Tilted Forum Project Discussion Community  

#1  08-21-2003, 01:49 PM
Location: Oklahoma City, OK
Forget California, it's time to recall Micro$oft

(Given the threads here and here and here and here describing various problems in dealing with M$ and its crap-er-I-mean programs, I thought this was only too appropriate not to share.)

From The Register

By Richard Forno

Posted: 21/08/2003 at 11:30 GMT

A sign on a Trenton, NJ railroad bridge says "Trenton Makes, The World Takes." In light of recent history, a sign at Sea-Tac airport should probably read "Microsoft Makes, The World Quakes."

For the second time this year, Microsoft is the source of a major internet security event. First was Slammer/Sapphire in January that seriously impacted networks and corporations around the world, including shutting down ATM machines at some large banks. And now, we've got MSBlaster taking advantage of a years-old vulnerability in Microsoft Windows operating systems. But unlike Slammer that only targeted servers, this one goes after desktop computers as well - meaning that ninety percent of the world's computers are potential targets and victims this week. Consumer desktops are significantly more plentiful than corporate ones but less-protected against viruses, worms, and other attacks. As low-hanging fruit goes, they're a perfect target of opportunity for cyber-mischief.

According to a Wired story today, Microsoft is confused why these worms continue plaguing users when the company's made great effort to improve the patch delivery process. Microsoft says it's working with federal law enforcement to find out who's behind the dastardly deed that's giving the software monopoly yet another embarrassing black eye in the media. This is a typical Microsoft response full of proactive sound of fury, but signifying nothing helpful. And the media's full of reporting about the pervasiveness of MSBlaster and what people can do to protect themselves against this "latest" cyber-threat.

Yet Microsoft says third-party software accounts for half of all Windows crashes. Funny, it also blamed the competing DR-DOS for Windows 3.1 crashes in an attempt to get people to buy MS-DOS back in the 1980s. (It was later discovered that Microsoft had engineered false error messages to trick users into buying MS-DOS.) It also said Internet Explorer couldn't be removed from Windows 95 without crippling the operating system, and was proven wrong by enterprising researchers. So Microsoft's track record for veracity isn't exactly stellar when it comes to its products and business practices.

But, few if any are mentioning the real issues here: MSBlaster's ability to affect practically all versions of Windows shows that despite Microsoft's marketing flacks, there is still significant code shared between all versions of Windows. Anyone who thinks DOS is dead, or Windows XP's code internals have little in-common with Windows NT 4 should think again. MSBlaster proves it.

Also, MSBlaster takes advantage of known vulnerable network ports in Windows, ports that any competent network administrator or internet provider should have closed long, long ago. In fact, there's probably no good reason why these ports should be enabled on consumer versions of Windows or supported by ISP networks, for that matter. In other words, it baffles the mind why these well-known ports continue to be a major security vulnerability in Windows.

Of course, Microsoft pledges to continue working on its patch distribution process as part of its larger "Trustworthy Computing" initiative. That's all well and good, but does this mean the security of our networked systems has been reduced to the repeated mantra of "run the patch" and then sit back to wait for the next pair (exploit and fix - a matched set!) to be released? Hopefully not. Security is a two-part process requiring the network staff to administer their resources appropriately and the software vendors to produce code that's much more reliable than it is now.

As it did with the Slammer worm in January, Microsoft proudly says it made available a patch for Windows far in advance of the vulnerability being exploited on a massive scale. But many users didn't get the message or download the patch - either because home users didn't realize that the automatic Windows Update process was designed for just that reason (or would "do it later") or, in the case of large companies, network administrators likely were too busy installing any number of other patches required (at least 30, according to the number of security bulletins so far in 2003) to keep their Microsoft systems operating in a somewhat more secure manner from week to week. (And we wonder why help desk staffs burn out so quickly.)

