Fog Creek Software
Discussion Board




Oh boy. ANOTHER security update from MS.


For the second time in two weeks, we're having to rush around to test the latest critical update from MS.

Another buffer overrun. For the love of all that is holy, can you not check your fu**** code?!!?

Of course, we'd love to be able to use SUS to deploy, but in their infinite wisdom, MS made it so that with Win2K computers the little "You have updates to install" balloon appears if the user is administrator of their machine. They provided a fix for this in XP, but for our 600 Win2K machines, SUS isn't an option.

So it's off to create an MSI wrapper around their patch, and then watching how Group Policy fails to install it and gives us all kinds of MSI installer error messages. Then it's off to try to put it in the login script with all the problems that come with that.

So for the second time in as many weeks, I'm having to sit up here to test and then try to force feed yet another update to our users. Thanks Microsoft. How about you take your fu*** time with Longhorn and get it fuc*** ready before you fu*** ship the fu*** piece of sh***.

Which way to Redmond?
Tuesday, February 10, 2004

Hear hear. I wasted 3 hours on this lovely patch today -- for one server.

Joel Spolsky
Fog Creek Software
Tuesday, February 10, 2004

This will all go away once we're running .NET & Longhorn.

promise!
Tuesday, February 10, 2004

promise!:  Did you say that with a straight face?  Sarcasm doesn't always come across when written...

Bleh
Tuesday, February 10, 2004

Forgot to include the universal JoS sarcasm symbol.

:-}

promise!
Tuesday, February 10, 2004

Worry more about the exploits that nefarious agents are aware of that haven't come to light yet.

Dennis Forbes
Tuesday, February 10, 2004

And there are guaranteed tons that aren't known about publicly.  I was discussing a flaw (publicly) found in OpenSSL with an old Computer Security professor of mine; the OpenSSL developers had just found out about it that day, and it made slashdot.

When I asked him what he thought about it, he said "oh, yeah I heard about that.  Some lists I'm on have known about it for over 3 months."

There are lots of vulnerabilities that don't get mentioned widely.

Andrew Hurst
Tuesday, February 10, 2004

http://www.eeye.com/html/Research/Upcoming/index.html

This is getting truly absurd. As a previously fairly pro-Microsoft advocate, these security issues have most certainly had an impact on my faith in Microsoft applications - each time Outlook pauses on previewing a message, I subconsciously start to wonder if a buffer overflow flaw is being exploited, etc. Each of my machines has local firewalls, and they're hidden behind a NAT, but I'm still getting an increasing sense of unease.

eEye, a security company that finds these holes to get a bit of PR, has been sitting on several remote exploit holes for months (and these aren't just hypothetical - eEye usually has exploit binaries ready too that prove the point. I remember one some time back that they released that gave you a command line against a default installation of IIS) -- if eEye could find these for a little bit of PR, what do you think hostile nations or organized crime could accomplish?

Dennis Forbes
Wednesday, February 11, 2004

it's the second tuesday of the month--that's when security updates are supposed to come out.

here's the strange thing: earlier today there were two critical updates. one was "A critical update is available to remove unacceptable symbols from the Bookshelf Symbol 7 font that is included with Microsoft Office 2003. The Bookshelf Symbol 7 font is contained in the Bssym7.ttf file. (KB833407)". on this machine, only one. maybe it doesn't have the font, or maybe they decided that the 'inappropriate character' issue wasn't really a critical update.

um, can anyone explain how this is critical? or why it was even done at all? has microsoft decided to give in to the conspiracy theory crowd?

mb
Wednesday, February 11, 2004

The symbol was a nazi symbol, there was news about it recently.

saberworks
Wednesday, February 11, 2004

Dammit, it is NOT a nazi symbol. It is a Tibetan unicode character, thousands of years old, which represents the feet of Buddha.

The Nazi swastika, which is different, faces the wrong direction,  which any Buddhist will tell you is an extremely bad omen because the energy is flowing in the wrong direction.

But political sensitivity dictates that all similar symbols must be erased from the collective consciousness rather than explain to overly sensitive people that it is NOT a swastika representing Naziism, it is an ancient and holy Buddhist symbol.

Dennis Atkins
Wednesday, February 11, 2004

It's basically nothing more than an attempt by MS to destroy the faith of Buddhism.

Next they'll delete the letter t and all other cross like symbols since crosses are used by the Klan.

Dennis Atkins
Wednesday, February 11, 2004

Big Brother is watching you Dennis ;^)

Steve Jones (UK)
Wednesday, February 11, 2004

I don't know about anyone else but I'm having trouble getting this morning's patches.  I'm OK until actually asking for the download - but then downloads.microsoft.com appears not to exist.

I suppose a front page headline "The Worst Windows Vulnerability Ever" (yes there was) isn't too different from a Denial of Service Attack.  Then again after 6 months perhaps an hour or two isn't that important  (:-} - obviously)

a cynic writes...
Wednesday, February 11, 2004

Well, as it happens the swastikas in this character set (0x7E and 0x8F) are in the orientation used by Nazi organisations. I seem to remember being told the reversed swastika was a symbol for destruction in some ancient script or another.

KB article on the subject: http://support.microsoft.com/?kbid=833404

I still don't agree that this is a "critical update" though.

SteveM
Wednesday, February 11, 2004

That eEye list above is open, unfixed serious exploits that eEye alone has knowledge of. At least two of them are remotely exploitable to run arbitrary code.

"Big Brother is watching you Dennis ;^)"

I'm not sure which Dennis you're talking about here, but given that Mr. Atkins' was tongue-in-cheek, I'll presume it was mine. Being aware of the threats in the world is one of those funny sorts of things that quite frequently gets cast into a strawman "if you worry about this, then you must worry about the aliens and their anal probes". It's funny how the standard is different by person/group (I saw an episode of Without a Trace a week or two ago, and one scene has them going through his garbage, where they found shredded documents. The way they, or the characters, reacted you'd think they found tinfoil hats and magnetic protection charms: It was actually cast as something kooky that only crazy people who are hiding from the police or are paranoid do).

In this case, this is a serious, national security risk, and it puts the entire infrastructure under extreme risk - there are some 100,000,000 PCs in the US, many of them out in plain sight, that harbour the holes that eEye documents, and I'm sure many more. These PCs are used to contact financial institutions, to VPN into work under privileged accounts, to connect with monitoring and control hardware, etc. This is a very serious issue. It's only due to lack of motive and timing that thus far we've only suffered minorly as kids, basically, get their kicks. One of these days it's going to be someone a little more motivated.

Dennis Forbes
Wednesday, February 11, 2004

downloads.microsoft.com appears not to exist.

That could be from the latest mydoom variant.

Mike
Wednesday, February 11, 2004

Unfortunately for me I cannot even install these security patches.  The last time I tried to install a service pack on my Win 2000 box it messed it up so badly that I had to reinstall the OS.

Now I am thinking that I need to try upgrading to XP to put me over whatever hump caused the problem.  Is this security flaw exploitable if the machine is behind a firewall?

name withheld out of cowardice
Wednesday, February 11, 2004

Just out of interest, what is one supposed to do regarding security patches when one has to reinstall Windows? I mean, when you download them it just installs the fsckers AFAICT, which means, what?, you have to re-download x-hundred megabytes from Microsoft again? No wonder so many installations are unpatched.


Wednesday, February 11, 2004

"Another buffer overrun. For the love of all that is holy, can you not check your fu**** code?!!?"

<vent>
I honestly have to wonder why MS hasn't hired all the coding wunderkind that are out here. I mean - apparently every developer in the world that doesn't work in Redmond writes bugless code that never needs to be patched once it's deployed.

And I'm sure that all the applications written by coders, all the networks deployed by sysadmins, all the databases run by DBAs could easily withstand the combined scrutiny of the tens of thousands of hackers and crackers that the major corporate software companies attract.

You can have it fast, cheap, or good - pick any two. And you can't have it perfect, because shit happens, so we're going to go through a few revisions. Those are standard developer caveats - like laws of the universe. Except if you're Microsoft you're expected to violate the laws of space, time, and economics and deliver on time, under budget, cut the price, and have no bugs.
</vent>

Thanks. Wanted to get that off my chest.

Obviously, the opinions voiced here are solely my own and do not reflect the views of Microsoft Corp.

Philo

Philo
Wednesday, February 11, 2004

Philo,

If you honestly think that Microsoft's security record is on par with the industry, then it's pretty clear that MS does indeed have a brain-washing program to initiate new hires.

I don't expect their code to be perfect, but hell, I do expect it to be free from critical "install immediately" patches that are required to be installed at least once or more times a month.

Which way to Redmond?
Wednesday, February 11, 2004

No, I think Microsoft was in "features over security" mode for a long time, and they're catching up. I can tell you that internally security in our products (real security, not just appearances) is taken VERY seriously.

What annoys me (and it did before I even thought of working here) is the attitude - two patches this month. Several million lines of code base, massive pressure to deliver on time*, massive pressure to provide more features every time**, millions of customers, every script kiddie on the planet targeting the products, and this month - two critical patches. I always felt if it was my code, there would be two critical patches a day. ;-P

So when I see "Oh my god - a bug! Their stuff is crap!" it bothers me.

Philo

* Despite said massive pressure, MS will still slip deadlines to finish the product.

** How many times, despite the near constant "stop putting features in and fix the bugs" roar, have we seen marketing reports on new products that say "not really a lot of new features here to justify upgrading"? Talk about a catch-22.

Philo
Wednesday, February 11, 2004

Perhaps people would prefer the old policy of keeping quiet about such bugs and not releasing security updates.

Mind, that doesn't change how mind-globbing it is to try and update even a small company's machines.

Simon Lucy
Wednesday, February 11, 2004

"Perhaps people would prefer the old policy of keeping quiet about such bugs and not releasing security updates."

Few of these bugs are found internally in Microsoft per their big security overhaul -- these bugs are generally found by small security firms looking for exposure, and the clock is then ticking for Microsoft to react.

There is a very serious lesson here that every Microsoft apologist needs to take to heart -- eEye, a small security consulting firm, has personally been responsible for finding dozens of remotely exploitable, make-you-supergod bugs in various incarnations of Windows over the years. This constantly expounded idea that the only reason these flaws are found is because there's a million anti-Gates hackers slamming away at Windows is proven horribly unjustified (and it's more realistically described as "a million unskilled hackers", and the few times they've hit paydirt, usually by exploiting a long patched hole that a professional firm found, they've generally been amazingly restrained: Imagine the uproar if slammer wiped out the machine it was on after spreading the payload?): One single tiny firm has proven this claim woefully incorrect. Now what if that one firm was a foreign government with a few more resources, or organized crime, or whatever?

Security holes may indeed be par for the course (though operating systems like OpenBSD have proven that incorrect), but Microsoft cannot rest on the same standards that apply to the "rest of them" -- Given its huge market presence Microsoft has to achieve a higher standard (because it is a matter of national interest). Is it really too much to ask that any incoming data from the network be untrusted until proven trustworthy? (i.e. within all expected constructs) It really doesn't seem that horribly demanding.

Oh God, I've got this great new idea for an internet phone! Let's stick it in.

char mybuff[256];
strcpy(mybuff,some_random_packet_from_net);

Awesome!

Dennis Forbes
Wednesday, February 11, 2004
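As an added example (not Dennis Forbes' code from the post above, and not anything from Microsoft), here is the bounded counterpart to the strcpy snippet: the packet length comes from the receive call, the string field is length-prefixed (a constructed wire format assumed only for this example), and nothing touches the 256-byte buffer until the claimed length and every byte have been checked, which is what "untrusted until proven within the expected constructs" looks like in practice.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256   /* same buffer size as the strcpy example in the post */

/* Outcome of copying a string field out of an untrusted packet. */
enum copy_status {
    COPY_OK = 0,
    COPY_TRUNCATED_PACKET = 1,   /* claimed length exceeds the bytes that arrived */
    COPY_TOO_LONG = 2,           /* field would not fit in dst with its NUL */
    COPY_BAD_BYTE = 3            /* byte outside the expected printable-ASCII construct */
};

/*
 * Copy one string field into dst (exactly FIELD_MAX bytes).
 * pkt/pkt_len are the raw bytes and the length reported by recv().
 * Assumed wire format: 2-byte big-endian length, then that many bytes.
 * dst is zeroed first, so on any failure the caller never sees stale data,
 * and on success dst is always NUL-terminated.
 */
enum copy_status copy_packet_field(char dst[FIELD_MAX],
                                   const uint8_t *pkt, size_t pkt_len)
{
    memset(dst, 0, FIELD_MAX);

    /* Check the header is present before doing pkt_len - 2 (no size_t underflow). */
    if (pkt == NULL || pkt_len < 2)
        return COPY_TRUNCATED_PACKET;

    size_t n = ((size_t)pkt[0] << 8) | pkt[1];

    /* The sender's claimed length is untrusted; bound it by what actually arrived. */
    if (n > pkt_len - 2)
        return COPY_TRUNCATED_PACKET;

    /* Bound it by the destination, leaving one byte for the terminator.
     * This is the check strcpy(mybuff, packet) never makes. */
    if (n >= FIELD_MAX)
        return COPY_TOO_LONG;

    /* Accept only the construct this field is documented to carry. */
    for (size_t i = 0; i < n; i++) {
        uint8_t c = pkt[2 + i];
        if (c < 0x20 || c > 0x7e)
            return COPY_BAD_BYTE;
    }

    memcpy(dst, pkt + 2, n);
    dst[n] = '\0';
    return COPY_OK;
}

/* Build a 302-byte constructed packet whose field claims 300 bytes of 'A'. */
size_t make_oversized_packet(uint8_t *out, size_t out_cap)
{
    if (out_cap < 302)
        return 0;
    out[0] = 0x01;              /* 0x012c == 300 */
    out[1] = 0x2c;
    memset(out + 2, 'A', 300);
    return 302;
}

int main(void)
{
    char field[FIELD_MAX];
    /* Constructed sample: length 5, payload "hello". */
    const uint8_t good[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    /* Constructed sample: claims 256 bytes but only one byte follows. */
    const uint8_t lying[] = { 0x01, 0x00, 'x' };
    uint8_t big[302];
    size_t big_len = make_oversized_packet(big, sizeof big);

    printf("good   -> %d (%s)\n", copy_packet_field(field, good, sizeof good), field);
    printf("lying  -> %d\n", copy_packet_field(field, lying, sizeof lying));
    printf("300 As -> %d\n", copy_packet_field(field, big, big_len));
    return 0;
}
```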

Microsoft simply cannot win. If they do something for the customer, the customer complains that he wanted to do it himself. If they let the customer do it himself, he complains that he *has* to do it himself.

If you don't like Microsoft's products, don't use them. After all, Linux is every bit as good. Of course, I've NEVER seen Windows lock solid while trying to open two copies of Word, but at least I didn't have to reboot Linux to fix it -- I just had to flip to a shell prompt and kill the X server, which was IMMENSELY better than a reboot. After all, I only lost all my work and had to start over; my uptime stayed nice and high, which is what really mattered anyway.

Caliban Tiresias Darklock
Wednesday, February 11, 2004

'How many times, despite the near constant "stop putting features in and fix the bugs" roar, have we seen marketing reports on new products that say "not really a lot of new features here to justify upgrading"? Talk about a catch-22.'

It's a catch-22 for Microsoft, perhaps, but it certainly isn't a catch-22 for consumers.

a) I already paid for this, and now I'm being rooted every other day. Fix it!
b) We'd love new features, but how about you work on a) first?

If Microsoft can't fit in enough secure new features to sell an upgrade to someone, that's MICROSOFT's problem, not the consumer. Don't pretend like consumers are begging for root-holes.

And from another post.

'Microsoft simply cannot win'

Yes, poor downtrodden Microsoft - it's a good thing that you're here to back them up. They just _can't_ win now can they? Here comes Gates telling us that the new OS is the "most important release in the company's history" (anyone notice that every release lately is the most important ever?), and that whatever they sold you last year is crap and this new software is more secure than ever. "Ooops, I did it again! Don't worry, in next year's app this'll all be fixed for good!"

Dennis Forbes
Wednesday, February 11, 2004

"If you don't like Microsoft's products, don't use them. "

Oh please...you're killing me. It's not as if I get to make the decisions which OS gets rolled out to our 600 users. Beyond that, even if it were my decision I would still go with MS.

That notwithstanding, we still have a legitimate gripe with the near constant critical updates coming out of Redmond. See, I can be a customer *and* complain too. I hope you aren't responsible for paying customers with that type of "If you don't like it, then leave" attitude.

And Dennis hit the nail on the head about eEye. I first heard of them around 98-99 when they demonstrated how IIS could be brought down with a simple command line tool. They aren't a huge company with endless resources, but yet they manage to find a large number of exploits in *someone else's code*. I find it ironic, no I find it shameful that MS can't do better at this, especially considering they wrote the fu*** thing!

Oh well, I'm done getting patched and thusly done bitching until next month. (Or next week if we have yet another "critical update" from Redmond.)

Which way to Redmond?
Wednesday, February 11, 2004

Philo -  in my extremely unglamorous role as sysadmin & everything else techie in a small professional organisation I work with the company that supplies our database & accounts system.  They're also a small(ish) company.  So when something goes wrong or needs patching I don't talk to a company - I talk to the developer(s).  If it's really really bad I get to shout at their IT Director.  I know them, they know me - it's a human relationship.  I *feel* positive about the whole thing.

However, when patch Wednesday rolls around I have a list of patches which may or may not need to be added.  The experience is a complete pain in the bum.  So at best I'm going to grumble.  At worst I'm going to vent.

This doesn't mean that MS code is worse than theirs - it almost certainly isn't.  Nor does it mean that if I were using *nix based systems I'd be better off.  But this is one area where the user experience isn't optimal.  In this case the user being the poor bloody admin. 

So you're right - it's not fair.  Forgive me if my heart doesn't bleed.

a cynic writes...
Wednesday, February 11, 2004

"Several million lines of code base, massive pressure to deliver on time*, massive pressure to provide more features every time**, ..." says Philo, defending Microsoft.
However, Microsoft is responsible for this state of affairs. Microsoft wrote every one of those lines of code, and Microsoft provides the massive pressure in both cases.

Breandán Dalton
Wednesday, February 11, 2004


Just to be fair minded...I have to give kudos to MS for allowing an un-install this time. Nothing gets my knickers in a knot more than some shoddy patch from MS that screws up our systems and then can't be un-installed.

So, I'll give him a tip of the hat for the uninstall option.

Which way to Redmond?
Wednesday, February 11, 2004

I really don't know the answer to this, so I'd be glad to hear from someone that does.

How easy is it to patch 600 linux computers distributed throughout a corporation every time a new security update comes out?  I'm not looking for any flames here, just an honest answer.  And I realize that security patches probably don't come out twice a month for Linux, but when they do, how difficult is it?

I'm also curious as to how secure the default install of say RedHat 9.0 is?  I know that OS's like OpenBSD are extremely secure by default install, but I'm not aware of the security for your more common flavors of *nix based systems.  Any enlightenment would be appreciated.

Elephant
Wednesday, February 11, 2004

I'm glad to stand corrected on the glyph orientation issue.

As it is, I am looking through a couple different unicode browsers and I can't find the glyph in the tibetan anyway.

Dennis Atkins
Wednesday, February 11, 2004

Elephant - speaking from complete ignorance, my understanding is that unless you have to patch the kernel you usually don't need to reboot, most updates are scriptable and that default installs aren't very secure as a rule.  I'm going home now - so I'll let someone who knows what they're talking about fill in the details :-)

a cynic writes...
Wednesday, February 11, 2004

> (anyone notice that every release lately is the most
> important ever?)

Well, yes. That's the entire point of a new release. You make new software that's better than your old software. So, by definition, it's the best you've ever released.

Did that honestly not occur to you?

From another post...

> I hope you aren't responsible for paying customers with
> that type of "If you don't like it, then leave" attitude.

Are you actually proposing that I should try and convince people who are dissatisfied with Microsoft *not* to switch?

That looks like another one of those trick questions where you just can't win.

Caliban Tiresias Darklock
Wednesday, February 11, 2004

> How easy is it to patch 600 linux computers distributed
> throughout a corporation every time a new security
> update comes out?

The Red Hat Network has made this *much* easier, so it's not much of an argument for the Microsoft platform anymore. It's roughly as easy as Windows update, and gives you significantly more information and control over the process.

Caliban Tiresias Darklock
Wednesday, February 11, 2004

"Did that honestly not occur to you?"

Thank you for enlightening me master. Of course, I didn't say "best" release, as you rephrased. Instead I said "most important" release. Couple this with the fact that Microsoft doesn't have a single product, they have hundreds, but it seems that a successive litany of products have been the "most important" ever. I believe Windows Me, Windows 2000, Windows XP, Windows 2003 Server, Office XP, Office 2003, Visual Studio.NET -- At one point or another a senior executive at Microsoft has proclaimed each the most important release in the company's history. Personally I'd tag Windows 3.1, Internet Explorer 3, and Office 97 as the most important releases in Microsoft's history.

Dennis Forbes
Wednesday, February 11, 2004

I think that all these best products ever has to do with the internal company structure.  It's set up much like individual organizations that report to the main product groups within the company.  Those in turn report back to the top.  The separate product groups are loosely coupled at best though, and interoperating can be difficult.  It doesn't surprise me that whenever one of these groups puts out a new product, the lead for the group proclaims it the most important product ever.  Then that person moves on to a different position within the company (I'd say there is a pretty high rate of internal turnover between groups), so the next time that group releases a product, they have a new manager, and they proclaim it the most important product in the history of the company.  I think what these people really mean is that it is the most important release of a product in their history with the company/product group.  Of course this is all a complete guess which is most likely completely wrong.

Elephant
Wednesday, February 11, 2004

I really didn't intend to sidetrack down what the most important release in Microsoft's history was. It really isn't a mystery why they repetitively make this claim (particularly Bill Gates) -- it gets press. It works brilliantly when the radio or TV covers a release as "Microsoft today released UNeed2Have XP, lauded by Bill Gates as the most important release in the company's history". Mission accomplished.

Dennis Forbes
Wednesday, February 11, 2004

I feel that Linux has nothing to do with this. I.e. it's a problem you get with Windows, and it's a problem whether you have any alternatives or not.

A college I work for from time to time recently installed a nifty ghosting system that allows them to install images on the 300+ machines overnight. So, when something needs to be changed, they change it on one box and then ghost the image out on full auto. (Why doesn't everyone do it like that?)

Eric Debois
Wednesday, February 11, 2004

"Are you actually proposing that I should try and convince people who are dissatisfied with Microsoft *not* to switch? "

You seem to spend a lot of time trying to twist and rephrase what people say.

No, I wasn't proposing anything other than as a customer, I have a right to complain. You suggested that I switch to another product if I had a gripe with Microsoft. I suggest that that is an absurd and customer-hostile attitude to have.  You seem to have a rather two dimensional view of customer satisfaction: Either someone is perfectly happy, with no complaints or they should take their business elsewhere. There doesn't seem to be any middle ground with your approach. But, that isn't surprising.

Which way to Redmond?
Wednesday, February 11, 2004

> Of course, I didn't say "best" release, as you rephrased.
> Instead I said "most important" release.

What's the difference? They're both subjective superlatives that have no clear definition.

From another post...

> when something needs to be changed, they change it on
> one box and then ghost the image out on full auto.
> (Why doesn't everyone do it like that?)

Colleges can tell their users to take whatever they get and be happy about it. Companies can't. People in the company inevitably have special needs, and they have accounted for them in the machine's configuration. If you ghost over a new drive image, you slaughter those changes, and the users have to start over. In the event that you have something really major like a blind user whose screen reader gets trashed, you can conceivably end up in court over it.

This can be resolved with proper configuration management, allowing most of the ghosted-drive benefits to be realised, but nobody cares.

Caliban Tiresias Darklock
Wednesday, February 11, 2004

Colleges often have loads of machines with exactly the same configuration. I know, I'm copying a ghosted image onto 180 identical machines (well they should be identical but they decided to reallocate 90 and re-order, and the second ninety have a different network card - Arrhg!!!)

However you'd find your body parts spread all over the college lawn if you tried to wipe out the install on the machines in the academic staff's offices.

Ghost restore is OK as an emergency measure; you should restore the C partition and leave the data partition alone. It is great for university labs, which it was actually first devised for. But forget it for patching.

Stephen Jones
Wednesday, February 11, 2004

> You seem to spend a lot of time trying to twist and
> rephrase what people say.

Not really. Doesn't take any time at all. Look, you've done it yourself -- you've turned around and said that I advised you not to use Microsoft products if you have a *gripe* with them. That's not what I said. I said if you don't *like* Microsoft products, don't use them. Exactly how much time did that take you? A second, maybe two? Not much time at all. It just happens.

But if that's wrong, and you *shouldn't* stop using products you don't like, then isn't THAT what I ought to tell people? Seems to me that I should tell people to do the Right Thing. If not using what you don't like is wrong, then what's right? Using what you don't like, or not using what you like?

> You seem to have a rather two dimensional view of
> customer satisfaction: Either someone is perfectly happy,
> with no complaints or they should take their business
> elsewhere.

I never said anything about being perfectly happy. I thought I was pretty straightforward about it: don't like it, don't use it. You don't have to be happy about it; I'm certainly not. I think it's absolutely inexcusable that there isn't even ONE sensible replacement for the Windows platform. But that's not Microsoft's fault. The failure lies in the competition, which has failed to compete at every opportunity.

If people would just shut up about what Microsoft isn't doing and go do it, a lot more stuff would get done.

Caliban Tiresias Darklock
Wednesday, February 11, 2004

Caliban,

It's pretty clear that you were bitching about his bitching. Your semantic issue on "gripes" versus "likes" is just..well it's stupid.

It's clear that you were effectively saying "if you don't like MS products, then don't use them" and you said this in regard to his complaints about the product. Therefore, your point was if you are gonna complain like this, then don't use their products. You sound like Bill Clinton quibbling over what "is" is.

In summary, you were being an asshat when he was just blowing off steam.

I Hate Whiners
Wednesday, February 11, 2004

After what we might call an interesting day, not all patch related, I've come to the following conclusions:

• Patching or updating software (of whatever type, make, system or licence) is a pain.
• Not being able to talk to the developer is a bigger pain.
• Having to reboot each time is an even bigger pain.
• Having to do it for a load of machines is an enormous pain.
• Users who *think* they know what they're doing are the biggest pain of all.

• Home is where the scotch is...

Oh, and Philo sorry for biting your ears off earlier - at that stage I'd had Exchange *and* proxy server playing up and still couldn't get the bleeding patches downloaded.

A cynic writes...
Wednesday, February 11, 2004

> It's pretty clear that you were bitching about his bitching.

Not really. I was bitching about his continued insistence that not having a good patch management process is somehow Microsoft's fault.

> Your semantic issue on "gripes" versus "likes" is
> just..well it's stupid.

Since when is it *my* issue? I'm not the one who complained about twisting and rephrasing things. I'm the guy who said "if you don't like it, don't use it". That strikes me as an awfully simple statement. I don't really see how anyone could misunderstand it. You either like something enough to use it, or you don't. That's all there is to it.

And if you don't have a choice, it seems to me that this is the fault of everyone who *could* give you a choice -- not the one company that actually gave you what you're using. If the other team doesn't show up, it just doesn't make sense to blame the team that did.

Caliban Tiresias Darklock
Wednesday, February 11, 2004

<Quote>MS made it so that with Win2K computers the little "You have updates to install" balloon appears if the user is administrator of their machine<End Quote>

Um...remind me again why your users are administrators of their machines?  You also know that even if they are, the schedule is still respected so they just get the option to install it earlier?

Stu
Wednesday, February 11, 2004

"Um...remind me again why your users are administrators of their machines?"

Because our users aren't infants who can't be trusted with their machines, and our IT department isn't one of those who feels we have to save the users from themselves. They are largely scientists who have enough mental capacity to work a computer.

"the schedule is still respected so they just get the option to install it earlier?"

Yes, we are aware of that but we still don't want the user to be bothered with the popup. We just want the installs to happen invisibly, without the users even being aware of it.

Which way to Redmond?
Wednesday, February 11, 2004

"Because our users aren't infants who can't be trusted with their machines, and our IT department isn't one of those who feels we have to save the users from themselves. They are largely scientists who have enough mental capacity to work a computer. "

It's not about saving the users from themselves, it's about good security practice.  (You know, that whole "least privilege" thing).

"Yes, we are aware of that but we still don't want the user to be bothered with the popup."

Seems to be a bit of a disconnect here.  If your users aren't infants and can be trusted (big call here) then why don't you tell them to ignore the popup.  If they're so smart and trustworthy then it won't matter if a popup comes up. 

Stu
Wednesday, February 11, 2004

"It's not about saving the users from themselves, it's about good security practice.  (You know, that whole "least privilege" thing). "

Security isn't the only concern of the IT department, Stu. We have user satisfaction and ensuring that our clients are able to get their work done. You know, the work that pays the salaries of the boys in the IT room. Beyond that, there are greater issues in security other than the local admin on the user's computer.

"If they're so smart and trustworthy then it won't matter if a popup comes up. "

See, this is why you do what you do and why we have one of the best run IT organizations in our industry. It's not a huge deal, but we would rather our users simply not be bothered by a popup telling them that there are updates to be installed. There is really no reason for them to even be aware of it. We manage the machines so they don't have to.

Which way to Redmond?
Wednesday, February 11, 2004

"Security isn't the only concern of the IT department, Stu. We have user satisfaction and ensuring that our clients are able to get their work done. You know... the work that pays the salaries of the boys in the IT room. Beyond that, there are greater issues in security other than the local admin on the user's computer."

Absolutely agree.  However, there are very few situations where users need to be local admins of their workstation - like I say, it's a matter of good security practice.

"See, this is why you do what you do and why we have one of the best run IT organizations in our industry."

What I do is irrelevant - but I help people run their IT organisations.  Well.

"It's not a huge deal, but we would rather our users simply not be bothered by a popup telling them that there are updates to be installed."

So would I, but coming on here and bitching about how SUS isn't an option for 600 workstations because you're worried about a popup dialog seems a bit daft.  Seems to me like you're making life much harder for yourself to save your users from a small popup.

"We manage the machines so they don't have to"

Yet you give them the privilege so they can manage the machines.  I'm curious - do you have custom software that requires them to be local admins?

Stu
Wednesday, February 11, 2004

Dear Which way to Redmond,

There is little reason to run as Admin in XP, since the users can be taught to use the runas... command if they want to install stuff. Power User should keep most gripes away.

Stephen Jones
Thursday, February 12, 2004

I'm the guy who said "if you don't like it, don't use it"

If you don't like your wife, divorce.

Good advice indeed.

Rick Tang
Thursday, February 12, 2004

One comment about somebody's post on the KB833407 update:
Well, the buddhism symbol is in there ALONG with the swastika.  I don't know if the update will erase just the Nazi symbol, or both, but if the latter of this is true, this would truly be an unacceptable situation.

Also other characters that may have been "unacceptable" (i.e., religious or otherwise--by the way, I have nothing against religion; it is just the idiots at Microsoft may have thought religious symbols are unacceptable because society today is so touchy on this topic) are the Chinese character for 'evil,' the Star of David, and the Japanese torii (symbol of shintoism).

Personally, I am not installing this update, because none of the characters are really offensive.  Religious symbols certainly are not, the word for "evil" is not, and the swastika--well, it embodies a horrible ideology (i.e., anti-semitism and racism), but that does not mean we should just get rid of all instances of the swastika.  For example, somebody might be able to use it for the purpose of fighting racism (after all, it is a FONT, which is supposed to be there for convenience when we need it), and also, it might serve as a constant reminder to us of the mistakes we have made as humanity.  And I just don't understand people who just cannot tolerate the sight of the swastika (excluding possibly the actual victims of the holocaust).  Well, it's just a symbol!  Deal with it!  I just don't see how deleting such a character from a font makes the world a better place.  If they are really interested in fighting racism, I'm sure they can spend their time doing something more meaningful than that.

John Sample
Monday, March 01, 2004

When will these politically correct ignoramuses ever stop?

The swastika had been in use for thousands of years before the Nazis hijacked it for their own evil purposes. In fact, if we look at the swastika when used as a religious symbol, it has been used by the Hindu, Jain, and Buddhist religions, as well as in Norse, Basque, and Celtic Paganism.

It is interesting that the swastika has been found on 2000 year old Jewish temples in Palestine, so Hitler used a Jewish symbol as well as a Hindu one. The "Cross of Thor" was the same symbol, brought to England by Scandinavian settlers, long before Hitler. The Nazis chose not to use the term "Cross of Thor," consistent with German history, preferring the Indian word instead.

Traditionally, when the swastika is drawn facing right handed or clockwise as above, it is a good luck symbol. It is sometimes claimed when it is drawn left facing or counterclockwise, it is a bad omen and it is labelled a "sauwastika". However, there is little evidence of this distinction in Hindu history from which it is derived.

Hindus all over India still use the symbol in both representations for the sake of balance, although the standard form is the left-facing swastika; Buddhists almost always use the left facing swastika.

The hexagram is a six pointed star composed of two overlapped triangles, also found in use by a number of faiths and cultures. It is associated with the Biblical Solomon, known as the Star of David in the Jewish religion.

In ritual Magick, the hexagon is called the Seal of Solomon, and represents Divine Union, being composed of a female, watery triangle, and a male, fiery triangle. The traditional elemental triangles of earth, air, water, and fire are derived from the seal.

In the Hindu religion, the hexagram is called the Shatkona, and is equivalent to the symbolism in ritual magick. The Shatkona is the combination of the Shiva kona (trikona, triangle), the symbol of the God Shiva, representing the element of fire, and the Shakti kona, representing the element of water. Together, they represent the union of male and female, and the heart chakra.

See this page for more information: http://altreligion.about.com/library/glossary/blsymbols.htm

jsch
Tuesday, June 22, 2004
