Fog Creek Software
Discussion Board
Sasser

http://www.theinquirer.net/?article=15713

"– the worm made it impossible for staff members to hand over cash. A Finnish bank had this problem yesterday, although officially it claimed it was just upgrading its anti-virus software."

So tell me again, what is the TCO on Windows?

Uncle Cracker
Tuesday, May 04, 2004

Patch has been available for 3 weeks.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, May 04, 2004

The worm is only an issue if you don't patch, and have no firewall.  The thing people don't realize is that infection is 100% preventable.

Myron A. Semack
Tuesday, May 04, 2004

Well, just because a patch is available, and a firewall may prevent machines from being infected, that does not absolve Microsoft completely from their responsibilities here.

It appears that there is one product liability rule for computer software manufacturers, and another for everybody else.

Ken Ray
Tuesday, May 04, 2004

You're right.  Remind me next time my car dies to complain to VW because the car should have driven itself to the gas station and added the necessary oil in order to prevent the engine from melting down.  Oh wait, Microsoft provides automatic windows updates, so in effect, it's customer error.  Software has bugs, deal with it.


Tuesday, May 04, 2004

"The thing people don't realize is that infection is 100% preventable. "


The plague was equally preventable *in theory*.

Mr. Analogy
Tuesday, May 04, 2004

"Patch has been available for 3 weeks."

Yes and what a fine patch it is too.  Nobody having problems that I've heard of.

"-----Original Message-----
From:     (Softlab) [SMTP:@SOFTLAB.CO.UK]
Sent:    Tuesday, May 04, 2004 9:03 AM
To:    WINNT-L@PEACH.EASE.LSOFT.COM
Subject:    Re: ISA questions

> And, if I've missed something, I'm sure Ian will point it out.  ;)

lol! Right now, Ian is too busy watching MS04-011 kill Dell/EMC SANS,
and having Dell Gold Support run round trying to fix it.

Gah. That patch is pure evil, still. At least we're protected by other
actions (my wings are like a shield of steel).

On topic, your reply seems right. Although I think I missed the
original mail.

Uncle Cracker
Tuesday, May 04, 2004

What's this??? There is a connection between Microsoft and the Bubonic Plague!?! I knew it all along, those dastardly scoundrels!

Anon-y-mous Cow-ard
Tuesday, May 04, 2004

The patch is fine, as long as you aren't running windows in the enterprise.

:o
Tuesday, May 04, 2004

It seems to be working fine for my "enterprise."

Sam
Tuesday, May 04, 2004

>> Remind me next time my car dies...

It's a simple matter of education -- of awareness.

With the car, it's common knowledge that you need to change the oil, fill it with gas, take it in when you see "check engine". This is the "car cycle".

People don't know the "Windows cycle": always patch, always use a firewall.

They are still in "DOS cycle": install and forget.

Do you blame them? Do you see big red warning stickers on XP boxes: WARNING! DO NOT CONNECT TO THE INTERNET UNPATCHED: YOUR COMPUTER WILL BE INFECTED WITHIN MINUTES! CONFIGURE YOUR FIREWALL CORRECTLY! DO NOT RUN UNTRUSTED EXE'S! PATCH ALWAYS!

No. You see pictures of heavenly clouds and a promise of effortless use.

People CAN'T KNOW if you DON'T TELL THEM.

And software companies don't tell because it would hurt sales. The Crunchy Frog law.

Ignorant youth
Tuesday, May 04, 2004

"The worm is only an issue if you don't patch, and have no firewall.  The thing people don't realize is that infection is 100% preventable."

Hell, why not add "disconnect from the net and unplug from the wall" in your simple fix list. Of course we all know that some of your solutions are partial solutions - Adding or removing Windows components often causes vulnerabilities to reappear, and there are interesting quirks like the fact that XP doesn't turn the firewall on until the machine is already up and online. Whoops - you've been owned!

These sorts of exploits were excusable years ago when there was a large bulk of legacy code built for safer days (like internal networks) that was suddenly exposed to the anonymous world at large. Now, though, they can't be rationalized away -- no matter how much of an apologist one is. In the corporate environment the firewall blocks the outside, but these exploits can still be used by nefarious agents (and no, corporations can't just "turn automatic updates" on. As a note, I recently installed the latest IE hotfix and now it breaks against a reporting service, and insists upon hitting the page twice, with bogus parameters on the second hit, if you choose to save the output).

Microsoft really needs to thank the hackers thus far, because they have been remarkably restrained. Imagine if slammer sent DTS dumps of data in the target system, spread itself for a while, and then wiped the machine. Imagine if any of the countless personal computer worms/trojans/viruses did the same with people's personal info. Thus far the vast majority have just been nuisances (letting people justify it away), but they had the potential to be catastrophically worse, in a way that would have led to lawsuits, regulatory oversight, and mass customer migration.

Dennis Forbes
Tuesday, May 04, 2004

Thanks Microsoft.  You make life better.

"In Australia Railcorp trains were halted apparently because a virus disrupted the radio systems and stopped drivers talking to signalmen.

Also in Australia Westpac Bank staff were forced to use manual methods to record transactions as the virus made computers unusable. Two other banks reported infections.

Meanwhile, Finnish bancassurer Sampo said it had temporarily closed all its 130 branch offices as a precaution against Sasser. "

http://news.bbc.co.uk/2/hi/business/3679511.stm

Uncle Cracker
Tuesday, May 04, 2004

Why do you blame Microsoft for sysadmins who aren't doing their job?

Explain to me why Microsoft should be blamed for connecting such critical systems to the Internet so that it can be exploited?  Heck, even if they weren't using Windows, they're still vulnerable to a DDos attack.

Myron A. Semack
Tuesday, May 04, 2004

As a sidenote - for every comment apologizing with the classic "there has been a patch available for x weeks", what about the long interval before that, since the product release? I'm not nearly as disturbed by big publicity worms like this as I am by the experience-proven vulnerabilities that swiss cheese our economic infrastructure. It seems logical that the smart hacker would be exploiting effectively and discreetly for years on end, rather than big bang worms.

Dennis Forbes
Tuesday, May 04, 2004

"Explain to me why Microsoft should be blamed for connecting such critical systems to the Internet so that it can be exploited?"

It just takes one VPNd worker or laptop that someone used with dial-up to connect to the internal network and it's all over. This is how slammer got into most corporations (and yes, those people need SQL access internally, so every server can't be firewalled from its own users).

Dennis Forbes
Tuesday, May 04, 2004

"People don't know the "Windows cycle": always patch, always use a firewall.

They are still in "DOS cycle": install and forget."

That's bologna.  You can't turn on the news today without a story on patching a virus for Windows, Linux or Mac.

Microsoft has touted Windows Update since Windows 98!  It's not new or recent.  Even Win98 setup had a whole ad for it that displayed itself every 3 minutes.

People are lazy, and that's why they don't patch.  Windows users are lazy, and they get hacked.  Linux users are lazy, and they get hacked.

They tell the TV stations, they publish articles.  They create web pages.  They offer patches with big "install now before you get screwed" messages.  They have email lists you can subscribe to.  They simply don't have the ability to go door to door.

And don't turn this into a "Windows Sucks" thing, when the exact same thing happens across the board.  Anyone who says that it doesn't happen to all OSs must believe "it is the moon that shines so bright in the day".

This is the cause of all the successful virus/hack attacks:  You can idiot-proof the software, but the world will compensate with a bigger idiot.

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

Please name the last Unix/Linux or any other OS not made by MS virus/worm that brought trains to a halt and closed banks.  Are there ANY in the last 5 years?

Uncle Cracker
Tuesday, May 04, 2004

http://news.com.com/2100-7349-5113227.html
http://news.com.com/2100-1001-943911.html

Don't convince yourself that because it hasn't been in the news, it doesn't happen.

When I was in college, we never had any of our Windows machines/servers compromised.

The ones that got hacked were Linux and Solaris machines that would be used as DDoS attacks against the university.  They would reformat and reinstall the machines about every 2 months to rid the boxes of all the back doors.  That's a pretty high TCO.

Is shutting down a university network less significant than shutting down a bank?

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

"People are lazy, and that's why they don't patch.  Windows users are lazy, and they get hacked.  Linux users are lazy, and they get hacked."

This argument was moldy and outdated 4 years ago. The fact that we're still seeing software released with classic, absurd buffer overflows, and nonvalidated inputs from untrusted sources, is absolutely unjustifiable.

As an aside, the Linux comparison is a shit comparison, and it's amazing how frequently it's made. If I've bought a BMW and a big rust hole appears, I don't care if a free 1973 Impala in Mexico also has rust holes - I care about the fact that my money went towards something that has serious defects. There are millions of users, and an entire economic infrastructure, handing over billions yearly, relying upon Microsoft to spend the bloody money (what's the profit margin on Windows? 95%?) to secure their software.

This is brutally unjustifiable and it's sad seeing otherwise credible individuals acting like it's par for the course. Don't give me any garbage "Show me your perfect software" textbook reply either -- give me $30 billion in profit yearly and I'll show you some perfect software.

Dennis Forbes
Tuesday, May 04, 2004

Sorry, I just have to say my point.  Don't falsely categorize between insecure (Windows) and secure (Linux, etc) operating systems.  It is a false security.  There is no such thing as a secure machine as long as there is I/O.

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

Tell ya what.  How about you write "perfect software" and make yourself 30 billion a year.  :')

N/A
Tuesday, May 04, 2004

>This argument was moldy and outdated 4 years ago.

Really?  How is it not valid?  What research shows that people are anxious to install the patches?  What research show that people aren't aware of it?  I see studies all the time on CNet about how people still haven't installed last year's patches.

>The fact that we're still seeing software released with classic, absurd buffer overflows, and nonvalidated inputs from untrusted source is absolutely unjustifiable.

Do you inspect every line of 50GB of your source code every time you release?  They are fixing them as they find them.  Not even MS can be expected to do this.

>As an aside, the Linux comparison is a shit comparison, and it's amazing how frequently it's made. If I've bought a BMW and a big rust hole appears, I don't care if a free 1973 Impala in Mexico also has rust holes - I care about the fact that my money went towards something that has serious defects. There are millions of users, and an entire economic infrastructure, handing over billions yearly, relying upon Microsoft to spend the bloody money (what's the profit margin on Windows? 95%?) to secure their software.

If you're going to say that the Impala is better, like some say Linux is better, you'd better beat it where you say it does, regardless of price.  There is no dearth of Linux patches.  And 95%?  You've got to be kidding.

>This is brutally unjustifiable and it's sad seeing otherwise credible individuals acting like it's par for the course. Don't give me any garbage "Show me your perfect software" textbook reply either -- give me $30 billion in profit yearly and I'll show you some perfect software.

Why is it garbage to expect someone who bitches about bad software to show us they can do better?  Apparently you don't need $30 billion to produce perfect software.


Please!  With all the money in the world, you couldn't produce perfect software on that type of scale.  *No one* can do it!

You waste your time complaining about it, while turning a blind eye to the real issues.

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

Microsoft doesn't build perfect software, they make lots of $.  They are a business, that is their #1 goal.  This is neither good nor bad.  Other businesses and non-businesses write 'less-not-perfect' software and still they don't match Microsoft's profits - why?  Their focus is on business!  Does their software meet the need of most users? Yes!  Is it easy to install? By and large, YES! Do they market the sh*t out of their wares? Yes!

The article on perfectionism comes to mind...

 
Tuesday, May 04, 2004

"As a sidenote - for every comment apologizing with the classic "there has been a patch available for x weeks", what about the long interval before that, since the product release?"

What about continuing vulns being found in sendmail, bind, cisco ios, etc?

How about the loss of the Challenger?

Titanic?

Honestly Dennis, what world do you live in?  Mine is very imperfect, and as an administrator I deal with it, then go home - kiss my partner, play with my cats and have a reasonably happy life . . .

John Murray
Tuesday, May 04, 2004

"Please name the last Unix/Linux any other OS not made by MS virus/worm than brought trains to a halt and closed banks.  Are there ANY in the last 5 years?"

They're still vulnerable to a DDos attack.

Myron A. Semack
Tuesday, May 04, 2004

"""They're still vulnerable to a DDos attack. """

You seem to have a script kiddy understanding of DDos, since you parrot it every 3rd post. Go read up on distributed operating systems then come back.


Tuesday, May 04, 2004

Drop it Dennis. You're talking to a bunch of anal retentive nerds that take offense about Windows/Linux as if you've said something about their moms.


Tuesday, May 04, 2004

""They're still vulnerable to a DDos attack. "

You seem to have a script kiddy understanding of DDos, since you parrot it every 3rd post. Go read up on distributed operating systems then come back."

He makes a valid point you can't refute, so you must cower with no name and attack the writer.

Even with distributed OS, you can't avert a DDoS attack, only lessen the blow.  Most people still bottleneck their DOS behind a single entry point on the Internet.  Of course, the game in DDoS is to plug the bottleneck, not to shut down the machines behind it.

However, Linux machines seem to get used more to *launch* DDoS attacks than Windows machines are.  One must wonder how they get access to the machine?

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

What does a distributed operating system have to do with anything? 

The point is, people are blaming Microsoft because their mission-critical systems were compromised.  If these systems were so critical, why on Earth were they connected to the outside world?  Mission-critical systems for controlling train traffic have no reason to be connected to the Internet.

I don't care what operating system you're running, if you're connected to the outside world you can be compromised.  Maybe not by a worm, but perhaps a determined individual.

If nothing else, there should have been a firewall in place.

These are basic security measures that any properly-secured network should have in place.  It's not a Windows thing, it's a common sense thing.

Can anyone come up with a sound reason why they should be connected to the Internet?

Myron A. Semack
Tuesday, May 04, 2004

Good point.

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

Ack! I meant read up on distributed computing.

"""If nothing else, there should have been a firewall in place."""

Go install it on my 70 y.o. father's dsl connection then, sswipe.


Tuesday, May 04, 2004

MY DAD CAN BEAT UP ALL OF YOUR DADS. SO SHUT UP! STFU!

sasser
Tuesday, May 04, 2004

"Go install it on my 70 y.o. father's dsl connection then, sswipe. "

I'm talking about mission critical systems here, not your dad's computer.

Although your dad should have a firewall too :-)

Myron A. Semack
Tuesday, May 04, 2004

Mission critical systems are also vulnerable to fires, earthquakes, robberies, etc...

That doesn't mean those things happen once a month, unlike windows vulnerabilities.

sasser
Tuesday, May 04, 2004

Unless you live in CA, anyway... depending on the season (fires, earthquakes, riots, or mudslides).

;)

~
Tuesday, May 04, 2004

>> It just takes one VPNd worker

Exactly. Some non-technical type, who installs and forgets. Sure, he might have "heard" that Windows is insecure, and you "must" patch, but he thought, "hey, I'll just dial up to get my mail *once* -- what are the odds of this happening to me?" And he is NOT TO BLAME.

To use a bad analogy, *everyone* in the world *knows* unprotected sex means the risk of AIDS. You don't need to be a doctor, you *know*.

If you're faced with the prospect of unprotected sex, the very *first* thought you have is "I might get AIDS."

One doesn't get infected, go to the doctor, and hear: "Well, you have this incurable disease and you will die in a few years. But it's *your* fault.

You could have prevented it if you subscribed to this and that mailing list, and kept up to date with the appropriate medical publications. After all, it should have been in your best interest to keep informed on medical issues. Next, please."

Every six-year-old has heard and is afraid of the word "AIDS", but "buffer overrun" just doesn't sound scary. Maybe a few Arnold movies.

Norwegian Blue
Tuesday, May 04, 2004

Snide comments about Windows don't justify connecting the system to the Internet.

Myron A. Semack
Tuesday, May 04, 2004

"http://news.com.com/2100-7349-5113227.html
http://news.com.com/2100-1001-943911.html

Don't convince yourself that because it hasn't been in the news, it doesn't happen."


These aren't worms attacking, are they?  Yes, servers get hacked, not all of them get worms every month.  The challenge still stands.  Please name the last Unix/Linux or any other OS not made by MS virus/worm that brought trains to a halt and closed banks.  Are there ANY in the last 5 years?  In case you're too busy coming up with ways to defend a swiss cheese OS, the answer is NO!

Uncle Cracker
Tuesday, May 04, 2004

Why does it have to be a worm?  Other hacks besides that are not valid?  Is that the only way to justify the argument?

You're trying to prove that by the fact that Microsoft has gravity in the news media and others don't, therefore only Microsoft has security problems.

That can't ever wash, regardless of what challenges or exaggerations you put forth.

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

I can't name other schools besides Columbine where kids went on shooting sprees.

I guess that proves Colorado is a bad place to raise children.

Conspiracy Anti-Theorist
Tuesday, May 04, 2004

Here's the challenge:

If you think Microsoft should do more testing and comb over each line of code before shipping, why not apply to Microsoft and do just that?  Apparently they can benefit from your skill and prowess.

Otherwise get off your high horse.

Capn' Kirk
Tuesday, May 04, 2004

"I guess that proves Colorado is a bad place to raise children."

No, that just proves that you don't get much news. hint: news.google.com

"Why does it have to be a worm"

Joe's plumbing shack getting hacked is on a whole different level than millions of machines causing millions of damage in the economy.

Again, check the news more.


Tuesday, May 04, 2004

I always knew captain kirk was an idiot.

"""Here's the challenge:

If you think Microsoft should do more testing and comb over each line of code before shipping, why not apply to Microsoft and do just that? """

I'm opposed to people driving drunk too. Maybe I should apply to the police dept?


Tuesday, May 04, 2004


Hmm......on patch day we first tested the patch, then rolled it out to production that night. Not a hitch.

Sasser comes around and amazingly enough, we didn't get hit.

I'm sure it's just because I'm naive, but I see some correlation between patching our systems and not getting infected. Maybe I'm just jumping to conclusions here, but it seems that if you *DID YOUR FUCKING JOB AND INSTALLED THE PATCHES* then you won't get infected. I dunno...maybe I'm just thinking crazy thoughts.

Oh I know...you did install it and it messed up your system and with all of your vast MCSE training, you weren't able to figure it out. I know. But that's because you're a dumbass and should have your job outsourced to India.

Or perhaps you expect companies to never issue patches because they should have gotten it right the first time. Well, perhaps, but then again, you should have installed the patch you putz and the fact that you didn't indicates you aren't too skilled at doing things right the first time either.

Whatever
Tuesday, May 04, 2004


"Go install it on my 70 y.o. father's dsl connection then, sswipe. "

Well then maybe your 70 year old father should learn how to use the fucking operating system, huh? I mean..really..what do you want? We all agree that in a perfect world everything would just work.

But it doesn't.

Windows, like any other OS is going to require updates. What is your solution? Huh? How fucking hard is Auto updates?

In the remote chance that Auto Updates screws up his system, then he has to call a tech out. Kinda like when your water pump blows on your Chevy. Gotta call someone out.

Whatever
Tuesday, May 04, 2004

Whatever :

The key to a successful troll is to sound 1/2 way knowledgeable AND serious.

Your troll is lame.


Tuesday, May 04, 2004

Many powerfully beneficial activities in our lives involve problems or danger, but we learn to use the beneficial aspects and avoid the dangerous.

Large buildings expose people to getting killed if they fall out of windows. Medicines will kill if taken in large doses. Cars kill if driven too fast.

Windows is enormously useful throughout the world. That's why it's so prevalent and thus such an attractive target for criminals. Just like bank cash transfers are. That doesn't mean occasional preventable problems are a) the fault of Microsoft or b) complete disasters that mean Windows is useless.

Call me Bill
Tuesday, May 04, 2004


"Your troll is lame. "

And yet you took all that time to tell me.

Still having trouble getting that ever-so-tricky Auto Updates working?

Whatever
Tuesday, May 04, 2004

"And yet you took all that time to tell me."

No, I'm actively trolling both sides of this debate. Just trying to help you out some.

re: not getting updates to work. I know you are but what am I?


Tuesday, May 04, 2004

"I'm opposed to people driving drunk too. Maybe I should apply to the police dept?"

If you're going to complain all the time that cops aren't doing enough to stop it, then yes.

Capn' Kirk
Tuesday, May 04, 2004

"Joe's plumbing shack getting hacked is on a whole different level than millions of machines causing millions of damage in the economy."

Fine, if you want to believe that Joe's Plumbing Shack is the only place getting hacked.

However, when a bunch of machines get hacked and they run a DDoS against Amazon.com, that does damage to the economy.

Security threats are threats indeed.  A worm is no worse than an active hacker.  In fact, it's the other way around.  But if you're wondering if these hackers have the time to get control of enough systems to do a DDoS, they don't.  They use worms.  Yes, worms that infect Linux and Windows.

Capn' Kirk
Tuesday, May 04, 2004

>Hmm......on patch day we first tested the patch, then rolled it out to production that night. Not a hitch.

And it goes without saying that your experience applies to everyone on the planet. Read around--this patch, like all others, DOES BREAK THINGS. Just because it doesn't do anything bad to your IE & Solitaire environment doesn't mean it is safe for everyone.

>Maybe I'm just jumping to conclusions here, but it seems that if you *DID YOUR FUCKING JOB AND INSTALLED THE PATCHES* then you won't get infected.

Wow, you must really rack up those frequent flier miles, visiting EVERY SINGLE REMOTE SALESPERSON in your company. And to do it for all 200 of them in a single night? Impressive. Santa could learn something from you.

( o ) ( o )
Tuesday, May 04, 2004

The original question was about TCO of windows IIRC.

It's an interesting point, regardless of the rights and wrongs of it: problems like this _do_ increase the average TCO for both Windows and Linux.

Is anyone willing to argue that it should not do so?

I wonder whether the calculations that are done to calculate TCO _do_ take into account the cost of patches/worm damage/time spent fixing the OS after the patch and/or worm damage etc.

Does anyone know where I can find a breakdown of all the things included in the TCO calculations for Linux and windows?  ie, the figures on which the overall conclusions are drawn?

...would be interesting to see what's counted and what's not...

FullNameRequired
Tuesday, May 04, 2004

I don't use Windows in my "Enterprise".

Captain Kirk
Tuesday, May 04, 2004

"Please!  With all the money in the world, you couldn't produce perfect software on that type of scale.  *No one* can do it!"

Okay, if not perfect, then how about something less than the swiss cheese open door that we currently have? How about eliminating absolutely brutally trivial buffer overflows? I'm much more understanding of complex exploits involving multiple convoluted steps that circumvent a usage pattern, but these trivial faults that we keep getting hit by are completely unacceptable.

Let me give a prediction (and please feel free to hold me to it) - After a few more of these, there _will_ be liability lawsuits, followed shortly thereafter by industry regulation regarding liability and certification (likely applicable to software companies with a gross revenue above some threshold to ease complaints, and to encourage innovation). I guarantee this. Somehow we'll manage to make better software.

BTW: Sorry, a 95% profit margin was ridiculously high of me to say. How about 86%?

http://zdnet.com.com/2100-1104-966219.html

So for every copy of Windows you buy, 14% goes into cost centers and a relatively small group of developers, and 86% goes to support some other grand initiative (Xbox7!). How about instead another 14% of that is applied towards Windows, given that it is the de facto platform of our economy, and maybe spruce up the security a bit? I know it's unfair to cut that profit back to a lowly 72%. What sort of monster can live on that little?

As a sidenote, just imagine the chaos a criminal/terrorist organization could unleash if they got a couple of the people with the skill of eEye, but with more of a malicious intent?

Dennis Forbes
Tuesday, May 04, 2004

"Large buildings expose people to getting killed if they fall out of windows. Medicines will kill if taken in large doses. Cars kill if driven too fast."

I think we are on to something here.  If we keep adding useless stuff into the OS, then it will slow down and the worms will not be able to propagate so fast.  Now just make sure the additional stuff is secure =|;}

Sloth
Tuesday, May 04, 2004


"Wow, you must really rack up those frequent flier miles, visiting EVERY SINGLE REMOTE SALESPERSON in your company. And to do it for all 200 of them in a single night? Impressive. Santa could learn something from you. "

It's even more impressive than that, my friend. It's this nifty little tool called "E-mail". You might have heard of it.

It goes something like this:

"Dear remote user, there's something nasty going on in the world. We would explain it, but it's too confusing for you. Please see the instructions below that provide painstakingly simple instructions on how to protect your machine. Yes, they really are so simple that your mother could do it. Please note that if you don't perform this simple task and your machine gets all fucked up, then we will laugh at your misery while you miss your sales quotas. Just read the fucking instructions and do as we say."

Granted, maybe something got lost in translation , but you get the idea. If you have remote users then you *communicate* with them. Even provide a phone number so the morons can call in when they have a question like if anti-bacterial wipes will remove the virus.

Then, internally, you run SUS to push out the updates to users that connect locally. You are running SUS, right? It's free ya know.

See, we just took care of our users and it didn't even involve Santa or his fucking reindeer.

Whatever
Tuesday, May 04, 2004

"Why does it have to be a worm?  Other hacks besides that are not valid?  Is that the only way to justify the argument?"

Has to be a worm, because while other hacks are possible, worms are fast, spread without user intervention, and are far more widespread than successful hacks.  Of course you'd like it to be some other type of hack wherein the operating systems are on more equal footing. When it comes to worms, Windows rules, and you can't show any evidence to the contrary from the last 5 years.

Swiss Cheese, I tell you, Swiss Cheese.

Uncle Cracker
Tuesday, May 04, 2004

"Large buildings expose people to getting killed if they fall out of windows. Medicines will kill if taken in large doses. Cars kill if driven too fast."

Yes but Windows used as advertised gets your ass owned.

Uncle Cracker
Tuesday, May 04, 2004

"Let me give a prediction (and please feel free to hold me to it) - After a few more of these, there _will_ be liability lawsuits, followed shortly thereafter by industry regulation regarding liability and certification (likely applicable to software companies with a gross revenue above some threshold to ease complaints, and to encourage innovation). I guarantee this. Somehow we'll manage to make better software."

Dennis, I hope you are correct.  Every other industry must produce safe products.  Software vendors, because of the "difficulty" of producing software, lobbied out of such problems - for now.  Well, it probably is difficult when you'd rather add features and charge for an upgrade instead of fix your bugs and holes.

MS needs to take another February off (of course they chose the shortest month, seeing how concerned they are about security), this time Feb 2005 until Feb 2008.

Uncle Cracker
Tuesday, May 04, 2004

"It appears that there is one product liability rule for computer software manufacturers, and another for everybody else. "

While I agree that MS has some security problems, this statement isn't really accurate.  They provided a fix pre-emptively.  If you did not take advantage of it, that is your fault.  If a car has a serious fault and the company issues a recall, it is your own fault if you don't take advantage of the recall and later suffer from the failure.  I'm pretty sure the company would not be held accountable (at least under US law) if they took every reasonable step to fix the problem pre-emptively.

"Please name the last Unix/Linux any other OS not made by MS virus/worm than brought trains to a halt and closed banks.  Are there ANY in the last 5 years? "

Linux has plenty of security holes.  Just look at the security sites and you will see plenty of similar exploits which have been patched in Linux.  Of course you don't get spectacular failures like trains crashing or banks losing people's money, because those systems don't run on Linux.  Just because none of Linux's security holes have been turned into major worms or have caused trains to crash doesn't make them any less real.

Dennis: I don't think anyone would claim that MS has no room for improvement.  But it is important to understand that perfect software of this complexity just isn't going to happen.  The 86% profit number is somewhat questionable.  They don't really say how that number is calculated.  Does it take into account R&D?  Costs involved in producing the next version of Windows?  What exactly does it take into account, and for what years?  It's certainly not news that the actual physical production of CDs is extremely cheap, and the support costs are not that high either.  So without taking into account the R&D you are missing a substantial part of the costs for Windows.

MikeMcNertney
Tuesday, May 04, 2004

"After a few more of these, there _will_ be liability lawsuits, followed shortly thereafter by industry regulation regarding liability and certification "

Well, if so then you kiss yet another industry goodbye, driven totally offshore by the scum-sucking, blood-thirsty leeches our society politely refers to as "lawyers". It won't get past the lawsuits to get to regulation. The fucking lawyers will have such a field day raiding the coffers of every software company in America that those companies will flee en masse to countries with less stringent product liability law.

Try suing a company located somewhere in the middle of India. After they laugh their asses off, they will just tell you to go fuck yourself. And you can rest assured that the Indian government will happily turn a blind eye to it while they shrug their shoulders and tell the world that there is little that they can do.

Whatever
Tuesday, May 04, 2004

"The lawyers will have such a field day raiding the coffers of every software company in America that those companies will flee en masse to countries with less stringent product liability law."

Liability applies when you sell the product, regardless of where you make it. If you mean that they'll just abandon the US market -- well a high quality replacement would happily take their place (maybe something based on QNX? A hardened version of OS X?). Legal changes of such a nature are interesting in that they're infectious. If the US enacted such legislation, you can be sure that most other first world nations would post haste.

Regarding lawyers, that's a nice extremist view, but those lawyers and liability laws have kept a lot of people alive or unmaimed where otherwise someone would have cut a corner or skipped a step to save a buck.

Listen, I make my living on Windows. I develop for Windows. I advocate Windows. I write about the Windows platform and technologies. None of this means that I have to be a brainless zombie parading the company line that there's nothing to see here and this is all par for the course, and what about that Linux anyways? (This sounds like a bunch of kids pissing about how they have to come in at 8 but Timmy gets to stay out till 9.) I don't care about Linux, nor do I care about any other operating system. Indeed I think that's a foolish (and meaningless) diversion from the issues. The issue is that Windows has become the de facto platform for a large part of our economy and computing lifestyle, and it has to achieve a much higher standard. Given the unbelievable profits Windows is feeding to the Microsoft machine, how about getting a small portion of them towards perfecting Windows instead of feeding the endless money pits of other industries Microsoft wants to dominate?

That is all. Thank you.

Dennis Forbes
Tuesday, May 04, 2004


To those of you who had "No problem" installing this patch and others: Are you running a cluster? Are you running Windows Terminal Services? A Citrix farm that supports hundreds of users? I would have no problems either if all I was doing was patching a simple Windows file and print server!

How do you know your Windows patch got installed? Just because there is now a registry entry that says it was? Did you check the files themselves? Did you checksum the files to be sure? How do you know that the next patch won't undo it (Microsoft has done this several times)? Did you know that Microsoft sometimes even releases "updates" to the patches?

Subscribe to the NTBUGTRAQ mailing list for a few months and you will get quite an education about the Microsoft patch process.

One thing that always has pissed me off about patching Windows is the "You must restart your computer" dialog.

At least with Linux/Unix, as long as it isn't the kernel or a critical daemon (service), you can just restart the daemon affected by the patch. No need to boot everyone off. But every month we have to schedule downtime to install patches on our Windows servers.

Is Linux/Unix the end-all-be-all of secure operating systems? Not by a long shot! But IMHO its architecture makes it easier to secure than Windows.

For instance: Can somebody PLEASE explain to me why on earth I can write Excel/Word macros that can modify SYSTEM REGISTRY SETTINGS? That's just asking for trouble.

As someone once said, "Windows is a 32-bit extension of a 16-bit patch for an 8-bit operating system originally designed to run on a 4-bit processor produced by a 2-bit company that doesn't care 1-bit about its customers."

Neil Johnson
Tuesday, May 04, 2004
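Neil's question above ("Did you checksum the files to be sure?") is the one a defender can actually answer mechanically. The following is an added example, not code from the thread or from any Microsoft tool: it compares files on disk against a manifest of expected SHA-256 digests and reports each file as OK, MISMATCH (stale or altered binary) or MISSING. The file names, contents and digests are constructed for the demonstration; a real manifest would carry the hashes the vendor publishes for the patched binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Return {relative_path: "OK" | "MISMATCH" | "MISSING"} for every manifest entry.

    A registry entry saying a patch is installed proves nothing about the bytes on
    disk; this checks the bytes themselves against the expected digests.
    """
    results = {}
    for rel_path, expected in manifest.items():
        target = root / rel_path
        if not target.is_file():
            results[rel_path] = "MISSING"
        elif sha256_file(target) == expected.lower():
            results[rel_path] = "OK"
        else:
            results[rel_path] = "MISMATCH"
    return results


def build_demo(root: Path) -> dict:
    """Constructed sample: write fake 'patched' files and a manifest that disagrees
    with one of them and names one that was never installed (hypothetical names)."""
    root.mkdir(parents=True, exist_ok=True)
    patched = b"patched build of component a"
    (root / "a.dll").write_bytes(patched)           # matches manifest
    (root / "b.dll").write_bytes(b"old build of b")  # stale: a later patch rolled it back
    return {
        "a.dll": hashlib.sha256(patched).hexdigest(),
        "b.dll": hashlib.sha256(b"new build of b").hexdigest(),
        "c.dll": hashlib.sha256(b"new build of c").hexdigest(),  # never installed
    }


def demo_run() -> dict:
    """Run the whole check in a throwaway directory and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_demo(root)
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for name, verdict in sorted(demo_run().items()):
        print(f"{verdict:9} {name}")
```

Anything other than OK across the board is a reason to re-apply the patch and re-check, rather than trusting the installer's own bookkeeping.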

"Are you running a cluster? Are you running Windows Terminal Services? A Citrix farm that supports hundreds of users?"

Yes, yes and no. But only because it's not hundreds, but we are running Citrix.

Whatever
Tuesday, May 04, 2004

>> As someone once said, "Windows is a 32-bit extension of a 16-bit patch for an 8-bit operating system originally designed to run on a 4-bit processor produced by a 2-bit company that doesn't care 1-bit about its customers."


As someone once said, "Men with little tiny penises complain about Windows."

John Holmes
Tuesday, May 04, 2004

As someone else said, "Men with a penis-deficiency turn everything into some sort of penis issue".


Wednesday, May 05, 2004

So in order to download the patch one has to connect to the internet, where one runs the risk of being infected by sasser. Niiice.


Wednesday, May 05, 2004

> Given the unbelievable profits Windows is feeding to the Microsoft machine, how about getting a small portion of them towards perfecting Windows instead of feeding the endless money pits of other industries Microsoft wants to dominate?

That won't make them nearly enough money, particularly since so few people seem inclined to switch from Windows to other operating systems.


Wednesday, May 05, 2004

A typical company has mission critical plumbing and electrical installations.

If they required the same kind of continuous attention some here say the computer infrastructure should have, they would just rip them out, and you would be treading on the hundreds of large turds in the parking lot on the way to the well to get the water to put out the fire that the upturned candle has just caused for the second time this month.

Stephen Jones
Wednesday, May 05, 2004

Well said Stephen Jones. Quite the professionals, aren't we?


Wednesday, May 05, 2004

> So in order to download the patch one has to connect to the internet, where one runs the risk of being infected by sasser. Niiice.

What happened to your firewall?

a
Wednesday, May 05, 2004

"What happened to your firewall?"

Oh, I'm sorry - did I miss the system requirements section that indicates that you need to also supply a firewall to run Windows OS'?

.
Wednesday, May 05, 2004

> Oh, I'm sorry - did I miss the system requirements section that indicates that you need to also supply a firewall to run Windows OS'?

No, but if you're in this particular situation, (unwired system that you want to patch), a firewall will help you out.

In any case, I would consider it foolhardy to sit a machine on the internet without any protection whatsoever, trusting that the services that you have exposed do not have any security vulnerabilities, regardless of what OS you run.

a
Wednesday, May 05, 2004

"""I would consider it foolhardy to sit a machine on the internet without any protection whatsoever"""

joe: "I'd like to buy a computer, please"
schmoe: "I'll need to see your MCSE license, first"


Wednesday, May 05, 2004

"In any case, I would consider it foolhardy to sit a machine on the internet without any protection whatsoever, trusting that the services that you have exposed do not have any security vulnerabilities, regardless of what OS you run."

Fair enough, but shouldn't the default setup for something like XP Home Edition be absolutely zero TCP/IP ports listening on the public IP (i.e. they can still listen for localhost connections so it can abstract the interface through TCP/IP if it simply insists upon connecting to the registry through the "remote registry service")? Of course we know that Microsoft didn't release it that way, and instead the default is generally to enable a wide swath of unnecessary and exploit-ridden services by default. Universal Plug and Play for some futuristic home automation scenario where Microsoft will be at the center? Why not!

Dennis Forbes
Thursday, May 06, 2004
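Dennis's point is the difference between a service bound to localhost and one listening on every interface. As an added example, not code from the thread, the script below parses `netstat -an` style output and lists only the listeners reachable from outside the machine (bound to 0.0.0.0, ::, a wildcard or a real interface address), while ignoring anything bound to loopback. The sample output embedded in it is constructed for the demonstration; on a real host you would feed it the actual `netstat -an` text.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the layout Windows `netstat -an` prints (not captured
# from any real machine). Ports are ordinary well-known numbers chosen for
# illustration only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:4321      ESTABLISHED
  TCP    [::1]:8080             [::]:0                 LISTENING
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:123          *:*
"""


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.10:139' -> ('192.168.1.10', 139); '[::1]:8080' -> ('::1', 8080)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_externally_reachable(host: str) -> bool:
    """True unless the socket is bound to a loopback address.

    0.0.0.0 / :: (unspecified) and '*' mean every interface, so they count as external.
    """
    if host in ("*", ""):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # unparseable host: treat conservatively as exposed
    return not addr.is_loopback


def external_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, host, port) for every non-loopback listening socket.

    TCP sockets count only in LISTENING state; a bound UDP socket has no state
    column, so any non-loopback UDP binding is reported.
    """
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, port = split_endpoint(local)
        if is_externally_reachable(host):
            found.append((proto, host, port))
    return found


if __name__ == "__main__":
    for proto, host, port in external_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} is reachable from the network")
```

Every line this prints is a service whose exposure has to be justified; on a default workstation install the ideal output is empty, which is exactly the default the post argues for.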

I thought the main reason ports were open and the firewall off by default was to allow networking. Basically you want to plug your new computer into the company network and presume that you can connect to it for configuration, cloning and other purposes.

Now, you could argue that the hassle of dealing with Blaster and Sasser is greater than the initial hassle you would have had if everything was locked down.

Stephen Jones
Friday, May 07, 2004

It's sad that so many people pretend not to understand. Here are some simple clues for the impaired:

1. Yes, there are updates available -- when the worms get out. But the worms get written because there are updates out, when the exploits have been known for quite some time. Some vendors are worse than others, but six months is just not acceptable.

2. A default installation should be reasonably secure. A workstation Linux box has had exactly zero remote root exploits during the last ten years. Running servers by default is just not acceptable.

3. Windows is constantly plagued by worms. Why is that? Apache has some 65% market share and has had only one remote exploit when IIS has had dozens.

R.D.
Friday, May 07, 2004