If Microsoft really wanted to resolve its software problems, it would take greater care to ensure such problems were fixed before its products went on sale - and thus reverse the way it traditionally conducts business. Doing so means less resources wasted by its customers each year patching and re-patching their systems, hopefully meaning more is available for effective network planning, design, and management to support a robust defense-in-depth security strategy. Customers shouldn't be forced to spend their money cleaning up after Microsoft's mistakes, laziness, or general complacency, but on improving their information environments to take full advantage of the many benefits of the Information Age.

More importantly, why are we - users, administrators, media, and the government - praising Microsoft for their response to this critical problem? If something's wrong with a product, responsible companies are obligated to fix it as a matter of good business practice. A responsible adult knows that if you make a mess, you're expected to clean it up, regardless if anyone compliments you for your efforts. Did anyone expect widespread praise to be heaped on Ford Motors after its Explorer fiasco a few years back? Hardly - there was a serious problem with one of its products, and the company fixed it, albeit under the threat of lawsuits from victims or their families.

But that's not the case with software, from Microsoft or anyone else. When you acquire software, you don't really "buy" it, but rather purchase a license to use it "as is" for a period of time, and the vendor is under no obligation to fix anything wrong with its product. If you take the time to read the thousands of words in a typical software End User License Agreement (EULA) - and many people don't - you'll see that by installing and using the software, you indemnify the vendor against any claims, losses, or problems resulting from using its software, even if the vendor knew about the problem before it sold the product. In some cases, as this Register article notes, you agree to let Microsoft remotely modify your software and you can't hold it liable if something breaks as a result.

Code Red, Love Bug, Slammer, Nimda, Pretty Park, BubbleBoy, Melissa, Code Red II, MSBlaster, and numerous other high-profile Microsoft-sponsored incidents... many view them as "the price of doing business in the Information Age" and cheerfully spend (or lose) increasing amounts of money with each new incident arising from poorly designed software. But rather than face reality by conducting a dollars-and-sense risk assessment of their IT operation to see how much Microsoft's vulnerabilities cost their enterprise annually, these sheeple - at all levels of government, industry, and society - prefer tolerating mediocrity to efficiency and reliability in their software assets, because they're either too lazy to investigate alternatives or don't want to propose changes to the comfortable status quo.

What recourse do you have in such cases? You can't just sue the software vendor for problems with their product like you can the maker of a vehicle or appliance since you've given up those rights by using the product under the terms of its license agreement. The only option you have is continue using the software in question and scrambling to update your systems whenever a new problem presents a danger to your information assets. In other words, when Microsoft says "patch" you salute and say "how soon?"

Or, you can vote with your pocketbook and move to an alternative software product that works better, costs less to buy and maintain, and won't burn out your network support staff. Nobody's saying you must use any one particular product or operating system, and they all tend to perform the same basic functions needed in today's working society - although some are better at it than others. It may take a little bit of effort to switch and get used to the new product, but the long-term payoff will be worth it.

After all, in the real world, if you don't like Ford trucks, you can buy a Jeep instead.

Copyright © 2003, Richard Forno. All rights reserved.
__________________
Join TFP Team SETI
43K workunits complete, 34 members, more of each needed.
Posted by RoadRage
#2  08-21-2003, 02:14 PM
Location: Oklahoma City
Ya know, I'm not the biggest MS fan around, but Mr. Forno needs to get some facts straight.

First, Blaster does not "affect practically all versions of Windows". It only affects Windows 2000 and Windows XP (according to the Symantec website).

Second, it was not "exploit and fix - a matched set!". It was a fix then the exploit.

When this guy can write a robust operating system without any security flaws, then he has the right to complain about this. Bugs exist in any extensive program; it's just a fact. Believe it or not, programmers are human too and can overlook something.
__________________
Gun Control is hitting what you aim at

Aim for the TFP, Donate Today
Posted by hrdwareguy
#3  08-21-2003, 02:15 PM
Location: Great White North
I'm not anti-M$.... they just come under attack a lot because hackers see them as an easy (and big) target.
__________________
Quote:
Isn't it enough to see that a garden is beautiful without having to believe that there are fairies at the bottom of it too?
Douglas Adams
Posted by HeAtHeN
#4  08-21-2003, 03:05 PM
Location: North Hollywood
Consider the number of lines of source code, the number of programmers, the amount of hardware, the types of end users, the drivers, the 3rd party hardware, the tweaking users, the crackers.

