A BBC article summed it up nicely:
http://news.bbc.co.uk/1/hi/technology/7976099.stm
Edited 2009-04-01 14:14 UTC
Vincent Weafer, vice president of security response at anti-virus firm Symantec, added: "We believe the software is geared towards making money. The characteristic of this type of worm is to keep it slow and low, keep it under the radar to slowly maximise profits over the long term."
http://news.bbc.co.uk/1/hi/technology/7976099.stm
Couldn't we just apply his response to Symantec's own software? It seems more like exploits than upstanding utilities most of the time. I don't know of any other software that could be labeled as crashware so readily.
Aside from a lame April Fools' "OMG the world is going to end" virus (Y2K anyone?), there could be more to it.
Yesterday marked the last day of the financial quarter. Anti-virus companies are hurting just like any other industry. What better way to get a bunch of people to help pad your bottom line for that quarter than a big scare to get them to buy new anti-virus licences? "There's nothing like a war to end a depression." This wouldn't be the first time something like this has happened; I doubt it will be the last.
If people had patched their systems in October, when the patch came out, then the worm wouldn't exist. This is not a problem with Windows security, it's a user problem.
Every system gets security updates. Repeat it now:
EVERY SYSTEM GETS SECURITY UPDATES.
If you keep spouting nonsense, it'll be you that looks like the joke.
Because bug-free code is impossible to write. Only agencies like NASA can write bug-free code, but that does mean that in the hypothetical case NASA were to write a general-purpose operating system, it would cost upward of 10000 EUR per copy - probably a hell of a lot more.
We are modding you down because you have absolutely no idea what you're talking about. Starting with Windows Vista (and to a lesser extent, XP SP2) Windows is a pretty damn secure operating system. The only recent case of massive failure is this Conficker thing, which doesn't count since it only affects unpatched systems.
Satan666, I know you are the person who systematically mods down almost every one of my posts; we have insight into those things, you know. It's kind of funny that you complain about being modded down while you yourself abuse our system so thoroughly.
I've been following NASA lately. There's some really exciting stuff going on. For example, the Kepler mission is going to give us a remarkably reliable statistical map of "Earth-like" planets in their stars' "habitable zones" in just 3 or 4 years. But... as Thom asserts... it's not bug-free code[1]:
http://www.nasa.gov/mission_pages/kepler/news/keplerm-20090330.html
My assertion is that software projects, including those at Microsoft (and yeah, Mozilla), have come to expect that we won't roast them for being careless. (Hell, we heap praise upon Mozilla for being careless... after they release the fix.) And the more lax we become in our insistence upon quality, the more lax they will become in their development and release practices.
I used to despise DJ Bernstein and his attitudes. These days I'm not so sure.
[1] It is, however, well thought out and resilient.
Edited 2009-04-01 19:24 UTC
Some of it is not just carelessness. Security bugs usually arise when people have subtle misconceptions about the contracts of the functions they call (or the functions are misspecified). You really can't get anything done if you spend all of your time reading every callgraph down to its leaves.
Microsoft (particularly the Windows team) tries its hardest to catch all of these security defects by banning certain unsafe standards, by encoding the contracts in a static annotation language that is checked by machine before code is allowed into the main branches, and by fuzzing and heavily reviewing parsers, protocols, and externally-facing code. It's still possible to miss something, however.
I wish DJB luck in 'putting the security industry out of business.' I'm afraid though that to truly do that, we'd need to ensure that all network-facing software is written by a small cadre of uber-programmers, reviewed by another set of uber-programmers, and fuzzed/tested extensively. Even if you can get Linux and Windows written by those kinds of people, you still need to deal with the third-party and LOB applications of the world who don't have the same incentives and resources.
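The "subtle misconception about a function's contract" the comment above describes, as an added example that is not part of any post in this thread and not Microsoft's code: a copy routine whose length parameter is a count of wchar_t elements, a correct caller that converts sizeof(buf) to elements, and a helper that shows why a caller who passes sizeof(buf) (bytes) sails past the callee's check with a string that does not actually fit. The SAL-style annotation names (`_Out_writes_z_`, `_In_z_`) are the standard ones from sal.h and are checked by MSVC's /analyze; on other compilers this example defines them as no-ops so it still builds. NAME_CAP and the sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* SAL annotations are real on MSVC (sal.h); elsewhere they are defined as
   no-ops so the example still builds with gcc/clang. They document the
   contract; on MSVC the compiler's /analyze pass checks callers against it. */
#ifdef _MSC_VER
#include <sal.h>
#else
#define _Out_writes_z_(count)
#define _In_z_
#endif

enum { NAME_CAP = 8 };   /* constructed: capacity of the destination, in wchar_t elements */

/* Contract: dst_count is the capacity of dst in ELEMENTS, not bytes.
   Copies src (with its terminator) only if it fits; returns false otherwise. */
bool copy_name(_Out_writes_z_(dst_count) wchar_t *dst, size_t dst_count,
               _In_z_ const wchar_t *src)
{
    size_t n = wcslen(src);
    if (dst_count == 0 || n >= dst_count)   /* need room for n chars plus L'\0' */
        return false;
    memcpy(dst, src, (n + 1) * sizeof(wchar_t));
    return true;
}

/* Correct caller: converts the buffer size to elements before passing it,
   then verifies the copy. Returns false when copy_name rightly refuses. */
bool roundtrip_ok(const wchar_t *src)
{
    wchar_t buf[NAME_CAP];
    if (!copy_name(buf, sizeof(buf) / sizeof(buf[0]), src))
        return false;
    return wcscmp(buf, src) == 0;
}

/* The misconception: a caller passes sizeof(buf) (bytes) where the contract
   asks for elements, overstating capacity by a factor of sizeof(wchar_t).
   This helper only evaluates what copy_name's check would decide for such a
   caller; it deliberately does not perform the copy, which would overflow. */
bool misread_caller_would_overflow(const wchar_t *src)
{
    size_t claimed_count = sizeof(wchar_t[NAME_CAP]);   /* bytes, mistaken for elements */
    size_t n = wcslen(src);
    bool callee_accepts = n < claimed_count;   /* the length check passes... */
    bool fits_for_real  = n < NAME_CAP;        /* ...but the real buffer is smaller */
    return callee_accepts && !fits_for_real;
}
```

With NAME_CAP of 8, a 9-character name is correctly rejected by the element-counting caller, while the byte-counting caller would have been waved through by the very same check; that gap between what the caller believes the parameter means and what the callee requires is exactly what the annotation is there to make mechanically checkable.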
Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place?
Why are there security holes in Debian? Fedora? OS X?
Because all operating systems have holes, and all need patches. Believing that Windows is the only OS with security holes and patches issued is what's lame. Here are some pages. Read them and become at least a little knowledgeable:
List of recent security updates for Debian Stable:
http://www.debian.org/security/
Fedora 8:
https://admin.fedoraproject.org/updates/
OS X:
http://support.apple.com/kb/HT1222
FreeBSD:
http://www.freebsd.org/security/advisories.html
Windows:
http://www.microsoft.com/protect/computer/updates/bulletins/default...
Oh, and please, grow up. I didn't call you any names, I just yelled some common sense at you.
And for fun
OpenBSD ( the uber secure OS)
http://www.openbsd.org/security.html
Yeah, I will blame people for not updating their systems, visiting pr0n and warez sites and then receiving viruses which disable security updates, using pirated Windows, thinking they're smarter than the hacks out there so they don't need anti-virus or updates, etc.
OK, fine, your argument that the hole shouldn't be there in the first place is true, but if we waited until every product was 100% bug-free we'd still be using Windows 1.0, we'd not have moved away from the first kernel release in Linux, and we wouldn't have wonderful products like the iPhone or TiVo.
Might as well go ahead and blame people who notice that the allowed updates *observably* trash their systems more than any malware they perceive.
sbergman27, to be completely honest I have NEVER seen any update from Microsoft that trashes someone's system, either personally or professionally.
I'm in the support field and served years at the desktop level and am currently on the server level and I quite simply haven't seen it happen at all.
Maybe it has happened at some point in time but it's by no way the norm in my experience.
I do recall occasions where patches don't do what they're intended to do, but nothing to the extent where users' systems are trashed.
If it were really a common problem we'd see a lot more media attention, and it'd be far more commonly known within the community of people who actually participate in applying these patches en masse (thousands of machines in my case).
Well, personally and professionally, the number one reason I have heard from people for turning off updates is that a previous one "trashed their system". Maybe it did. Maybe it didn't. But you really can't blame people who feel helpless anyway from taking an "If it works, don't fix it" attitude.
Oh, I have. Anyone remember what happened, initially, when you tried to install IE7 on XP via Windows Update, and you got unlucky enough to have it error out half-way through the installation? That caused one hell of a mess on any system affected. Been there, done that. It was fixed fairly quickly, but not quickly enough to prevent a lot of people's systems from getting screwed up.
Plus, Microsoft's method of releasing updates and additional patches leaves a lot to be desired. What, may I ask, is the point of having .NET Framework and then on top of it have to download hotfixes or service packs (.NET is merely an example here, there are others)? Novel idea, why not, when a service pack is released, repackage the whole thing with the service pack slipstreamed into it? Leave the hotfix up for those who've already installed the base package, but for those who didn't, we wouldn't have to run cycle after cycle of windows update checks to make sure we've got all the patches, meanwhile having to deal with their temporary files that are left over and weren't deleted when they should have been?
I'm not sure what your point is.
You might as well go ahead and blame people who notice that the allowed updates *observably* trash their systems more than any malware they perceive.
Edited 2009-04-01 23:09 UTC
From the story:
Sheesh... Defence and army people should certainly know better. That is simply inexcusable of them, especially as the security hole was patched before the worm got out and all you had to do was keep your machines up to date. And this is not the first time we've read news like this.
Don't the people responsible for the critical army IT systems understand anything about secure computing? What if there was a serious accident with those weapons because of their lax and ignorant attitudes? What if a war broke out and the systems were expected to work? And why on earth don't they use computer systems that are well known to be much less vulnerable to malware? Too much corporate lobbying and pressure in the government and in the defence ministries?
I work as a web dev for the US Air Force and I can tell you exactly what the problem is: the whole chain-of-command issue. What I mean is that a guy like me has to put in a request for something, and the request has to work its way up the chain of command because the first person you asked won't give you an answer for fear of being chewed out by their superior for overstepping authority.
So up and up the request goes, and eventually, down it comes through the chain again once an answer has been given. This takes days, months, even YEARS in some cases. The IT guys in my detachment that I work with have been trying to get everyone to upgrade to IE7 and to delist Firefox as unstable for the work environment. They put that request in quite some time ago, and I can still hear it crawling up the chain ever so slowly...