Microsoft Vows Security Commitment on Win2K
dieMSdie writes "MSFT is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs" reads this story on CNN. There is also a poll; the results so far are quite amusing." I bet they'll be even more amusing once our readers get a crack at it.
Re:Only the LinuxPPC machine was penetrated. (Score:1)
Thunderstorm or something, was it not? Or maybe it was solar radiation, or maybe phase of the moon....
What was your username again?
15 is really quite a few (Score:1)
Or try looking at it this way. Do you honestly think if MS thought more developers would help, they wouldn't hire more? If any company has the resources to hire more developers, I think we could all agree it's MS.
Re:Quick Debunking... (Score:1)
Jesus God, get OUT more. Get a relationship. Go to the beach. Stop playing Quake and Starcraft. Stop looking for aliens with your spare CPU cycles and start helping actual humans on the streets of your hometown.
Not that I _support_ Microsoft, but holding this degree of anger against them CAN'T be healthy.
Read MY lips: the war you're fighting is SO small in the big picture that whatever the outcome, in 20 years it won't make a difference, and you'll wonder where the time went.
Re:speed of response (Score:1)
You said it !! As someone from an IT marketing background (my specialism is in guerrilla marketing), I have to congratulate and give kudos to Microsoft for the way they have empowered their employees to innovate round-the-clock. They have consistently continued to develop great quality software that enhances the Internet experience, despite strong competition in the marketplace, and despite the intervention of the Government.
Cool, paradigm-busting category-killing products such as DirectX, OpenGL, DCOM, GCC, SOAP, ActiveX and the Perl rapid scripting tool are the envy of the Unix/Mainframe "old guard" who still "just don't get it". (will they ever? ;-) )
However, one thing that disturbs me about Microsoft is the way they are going about marketing Linux.
I think they may have gone just a little bit too far with their Gen-X/Slacker branding strategy, and may be alienating potential corporate customers.
In fact, sometimes it is not clear to me that Microsoft are really in control of their Linux product at all. I think the issue is one of brand-awareness amongst the target demographic. But also, the way they present Linux shows the dangers of a so-called "guerrilla marketing" strategy.
The spokesman for Linux, Richard Stallman, is a particular problem. Sometimes it's hard to see how his comments can possibly add any shareholder value, and if these outbursts continue, the board and the stockholders would be well within their rights to attempt to have him removed. The whole point of guerrilla marketing is that it only works if the target demographic is in on the joke. From what I have seen on this forum, and on other areas of AOL, it seems that many out there are at the very least, confused about Microsoft's involvement with Linux.
The whole "open-source" angle is also open to interpretation. What for instance is there to stop one of Microsoft's many competitors from simply copying the source, and claiming their system is Linux ? Or even worse, stealing Microsoft's patents ? How can Microsoft justify this, where are the future revenue streams ?
My advice to Microsoft (for what it's worth) is this:
1) Cut out the guerrilla stuff - it's played out, especially the open-source gimmick. It may well mean that potential patents are not upheld in court. Can you say "major loss of $$$$s" ?
2) Change the name. Differentiation is fine, but if people don't associate Linux with Microsoft, where's the cross-branding synergy and leverage ?
3) Consider moving Richard Stallman from the GNU department into something where he can continue to innovate, but where he is not in a position to frighten potential corporate customers. Remember in business, security is very important. Anyone looking at the way Stallman dresses would assume he knows nothing about enterprise level security. At least make him get his hair cut and wear a suit and tie. That's just basic marketing 101. :-)
4) Leverage the existing user base. Do they know for instance that the GNOME desktop with the KDE browser are object-oriented and can therefore provide an out-of-the-box enhanced user experience that approaches that of the Win98/2000 family ? How about getting the Linux advocates to realise that Microsoft will never be able to make any money out of Linux so long as they continue with their immature behaviour. Without Microsoft innovation, Linux will simply fall by the wayside, like HP-UX's ill-fated CDE project did.
5) Finally, they need to seriously think about changing the name of Linux, to something more in keeping with the rest of the product line. For example ActiveUnix, ActiveUx, ActiveIx, or even perhaps ActiveGnuLinux. They must ram home the message to the consumer unit that Linux == Microsoft, and Microsoft==Linux.
Although I may not be an expert in the technology, I like to think I understand a bit about marketing, so I offer this unsolicited "open-source" :-) advice for free....
Current stats: Thu Jan 20 15:40:56 EST 2000 (Score:1)
Yes 944 votes, 6%
No 13643 votes, 94%
cant trust closed source (Score:1)
Re:Microsoft and Security... (Score:1)
The purely computational reasoning you propose is flawed, and always will be until the exponential advances in technology and algorithms are figured into the calculations.
Distributed.net is *not* the end-all, be-all of decryption. It *is* a massive display of brute-force, cracking power. That's it.
...and if 128-bit encryption is safe enough, why can't we legally be more paranoid? That's the real question.
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
Re:Somebody moderate that up! :D (Score:1)
Either someone at Microsoft has a sense of humor, or... umm. No, the alternative is too scary.
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
Re:Do any of you know what security is? (Score:1)
Yes, time certainly will tell - but history is also quite telling. People are slow to change - large corporations are even slower, if they can be changed at all. Microsoft has made claims like the claims that they're now making for Windows 2000 with every release of NT - and in the opinion of many, fell extremely short with each previous attempt. Hopefully they'll get closer to the target this time, but I'm not gonna be placing any bets on it...
Re:What?!? (Score:1)
Re:What do you all suggest Microsoft do then? (Score:1)
I know that I'd prefer bash-style completion, though...
Re:Do any of you know what security is? (Score:1)
Security depends on many things - knowledge and ability of the administrator, the quality and care put into the software used, and the willingness of the users to help make the system secure. A sloppy admin will certainly reduce security, of course. But a badly-written/badly-implemented piece of software will as well. A skilled admin may be able to work around some of a piece of software's flaws, but that doesn't make the software better.
Also, try picking up a copy of "Practical UNIX and Internet Security" by Garfinkel & Spafford at your local bookstore - nothing is ever 100% secure, unless no one can use it, which obviates the need for having it in the first place.
So maybe we should drop the whole question of "security"...
128 bit encryption - so what! (Score:1)
T.
Re:hrm. 15 people? (Score:1)
OpenBSD is thought by many security professionals to be the most secure UNIX-like operating system as the result of a 10-member 1.5-year long comprehensive source code security audit.
Re:Tainted Vote (Score:1)
Baaaaaa.
Are you talking about a poll or a Microsoft benchmark?
The PPC box was running more services. (Score:1)
Basically the W2K box had:
HTTP
FTP
Linux had:
HTTP
FTP
TELNET
TIME
ECHO
and they gave out the root passwd.
Microsoft Security ??? (Score:1)
Re:Fascist Linux Users (Score:1)
Poorly worded poll (Score:1)
Not a chance in Hell.
Of course, if you asked me the same question about OpenBSD's security, you'd get the same answer. Two reasons: First, I'm a paranoid so I don't trust any security system. If they had asked about OpenBSD _relative to other systems_ I would have said yes (MS would still get a big no). Second, I am not going to come close to trusting any system that I don't have direct control over, as I'm sure has been said many times in this thread, no system is inherently secure, it's up to the administrator to make it so.
What about the backdoors? (Score:1)
It is easy to talk about "SECURITY". You can have a million-bit encryption routine and still you are not secure, if there are backdoors readily to be cracked by spy agencies like the CIA or NSA.
What about the backdoors, Microsoft?
What is "security"? (Score:1)
What is "security"?
If backdoors are NOT important, the big brothers can crack into your systems through the backdoors they have put in place, with the help from Microsoft, and they can wreak havoc with your system, your life, and everything that you own.
You own your computer, you put vital data into your computer thinking that it is secure, and when someone can get into your computer via backdoor, isn't _THAT_ a breach of security?
But I don't know. Maybe I am just not smart enough to know what it really means by "security".
Vigilance (Score:1)
Thanks, Yardley, for your post.
I find it interesting that there are still many people having the thought that governments can do no wrong, and all the wrongs committed must be by the 15-year-old hacks.
I also find it alarming that the influence of media on our everyday life is so thorough that some people's mindsets are being changed/programmed by the "news items" (I'd rather call it propaganda, but I digress) that they are being bombarded with.
Ballmer and mousetrap (Score:1)
Hahaha, it should be Steve Ballmer getting himself stuck in a MOUSEtrap.
Re:speed of response (Score:1)
Re:Answered here a few days ago... (Score:1)
Re: (Score:1)
Re:Only the LinuxPPC machine was penetrated. (Score:1)
But didn't it get taken down fairly soon after it was put up, because of an internal problem? Of course, I'm probably remembering it wrong...
Re:And what about Linux's security.... (Score:1)
Re:Only the LinuxPPC machine was penetrated. (Score:1)
Re:speed of response (Score:1)
Why not? If they're trying to produce a foolproof, easy to use but yet secure OS, shouldn't their testers include some fools? I'm really not being sarcastic here - some of the biggest bugs are found by people who don't know how to use the product and just try what looks like a good approach.
With any product, this can easily blow up in your face. On a *nix box, typing random text into files in /etc isn't a recommended approach to system administration. But MS sells a lot on the basis of ease of use and customer familiarity with Windows. They should be testing their products with users who have no clues and are just depending on ease of use to get them through. We'll see how secure the OS is under those circumstances.
Re:Breakin stats are misleading (Score:1)
I thought the whole point of using an NT server was that it was easy to use, and thus you don't have to hire expensive admins with real knowledge of networking, security, and so forth. The ease of use of NT should make it possible for a less-knowledgeable sysadmin to keep up an NT server just as well as a more-knowledgeable *nix admin keeps up a *nix server. Or at least that's what I hear from Microsoft...
Re:speed of response (links on secure programming) (Score:1)
http://vapid.dhs.org/Library/P49-14-Aleph-One
This paper is by the w00w00 security team and it discusses heap overflows, another result of bounds-checking errors in C, but these techniques are less widely known.
ftp://ftp.technotronic.com/rfc/w00w00-heap-over
This is a link to the UNIX secure programming FAQ.
http://www.whitefang.com/sup/secure-faq.html
Security model (Score:1)
Re:MODERATORS ON CRACK!!! (Score:1)
Actually, "Slashdot zealot crew" is a simple recognition of a common attitude around here. Deal with it.
Secondly, I obviously don't say things to please the cult fanatics which dominate the discussion around here, so I have no problem using my normal login to complain about moderation if I felt like it. (It was junk moderation -- if you notice, even the guy to whom I was responding agreed with my point about zealots -- but pretty typical and I'm used to it, so I wouldn't have said anything.) On the other hand, you hide behind the Anonymous Coward to make your accusation. Hopefully you'll be able to appreciate the irony.
Cheers,
ZicoKnows@hotmail.com
Re:um, no -- Uh, yes. -- um, no -- Duh, yes - NO (Score:1)
I'm not sure if your only knowledge of computers is how to use a web browser, but you seem to be under the impression that the only servers out there are web servers. When I said that they're using Win2K internally, I wasn't talking about just Win2K Professional (formerly Workstation) -- they're also using Win2K Server (probably Win2K Advanced Server as well, but that's one detail that I don't remember from the article), just not for their web site, for the reasons I stated above.
As far as which trade mag, I really don't remember, since I probably receive over 40 of them, and the article wasn't important enough for me to save. I know it was in the last month or two, if that helps, and if I come across it again, I'll post the URL or issue number.
Cheers,
ZicoKnows@hotmail.com
Re:Tainted Vote (Score:1)
For Mindcraft II, the Linux team was invited to make all the hacks they wanted, and NT still beat it like a drum. Also, from the job titles, it sounded like everybody on the Microsoft team was a marketroid. Ouch.
Cheers,
ZicoKnows@hotmail.com
You can open this with unzip. (Score:2)
--
Re:Do any of you know what security is? (Score:2)
Wow, you think? NT has to implement access control on many different types of things... yes, everything's an "object" - but on Unix and Unix-alike systems, everything is a file. That's why NT's security is very different from Unix security - it's just a plain different approach.
On the fact Unix's security is based on 1 superuser which is needed for all daemons? on userrights instead of object rights?
That doesn't necessarily make it more or less secure (unless something in the OS is implemented badly, has some kind of hole, etc.)...
NT is in the US/Canada area already 128bit for years. Windows 2000 will be using 128bit security worldwide.
Uhhh. They'd have to have government permission to export "strong" encryption outside of the US. Also, "worldwide" is a relative term - there're still several nations on the US government's shitlist that they won't allow ANYONE to export crypto technology to (and some like France, where they simply don't permit crypto technology at all). Simply, I think you don't know what you're talking about here.
Windows2000 will use Kerberos strong encryption
Uhhh. You obviously don't understand what Kerberos is - Kerberos is NOT an encryption method, it is a secure ticket-based authentication system. (It doesn't necessarily use "strong" crypto, afaik.) And an "industry standard"? It's certainly a standard, but (a) it's not a standard in "the industry" proper (because far as I know, most Unix vendors don't ship a commercial Unix with Kerberos plugged into it), and (b) Microsoft, of course, is using their own bastardized version of Kerberos, not the standard protocols that the rest of the world uses (minimizing compatibility, as usual).
MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix is therefore unfounded.
I don't know what planet you've been living on, but Microsoft has taken its sweet time fixing security-related issues. (Unless of course, you're a huge corporate customer...)
Still, unskilled administrators install the basic set [of IIS modules].
"[U]nskilled administrators"? I believe I heard it said best like this (roughly quoted): "If you need point and click to be an administrator, you shouldn't BE an administrator." Microsoft harps on how "easy" it is to admin NT - yet all the people I know who admin NT say "you really need to know what you're doing, not just any monkey in a 3-piece suit can do it"... Next.
IE holes are a problem, but who surfs the net on a production server.
Well, when EVERY Microsoft product requires IE to be installed for installation, and all the help and stuff like that is provided via IE, that's what you get. YASMD. (Yet Another Stupid Microsoft Decision)
but MOST of the system administrators, ALSO on unix, are not people with 10 to 12 years of experience with administrating servers
I don't have 10-12 years of experience (I have 4-5 years of Linux experience under my belt now), but most people I know consider me fairly learned, and I read ORA books, check up on BugTraq, and try to keep up on recent information and issues. You don't have to have a virtual lifetime of experience, but you need to have some, and you need to read up. That's the same whether you're running NT or Solaris or IRIX or Linux or HPUX or whatever.
No-one says unix is unsafe because sendmail is crap.
Well, that's very true, but Sendmail is just one MTA - there are several others; also, the bad old days of poor Sendmail security have mostly passed us by. I think the developers of Sendmail learned a LOT from the days of the Internet worm.
if you don't follow the security sites, if you don't apply patches REGULARLY!, if you don't know what to close and what to remove from the system to keep/make it secure, and most important: if you DON'T let a 3rd party, specialized in security, scan your systems for leaks, your system won't BE secure, no matter what kind of OS you have. Admitted: some OS-es have LESS open doors than others, but NO OS has NONE closed doors. Don't forget that.
All I can say to that is this: It's a lot easier to secure a Unix box than an NT box, if you know what you're doing. And by the very admission of NT admins that I've spoken with, you need to know what you're doing on NT too. Besides, with closed source, you never know what ports they're leaving open (at least till you portscan your own box), and that can be dangerous. I'd rather stick with Linux, where I can verify my own security (as well as having someone from outside check it), instead of depending on big daddy MS to do it for me.
Ask all those Solaris administrators currently suffering the DoS worms
Which are those? The main admins I feel bad for are SCO admins (seen loads of recent SCO issues on BugTraq) - and admins of NT 4 systems, who are soon to be orphaned unless they pay big bucks to update to the latest, greatest Microsoft product.
Bashing the FUTURE without knowing what it will bring with the facts of old material from the past is not fair.
It's called history. History is important - those who do not remember it are doomed to repeat it.
If you turn around the roles and people will bash Linux using the hundreds of holes in all the distributions
Not everyone runs the most holey of distros, but Linux security holes do (in general) get patched quickly. I happily run Debian, and have found it to be plenty secure for my needs (masq box/shell server/Web server for a public school district), and any security issues are quickly resolved with Debian, in my experience. NT's holes are just harder for the end-user to deal with - namely because you have to wait for them to come from above. You can't do anything about them on your own.
Your claim that NT security is "better" than Unix security is, IMO, quite false. Look at the history - then tell me what you believe.
Re:Only the LinuxPPC machine was penetrated. (Score:2)
http://www.zdnet.com/zdnn/stories/news/0,4586,2
If the Microsoft security challenge was meant as a publicity stunt, it may have backfired. As soon as the site went online, Microsoft ran into technical difficulties with the test server. Early visitors reported problems with the home page's HTML and JavaScript -- some serious enough to prevent them from accessing the page at all.
Posted status logs indicate that the server had to be rebooted at least once because the system log was full, and some services were unavailable at reboot.
Most significantly, the server has been repeatedly forced offline. The site was only intermittently available Tuesday and went down for approximately 8 hours Wednesday. Web service was restarted at least once Wednesday evening, and the server was rebooted after a reconfiguration on Thursday morning. Access continues to be intermittent, and the site was unavailable at press time.
Microsoft has offered conflicting reports as to the source of their problems. A Microsoft spokesperson attributed the difficulties Tuesday and Wednesday to router failures and thunderstorms in Seattle, while the site's status log blames the Wednesday crash on a "known bug". Microsoft was unavailable for further comment at press time.
So, do we know if it was hacked or not.
Re:Microsoft Good Security Habits (Score:2)
Too bad they can't be bothered to pick more secure default settings.
MEIN GOTT! (Score:2)
9:30 A.M. CDT
Poll: Do you trust Microsoft's Security?
GAHH! Looks like all 835 of Microsoft's directors and managers weren't at work in the last couple days. (Blatant UserFriendly reference)
Chas - The one, the only.
THANK GOD!!!
Re:How much will they charge? (Score:2)
Re:um, no -- Uh, yes. -- um, no (Score:2)
One of the trade mags had an article about Barnes and Noble recently. They are using Win2K internally and on the back end now, but not for their web site. The thinking being, if they ran into issues due the beta status of Win2K on the shipping side of things, they can take the time to sort the problem out. On the web site, however, they can't afford to run into any such slowdowns, because people expect to be able to place their orders immediately, and if they ran into a problem, might switch to another bookseller. This was especially relevant during the Christmas shopping season.
Cheers,
ZicoKnows@hotmail.com
Re:Microsoft and Security... (Score:2)
We're talking e-commerce here, not pages for family pets and innumerable "How to set up PPP under Linux" pages. NT is slaying Linux when it comes to e-commerce, even Netcraft's SSL statistics show this.
Cheers,
ZicoKnows@hotmail.com
Re:Only the LinuxPPC machine was penetrated. (Score:2)
No, it was a case of putting HTML tags into the guestbook, namely javascripts to redirect the viewer to a different web site. When someone went to the site, their browser would parse those tags and act accordingly, which in this case was to go to a different site. The guestbook originally didn't filter these out. Same thing happened to the LinuxPPC site, too, actually. Neither were server hacks.
Cheers,
ZicoKnows@hotmail.com
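The guestbook problem this comment describes (tags typed into the form being written back into the page, where the next visitor's browser parses them) is what is now called stored cross-site scripting, and the fix on the guestbook side is to escape each entry on output. The following is an added example, not code from the thread or from either site involved; it assumes a C CGI-style guestbook, the function names and buffer sizes are this example's own, and the sample entry is constructed.

```c
/* Added example, not from the original thread: escape guestbook fields
 * before writing them back into HTML, so that tags a visitor typed are
 * displayed as text instead of being parsed by the next browser.
 * Function names and buffer sizes are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

/* Copy `in` into `out` (capacity outsz), replacing the five characters
 * that have meaning in HTML with entities. Returns the number of bytes
 * the escaped text needs, excluding the NUL, even when it did not fit,
 * so a caller can compare the result with outsz to detect truncation. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t need = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (need + rl < outsz)          /* keep one byte for the NUL */
            memcpy(out + need, rep, rl);
        need += rl;
    }
    if (outsz > 0)
        out[need < outsz ? need : outsz - 1] = '\0';
    return need;
}

/* What the unfiltered guestbook did: the text goes into the page as-is,
 * so a <script> tag in a message becomes a script in the page. Kept only
 * to contrast with the escaped version below. */
int render_entry_raw(const char *name, const char *msg, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "<p><b>%s</b>: %s</p>\n", name, msg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Same line, with both fields escaped first. Returns 0 on success,
 * -1 if a field or the finished line would not fit. */
int render_entry_escaped(const char *name, const char *msg, char *out, size_t outsz)
{
    char ename[128], emsg[1024];
    if (html_escape(name, ename, sizeof ename) >= sizeof ename) return -1;
    if (html_escape(msg, emsg, sizeof emsg) >= sizeof emsg) return -1;
    int n = snprintf(out, outsz, "<p><b>%s</b>: %s</p>\n", ename, emsg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Constructed sample entry of the kind the comment describes. */
static const char SAMPLE_NAME[] = "visitor";
static const char SAMPLE_MSG[]  = "nice box <script>location=\"http://example.invalid/\"</script>";

/* Returns 1 if the rendered page text still contains a live script tag. */
int contains_live_tag(const char *page)
{
    return strstr(page, "<script") != NULL;
}

int main(void)
{
    char page[2048];
    render_entry_raw(SAMPLE_NAME, SAMPLE_MSG, page, sizeof page);
    printf("raw     : %s", page);
    render_entry_escaped(SAMPLE_NAME, SAMPLE_MSG, page, sizeof page);
    printf("escaped : %s", page);
    return 0;
}
```

The escaping is done at the point where text is placed into HTML, not when it is stored, so the guestbook keeps the original entry and the same routine protects every page that later displays it; the return value of `html_escape` lets the caller refuse an entry that would be silently cut short.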
Re:Only the LinuxPPC machine was penetrated. (Score:2)
Sure, a weather crash sounds odd, but it's happened to me before, so I can relate. The reason why it doesn't sound suspicious to me is because there were times when the server crashed due to bugs, poor sample configurations, and DoS attacks, and the Win2K guys didn't seem to have any trouble admitting these. If they're going to admit the other problems, why bother making up the weather/router one?
Cheers,
ZicoKnows@hotmail.com
Re:Tainted Vote (Score:2)
Great isn't it?
Sure, if you're the kind of person who needs cheap validation from others to help make all your decisions for you, even when you know deep down that the results are rigged -- I'm sure it must be wonderful. Party on, homes. Baaaaaa.
Cheers,
ZicoKnows@hotmail.com
Re:What do you all suggest Microsoft do then? (Score:2)
--
"But, Mulder, the new millennium doesn't begin until January 2001."
hrm. 15 people? (Score:2)
waiting on my OS/2 cds and Mandrake 7.. gotta nuke this win98 install.
jim
Equipping it, eh? (Score:2)
Re:It's better than Win98, that's for one thing (Score:2)
It's NT 5.0, they just renamed it to Windows 2000. Remember.. it was *going* to be their new OS.. they were going to scrap the 9x line... but that's not gonna happen either...
Re:speed of response (Score:2)
Re:What do you all suggest Microsoft do then? (Score:2)
Nice try, but that's not the behavior of the command line at all - it doesn't just "Cd you into the first match"... it shows you the first match, after which you can hit TAB again to show the next match, or hit SHIFT+TAB to show the previous one. Sheesh.
Simon
Re:Only the LinuxPPC machine was penetrated. (Score:2)
This is the same argument which makes Microsoft's "Embrace and Extend" policy perfectly valid and acceptable.
Choose your poison: Follow standards, or have core standards with branches coming off them. But don't be a hypocrite and expect to have both whenever Microsoft would choose the one you didn't.
Simon
speed of response (Score:2)
dave
(strangely tempted to shout first post, but resisting)
Re:speed of response (Score:2)
Bugs creep in despite your best efforts. The best you can do is respond to reports quickly.
dave (not even going to comment on the claim that "we put it naked on the internet")
Other Issues? (Score:2)
Well done to MS, they're now looking at security. How about stability? I know for a fact that quite a few financial institutions use NT on the desktop, but have banned it from their servers. Or actively discouraged the use of it there. How about MS showing us definite proof of W2K's stability, as compared to, for example a Sun Enterprise server or SGI enterprise class server, or IBM, or HP etc etc etc.
The desktop user does tolerate BSOD's and the occasional reboot (once an hour is annoying, but provided you don't lose data, it's fine
No (Score:2)
In conclusion: Linux is not an unstable beta product and is not one by definition. Just because there's always a development version getting kicked around at a furious pace (and immediately so after a stable version is declared so), doesn't speak to the contrary.
This be a marketing gimmick, folks (Score:2)
Giving the source out to 70 external agencies is a meaningless gesture. Is it going to be ALL of the code? or some of the code? or maybe just snippets here and there? And of course these agencies will likely have to sign NDAs which will limit the exposure to the people who actually *can* help.
And for helping out, what do we get? Do we get a piece of the M$ pie? Stock mebbe?? I think NOT.
It's likely that M$ will charge for the source as well.. So us grubby non-M$ coders will have to like.. *PAY* to take a look at it.
All in all, it's a lose-lose situation for anyone involved in this goofy business..
Sheesh.
-vanth
Re:Amusing... (Score:2)
"Gosh, if they want security, I'm sure they'll just solve the problems themselves. No reason we should spend any of our monopoly supported profits on fixing the problems for them."
Re:Do any of you know what security is? (Score:2)
"NT uses security throughout the system on objects. It's then way more flexible to set security flags, without the necessity to open up the system because a certain daemon needs root access, for example."
1) Linux supports stuff like this via POSIX.1e, which allows you to flexibly drop what you don't need (super user wise). An example is ProFTPD, which has mod_linuxprivs. When it's used, ProFTPD loses all super user abilities, except for the binding to ports lower than 1024 one.
2) More complex does not mean better. During WWII, German artillery had 49 moving parts and could strike more accurately, whereas American artillery only had 9 moving parts -- its only feature was it broke less.
"MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix is therefore unfounded."
It doesn't take ages to get a fix.. It just takes ages for them to post it on their website. They do really have a long latency time between a patch, and a posted patch.
"IE holes are a problem, but who surfs the net on a production server. "
Except that IE is now integrated into many other applications that don't need it (I've tried NT 5, and I really hate the grey-child-like Notepad common dialogs with huge "My Network Friends" buttons, and webenabling).. When you take an insecure code base, and cram it everywhere to stop people from ripping it out, you compromise a lot more than your morals. Then you have the marketdroid angle -- NT 5 Work^H^H^H^H Professional (where's the non-professional?) is targeted at those people who like saying they're using the "professional" version. I betcha they surf the web lots.. Do you want your CEO to go and get BOed because of their workstation OS choice?
"MS provides a bulkload of security documents how to implement security on your servers."
I'll have to go with Theo (de Raadt) on this one, and say ship the default config secured -- don't document what you have to do after the fact. When you have to install 500 workstations with a secure setup, it doesn't pay to have to go to each one and click on the same frickin' security wizards, over and over. There are ways around this, but I don't know why they don't ship with more things turned off, or at least with a visible off switch. I received some funny emails from my IDS when NT 5's probing of port 445 ("microsoft-ds") on the Linux firewall set it off..
NT 5 is better, but the ideas behind it are a mishmash of idealistic engineering, hopeful marketing, and sadly failed implementation. As the users on Bugtraq said, "it's getting better [with things like run as alternate user], but it still has lots to catch up on compared to Unix."
---
Re:Contest! (Score:2)
Of course, if you wanted a secure webserver, you would have to wipe the partition table and install OpenBSD on the box. That would require two additional reboots.
Re:Contest! (Score:2)
It's been my experience that the reboots can be avoided during a clean install. On a 'used' machine I usually reboot, but then I'm only installing a couple of SP/HF and the extra reboot can't hurt. I'm a little faster and looser with NT than I should be, however. Then again, the Windows boxen are behind a Linux Masq firewall and then a commercial NAT and a PIX. 'The Company' buys into the security-through-paranoia model of things.
Great, 128 bits and more unchecked buffers... (Score:2)
MS has already released 2 security bulletins this week alone, and of course, these are publicly known exploits.
They release fixes as quickly as they release bulletins, but anyone who installs a hotfix the day it is released is pretty much a masochistic guinea pig. I mean really, how does a service pack that totally borks WINSOCK get released?
He already said he was working for an MCSP (Score:2)
Ummm. Win2K isn't written in VB... (Score:2)
Re:PnP: how is it secured? (Score:2)
The "autoinstall" of drivers is a side-effect of this: if the Windows or NT is in a position to detect new hardware being added to the PCI (or ISA) bus, it makes (a certain) amount of sense for the OS to attempt to install the relevant drivers for the new hardware. This led to the behaviour first seen in Win95, where the OS detected that you'd added a new card and pleaded to be allowed to install drivers for it.
With the advent of more highly "swappable" bus specs such as PCMCIA and USB, as well as laptops with swappable floppy and CD-ROM/DVD drives (and no-one who's ever installed NT3.51 on a laptop from a stack of floppies will ever forget the experience) the need arose for NT to be able to handle devices arbitrarily appearing and disappearing again. Since NT, at the moment, scans the busses at boot time and then starts device drivers as appropriate, a new approach was needed.
The solution adopted is to say that PnP devices which are added when the machine is shut down (i.e. internal cards) are just a subset of all PnP devices and therefore to say that drivers should have the capability to be started on demand by the PnP Manager. Obviously this is, in many cases, not highly useful (the ability to start the RTC drivers at a point other than boot time is probably not going to see much real-world application ...) but it implies that load-on-demand for USB devices and PCMCIA cards (and IEEE 1394 devices, come to that) drops straight out of the design.
Now, to answer the question: the first time you add a new USB/PCMCIA/IEEE 1394 device to a Win2K box, you need to be logged in with Admin-level rights to install the drivers - but once that's done, anyone can hotswap to their heart's content no matter what their permissions.
--
Cheers
Re:Bugs are not the nature of software (Score:2)
Bugs are not the nature of software (Score:2)
Sorry, but you are wrong. Bugs are not the nature of software, but a symptom of the nature of human beings.
Our software is faulty because we are fallible. And that's because our software development processes mostly suck. Is your software buggy? Your process was lousy, and your own fallibility got you.
I would like to ask every coder around here to read this great article [fastcompany.com], only to learn a little about what perfect software development takes, and how difficult it is to tame our own tendency to screw things up.
Of course it is possible to write perfect software, just eliminate the coders' ability to fail. Perfect software development is very non-human.
Re:speed of response (Score:2)
> types of bugs - I find it funny that not only MS, but Solaris, all the flavors of *nix, etc, all have security flaws...It really DOES come down to fixing them.
It does and it doesn't. I think there are a couple of issues here. YES, most programmers make mistakes or fail to consider things and these bugs DO creep in, even in the skilled code of the best programmers.
(being a programmer, and NOT one of "the best" I find it comforting to know they are human too)
It is a matter of learning from one's mistakes and the mistakes of others, and thinking about security.
You will not write secure code if you are not writing it from a security conscious mindset. Every time your code takes input from a user, or anything outside of your own code, then you must be thinking to yourself "what if I get back what I'm not expecting".
It's easy to make the mistake of allocating a static buffer thinking "no username will be longer than X chars", and never think someone might purposefully HOPE you assumed that.
Now...how does this relate to Microsoft?
They are well known for having all night hacking runs for days on end as it comes down to the wire. When they see that release date approaching, it's "balls to the wall" time to code like a madman.
I do not think that that type of event is conducive to writing a secure system. It's a lot easier to forgo bounds checking on every little variable that came from userspace and to take dangerous shortcuts as that clock ticks away.
Of course, you are right, careful programming only goes so far (however it *IS* the first step). After that response is what matters. I think that their response has shown to be pretty bad too. They have earned a reputation for denying the existence of problems and stalling. They have made it difficult to find real information on the security problems in their OS. (back when I used windows...I found that every time I went to their website looking for security patches etc I found them increasingly hard to find every time)
-Steve
Re:Only the LinuxPPC machine was penetrated. (Score:2)
feedbacking bugs (Score:2)
security-stats: Microsoft vs. Open Source (Score:2)
it's hard to use this list to compare linux vs. NT, because lots of the bugs listed for the operating systems are in add-ons and third-party products.
the nearest statistical comparison of operating-system security is on attrition's [attrition.org] web-defacement counter. in the overall OS count from august 1999 to present Win-NT is leading clearly with 55%, followed by linux with 19% and solaris with 13%. source: http://www.attrition.org/mirror/attrition/os.html [attrition.org]
this total number of defacements should also take into account that there are more webservers running on linux than on NT, as can be seen here [leb.net].
open source brings a security problem which is not as big in closed source: it's far easier to write trojans. but this risk is small compared to backdoors intentionally implemented by closed-source software manufacturers. a good example is the international version of lotus notes where the NSA knows [heise.de] 24 bits of the 64-bit key.
Re:Microsoft and Security... (Score:2)
>The Win2K guys posted the Administrator password, what's your point?
His point is that the machine was NOT naked on the internet, it was behind a firewall. That test had nothing to do with cracking Win2K.
Perhaps you weren't paying attention, but the Linux box was compromised due to an insecure 3rd party CGI script. That is the fault of the administrator for using such a script, not the OS.
What do you know, Zico? I wonder...
Here are my suggestions: (Score:2)
2. Get rid of the required GUI. That's just asking for trouble, really. If people want the shiny happy face buttons, let them have them. But maybe if your OS overwrites the video drivers randomly, people should be able to at least boot their server to a useable state until they can comfortably fix it after-hours.
3. Actually do what they just said. Every week a new bug comes out in ActiveX. Every few weeks, an exploit comes out for NT or 9x. It always takes them a lot longer to fix it than the Linux or BSD people. Plus, when they found a bug in the Linux 3C59x driver, I hand-edited the file and fixed it myself. However, I DON'T want them to go OSS, as stated above.
4. Keep the "happy marketing" away from the server products. Servers are not named "My Computer". Servers have ugly names, so that crackers cannot guess them, unless you feel like putting up a script-kiddie magnet by naming it something like "exchange.getbent.com". I am not in a Network Neighborhood; I'm on a LAN. Blechh.
Re:um, no -- Uh, yes. (Score:2)
www.bn.com
is running [netcraft.com] Microsoft-IIS/4.0 on NT4 or Windows 98
www.barnesandnoble.com
is running [netcraft.com] Microsoft-IIS/4.0 on NT4 or Windows 98
This leads me to speculate that you do not have a source for your information.
Cargo Cult Security (Score:2)
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
MS Security is NOT the BIG problem (Score:2)
Re:Microsoft and Security... (Score:2)
Hmm. But exactly _what_ is being encrypted? Your passwords? (does it matter how strong this encryption is, when there's 1000 backdoors waiting to be discovered?) Your network connection? Or just your browser? Do they even say? Does it really matter? Knowing how secure Microsoft OS's have been historically, this sounds like putting a strong deadbolt into a flimsy wood-panel door that's really only suitable for indoor doors.
And here's an even better question: can you export this encryption? (The French just might not care anyway, if it's the only strong link in a weak chain.) Another is to ask whether the filesystem has any security whatsoever, besides "are you sure you want to delete everything in this directory?" Of course, filesystem security doesn't mean jack when you can do whatever you want from the outside anyway.
---
I can't wait for proper speech-recognition.
Re:What do you all suggest Microsoft do then? (Score:2)
It wouldn't be so bad if we've got a "standard" operating system (alright, dominant/monopoly) that actually works very very well.
Things I would LOVE to see Microsoft do in Windows are proper process control - including being able to kill a process NOW, because _I_ think it's safe, rather than letting whatever program has gone zombie decide if it's safe or not, before finally letting the operating system say "okay, it's dead now. Should I kill it?" after about 45 seconds. The applications that most people use to create documents with already have some sort of functionality to automatically save your work every couple of minutes, just in case things go bad. (why? Because everything is so damn unstable...) The process control Windows has now doesn't help this problem any, because once a program has gone south, 99% of the time there is No Going Back to save your files anyway. Included in "proper process control" are things like telling any process to re-read its configuration file, which you just changed, and to do it without rebooting the whole OS. I hear they've managed this with W2K, but I'm skeptical.
I'd also like to see some decent Protected Memory designed into the OS. I understand that they might have gotten it sort of right this time with W2k, with its much-hailed stability.
And for the love of god, design the filesystem so that you don't _have_ to defrag the drive! It takes long enough to do on a 2 gig drive, let alone the 20 gigs that are typically in new computers.
Another neat functionality that any unix user would really appreciate, is a checkbox somewhere, maybe even hidden deep in the GUI away from clueless eyes, saying "No, I'm not an idiot. You can stop asking me if I'm really sure I wanna do that. (I hereby declare that if I screw up, it's my own damn fault, and I won't sue Microsoft.)"
If Microsoft can do all of these things, that would make me very happy to use Windows. I still won't like Microsoft, because they're Completely Evil(TM). (It's true! Isn't that what the CE in Windows CE means?)
---
I can't wait for proper speech-recognition.
What do you all suggest Microsoft do then? (Score:3)
If they hire 1000 people to do nothing but track down bugs and security problems, you people will say it's not enough.
If they totally open-source Win2000 and give away everything, including the source code....you people will say "oh, they're just trying to jump on the Open Source bandwagon...it's all hype".
If they say: "ok, we give up...we're getting out of the OS business"...you people will THEN yell at them for being quiters.
So what I want to know is this....WHAT do you want Microsoft to do?
Re:And what about Linux's security.... (Score:3)
I disagree. Different people have different skill-sets. If you are a 31337 crypto expert, by all means work on the security, however, if time pressures or a "real" job or plain lack of talent (in my case) or whatever prevent you from contributing actual code base, you can still make a difference to the progress of the open-source steamroller by exposing Micro$haft to ridicule wherever their marketing-driven FUD rears its ugly head. Remember that the mis-perception of a platform's security is in itself, a security flaw.
The poster of the self-extracting .exe link made a valuable contribution. Remember, in marketing perception not reality is everything.
After reading that link, my perception of Microsoft's commitment to security was that it is non-existent.
um, no (Score:3)
And what is the "overall picture" you're speaking of? Sounds kinda vague.
I'd like to think that IIS5 is more secure than IIS4; if not, expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.
Re:And what about Linux's security.... (Score:3)
VMS has had its share of security problems too. So what? A more interesting metric is not whether an OS, or any underlying apps, present security holes, but how quickly they are fixed. See this Securityportal [securityportal.com] cover story for a comparison of time from announcement to vendor fix between Redhat Linux, Windows NT, and Sun Solaris (see, I can add gratuitous links as well!) I note that Redhat Linux won hands down in this competition, and that's only security updates from a vendor supplied source! I don't know about you, but when I hear about a serious security hole in lpd (for example), I don't wait around for Redhat to go recompile the fix. However, the Securityportal article makes a reasonable assumption that most small to medium sized businesses would probably rely on vendor supplied fixes rather than trying to find a hot Linux guru to compile up to the minute security fixes.
Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as the Microsoft's PR flaks, but the question remains, why are there so many bugs in the first place?
DUH. Because C doesn't bounds check during compilation or run time. That's just ONE reason. Look, I'm no security "expert", but if you're uptight about security, and don't consider yourself competent at securing your own code, then either hire a professional to go through your C code with a fine tooth comb, or write it in some interpreted language like perl, LISP, Scheme, Python (whatever) and let the LANG developers deal with security.
Not that this will make your application any more secure, but it will pass the buck to the likes of Larry.
Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.
This is bogus. And I run OpenBSD, the BSD distribution tailored for security, on my cablemodem gateway and consider it an excellent secure distribution out of the box (CD). But, so what? Can you give me ANY specific examples of userspace application security holes present in Linux that were not present in BSD? Hell, most of the networking kernel holes seemed ubiquitous across just about every OS and networking stack, BSD sockets and streams based.
On the kernel side I seem to remember that both BSD and Linux (and NT!) were vulnerable to the Ping of Death, various Tear Drop attacks and fragmented TCP attacks, and those lovely smurf DOS attacks. Don't see a significant difference here... both the BSD's and Linux kernel groups figured the problems out and posted solutions in record time, while the commercial vendors picked their butts and didn't post fixes for their products I might add.
On the userspace side of things, this is managed project by project. Since much of our application software is ported between the BSDs, Linux, and most any other commercial UNIX, there's little difference. A bug in one version of lpd on Linux is almost surely the same bug on BSD.
Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.
There. Now you said something rational.
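Two posts above make the same point from different angles: the "static buffer, no username will be longer than X chars" mistake in the speed-of-response reply, and the "C doesn't bounds check during compilation or run time" line in this one. The following is an added example, not code from either poster or from any Microsoft product, showing the unchecked copy beside a hardened version. `USERNAME_MAX` is an assumed limit chosen for illustration, and the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed limit: the "no username will be longer than 15 chars" guess. */
#define USERNAME_MAX 16

/* The mistake the posts describe. The buffer size is only an assumption,
 * and strcpy never checks it: any input of USERNAME_MAX bytes or more
 * writes past the end of 'name' on the stack. Kept here to show the
 * shape of the bug; never call it with input you did not construct. */
int login_unchecked(const char *input)
{
    char name[USERNAME_MAX];
    strcpy(name, input);                   /* no bound, no check */
    return (int)strlen(name);
}

/* Hardened form: measure with a bound, refuse anything that does not fit
 * (including the terminator), and copy exactly the measured length.
 * Rejecting is safer than silently truncating: a truncated name can
 * still collide with another account. */
bool copy_username(const char *input, char *out, size_t outlen)
{
    if (input == NULL || out == NULL || outlen == 0)
        return false;
    size_t n = strnlen(input, outlen);     /* never reads past outlen bytes */
    if (n >= outlen)                       /* no room for '\0': reject */
        return false;
    memcpy(out, input, n);
    out[n] = '\0';
    return true;
}

/* Returns the accepted name's length, or -1 for oversized input. */
int login_checked(const char *input)
{
    char name[USERNAME_MAX];
    if (!copy_username(input, name, sizeof name))
        return -1;                         /* treat as a bad request */
    return (int)strlen(name);
}

int main(void)
{
    /* Constructed inputs: a normal name and one that would overflow. */
    const char *ok = "alice";
    char hostile[64];
    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';

    printf("login_checked(\"%s\") = %d\n", ok, login_checked(ok));
    printf("login_checked(63 x 'A') = %d\n", login_checked(hostile));
    return 0;
}
```

The check is done against `sizeof name`, not against a second copy of the constant, so changing the buffer size cannot leave the bound stale. `strncpy` is deliberately not used: when the input is too long it fills the buffer without writing a terminator, which only moves the bug into the next `strlen`.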
Marketing makes Convenience overrule Security (Score:3)
For all the things Microsoft say they will do, and which should have been done before, they just don't have the necessary level of paranoia guiding the design.
I haven't tried Win2000 yet, but under NT4 if you can gain access to the PC I use, and you can steal my NT domain password then you can use my digital identity. I selected high security when installing it in browser and mailer, but those applications can just use my private key without so much as a dialog to warn me. It is as if they had decided that dialling in the combination of the safe is too inconvenient so they provide a robot that will do it for anyone who can walk into my office.
There needs to be a fundamental change of attitude, not just some fixing of holes (although that is necessary).
Re:And what about Linux's security.... (Score:3)
Windows NT, on the other hand, has a really good security model but the implementation sucks.
Such a pledge, of course... (Score:3)
(/me waits for howls of laughter from Slashdot)
I agree. Surprised? :) (Score:3)
However, where can the line be drawn? Do you look at the security of Sendmail and say hey, that counts as Linux? Well, no...Sendmail is run on lots of platforms all over the place. Do you look at a hideous malformation like rdist? Not really...I don't even think that's GNU. X Windows? Not GNU, either.
What, then, is left of Linux? In my mind, Debian shows it best. If you install from floppy disks, you have your basic UNIX system, about 30MB of software. Tar, gzip, more, ftp, telnet--all the collectable characters! THIS is Linux. Though even then, tcpwrappers is included, which is not Linux-specific...
Of course, the reason that I agree with you is that no one could use that system. OpenSSH or SSH would go first, and then Apache, Sendmail, etc. depending on the function...but, I could just as easily use AOLserver, zeuss, zmailer, qmail, etc. as those 2. That's why it's hard to nail apps to Linux...sure, there are ones that MOST people use, but there are no real DEFAULTS. With Linux, you get to pick from several GNU alternatives, each interesting in its own way. With NT, you get One Microsoft Way...not fuzzy at all. But not my style, either.
And, it is too bad about the zealots. My machine _is_ dual boot, and I know my TNT is faster under '98...but I haven't booted '98 in months, since I got the PSX...
Do any of you know what security is? (Score:3)
NT's security is NOTHING like you'll find on linux or any other unix or similar. Whohoa. On what kind of fact is this based?? On the fact Unix's security is based on 1 superuser which is needed for all daemons? on user rights instead of object rights?
To me it sounds like people who rate NT's security as 'lame and nowhere the level of security on Unix is' really don't have a clue about how NT's security works.
Let me sum up a small list of items, related to the topic. This is not meant as flamebait, but to let Unix people learn it's not windows 9x we're talking about, but NT/windows2000.
Bashing the FUTURE without knowing what it will bring (have you all used Win2K server??? have you tested the security???) with the facts of old material from the past is not fair. If you turn around the roles and people will bash Linux using the hundreds of holes in all the distributions which were found in the last 2 years and say: "linux is not secure... because of all those leaks in it in the past years." is that fair? I'm pretty sure you'll say: "No!".
And what about Linux's security.... (Score:4)
Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.
Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as the Microsoft's PR flaks, but the question remains, why are there so many bugs in the first place?
Other open source operating systems, such as FreeBSD [freebsd.org], NetBSD [netbsd.org] and OpenBSD [openbsd.org] have had security problems, but not in such numbers as the various GNU/Linux distributions.
Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.
Microsoft and Security... (Score:4)
Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...
We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*. (Compare to the linux box. um... no, no comparison.)
What are they going to do to enhance security, stop selling Office? Those pesky macros, always making my paperclip sick...
But seriously, folks, now that Microsoft released this to the press, that they're really *really* serious about it this time, and they're going to be extra-nice by charging us more for this week's upgrade, don't you think we should let them play with the big boys yet?
Nah, I didn't think so either.
Sure, it's easy to criticise Microsoft. Because it's so much fun. And historically accurate. I mean, if they wanted to try to do better now, they'd have to issue a formal apology to anyone who ever had to suffer through an unpatched Windows bug. Whoops, I think that's everyone!
</CHEAP SHOT>
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
Amusing... (Score:4)
I think that's pretty obvious when they don't open source the OS! :)
Re:What do you all suggest Microsoft do then? (Score:4)
For starters, I'd love for reality to live up their hype. Example:
I needed to deploy dozens of computers running web browsers in a college library. These computers need to be fairly locked down.
I downloaded the IEAK (IE admin Kit) *and* bought their IE admin book too. 75% of the book was marketing hype talking about all these great things you could do with the kit, including being able to change customizations through policies, etc...
Great! So I spent two weeks just trying to get it to work. The docs on how actual policy restrictions work and what they do amounted to TWO PAGES. I was forced to experiment.
But then I learned some harsh lessons. First, to get customizations and restrictions to actually apply to a NT user logon, the RunOnce key must be r/w to the user. Yes, that's correct. Even though numerous Microsoft KBs say to *not* make RunOnce r/w to users due to security problems, to make IE restrictions kick in, it must be because rundll32 for some reason wants it that way.
Then the Custom directory must be r/w and all files in it r/w so customizations can be downloaded from a web server and applied to the machine.
Even with all that, all customizations wouldn't work right. Bottom line, the only way to get the browser customizations to work as advertised was to give the logon account ADMINISTRATOR PRIVS.
Then there were other hassles, like the fact that unless your web server MIME types .ins to be application/x-internet-startup, the customization file won't apply (not documented because that's the default in IIS I guess).
So I use and support Microsoft products constantly. All I want, all I really want from Microsoft, is to live up to the hype because these days whenever I read about nifty new features of their software and OSes, I just can't believe a word of it. :-(
Quick Debunking... (Score:4)
Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.
15 people to review... What was it? 30 MILLION lines of code? And what was the qualification of these people? Script Kiddies??
A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.
As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...
Source code also was delivered to 70 agencies and universities around the world for their perusal.
*Yawn* Which Universities? Which Agencies? (Mindcraft???!!!) Names, references, Web site? Results of aforementioned "perusal"? Are these results published anywhere? (Probably not...) Were the "agencies" able to modify the source code?
As someone else said: "Microsoft is not an answer. Microsoft is a question. The answer is: No".
Read my lips Microsoft: Open-Source is going to bury you alive. Commodification of hardware, commodification of OS is the end of Bill's Evil Empire. The penguin and the demon will dance on your graves... (insert Dr Evil most sinister laughter here)
Re:And what about Linux's security.... (Score:4)
For another thing, the OpenBSD guys (for example) spent six months doing *NOTHING BUT SECURITY AUDITING*. This means they pretty much found every bug in the existing code. However any new code they add will be subject to just as many bugs as any other code.
For a third thing, because there are so many more people working on GNU/Linux stuff, there's more code being created, and thus more bugs.
And the reason that there are so many bugs in the first place is because that is the nature of software. Any piece of code, even slightly complex, will probably be buggy until you take the time to debug it. How many bugs do you think there are in Windows NT that haven't been found?
Furthermore, GNU/Linux users would gladly spend 100% of their time improving GNU/Linux, if that were possible -- unfortunately their brains would fry; they need sleep, food, time to relax (not having to think), and time to commit FUD against Microsoft. Not that MS doesn't deserve it.
And I didn't see any posts being holier-than-thou; they were all being funnier-than-thou.
Microsoft Good Security Habits (Score:5)
It's good to see that they're giving us those safety tips already.
This is off of http://www.microsoft.com/security/ [microsoft.com] - the link is in the article too, but it's broken.
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
How much will they charge? (Score:5)
I used to work for a Microsoft Solution Provider, whose job it was to sell and support Microsoft products. And yet they have several different levels of support which they charged us for. We actually had to pay for "Premium" support to get access to information, knowledge base articles etc that would help us fix or work around a problem one of our clients had with their products. In other words, they were denying us access to information, fixes, known problems, incompatibilities, etc. that would help us do our job supporting THEM and THEIR software unless we paid them. And we were an "Official" Microsoft Solution Provider!!
Some anecdote (Score:5)
I read this yesterday:
There was a kangaroo in a zoo. And every day it somehow kept managing to escape from its cell. Then the zoo built higher fencing around it. But the kangaroo escaped once again. Then the zoo built a 20 foot high fence. Once again - the kangaroo escaped. A neighbour hippo chatting with our hero:
H: Well, how high do you think they'll build it?
K: Don't know, 100 feet maybe. But really - they should've started by locking my cell door first.
Moral: No zillion-bit encryption will help M$ as long as their "NT security guide" is dedicated to selecting proper chains to attach servers to the room walls.
do you trust any internet security... (Score:5)
Do you trust linux security?
Average users thoughts: "hmm that's internet isn't it? that must be insecure"
result:
yes : 25%
no : 75%
Do you trust *BSD?
"huh, *BSD? that must be something I don't know"
result:
yes : 5%
no : 95%
Do you hand a waiter you don't know your credit card to pay the bill?
"what would they mean by that? why not?"
result:
yes : 95%
no : 5%
Again I feel forced to criticize this "poll". People don't trust the internet.. why? no reason really.
They trust the mailman with postcards but they don't trust a server with their boring e-mail message.
They trust waiters in tiny restaurants in the most corrupt nations in the world with their credit card yet they have doubts about using that card in a way that actually transmits their number/expiry date encrypted.
So what do we learn from this poll?
Well, the only thing I learn is that people don't want to do or use stuff for irrational reasons until told by those people who are least knowledgeable about said stuff (their neighbour's brother's second cousin) that doing/using it is ok.
The internet is just as secure as any shopping street, but you need a college level education to be a pickpocket.
It's better than Win98, that's for one thing (Score:5)
I know I don't have to say it, but the security is nothing like what you'd find in Linux (or any UNIX that comes to mind). The Win 2000 "Administrator" account has nothing on root :)
Thumbs up to Microsoft for (at least) making a decent effort at a flexible, easy to use, and relatively secure operating system (to say it bluntly, "as good as Windows will be for a long while").
Build 2195 has also made some great strides from the bugged menus and SMP slipups of the early betas (you might remember even RC1 had some serious pitfalls). As much as I may hate to admit it, Microsoft did its homework on this one.
Win 2000, although perhaps not the Ultimate answer to Linux, is IMHO better in most aspects than NT. It's going on my first personal box for the time being (Red Hat 6.1 on the other) - and also on my webcam [oscarfish.com] server until there's decent USB support in Linux.