It's practically impossible to test complex software these days; a lot of the problems are found after a live release, because if you waited till you tested it 100% you'd be out of business. Software goes out of date/use and still has huge bugs in it; look how long it took to find the Pentium math bug, very obscure.

I don't see why a network solutions CSIO is complaining, if he still works there.

I'm pleasantly surprised it works as well as it does, and one way to make the machines and software work better would be to, say, control most aspects; of course if MS did that there would be a huge outcry, say like a certain infinite looper does.

MS fixed the Blaster problem about 3-4 weeks before it appeared; they made a centralized site with an automated delivery mechanism to fix it, and people don't use it; self-appointed security and technical 'experts' claim it doesn't work or screws up their systems.

I bet half the time it's because they've tweaked the crap out of the system and have it loaded with tonnes of junk.

I remember when we'd man the forums and net helping people out with problems with our games; the ones that caused us the most problems and were the loudest were the ones that constantly fiddled with their software/hardware trying to make it 'better', usually screwing up something else since they didn't really understand the pros and cons.

People are always looking for someone else to point the finger at.
Posted by charliex
#5  08-21-2003, 03:51 PM
RoadRage: Thanks for the article. I'm not gonna get into the anti-Microsoft thing either, but the author makes a good point. When does Microsoft accept responsibility for flaws in its operating system? Patching this and patching that is a sign that there IS a major problem. I think the author is arguing that before releasing an OS with major flaws, Microsoft should be more careful to check and recheck.

I like this part of the article the best:

"...You can't just sue the software vendor for problems with their product like you can the maker of a vehicle or appliance since you've given up those rights by using the product under the terms of its license agreement. The only option you have is continue using the software in question and scrambling to update your systems whenever a new problem presents a danger to your information assets. In other words, when Microsoft says "patch" you salute and say "how soon?"

"Or, you can vote with your pocketbook and move to an alternative software product that works better, costs less to buy and maintain, and won't burn out your network support staff. Nobody's saying you must use any one particular product or operating system, and they all tend to perform the same basic functions needed in today's working society - although some are better at it than others. It may take a little bit of effort to switch and get used to the new product, but the long-term payoff will be worth it."

"After all, in the real world, if you don't like Ford trucks, you can buy a Jeep instead."

...Hmmmm....Something to think about.
Posted by Splice
#6  08-21-2003, 05:07 PM
Location: shittown, CA
Quote:
Originally posted by hrdwareguy
Ya know, I'm not the biggest MS fan around, but Mr. Forno needs to get some facts straight.

First, Blaster does not "affect practically all versions of Windows". It only affects Windows 2000 and Windows XP (according to the Symantec website).

Almost.
- Microsoft Windows NT® 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server™ 2003
Source
Posted by juanvaldes
#7  08-21-2003, 05:31 PM
Location: In the room where the giant fire puffer works, and the torture never stops.
charliex, you have a point about the difficulties inherent in bug testing large software such as MS's operating systems. There is no doubt that it would be nearly impossible to completely, 100% eliminate EVERY possible bug or software/hardware incompatibility problem that could cause WinXP (or any other OS) not to function perfectly. However, it is my opinion that security flaws both can and should be eliminated before any software product ships, especially one that comes with a built-in firewall. After all, the number of network I/O ports in XP is finite, is it not? Would it be so hard for MS to assemble a small team of security experts to examine EVERY possible way into the system and securely close them before the product goes to market? I think not. As the MSBlaster worm showed, even a mediocre hacker can find and exploit these security flaws. That suggests that MS didn't do enough to eliminate the hole in the first place.

