option for 2000 Professional (and XP I believe) and PWS is an install option for 98, I can't see how Microsoft is saying "This is a consumer OS that isn't supposed to be serving any network services." In fact, since they are providing these applications, they are saying that this is ok.
The roof won't leak, unless it rains (Score:3, Insightful)
Re:+1 FUNNY (Score:1, Insightful)
he's telling the truth!
they provide a common API for all viruses and worms to be compatible with.
Self-knowledge. (Score:3, Insightful)
I am not surprised at all from the above statement. After all, IE has the biggest security problems, so it is natural that IE had the biggest expenses in making it secure.
Re:[Slaps forehead] Of course! (Score:2, Insightful)
Re:Check the history of the seatbelt in the car (Score:5, Insightful)
Even though you acknowledge the overall statistics, you then rely on one person's experiences for choosing not to wear a seatbelt in many circumstances to overrule the statistics.
To see why this is crazy, imagine asking 1000 people all across the country to toss (fair and balanced) coins. Ask the 500 or so people who get heads to toss again. Ask the 250 or so people who get heads that time to toss again. And so on, through 125, 62, 31, 15, 7, 3, till you're left with 1 person. Now this 1 person has tossed a coin 10 times and it's come up heads every time! [1]
Now if you didn't know much about coin tossing, except a statistic that said they come up tails about 50% of the time, and you only knew that one person, should you believe her if she says "Well, the statistics say tails comes up 50% of the time, but from what I've seen, it's heads all the way!"?
Unless you know of a broad survey of many accident investigators who detect a tendency for low-speed or low-traffic density accident injuries to be increased in either number or severity because of seat belts, then you must take what you're hearing with a hefty grain of salt, even if what they are saying is 100% true[2]. (By the way, I fail to see the difference in between accidentally wrapping oneself around a telephone pole on a busy road vs. a quiet road.)
Don't forget there's an obvious potential for observer's bias here too: you're not seeing his formal reports, but just the stories he's choosing to share with you in an environment which encourages entertaining conversation, not necessarily statistically accurate conversation.
In the absence of such a survey, perhaps the best thing is to consider the failure mode you're really concerned about: it's not that wearing a seat belt is bad during the accident, but that you may be trapped afterwards. Put a box cutter or similar within reach, say in the door drawer. If you can't operate the cutter because of unconsciousness or severe injury, well, in your condition, you weren't getting out of that car anyway.
[1] There's actually a well known stock-market scam [investorhome.com] which operates in very much this fashion.
[2] The furor over silicone breast implants is another good example: a lot of women honestly reported problems after breast implants, but when all was said and done [emedicine.com], their problems were coincidental.
Somewhat incorrect. (Score:3, Insightful)
Of course, since most of those attempts are from compromised Windows boxes, looking for other unsecured Windows boxes, the attacks don't get very far.
It's just that the overwhelming majority of compromised machines are Windows machines that are now looking for other Windows machines.
Re:Spin is just spin (Score:3, Insightful)
Re:Ones not made by Microsoft (Score:3, Insightful)
Honestly though, Canberra is a very small town, so if you are expecting to see "Australia" while you're there, there's not much. Your best bet is to look here [canberratourism.com.au] or here [atn.com.au] for things to do there.
Otherwise bear in mind that it's about 200 miles to Sydney, 400 miles to Melbourne or 800 miles to Brisbane, where the real stuff happens...
What kind of things do you like to see when travelling?
Canberra LUG here [clug.org.au], Wollongong LUG seems offline [uow.edu.au] at the moment.
Re:Spin is just spin (Score:3, Insightful)
Don't some USB drives have locks? (Score:3, Insightful)
The basic idea is a really good one. It adds another layer of defense, as how many spyware and virii REALLY are going to try and write to mozilla.exe?
People should make more of a distinction between what is possible and the reality of what is around now. A number of people act like because you COULD write spyware for OS X or Linux, that there's no point in switching - when the reality is Windows is the only system you have to deal with that crap right now and it will probably be years before anything hits the other systems.
Re:No thanks (Score:4, Insightful)
Re:No thanks (Score:3, Insightful)
99% of the time, people are going to use sudo or have to type their password into a box that pops up, and if they don't know why something is asking for root privs, they deserve what they get if it's malware.
That said, I haven't heard of anything nasty that does that - yet.
Re:No thanks (Score:5, Insightful)
Well, they're sure not hardware...
They are pieces of bad code
Bad or not, if it's code, it's software, and it is 3rd party.
Personally, I would have modded the grandparent "Funny" if anything. It's the same thing I thought. Technically, it is all 3rd party software that's being downloaded...
Re:From TFA.. (Score:3, Insightful)
Tell them to quit micromanaging.
Are you supposed to turn down business
Only business from customers you don't really want anyways. Maybe if more people would grow a spine we could stuff these halfwits who think they're stellar managers (because they use MS-Project) back in their place serving us french fries.
Or do you keep the most popular OS on the planet around because you have to have it to run some of the most popular software packages?
Is that like kids saying they have to have Kazaa otherwise they won't be popular? Is that like kids whining for $200 tennis shoes? Maybe the world does revolve around spoiled, rich, underachiever brats who like to play manager with their nifty new MS-ProjectPlusSuperStellarEdition 2005 Ultra Pro XP.
I, however, will always have the brainpower while Mr. Yuppie over there goes berserk when his HD crashes.