Of course, in this case it is entirely possible that MS precipitated the problem by issuing the patch, thus alerting the hacking community to the problem in the first place. It seems very likely to me that whoever created the MSBlaster did so after MS announced the existence of the problem. In such a scenario, it is indeed the fault of the users for not implementing the patch as soon as it was available. However, MS still bears some culpability for a) not eliminating the problem before selling the product, and b) not taking a stronger proactive position to make sure all its customers knew about the existence of the patch and the danger that not running it presented.

Finally, if MS's OS wasn't so bloated with unnecessary and overly complicated code, perhaps product testing it would be a more useful endeavor.
__________________
He's the best, of course, of all the worst.
Some wrong been done, he done it first. -fz

I jus' want ta thank you...falettinme...be mice elf...agin...
Posted by Sion
#8  08-21-2003, 07:16 PM
Location: Seattle
Quote:
Originally posted by Sion
Would it be so hard for MS to assemble a small team of security experts to examine EVERY possible way into the system and securely close them before the product goes to market? I think not.
I've worked in software for many years and regularly interact with many of the lauded theoretical and practical scions of computer science. No intelligent researcher or practitioner has ever suggested that any system is free of security holes or any other type of design or code defect.
Posted by cowlick
#9  08-21-2003, 08:26 PM
Quote:
Originally posted by Sion
...Would it be so hard for MS to assemble a small team of security experts to examine EVERY [I would change this to as MANY as POSSIBLE way] possible way into the system and securely close them before the product goes to market? I think not. As the MSBlaster worm showed, even a mediocre hacker can find and exploit these security flaws. That suggests that MS didn't do enough to eliminate the hole in the first place.

...MS still bears some culpability for a) not eliminating the problem before selling the product, and b) not taking a stronger proactive position to make sure all its customers knew about the existence of the patch and the danger that not running it presented.
Good point Sion. Like you, I am not saying that MS should have been perfect. But (1) these viruses and their mutations have shown very clearly that "even a mediocre hacker can find and exploit these flaws" and (2) that MS is not doing enough to protect and/or inform their consumers. Instead of releasing 30 patches a year, just release a rewritten or corrected OS every 2 years. Considering the amount of $$ that MS has, that is very doable. Apple has been able to do this. Again, I'm not trying to get into Mac vs. PC here, only to point out that releasing a major OS is reasonable every 2 years. I am no computer techie, but from what I heard Windows XP was still using some of the same code as the older versions. This was the code that contained the flaws.
Posted by Splice
#10  08-21-2003, 08:26 PM
Location: Manhattan, NY
The price of interoperability is the ability to compromise everyone... use an Amiga and you don't have to worry about virii.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Posted by Cynthetiq
#11  08-21-2003, 09:09 PM
Keep in mind here that with such a huge selection of computer users running Microsoft code, you have a hell of a lot more hackers working on breaking it down. It also becomes a more attractive score for hackers.

Any video game or software you use, be it Microsoft or any other, there will be bugs and flaws. But because this is multiplied by the millions of machines running it, you turn a piece of flawed code into a fireworks show, the world over.

Also, the "ease of use" that Microsoft has been promoting in all of its software essentially attracts a less computer-literate market, which is genius. If your customer doesn't know what it's doing, you can teach 'em as they go along, but with your own books. Now the people using these computers don't understand what's happening to their systems; they just follow the arrows to "make it work again".

I'm not taking sides here, I'm just saying that you need to take into account the sheer size of Microsoft's user base.

The example of the Ford Explorer: if no one bought the cars, it wouldn't be such a big deal. It's only because the problem was so widespread that it got the attention that it did.

To follow along with that, just about every car can be broken into. Period.
However, let's say for example one car maker takes a huge proportion of the car market, similar to how MS has done with operating systems. Well, not only would those cars in particular be broken into more than anything else, simply because of the numbers, but it would also be more widely known.
Posted by sandeep
#12  08-21-2003, 10:20 PM
Location: North Hollywood
When I said 'practically impossible' I meant it; it's just not possible to test every variable. Just think of the size of the OS, all the things you can do in it.

Do we honestly think that MS doesn't do as much as they can to make sure the product is as secure as it can be? Unfortunately, the way the commercial world is, it will sometimes slip. They want you to buy it, they want you to like it; your average Microsoft employee takes pride in their work and gets satisfaction out of seeing people having a good experience using it.

It's just a fact of life that complex systems have complex failures; look at Firestone, there are multiple checks in place to stop stuff like that happening, but it frequently does.

Even a dedicated hardware firewall from a network giant like Cisco has lots of flaws; they have a huge reputation at stake over this, yet they still have failures, and a hardware firewall is a gazillion times less complex than a Windows OS.

How many products do you see recalled that are a potential choking hazard, or can burst into flames, etc., etc.?

I wish it were simple to have a dedicated group of people work out all the bugs (which they do already have), but it wouldn't matter: for every 100 testers Microsoft has there's 500 cracker script kiddies on the outside looking harder; these guys will spend months and months going over one possible exploit; that's just not viable in business.

Hindsight is always 20/20, and every code base has the same percentage of flaws; Apple don't have any superhuman coders, they are from the same pool.

It's very easy to look in at something you think you can see every aspect of and critique it. The old 'that doesn't seem so hard' line.

Using old code doesn't mean it's automatically bad, since that code has been tested over and over and over; if it's got a legacy bug that wasn't found, then it's very obscure, so it's tough to find (again the Pentium math bug, it was years before it was found).

It's the mediocre virus writers that get it out there, but it's generally the smart guys that find and publish the exploits they use.

As for 'ease of use', I thought that was Apple's line.

Hehe Cyn, the Amiga spawned some of the worst virii out there.

The best programmers in the world write 3-5 lines of fully debugged, fully working code a day; there are hundreds of millions of lines of code in a major OS system. It just takes one character difference to make a major flaw that is stealthily hidden, that may never be found.

I think if someone could invent something that allowed you to understand or visualize just how complex a computer and its software is, you'd be dropping your jaw in amazement.
Posted by charliex
#13  08-22-2003, 08:16 AM
charliex & sandeep: You both made a good point. It is true that to "cover all bases" when it comes to a complex OS is impossible, since humans are prone to errors.

Sandeep: You pointed out the Ford Explorer & Firestone tire example: "you need to take into account the sheer size of Microsoft's user base...the example of the Ford Explorer. If no one bought the cars, it wouldn't be such a big deal. It's only because the problem was so widespread that it got the attention that it did."

But I would argue that Honda produces a significant number of cars, Civic, Accord, etc. But notice that their "quality-control" is much higher than the Ford. Now if we're talking the "user base" then I think that is a fair comparison. So if what you're saying is true then Honda cars should have just as many problems as Ford cars. And again, I would argue that this is not the case. One company obviously has a "higher standard of quality" than the other. This might also be supported by the fact that Honda Accords are among, if not the top selling cars in the U.S.

Charliex: "...for every 100 testers Microsoft has there's 500 cracker script kiddies on the outside looking harder; these guys will spend months and months going over one possible exploit; that's just not viable in business."

You may be right, and I'm not debating that. However, we keep going back to the sheer number of users for MS. OK then, since there is such a big user base, is it not MS's responsibility to ensure that their products are as "flawless as possible"? Let's say there's a small company with 500 users. This company could "screw up" or develop crappy software/hardware and it would not affect that many people. So this company would not have to test, re-test, and triple-test their products to death. Now, what about MS? This is where the difference is. Because MS is acutely aware that it controls 90-95% of the computer market, shouldn't the responsibility lie upon MS to test, re-test, and test and test again 10-20-50-100 times their products? I mean, the U.S. govt has chosen MS as the OS for Homeland Security. Isn't it ironic that after sealing the deal with the US govt. all these flaws showed up? They are obviously very successful in marketing, but how lucky could one company be? I, for one, am scared that an OS with this many flaws is now "protecting Americans."


*** Please know, I am debating and mean NO disrespect to either of you. Since this is a forum for discussion, please take what I say with a grain of salt. BUT, I do stand by my argument.

Last edited by Splice; 08-22-2003 at 08:19 AM..
Posted by Splice
 
