Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month. On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. Update by Thom: Ars thinks the situation is hot air, mostly, something I agree with (a cracker already has to have login credentials for the flaws to be of any use).
I think we expected hackers to play with Vista to find holes in it, and also Norton and McAfee to advise on the end of the world.
It’s up to Microsoft to either provide updates quickly or not.
It’s up to end users to be sensible or not.
It’s up to IT staff to test and plan ahead or not.
“I think we expected hackers to play with Vista to find holes in it, and also Norton and McAfee to advise on the end of the world.”
You haven’t seen anything yet – and this piece of digital scurf isn’t even out for consumption.
“It’s up to Microsoft to either provide updates quickly or not.”
Oh, you mean like the “zero-day” Word exploit? Haven’t seen a fix yet.
“It’s up to end users to be sensible or not.”
Absolutely! Don’t use MS products, period!
“It’s up to IT staff to test and plan ahead or not.”
Absolutely! Don’t let your users use MS products and for crying out loud, keep it off your servers!
That’s why it’s not a good idea to sell an OS as the most secure OS ever. I’m not exactly sure Microsoft has actually made that promise, but they sure want their customers to think they did. The problem is that if, in spite of this, they get too many flaws, they will lose even more credibility.
Actually, it’s a bit unfair, as the security of an OS will have a lot more to do with how it is managed and used than the actual number of flaws. I have had Windows boxes running for years and have had no trouble at all, but then again, I don’t open every e-mail attachment that happens to come my way, or install cracked software from god knows where, and I have a good external firewall.
It’s true that you will need patches from your OS vendor to deal with some problems, but as all OSes known to man so far have had security problems now and then, good security is to make sure such patches are available in a timely fashion, and that there are simple preferably automated ways of applying them.
It is also a good idea not to use bleeding edge software, but instead wait for service pack 1 or 2 before upgrading to a new version. By then the most obvious problems should have been solved.
My only worry with Vista security is that it to some extent seems to be more important to protect content providers from the user, rather than protecting the content of the user. There is nothing wrong with protecting premium media, as long as people are willing to pay for it. The problem is that these systems could be primary targets to create denial of service attacks at a scale that was not possible with previous versions of Windows.
Edited 2006-12-27 02:17
The thing here that gets me and a LOT of other people is the fact that MS has more money than GOD, but makes a product that is not more secure than products that are put out by people with NO money. (Like many versions of Linux)
This also shows that the number of Windows installs has NOTHING to do with the flaws found. Right now there are not many installs of Vista out there, yet major flaws are already being found. As the installs go up so will the number of flaws.
It also shocks me that with all the testing they do, it is NEVER MS that finds the major flaws.
Software development is complex.
Microsoft windows is hugely overly complex with so many integrated parts.
Linux is a kernel. It’s small compared to the whole system. There are plenty of programs that run on a Linux system that provide holes for privilege escalation.
We all know the excuse that software development is complex, yadda, yadda, yadda.
And we ALL know that “Linux” is a kernel.
Here is the question: please list those “plenty of programs” that are included in desktop Linux distros that provide holes for privilege escalation.
Since Vista is a “desktop” OS, let’s not compare apples to oranges.
The other funny thing is that most of the programs you are probably thinking of, like PHP, a lot of times have the same issues on Windows Server.
There’s always ImageMagick. You open a jpeg and have your hard drive deleted (they may have fixed that one, but it was unpatched for about a year).
I was reading the other day that The AOL National Cyber Security Alliance Online Safety Study from 2005 determined that 80% of Windows users were infected by at least one spyware/adware hack, crack.
That is crazy!
There’s always ImageMagick. You open a jpeg and have your hard drive deleted (they may have fixed that one, but it was unpatched for about a year).
I suppose you are thinking of the CVE-2005-0005 bug. It has been fixed in most Linux distros by now.
You should also realize that this bug allows for executing arbitrary commands, but it still does not elevate privileges, so you would need to run as root to erase your entire hard drive.
If you have a proper SELinux policy set up, then you could prevent execution altogether, even when the bug is present.
Bugs like this are bad, but please don’t make it sound worse than what it actually is.
It also illustrates the importance of using independent layers of security. If one layer fails there should be other layers left to keep you safe.
There are some major differences between Windows and the rest of the world. The first is that most open source apps have a very fast development cycle, with regular releases. Also, most Linux distros handle these agile release cycles via a package management system that can sync to a managed repository in order to update the system. These two factors shrink the attack window and administration hassles of average installations that are kept updated.
Of course each complex product has its flaws.
Linux as a system, not as a kernel only, also is a very complex product. There aren’t that many privilege escalations out there, even while open source.
The fact that MS is being used on more systems does not directly mean that more used = more hacks. In fact, Apache vs IIS for instance shows that it doesn’t have to be true.
There are a lot of people looking at the Linux code (complete, not the kernel) and bugs are found quicker, fixed quicker and don’t have adverse side-effects as often as what MS does.
I think that one of the biggest problems MS has is the way it develops code; many parts haven’t even been developed at first by MS itself; their revision control system has quite a few problems — it sometimes takes 4 months to get a piece of code mainstream after it has been checked out. This causes a lot of problems.
What the biggest problem of MS is in my opinion: they state so much about security and time after time, they fail to deliver. It wouldn’t be big news if MS hadn’t told us about their most secure OS.
If MS wants to have a better OS, they should do a few things like
having external code reviews and being able to build the code by the reviewers.
So far MS again has done it — tell people how good they are and the people will just show how wrong they are.
edit: changed ‘the’ in ‘their’ to clarify more.
Edited 2006-12-27 10:36
//It wouldn’t be big news if MS hadn’t told us about the most secure os. //
Actually, Microsoft didn’t say that. Not at all.
What they said was that Vista is the most secure Windows OS ever.
I suppose there is even some truth in that, because there is less malware right now for Vista than there is for any other Windows OS.
Mind you, you can also probably say that there is less malware right now for both Mac OSX and GNU/Linux than there is for Vista.
It does not seem to be about money. It’s more to do with work ethic/culture (I’m unsure of the right word).
For instance Toyota’s value is “Constant improvement” etc.
Edited 2006-12-27 02:38
You know, I’m not a Microsoft fanboy, but this is really tiresome. Your post displays blatant and massive bias, and you are freely pulling your conclusions out of thin air…
In other words, you’re trolling.
Then refute “Windows Sucks”’s statements.
So speak to the contrary instead of playing the very played-out “troll” card. That’s what’s, in fact, tiresome.
Maybe his drawn conclusions are inaccurate, but at least he’s drawing some. You’re just sitting there spewing “troll” and getting modded up for it by the rest of those with no thoughts of their own.
He’s spewing ‘troll’ because he’s right. The post he replied to had no useful information in it whatsoever. Refute what? There was hardly anything in it worth responding to. If it walks like a troll, and talks like a troll…
Hmmmm, I don’t know, is GNU/Linux really that much more secure than properly locked-down and patched Windows >=2000? Or is it just that hackers and big security firms with thousands of engineers focus on Windows because it had more users in many fields? What if 95% of the world ran Linux? Remember when Debian got hacked?
One thing is for sure, Microsoft has made some really stupid decisions that adversely affect security, and they should have been obvious. Like default enabling guest accounts (Windows 2000, I think) and making users Administrators by default.
//Hmmmm, I don’t know, is GNU/Linux really that much more secure than properly locked-down and patched Windows >=2000? //
Why do you feel it necessary to compare an unspecified GNU/Linux with a “properly locked-down and patched Windows >=2000”? Why not compare with a “properly locked-down and patched GNU/Linux” … say with SELinux extensions installed.
No comparison. Linux is immeasurably more secure than Windows by any measure.
//Or is it just that hackers and big security firms with thousands of engineers focus on Windows because it had more users in many fields?//
Why not just assume the obvious … hackers attack Windows for two reasons, not one … the first is that there is a large installed base of Windows machines, but the second is that Windows is immeasurably easier to hack.
//What if 95% of the world ran Linux? Remember when Debian got hacked? //
The Debian hacks to which you refer were weak passwords. Someone managed to log on as a Debian developer by guessing a password. Any OS can be breached in this fundamental way. The hacker did no damage, and did not achieve privilege escalation before he was kicked off the system.
//Like default enabling guest accounts (Windows 2000, I think) and making users Administrators by default.//
Those are bad choices, but not the worst. The worst security decision in Windows is that the execute permission of files is determined only by the three letters of the file’s extension. Files with no pedigree at all on a Windows system (could have come from anywhere) are nevertheless happily executed by Windows. This design choice was made with DOS, and has been maintained ever since for reasons of backwards compatibility. While this remains (and it still does with Vista), Windows security is fundamentally borked. By design.
“Those are bad choices, but not the worst. The worst security decision in Windows is that the execute permission of files is determined only by the three letters of the file’s extension. Files with no pedigree at all on a Windows system (could have come from anywhere) are nevertheless happily executed by Windows. This design choice was made with DOS, and has been maintained ever since for reasons of backwards compatibility.”
And to protect the innocent customers, MS also decided not to show the extensions because they are not needed by customers. So click… huh? This was a screensaver that actually was something else? Or that jpeg was an executable?
Indeed borked by design.
nail on the head……
Most users do not know what .pif, .bat, .scr and .com files are.
Savvy users are fine, they know how to enable Windows to show extensions, but Joe Downloader doesn’t.
He blindly clicks everything… ooooh cool emoticons, I’ll have them… ooooh free screensaver, I’ll have that, jay-lo nudies, gimme gimme etc etc.
Microsoft tried to simplify computer use; they succeeded a bit too well, as now any simpleton can screw up a machine.
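The two posts above make one mechanical point: Windows decides whether a file is executable from its final extension, while Explorer’s default of hiding known extensions means “photo.jpg.scr” is shown as “photo.jpg”. The following Python is an added example, not code from the thread or from Microsoft; it models that rule, contrasts it with the Unix mode-bit rule, and gives a defender-side check that flags names whose displayed form looks like a document while the real extension is executable. The extension lists and sample file names are constructed for illustration (modelled on the .pif, .bat, .scr and .com types the post names, plus .exe and .cmd).

```python
"""Added example (not from the thread): extension-based executability versus
mode-bit executability, and a check for names disguised by hidden extensions.
Lists and sample names below are constructed for illustration."""
import os
import stat

# Constructed list of extensions Windows treats as executable; the thread
# itself names .pif, .bat, .scr and .com.
WINDOWS_EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
# Constructed list of "document-looking" extensions a user would not fear.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def windows_is_executable(name):
    """Windows rule as described in the post: only the final extension counts."""
    return os.path.splitext(name)[1].lower() in WINDOWS_EXECUTABLE_EXTS


def unix_is_executable(mode):
    """Unix rule: the name is irrelevant; the execute bits in the mode decide."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def displayed_name(name, hide_known_extensions=True):
    """What the file browser shows when known extensions are hidden:
    the last, recognised extension is dropped and the rest is kept."""
    base, ext = os.path.splitext(name)
    known = WINDOWS_EXECUTABLE_EXTS | DOCUMENT_EXTS
    if hide_known_extensions and ext.lower() in known:
        return base
    return name


def looks_like_document_but_executes(name):
    """Defender check: the displayed name ends in a document extension while
    the real final extension is one Windows would execute."""
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    return windows_is_executable(name) and shown_ext in DOCUMENT_EXTS


def find_disguised(names):
    """Return the subset of names that would mislead a user with hidden extensions."""
    return [n for n in names if looks_like_document_but_executes(n)]


# Constructed sample attachment names.
SAMPLE_NAMES = ["photo.jpg.scr", "Invoice.PDF.exe", "report.pdf",
                "setup.exe", "readme", "holiday.png"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:18} shown as {displayed_name(n):14} "
              f"executable={windows_is_executable(n)} "
              f"disguised={looks_like_document_but_executes(n)}")
    print("disguised:", find_disguised(SAMPLE_NAMES))
    print("unix 0o644 executable:", unix_is_executable(0o644),
          "| 0o755 executable:", unix_is_executable(0o755))
```

Running it lists `photo.jpg.scr` and `Invoice.PDF.exe` as disguised, while `setup.exe` is executable but not disguised (it is shown as `setup`, which does not look like a document) and `report.pdf` is simply a document. The Unix comparison shows the same name being executable or not purely on the mode bits.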
Hmmmm, I don’t know, is GNU/Linux really that much more secure than properly locked-down and patched Windows >=2000?
There are a few things to factor in to answer that:
1) Theoretical security
2) Practical security
3) Real world users.
If we look at it from the theoretical point of view, Linux is far more secure than any version of Windows. The reason for this is that it supports mandatory access control. In such systems anything that is not explicitly allowed is forbidden. E.g. it is totally possible to prevent Firefox, or something that has been downloaded with or started from Firefox, from altering, reading or even seeing files or folders that have been created with other applications, and that even if Firefox runs as root (the Unix/Linux equivalent of Administrator in Windows).
Then there is also traditional Unix security, such as chrooting, and intelligent use of POSIX ACLs. As the SELinux mandatory access control system and traditional Unix security work more or less independently of each other, the chance of penetration is lessened significantly.
E.g. if you can break SELinux with probability p, and break normal Linux security with probability q, the probability of getting a penetration will be p*q if you have that extra layer, as they are independent events.
If we look at it from a practical point of view, the high level of security available in Linux is quite hard to configure. To get it right you need knowledge that most Linux admins don’t have. So chances are that they resort to traditional Unix security measures.
Some Linux distros like Fedora try to provide good default SELinux policies, but as they are more or less one size fits all, they have to be more lax than they should be if you were to make full use of the SELinux protection potential; but even so they will offer quite good protection, provided they are turned on.
Last we have the factor of real world users. Real world users will try to make their work as easy as possible. This means that they are going to turn off things that ask them for passwords or deny them certain things they feel they should be able to do, even if that is insecure behavior. This will happen regardless of whether you run some version of Windows or Linux.
The problem with earlier Windows versions was that the easiest way to get things to work was to run as Administrator.
So, in the end, the security of your Linux system will be much more dependent on your sysadmin’s level of paranoia and level of education than on the fact that you are running Linux.
One thing is clear: with the right skills you can get a very high level of security with Linux. However, secure systems usually are a hassle to use (regardless of which OS provides the security). So in the end you will need to ask yourself whether the things you want to protect are worth all the trouble that the level of security creates.
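The post above (and the earlier reply about the ImageMagick bug) makes two points that a small model can make concrete: under a default-deny, label-based policy the decision depends on the subject’s domain and the object’s type rather than on the user id, so running as root does not let a confined browser reach files it has no rule for; and when two independent layers both have to fail, the chance of a full penetration is the product p*q. The Python below is an added example, not code from the thread and not real SELinux policy: the domain and type names, the allow rules and the sample files are constructed for illustration, and the discretionary check omits group bits for brevity.

```python
"""Added example (not from the thread): a toy default-deny label layer on top
of a toy Unix discretionary layer, plus the product rule for independent
layers.  Domains, types, rules and sample files are constructed."""
from math import prod

# Constructed allow rules: (subject_domain, object_type, permission).
# Anything absent from this set is denied: that is the default-deny property.
ALLOW = {
    ("firefox_t", "firefox_download_t", "read"),
    ("firefox_t", "firefox_download_t", "write"),
    ("editor_t", "user_home_t", "read"),
    ("editor_t", "user_home_t", "write"),
}

PERM_BITS = {"read": 4, "write": 2, "execute": 1}


def mac_allows(domain, obj_type, perm):
    """Label-based layer: allowed only if an explicit rule exists.
    Note that the user id is not even an input here."""
    return (domain, obj_type, perm) in ALLOW


def dac_allows(uid, owner_uid, mode, perm):
    """Classic Unix layer (group bits omitted for brevity): uid 0 bypasses
    the check, the owner is judged by the 'user' bits, everyone else by
    the 'other' bits."""
    if uid == 0:
        return True
    shift = 6 if uid == owner_uid else 0
    return bool((mode >> shift) & PERM_BITS[perm])


def access_allowed(uid, domain, file_info, perm):
    """Both layers must agree.  DAC's root bypass says nothing about the
    label layer, so a root process confined to firefox_t still cannot
    read a user_home_t file."""
    return (dac_allows(uid, file_info["owner"], file_info["mode"], perm)
            and mac_allows(domain, file_info["type"], perm))


def breach_probability(layer_break_probs):
    """Chance that every independent layer is broken: the product of the
    per-layer probabilities (p * q for two layers, as in the post)."""
    return prod(layer_break_probs)


# Constructed sample objects: a private document and a browser download.
HOME_DOC = {"owner": 1000, "mode": 0o600, "type": "user_home_t"}
DOWNLOAD = {"owner": 1000, "mode": 0o644, "type": "firefox_download_t"}

if __name__ == "__main__":
    cases = [
        (0, "firefox_t", HOME_DOC, "read"),      # root, but no label rule
        (1000, "editor_t", HOME_DOC, "read"),    # owner, in the right domain
        (1001, "editor_t", HOME_DOC, "read"),    # another user: DAC denies
        (1000, "firefox_t", DOWNLOAD, "write"),  # browser writing its own download
    ]
    for uid, domain, f, perm in cases:
        print(f"uid={uid:<5}{domain:<10}{f['type']:<20}{perm:<6}->",
              access_allowed(uid, domain, f, perm))
    print("p=0.1, q=0.05 -> joint breach probability",
          breach_probability([0.1, 0.05]))
```

The first case is the one the post describes: the discretionary layer waves root through, but the label layer has no rule for `firefox_t` reading `user_home_t`, so the request fails. The probability helper takes any number of layers, so it generalises the two-layer p*q in the post to a whole chain of independent controls; the caveat, also implicit in the post, is that the product only holds when the layers really are independent.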
“This also shows that that amount of Windows installs has NOTHING to do with the flaws found. Right now there are not many installs of Vista out there yet major flaws are already being found. As the installs go up so will the number of flaws. “
———–
Are you really so naive as to think that the security researchers aren’t spending orders of magnitude more time and effort trying to break Vista than they are trying to break for instance, the “Final Amiga OS Update” that was just released? Get real.
Wait, I just noticed your user name is “Windows Sucks”. I was going to address your other points (feeble as they are), but with a name like “Windows Sucks”, I don’t feel like wasting any more time on you. (Does this site have an “Ignore user” feature?)
Edited 2006-12-27 04:18
@MollyC your love of Microsoft products is well known. I see little difference from your posts to windows sucks.
Linux is not Amiga; Linux is Linux. Linux is quite common as a web server I believe, and quite common as a server in general. You, I know, are aware of such arguments.
The fact that cracks are already showing in Vista’s security when it has, as yet, such a small user base (say, the size of the Linux user base) shows that things do not look promising.
The simple fact that it is more common and therefore a better target is not a good enough excuse. It may be cause for a complaint about Microsoft being a monopoly, but I’m sure that’s not your point.
Edited 2006-12-27 04:28
First, what you interpret as my “love of Microsoft products” is simply my attempts to counter the anti-MS FUD that goes on here 24/7. I’m typing this on my Powerbook, BTW. If Apple were being bashed 24/7 then I’d be defending them and you’d interpret that as my “love of Apple”. But Apple needs no defense around these parts.
And sorry, anyone that goes around with a “Windows Sucks” or “Linux Sucks” username is not to be regarded with any seriousness. You’ll find that my posts have some substance. If you really see no difference between my and “Windows Sucks”‘s posts, that’s on you, not me.
And you can’t convince me that security researchers are spending more effort trying to break Linux than Vista, regardless of Linux’ share in servers. Do you really believe that Linux is under the same or greater scrutiny than Vista is at this point?
People’s colours are easy to spot; they normally start with “I use Ubuntu at home” or “I’m an Apple user”. It fools nobody. At least “Windows Sucks” has the courage to show his convictions without hiding behind a smokescreen.
FUD is a weak term for something quite specific. This is not relevant here. What has happened here is nothing to do with security, which is *really* *really* hard to do even by experts, especially when the source is only available to Microsoft and the Bad Guys (sic). It’s to do with marketing Vista: because it has much less of an impact than the transition from DOS–>Win 3.1 (WIMP)–>95 (real WIMP)–>NT based OS, they are selling it on security. It was a dumb marketing move.
I am 100% certain that Linux has had 20 years of security research on it, and has been *used* for as long; Vista only hits the streets 1st Feb (sic). It will be a long time before it dethrones XP.
Edited 2006-12-27 05:20
“Peoples colours are easy to spot they normally start with I us Ubuntu at home or I’m an Apple user. It fools nobody. At least “Windows Sucks” has at least the courage to show his convictions without hiding behind a smokescreen. “
Are you seriously calling me a liar when I say that I’m using my Powerbook to read and post to this thread? I’ve been using Macs since 1986 (Windows since 1991, though not at home until 2000; my current home computers are one XP desktop and my Mac Powerbook). I don’t worship the ground that Steve Jobs walks on, but I’ll put my Mac user credentials up against anyone’s.
And what “smokescreen” am I hiding behind? I already said that much of my time spent here is countering the constant anti-MS FUD, so my agenda regarding that is clear and openly stated. If there were not the constant FUD, then I wouldn’t spend time countering it. And one of my ways of countering it is pointing out the foibles of Apple, because A) pointing out areas where the beloved Apple is as culpable as the hated Microsoft puts things in perspective; and B) I’m knowledgeable enough to use Apple in that manner. The only reason I said that I’m using a Mac is that you implied that I’m a Microsoft fanboy and would automatically prefer their products over anything else.
Maybe it’s you that has the “smokescreen”. You normally come off as the “objective, impartial analyst”, but maybe you’re actually just one more anti-MS fanboy, but just more subtle. Maybe you should change your user name to “Microsoft sucks” so your agenda will be as clear as “Windows Sucks” is. Hey, if you get off accusing me of having hidden agendas, then we can both play that game.
“I am 100% certain that Linux has has 20 years of security research on it, and has been *used* for as long; Vista only hits the streets 1st feb(sic). It will be a long time before it dethrones XP. “
Linux isn’t even 20 years old yet, so I don’t know what 20 years of security research you’re talking about, much less how Linux “has been used for as long”.
Liar is a better word than fud. I have made my opinions *very* clear. I will not go around in circles.
I look for your posts, *you* are simply better at making them than me, but I have no doubt about your bias. Anyone can check your earlier posts.
GNU foundation started 1983. In reality Unix was developed in the 60’s. I’m not going to play the definition game of Linux with you, because you know for certain it’s been around an awful lot longer than an OS that’s not been released yet. Although I am happy for you to argue the point. Even if you focus on *just* the kernel, then that would be 15 years vs -1 month.
“Liar is a better word than fud.”
So, you are indeed calling me a liar when I say that I’m using a Mac, or not? Speak plainly, if you have the guts (not that it takes much guts to anonymously call someone a liar over the internet in the first place), but be prepared to back up your accusations (i.e. show evidence that I don’t use a Mac). And if you can’t back them up, then don’t make the charge in the first place.
Speaking of FUD, I see that osnews’s summary has been updated to refer to the arstechnica article showing that the NY Times article is indeed classic FUD of the first order.
http://arstechnica.com/news.ars/post/20061227-8499.html
And the arstechnica comments thread indicates that most agree that the article is indeed FUD.
And the betanews article cited earlier in this thread also shows the article to be FUD.
Which goes to show that you (sadly, since you’re usually more reasonable) and others jumped on the NY Times article prematurely, so anxious were you to declare that Vista is no more secure than XP. You, in particular, accused me of not dealing with the article’s issue directly, when you didn’t deal with it either, other than taking it at face value and running with it like it was Gospel. You even went so far as to suggest that the problem compromised IE7’s sandbox, with no evidence of that whatsoever. Well, how now, that it’s been shown to be FUD?
“So, you are indeed calling me a liar when I say that I’m using a Mac.”
No I didn’t, I would say what you are doing is *misdirection* which is a common theme in your posts. You have actually changed the spin to mean something else. I admire that.
What I said regarding your mac, is you mention it to hide a “pro-microsoft bias”. *Only* People who are doing this ever mention their OS, unless its to make some other point relevant like the article. Which you didn’t and it wasn’t.
You used FUD to refer to the “anti-microsoft” (sic) posts in this thread… now it’s to do with the article. I love these switches being made. Having read your new URL, which is irrelevant to all of mine… and yours, I see two things of interest.
A)The flaw is found in many versions of windows….which doesn’t sound very ground-up to me.
B) The user has to run a malicious piece of code… well, users are well known for not running naughty code on their computers. They never run anything from their e-mail they are not expecting or, heaven forbid, warez.
Again, read my posts: Vista is not bulletproof. I’m more interested in:
A) how many flaws are discovered.
B) how quickly they are patched.
The fact that it will have flaws and they will be discovered for years is of little interest.
Edited 2006-12-28 00:27
Linux isn’t even 20 years old yet, so I don’t know what 20 years of security research you’re talking about, much less how Linux “has been used for as long”.
If you actually mean Linux, the kernel, and not GNU/Linux, the OS, you are right, but if we should compare to windows or MacOS-X we need compare them to GNU/Linux or we would compare apples to oranges.
GNU/Linux is a clone of Unix, so in theory it would benefit from security research done for Unix, even prior to the birth of the Linux kernel. For one thing it has inherited the concept of having many small programs, that do one thing well, working together to build the full system, and some of the GNU tools that are used in GNU/Linux have a longer history than the kernel itself.
Having small programs that do one thing well instead of large monolithic packages makes it easier to debug and verify the correct functionality of Unix-like systems like Linux.
Other than that, I think it doesn’t really matter if you have 20 years of research behind you or not. Most of the threats we see today are related to the internet, and that was not a factor 20 years ago, so whatever research was done back then may not be all that relevant to the computing landscape of today.
To be completely fair you should also mention that Windows NT and its successors were heavily inspired by VMS, so even Windows would have a long history to fall back on.
In the end what matters is that we are aware of whatever security deficiencies and risks are associated with the systems we run, and that we find ways to work around them to get a security level that fits our needs.
I’m certain that windows is not a clone of VMS, the link to VMS is simply Microsoft used the same engineers.
You can argue that the internet changed things…and it did. Always on machines networked to the world, but Unix has always been designed as multi-user networked OS.
The lie I was trying to dispel was simply that Vista has had a stack of research done on it and Linux has none. Which is simply untrue.
It’s especially difficult to judge when you have discussions of whether Vista’s “rewrote from the ground-up” (sic) vs the security-fixed old stuff.
Linux isn’t even 20 years old yet, so I don’t know what 20 years of security research you’re talking about, much less how Linux “has been used for as long”.
I am not sure what the original poster meant to say, but I think he meant that Unix is over 20 years old. Linux is a free Unix-based system and a lot of its applications are actually very mature. Usually mature software translates into more security, but even under Linux, the system can only be as secure as its weakest spot.
Edited 2006-12-27 18:05
The Linux kernel was first worked on in 1991, 2 years before Windows NT came out.
So even though it’s not 20 years old, it’s as old as the NT kernel. (If you don’t include all the cross-OS/2 APIs used in Windows NT)
But when you say 20 years, remember that most of the design ideas in the Linux kernel are based on Unix standards. Even though not Unix and there is no Unix code (That might not be 100% true) It still uses tried and true security standards and design standards that have been well used and abused in Unix.
And you can’t convince me that security researchers are spending more effort trying to break Linux than Vista, regardless of Linux’ share in servers. Do you really believe that Linux is under the same or greater scrutiny than Vista is at this point?
That is a valid point *but* MS only has itself to blame for the actual vulnerabilities. Either they are there or not…the added scrutiny only makes them come out faster.
If MS wants less scrutiny over its OSes, there’s one thing it can do right now: release Office for Linux, and stop trying to defend its desktop OS monopoly so much. If popularity is what makes Windows effectively less secure (and that seems to be the reasoning behind your position), then reducing the platform’s popularity is a good way to increase its effective security.
In other words, you should help make Windows more secure by promoting Linux… 🙂
Yes, I have a very biased opinion. And anyone on here who has a different opinion can state it. People jump on me for being biased but then don’t bring any facts to dispute what I say, they just jump on me. Which is all fine and well, I am a big boy and I can handle it!
The thing here that I am making a point of is that the new excuse for Windows is that it’s so complex that it is bound to have holes! Ok and when it was less complex it was more secure??? LOL! NOOOOOOO. It was even LESS secure. SO being complex is no excuse. Even when MS didn’t have 90% of the desktop market they had problems. Back in the dos days you had to run scared of your friends floppy disks cause they may have gotten a virus from a BBS. (And yes so did Mac OS)
Oh and the other excuse is that MS is so much more popular than *.NIX operating systems that there is WAY more research done on Windows than anything else. Hummmmm. I think the reality is two fold: one, they know by showing holes in Windows they can sell their products, and two, people love to show up a bragger with flashy marketing.
Anyway last time I looked the world ran on *.NIX! The Internet is based on Unix and Linux machines. Most Web sites are hosted on Unix or Linux, the main DNS servers are on Unix, most routers and switches are based on Unix or Linux, firewalls are based on Unix or Linux, Wireless routers etc, etc. And most companies that make their money off the net (Including Microsoft for Hotmail and for their DNS) use UNIX and LINUX! It’s very simple.
It’s why MS has 400 Linux machines in a research lab and Red Hat has 0. It’s Why Windows security and user permissions are becoming more Unix like, not vice versa.
It’s why MS uses LDAP in Active Directory (copied from the UNIX world! Banyan to be exact) and why MS recruited Jim Allchin, who was a UNIX man and helped create Banyan VINES (based on LDAP), to MS.
I am sorry to say but no matter how much money MS makes and how flashy their marketing is, *.NIX will always be there and be depended on as the real work horse. It was there way before MS and will be there long after. (Linux included)
Forgot to add:
and I am SURE as much if not more research is done on *.NIX based platforms as a whole then on Windows.
Just remember MS is about making money, they could care less about the users security! The only reason they have even made Windows more secure is because of their Rep. Their rep was getting tarnished every other day at one point. And that was hurting their bottom line! Making people look at Linux.
Not exactly
Microsoft has completed switching the Hotmail servers over to IIS. Although this is reflecting badly in system speed and uptime, and an increasing amount of spam, even from accounts that have not been used. Figure that one out….
Also, keep a watch on Netcraft for microsoft.com servers being hosted on Linux servers each time there is a perceived threat from a Windows worm about to hit. Although a lot of people around here claim that Microsoft use a 3rd party, and it is the 3rd party that uses Linux, none of them can answer WHY?
“Also, keep a watch on Netcraft for microsoft.com servers being hosted on Linux servers each time there is a perceived threat from a Windows worm about to hit. Although a lot of people around here claim that Microsoft use a 3rd party, and it is the 3rd party that uses Linux, none of them can answer WHY?”
I seem to remember that MS turn to Akamai to deliver their website when the need arises – and Akamai’s servers run Linux.
I do not believe it’s a true statement (and MS has not made it) that Hotmail is 100% IIS.
Netcraft is not a valid place to get info on this, as you will find out using Netcraft that a lot of companies mask behind firewalls and other IDS tools what they are actually running on the machines serving the data.
Also it’s been long reported that for almost all their downloading for Windows Update etc plus most of their DNS they use Akamai which has a distributed network of Linux servers (20 + thousand Linux servers)
As Google has shown it’s easy to throw up and make a custom version of Linux for tasks like this.
My understanding of what Microsoft used as the basis for Active Directory is somewhat different than what you have said. I could be wrong but I remember Microsoft and Novell signing a technology agreement in the 1990’s in which Microsoft was trying to figure out problems they were having with AD and that working with Novell they might get the answers to. It is my recollection that Microsoft abruptly terminated the agreement and announced Active Directory to the world.
As someone who has actually administered both Banyan Vines and Novell NetWare, it only makes sense that Microsoft would use NetWare as the basis for AD. We used Banyan Vines version 5.54 until we transitioned to Windows NT. StreetTalk was ancient feature-wise compared to NetWare Directory Services (NDS), and the graphical tools Banyan packaged with StreetTalk were not very good compared to those shipped with NetWare. We used CLI tools exclusively because of the quality of the Banyan tools. Novell basically had “plug and play LDAP” and for the most part it worked as advertised. Since Microsoft would have wanted graphical tools to manage AD and want plug and play capabilities, I think they used Novell rather than Banyan Vines.
This page on Microsoft’s web site about Jim doesn’t even mention Active Directory:
http://www.microsoft.com/presspass/exec/jim/default.mspx
Actually I also was a Banyan Admin for the Federal Government and did two Banyan to NT migrations. And I am a Novell 4 CNA, so I have worked with both also.
When Allchin went to Microsoft he helped create the Migration tools to move from Banyan to NT.
Even in looking around the net, searching MS, Novell etc., I find no mention from anywhere that MS worked with Novell in any way (even to steal) when creating Active Directory.
The only real link between directory services and MS is people we know for sure went from Banyan to MS in the late 90’s (Allchin not being the only person, just the most important).
Indeed. My main pet peeve with the way Windows is marketed is that it blurs to the point of eliminating the distinction between system administration and system usage. Microsoft’s marketing (and sadly for a long time also development) strategy relies inherently on the (unspoken) assumption that administering a system is easy, which of course it is not. This is the root cause of Windows’ security problems, and I frankly don’t see how Microsoft could possibly fix this without sacrificing backwards compatibility – which is their main lock-in tool.
In short – they made their bed, and now they have to sleep in it. I wouldn’t shed too many tears over this, were it not for the fact that the Windows ecology affects us all, whether we use it or not.
That’s why it’s not a good idea to sell an OS as the most secure OS ever. I’m not exactly sure Microsoft actually have made that promise, but they sure want their customers to think they did. The problem is, that if they in spite of this get too many flaws, they will lose even more credibility.
They’ve never said that about their consumer operating system – they’ve said it is the most secure WINDOWS operating system yet, and when compared to Windows XP; it is MORE secure.
At the end of the day, end users don’t make purchasing decisions based on ‘security’ – they make those decisions on whether their favourite game or time wasting applet will work on ‘the operating system’ – if it were all security, no one would be running Windows.
Where Microsoft is touting ‘security’ when compared to other operating systems is in the server space; where purchasing, deployment and so forth decisions are made by professionals – it’s a nice ‘eye grabber’ when handing out the flyers and leaflets at their hypefeasts; which seem to have more BS than the local evangelical meet-up.
Compared to Linux and other operating systems, Windows 2003 so far has actually been pretty damn secure; there hasn’t been one major security outbreak like there was with Windows 2000, they’re gaining customers, both from *NIX/Linux and old Windows customers – so actually, on the server security front, they’re not going too badly.
For me, I’d wait till Service Pack 1, which will be released at the same time as Windows Vista Server (or whatever it is called at the time) – basically, it’ll be Windows Vista Server, but with the server components ripped out – what that should mean, hopefully, is a ‘server grade’ security – basically, Microsoft will use the client end as guinea pigs for their server product.
Although Windows Vista will be a much more secure product than Windows XP, I certainly wouldn’t go so far as to say it is superior to anything else; at the most, it brings it up to par, in terms of security, with MacOS X and *NIX; it’ll require a lot of work to get past them.
Edited 2006-12-27 04:12
“Although Windows Vista will be a much more secure product than Windows XP, I certainly wouldn’t go so far as to say it is superior to anything else; at the most, it brings it up to par, in terms of security, with MacOS X and *NIX; it’ll require a lot of work to get past them.”
————–
I don’t know that OSX is so much more secure. I install security updates regularly for my Mac. And looking at the Security Updates that Apple has released since Jan 2005, I see that Apple releases them nearly every month. (Not each and every month, but sometimes multiple times per month, so it averages out to close to once per month.)
http://docs.info.apple.com/article.html?artnum=61798
And some of those Security Updates are huge; I recall one that patched 40+ flaws, and two others that patched 20+ flaws. And I’m guessing that security researchers spend way more time trying to find Windows holes than they do OSX holes. If they spent the same amount of time trying to break OSX as they do Windows, who knows? It’s not like Apple’s programmers are immune to buffer overflows (particularly since they moved to Intel (I’ve read that stack overflows are easier to exploit on Intel than PPC)).
The only “by design” thing that I’ve seen on OSX that makes it “inherently” more secure than XP SP2 is that on OSX, even when running as admin, you have to go through authentication dialogs in order to alter system settings. Vista’s getting that, so I don’t know where else OSX would be *inherently* more secure. Simple bugs (like buffer overflows) can be present in either OS.
On the other hand, I do see a couple things that Windows does to enhance security that OSX lacks:
* First, Windows checks digital sigs of any app that the user downloads, and displays that info to the user when the user runs the app (info such as whether the app has a digital sig, whether it’s valid, and the digital sig itself). And if the app doesn’t have a digital sig, or has an invalid one, the user is warned, with the default button being Cancel rather than Run. OSX runs any app you download without checking any digital sig whatsoever.
* Second, IE7 on Vista runs in a sandbox, isolated from the rest of the system, so exploits in IE (e.g. buffer overflows) can’t access the system or user data.
I’m just not convinced that OSX is inherently more secure. That Apple frequently releases Security Updates is evidence that the holes are there aplenty. Nobody is bothering to exploit them, though. So while I’m not convinced that OSX is inherently more secure, it is more secure in practice.
Edited 2006-12-27 05:02
@MollyC you’ve moved from Amiga to Linux to Apple. I do find it interesting that you never actually focus on the issue.
I know *nothing* of Apple security, but it seems that they patch it. Same is true of Linux or even Windows. I must have missed that point. Patching is good and IMO more newsworthy.
From your post you clearly lack enough insight to make a comparison. I do find it slightly amusing that you point out the new security feature of IE7 that this very article talks about compromising.
As I said I don’t want to hear excuses.
Edited 2006-12-27 04:58
What are you talking about?
If there’s a bug, there’s a bug. It gets fixed.
I’m concerned with design flaws, not buffer overflows, misparsed input strings, and the like. Unless you’re saying that other OSes don’t have similar issues.
Other posts in this thread have already dismissed the IE7 issue as FUD (by citing betanews.com’s analysis – there’s certainly a serious crashing bug there due to an old feature of the MessageBox function, but no security hole, and nothing related to IE7). But even if there were some bug regarding IE7’s sandboxing, it gets fixed and we move on. There have been privilege escalation bugs in OSX. Does that mean that the entire concept of OS privileges is flawed? No. It means that Apple issues a Security Update to fix the problem.
Look. XP was released with inherent problems. First, unnecessary services were turned on out of the box. Second, the firewall it shipped with sucked (it would block local network activity) and therefore wasn’t turned on by default. IE had idiotic “zones” that allowed for cross site scripting exploits. There were a bunch of other problems as well. These were not simply bugs, but design issues and poor choices that Microsoft made. XP SP2 fixed those (and added other security enhancements), so what we’re left with is largely bugs (buffer overflows and the like), that are easily addressed with security updates. That’s why there have been none of the massive malware outbreaks (like Blaster, Sasser, etc (I forget their exact names)) since XP SP2 that we had with XP and XP SP1.
XP SP2 still has the general problem that most users run as admin with full admin rights. Vista’s addressing that. I’m not sure what more you want. I’m not going to say, “IE7’s sandboxing concept sucks!!” if that’s what you’re looking for.
Edited 2006-12-27 05:30
You’re absolutely right. IE6 had bugs and we just moved on; we don’t have the majority of machines infected with all kinds of malware.
I’m bored with the “the old was bad, the new is good” rubbish. Seriously, nobody buys that when *Microsoft* says it.
The truth is IE7 should not be included with Vista, and Internet Explorer should be removed from all Microsoft products.
//There were a bunch of other problems as well. These were not simply bugs, but design issues and poor choices that Microsoft made. XP SP2 fixed those (and added other security enhancements), so what we’re left with is largely bugs (buffer overflows and the like), that are easily addressed with security updates. That’s why there have been none of the massive malware outbreaks (like Blaster, Sasser, etc (I forget their exact names)) since XP SP2 that we had with XP and XP SP1. //
The poor security design of Windows is not fixed in XP SP2. It is not fixed in Vista.
The essential design of the Windows API is a design for a single-user non-networked computer. The win32 API was first introduced in Windows 95, and is essentially still in use to this day. Many application CDs from Windows 95 era will still install on Vista … so Vista carries a legacy binary support for insecure, single-user non-networked programs.
Windows security is fundamentally borked. By design. I don’t know any simpler way to put this, or why people are so unwilling to accept this fact, even in the face of overwhelming evidence.
I would venture to predict that the current ratio of malware for Windows versus that for Mac or Linux combined (which runs at this time at about 10,000 to 1) will continue unabated after the release of Vista.
The most glaringly obvious points of attack at this time in Vista are the WGA time bombs and the DRM “tilt bits”.
http://blogs.zdnet.com/Bott/?p=148
http://www.geekzone.co.nz/juha/1908
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt
This type of “disable the computer” functionality is built in to the OS, can you believe it? It is just sitting there waiting to be falsely triggered by malware.
I’d predict that within say six months of Vista’s release there will already be crooks using these features of Vista to hold Vista users to ransom. “Pay us or we will disable all your machines” …
Edited 2006-12-28 07:44
Rate of security patches only indicates they are fixing the vulnerabilities, not that the system is insecure as a whole.
The fact remains that in Win XP there are 13 known ways to compromise the system, and Microsoft has not patched these holes in the 1 year and 4 months since the last one was found.
And yes, measuring security can to an extent be carried out through the number of unpatched vulnerabilities.
Seriously, think before you speak – maybe you could use your mind for good.
Let’s compare the latest Kubuntu to the latest Win XP.
How many ways can you get into Kubuntu vs. Win XP?
In Kubuntu/Ubuntu there are 0 unpatched vulnerabilities.
Now, you sleaze, tell me which OS is more secure.
Go suck Steve Ballmer.
Actually, its a bit unfair as the security of an OS will have a lot more to do with how it is managed and used than the actual number of flaws.
Not per se. I installed hardened Gentoo on my mother’s PC, with all features of PaX+grsec turned on. This was feasible because she only reads her e-mail and browses a fairly limited set of URLs. Xorg still works with the nvidia driver. As an extra, I further hardened the OS by disabling anything not needed. Also I installed a hardware and software firewall and AntiVir with Dazuko on-access scanning, and rkhunter running as a daily cron job.
I told her she can click on whatever link and/or attachment she pleases. It’s a burden to make malware that is compatible with all distros, much less with a hardened Gentoo box.
She didn’t need the admin password, she said. So, to be short, how could her actions inflict serious system damage???
<quote>
Actually, its a bit unfair as the security of an OS will have a lot more to do with how it is managed and used than the actual number of flaws. I have had windows boxes running for years, and have had no trouble at all, but then again, I don’t open every e-mail attachment that happen to come my way, or install cracked software from god knows where, and I have a good external firewall.
</quote>
I feel you’re missing something crucial here.
Vista is a *consumer* OS used by people who have *no idea* about safe practices – they just want to use their computer to do stuff. They should not have to go to college just to be able to use their computer safely.
Having an insecure OS is just ripping off the consumers and leading them to insecure internet banking/shopping/etc like lambs to the slaughter.
Thankfully there is a small choice available now to ordinary consumers – look at Mac OS X – people just *use* it to do stuff (email/video editing/docs/etc) – and they are effectively safe from having their bank accounts emptied. This is why when people convert to Macs they never want to go back.
Hopefully over time we will get some competition in place and consumers will benefit. The MS monopoly will not last for ever – think of the crappy Trabant car made in East Germany by the communists.
Eventually enough of the population saw the benefits of competition (BMWs/Audis/Mercedes/Porsches/etc) that East Germany’s monopolistic approach was pushed over by the people.
I hope that as more apps become web based (email/word processing/Accounting/CRM/calendaring/POS terminals/Display points/Task management/Document sharing/etc) then we will get some competition between manufacturers to provide the best devices/OS’s to provide standards compliant web clients.
Once the monopoly has been broken and MS can’t force their position via breaking standards, blackmailing manufacturers, buying people off etc we can look forward to the internet becoming a fantastic resource for humankind.
“Vista is a *consumer* OS used by people who have *no idea* about safe practices – they just want to use their computer to do stuff. They should not have to go to college just to be able to use their computer safely.”
I’m a Linux, BSD and OSX person who was also an exclusive McSoft WinTrash systems admin for six years in an educational environment.
This Xmas eve and day I spent well over 13 hours repairing my sis-in-law’s `degraded` laptop. After recovering well over 2.8 GB of family photos I wiped the drive and its cracked version of XP Media Edition. Then I installed a legitimate retail CD. I believe the `tech` who installed the original `cracked` version has moved out of the area on a military rotation.
Aside from the cracked version she also had a `relative` come over and surf a porn site and download a `trojan` onto the system. This was a screwed little notebook PC.
After the install I was able to download all the updates and patches from McSoft. I then created a third account as an administrator and demoted the `default` user that was created during the install as a regular user.
After all the work, and I believe this is critical, I actually sat down and trained my sis-in-law on how to use the system properly. Basically I told her she would `not` like the super user or `Run as` administrator process but it would reduce the number of things that could be installed onto the system.
Will this little McSoft laptop remain clean-and-pristine? No. But hey, I’ll slow down the degradation until the next rebuild. I expect McSoft products and the users that use it to degrade their systems.
I laugh when I think this *nix geek knows more about running and repairing McSoft products, both desktop and server, that degrade over time and use.
Edited 2006-12-27 15:50
<quote>
I laugh when I think this *nix geek knows more about running and repairing McSoft products both desktop and server that degrade over time and use.
</quote>
Not sure what this means, but I have looked after approx 40 PCs running 98 and XP for the last four years for one client.
It is possible – but that is because we have implemented domain logons, roaming profiles, configuration policies, ghost based re-imaging etc.
Server stuff has been moved to Postfix and Samba and the setup has been very stable for the client who is happy.
My point is that your sis-in-law got hundreds of dollars of Windows support for free – most consumers do not have that luxury and so will walk head first into security and online problems.
“My point is that your sis-in-law got hundreds of dollars of Windows support for free – most consumers do not have that luxury and so will walk head first into security and online problems.”
I charge around 50 USD per hour and don’t normally do free. I raised my sis-in-law as a daughter many years ago so, in this case, I didn’t mind doing something as a holiday gift – such as it is.
When I ran McSoft servers and clients distributed across the main lab, minor labs and assorted classrooms, I was able to keep them off the main wire and protected. It was those directly connected to the Internet that were the most troublesome. DeepFreeze came in handy for these units.
They could not do much damage before DeepFreeze due to the way I built the user accounts but they still had to be functional and would always have one issue or another. I always had problems with the back rows of the labs and classrooms being `porn` rows.
Aside from users I also found that `non-tech` minded directors or administrators are also part of the problem. They may encourage misuse by not accepting `reasonable` use policies. Then when a McSoft WinTrash machine `degrades` it’s the fault of the product which is actually true and all the IT staff within the organization.
You can see why I’ve moved away from McSoft exclusively and into the *nix and server level.
I will say that a McSoft environment can exist in relative good shape with reasonably or properly trained users and protecting the internal network with Linux or BSD servers facing out and configured properly.
http://www.betanews.com/article/Is_Vista_Really_BugPlagued_as_the_N…
“Based on the evidence we were able to see with our own eyes, here’s what’s appears to be happening:
An old Win32 function was designed to present messages to the user as though they came directly from the operating system, without any security checks beforehand (in the early ’90s, few thought they’d ever be necessary). We know from searching existing documentation on the function that it does check the first one or two characters of message data for certain control characters, such as an exclamation point that indicates Unicode designed for typing right-to-left (called the RTL code, reserved for Arabic, Hebrew, and other scripts).
When the MessageBox function receives what may be a control code, specifically ??, prior to the crash point, the application apparently attempts to access a log file. Maybe it’s using an old method to gather this file, but in any event, it’s the SQL Server Express log file (at least on our setup) that responds with an access denial. At some point when this attempt is repeated, Windows crashes.
Determina believes that this legacy code allocates a memory buffer, which it then leaves open after the application crashes. But since the crash apparently takes the system down with it, there doesn’t appear to be a window of opportunity for a malicious user to execute random code.”
All OS’es have flaws, and all versions of Windows will have security holes. Still I believe that Vista is actually a lot safer than Windows XP.
However, this added security is only valid for the current global security situation. When 2000 and XP came, the exploits were different – mostly email virii targeted at Outlook Express and the like.
With XP came the growing threat of rogue web client scripting and the like, exploiting the practice of elevated privileges.
The threat situation will once again change. In 7 years, who knows what the threats will be. I guess that since software is moving towards more high level collaboration, data (e.g. XML) exchange, web services, and the like, future attackers will target these layers.
My point is that platforms shift and change, and threats follow these trends. The fight will never stop. New levels of abstraction will mean new services and paradigms, with new security holes added.
Vista will remedy much of the current threats, but it is not prepared for the next gen of attacks. How can it be?
Vista will remedy much of the current threats, but it is not prepared for the next gen of attacks. How can it be?
By focusing on the reason why attacks succeed – the user. But, to be fair, none of the entities guiding the development of current operating systems spend any significant effort towards that end. Microsoft doesn’t because it makes no economic sense for them yet, and the *nix variant / derivative users aren’t nearly as much affected because they’re technically literate due to self-selection. (Note: That wasn’t supposed to weigh the technical merits of the security facilities in Vista versus in *nix – that’s an entirely different issue altogether, and such a comparison can’t yet be made since Vista is too young to have had a chance to prove itself).
Edit: s/literaly/literate/ *blush*
Edited 2006-12-27 02:52
This is what happens when you try to remain backward compatible with the versions developed 10 years back.
Windows is becoming overly complex because Windows maintains backward compatibility and provides new features as well.
The best example is Windows network stack in Vista. It has a new specification but there are multiple translation layers to support drivers written for older versions.
This adds so much complexity that no matter how many testers you put, in limited amount of time, you can’t test all the edge cases.
Things like this are causing longer development times in Windows with diminishing returns.
Microsoft needs to run Windows in a Virtual Machine and develop a new smaller, faster base OS. This way they can enhance the base OS and still maintain the compatibility by running older versions in VM.
What MS should have done was to write a base, highly efficient OS which could run on very low spec hardware (even 386s) and allow users to add whatever they want as modules. So if they want to have some mega fancy interface then they could install it over the net. Or they could choose a simpler but faster interface for lower spec machines – think how much companies would love that because of saved hardware upgrade costs.
And they could have made the OS free – this would maintain a monopoly position and also dominate the new emerging markets. Money could be easily made from supplying support/setup/upgrade contracts to corporations and companies. After all, these companies want someone to turn to for support of SQL servers and VSS as well as the OS.
And if they made the source code available on the net then they would have fixes for vulnerabilities coming in before exploits are written – so security would almost be perfect.
And – thinking about it – if the source code was available then other software companies would be able to compete for the support contracts and this would be *good for the consumer* as competition would mean the best would rise and prices would be fair.
I’m sure that MS as the premium software company on the planet would positively welcome competition and would be able to stand on its own two feet with no problems.
bailey86 – I agree with you on the technical part like efficient smaller OS but disagree on the political agenda of free OS or Open Source.
I don’t think MS should open source their OS or free it. It is their Intellectual Property and they should earn money from it.
Tomorrow you will ask hardware should be free etc etc.
Sorry buddy, you have to buy food to eat and so do software engineers. Many GPL or Open source engineers like the Gentoo lead eventually abandoned their projects because of lack of money in open source.
Edited 2006-12-27 20:17
I know that you are well aware that there are an awful lot of people paid to write open source. Particularly by those who are interested in selling *hardware* not software. I’m thinking companies like small companies like IBM, Intel, Sony etc.
I won’t even comment on the IP, because the topic is so-off topic, and would become *another* off-topic flame.
I will comment on the Gentoo lead. Working on Gentoo allowed him to get a lucrative job at Microsoft. Good for him, and Gentoo did not die in his absence; it continued to grow… it’s not abandoned by any means. In fact I am using it right now. At least make a stab at the facts.
Edited 2006-12-27 20:49
It looks like this article may be a pile of crap. Read this article:
http://www.betanews.com/article/Is_Vista_Really_BugPlagued_as_the_N…
“Yet tests of the flaw conducted by BetaNews suggest that, while the bug can crash Windows XP, its roots in the Win32 API dating back to Windows 3.1, coupled with the fact that the source code for the proof-of-concept appears to be straight ANSI C, directly contradict the Times’ implication that the bug somehow afflicts Internet Explorer 7.0.
In fact, BetaNews’ tests of the original proof-of-concept code, as posted to a Russian security researchers’ group Web site, turned up a significant flaw in that code, which would prevent it from being compiled on a modern operating system.
It’s a “type” violation, as in “type of variable:” The characters which the code passes to the MessageBox API function are declared in a standard 8-bit-per-character string that has not been terminated by a zero value. Versions of the API in use since Windows 95 use Unicode characters for strings instead, meaning the 8-bit string must be explicitly converted to a wider, 16-bit string before being passed to the newer function.
The omission of this critical conversion — which is a single-line ANSI C macro, but an obvious one nonetheless — suggests that perhaps security engineers and journalists alike merely took the programmer at his word without questioning his accuracy first.”
To quote an old Russian proverb, “Trust, but verify”.
Making changes to published exploit code so it doesn’t compile out of the box unless the user has a knowledge of that programming language and fixes it has been the standard modus operandi for years when it comes to publishing exploit code. The typical explanation is “we don’t want script kiddies to be able to compile it easily”.
Yes, it’s a pointless practice, but I suspect it’s designed more to cover the backsides of the researchers than to deter widespread usage, so I guess one shouldn’t snicker too much.
Well I guess going into denial and arguing with Microsoft whether or not it actually is a bug while casting doubt on the reporter is just another way to deal with it.
Arguing about one bug is not important. It has been pointed out earlier the real problems, better than I could do.
What will make or break this *marketing slogan* is how often and how serious the vulnerabilities are.
The most dangerous thing in Windows Vista right now is not the security flaws but rather the code instability/immaturity.
Put an Optical Disk Emulator on Vista which is incompatible with it, and the whole OS will stop functioning; put a non-compatible firewall on and the system will stop again; put backup software on that accesses hardware while not compatible with Vista and it will crash; solving security issues has got nothing to do with this. So IMO, code instability, inability to revert changes cleanly and inability to predict hardware/device driver malfunction and to heal it are more dangerous than security vulnerabilities, at least at the level of the consumer OS.
Also, I can add other disadvantages to Vista before I finally care about security, like dodgy performance, unavailability of drivers, huge hardware demands, unbelievable privacy breaches for MS tools, extremely unfair prices, bad customer support, limited hardware changes, unfair license agreement, inconsistent interface, nested windows,… and many many more.
So, security is not the most dangerous thing to MS for now, even though it is a valid problem.
This made me laugh. IMO Vista was released too early. Wait for SP1 for Vista and then buy it. Vista shoulda been renamed to ” Windows LawnMower ”
Edited 2006-12-27 05:38
Microsoft’s previous operating system, Windows XP, required two “service packs” issued over a number of years to substantially improve security, and new flaws are still routinely discovered by outside researchers.
This is an unfair statement, and betrays the author’s naivety regarding the task of releasing software that is perfect.
All software has flaws. I feel more comfortable when a vendor is releasing patches to fix vulnerabilities. It just means they’re being honest and responsible about their product.
So far the rewritten code.
This is a stone cold point; if you’d like to refute that then please do.
Microsoft is not concerned with security, just look at XP.
Win XP has, I believe, 13 unpatched vulnerabilities (Secunia).
Tell me how a company can be security conscious and still not patch their products.
It is very easy why they have 13 unpatched vulnerabilities! They want to increase the gap between XP and Vista. That will force you to go to the next version, not for its “security” but mostly for the holes of the actual version.
They state that MS is working for security and they have critical errors in a virtual machine (.NET 2.0); what trust can you write about security, when the basic virtual machine is in trouble? I think that a browser like IE7 has similar value to Firefox 3 Alpha on the matter of bugs, which makes it risky for use and hard to think that you must wait for one year to get the biggest issues fixed.
I think that Gartner is right: you must wait one year for most Windows flaws to be fixed; secondly you will be able to use (after 6 years of development) a somewhat secure OS. If you will not use in the meantime Mac OS X Leopard or the new Linuxes.
You’re on the money.
I wish everyone had the clarity you do.
There is no crisis.
This is business as usual for MS and how anyone expected that anything would change with a new Windows release is beyond me.
I’ll trust MS has enough resources to make the OS somewhat running and secure, in itself a major achievement. ‘The strainer that would not sink.’
“And so it begins”
The woes that will begin to plague Longhorn/Vista are the direct result of too many indians/chefs in the same pot. Too many meetings to actually attempt to accomplish any goal. It is unfortunate that with 4000 Microsoft programmers, this Longhorn/Vista project took so long.
If Microsoft took its time and wasn’t too ambitious to conquer the world of the PC, they could have achieved their initial goal. This is the problem when management gets involved and miscommunication erupts, and the end result is a delayed product with investors wondering what the heck is going on.
My advice to Microsoft, the next version of MS Windows, make it available when it is READY. Make no time commitments and let the media do all the speculation for you. Linus Torvalds said it correctly, nothing gets released until it is thoroughly tested and no time commitments are made. How can one compete with that philosophy? The problem? The shareholders!
Is the DRM that’s being forced down the end users’ throats. The systems in place in Vista are there for MS to try and control content distribution and they are trying to control it at the hardware level.
This is Bug Number 1 and has to be dealt with. I personally will not invest in Vista or any DRM hobbled hardware if I can humanly possibly avoid it.
If I want to buy a HDVD and then store a copy on my hard drive then MPIA and MS can deal with it but it’s my choice not theirs to make. Fair Use, we need to fight hard for this one and boycott Vista until such time as the underlying DRM is pulled and code has been verified by independent 3rd parties.
“Fair Use, we need to fight hard for this one and boycott Vista until such time as the underlying DRM is pulled and code has been verified by independent 3rd parties.”
Boycotting Vista will not do it. To get rid of DRM you need to boycott the entire film and music industry. Don’t go to the movies, or buy protected DVDs or music recordings, don’t download pirate copies. Demonstrate outside movie theaters, and shops selling DRM protected material. Then you may have a chance of stopping it.
Furthermore, support artists that offer unprotected material.
Sure, you could boycott Vista as well, but as I see it the DRM in Vista is just a symptom of the contempt RIAA and MPAA show the public and even law, which in most countries allows for fair use that is prevented by DRM.
The alarming thing about having DRM in Vista is that it provides a premier target for denial of service attacks, as it is mainly aimed at protecting the computer from the user. As such, any tampering would most likely trigger the protection mechanisms. E.g. if some kind of malware was able to successfully emulate an unprotected device it could be impossible to play premium media, or make use of high resolution display technology.
“Sure, you could boycott Vista as well, but as I see it the DRM in Vista is just a symptom of the contempt RIAA and MPAA show the public and even law, which in most countries allows for fair use that is prevented by DRM.”
I’m absolutely 100% certain that it’s Microsoft. I actually find it offensive that the RIAA and MPAA are being used as scapegoats like this.
I agree, I also think this is 100% Microsoft. They approach movie/music producers and offer them a way to keep their product “safer”, but they have to use Vista.
If it was the RIAA or MPAA, they would also be pushing DRM on OSX users and Linux users.
I live in the UK, which is part of the EU. Every country in the EU has fair usage policies in place. If I buy a movie, I am free to make a back up copy, and to use this back up copy. I can copy this film/song onto any player I wish.
However, pressure from US companies and a few court cases, (later thrown out of court), has people in these countries thinking that they cannot copy a film they bought, as that is against the law.
No…. Microsoft are pushing DRM, then, they will be the only system capable of delivering the goods.
Boycott them, and write to your MP/Senator/Government representative….
Now I am not the biggest MS fan but the DRM issue is 50/50 in this case.
On Microsoft’s side they are thinking: Hummmmm, if we piss off the Music guys or the Movie guys then we can’t push Windows Media Center, Zune movies and music at good prices better than Apple, and we can’t push media onto the Xbox and our set top boxes we are selling.
And the Music and Movie guys are thinking: Hummmmm, well if they want to get the best deals from us then MS better play ball. On the media side MS doesn’t have the market position yet that Apple has! And also we plan to use Windows DRM for pushing movies and music more on to PCs and other devices!
Either way, we poor slubs are stuck in the middle.
“On Microsoft’s side they are thinking: Hummmmm, if we piss off the Music guys or the Movie guys then we can’t push Windows Media Center, Zune movies and music at good prices better than Apple, and we can’t push media onto the Xbox and our set top boxes we are selling.”
Not even close. It’s about *Total Control*.
“Not even close. It’s about *Total Control*.”
Agreed. Microsoft doesn’t really care about DRM, but it’s a tool that can give them an edge.
The RIAA/MPAA is all about control of media, and MS is leveraging that to exert control over the platform. They’re using each other.
The sad part is that those of us in countries that still protect fair use are ultimately screwed anyways.
I hope that the fair land of China comes to the consumers’ rescue (insert cynical laughter here).
This is similar to Region zoning on DVD players where the consumer eventually was able to get around such crap by buying hardware from a few vendors that made Region Free DVD Players. Only thing though is that this DRM crap is going to be a hell of a lot more pervasive, as in all hardware components are going to be DRM embedded and have to verify with each other that they are legit on a constant basis.
I mean come on. Not bad enough we have to waste computing cycles on bloat and memory leaks but now we have our hardware validating itself constantly to make sure we are legit to play DRM content. F-off!
I hope we as consumers can get around this and have a viable alternative in hardware or MS will completely dominate the Digital Sphere (yes it affects everyone else’s platform).
“If it was the RIAA or MPAA, they would also be pushing DRM on OSX users and Linux users.”
They are not too concerned about Linux yet, as the DRM’d CD’s and DVD’s will not be able to play. OS X has had DRM for a bit already, ever hear of iTunes? The RIAA and MPAA are the ones pushing this. They will deliver content that requires the DRM.
“No…. Microsoft are pushing DRM, then, they will be the only system capable of delivering the goods.”
No, they are not pushing it. OS X will be able to run it as well. See above.
//They are not too concerned about Linux yet, as the DRM’d CD’s and DVD’s will not be able to play. //
How do you figure this?
If a CD plays on a normal stand-alone CD player, then it should play on Linux.
Linux will ignore any DRM Windows/Mac executable info on the CD and just skip straight to the CD tracks just as a standalone player would.
For CDs, manufacturers have two choices …
(1) Give it files for DRM that Windows and Mac computers will honour, but allow it to play on existing standalone CD players and therefore on Linux as well, or
(2) Encrypt the entire CD with DRM so that it won’t play on Linux but also won’t play on any existing CD player.
AFAIK, all existing “protected” CDs follow (1) above. The market represented by existing standalone CD players is just too large to ignore.
Linux also can play any DVDs that will play on standalone players.
“I’m absolutely 100% certain that it’s Microsoft. I actually find it offensive that the RIAA and MPAA are being used as scapegoats like this.”
Bullshit – media companies have DEMANDED FROM THE TECHNOLOGY SECTOR DIGITAL RIGHTS MANAGEMENT! Heck, look back at the NUMBER of sound bites from the MPAA and RIAA demanding some sort of ‘digital control’ over content; unless you’ve been living under a rock, you sir are plain out nothing more than a shill from the US media industry and its backers.
Do I need to write that in 2000 foot lettering? The media companies want to control their output; how you use it, how many times you use it, and their ultimate wet dream is a subscription model whereby you’re forced to pay a monthly fee, regardless of whether they’ve produced something worthwhile.
For them, once they’ve shoved the subscription model down our throats, they can go further down the drain in terms of making crap quality, third rate, Americana movies of puerile quality and plot.
Quite frankly, if you want someone to blame for the content control, the RIAA/MPAA are just as, if not more, guilty than the technology industry – and it’s the gullible pea-brain public with their low attention span who prop up the industry by going along like lemmings every time one of their ‘movie stars’ (vomit) appears on the screen.
When was the last time I watched a movie? It’s been so long I can’t remember, that’s how long; Hollywood isn’t getting a damn cent from me, neither are RIAA and their merry band of poorly innovative glorified go-go dancers being pawned off as ‘singers’ and half-wits who produce music with little or no edge, innovation or willingness to challenge the status quo.
I think the bigger question is: does anyone actually know what the f*ck DRM is besides the 1984 alarmists who seem to be pimply faced 15 year olds with a chip on both shoulders? DRM is merely digital rights management; it can be applied to *ANYTHING*, be they documents, system files, and yes, music as well – it is the distributor who sets the conditions of what you can do with the file, and the DRM infrastructure merely reads and complies with those restrictions. If you want someone to blame, blame the media industry.
Also, DRM isn’t forced on you; you can still go off, purchase CDs, you can still rip them off the cd without protection, although a dialogue does appear warning you of your legal requirements.
For once and a bloody while, it’ll be nice for people on osnews.com to actually bloody well read up on the topic before spouting such utter crap about issues they know nothing about.
@blitze how will China come to your aid when China produces hardware, not software?
“1984 alarmists who seem to be pimply faced 15 year olds with a chip on both shoulders?”
I’m neither of those. I understand the technology, that’s why my statements are so simple. DRM is about control.
I’ll pose a simple question, which sells more CD players or DRM players?
Your thinking is simply out of date.
Edit.
=====
An extra question: do you not think that Microsoft would just ignore the RIAA/MPAA if it was in their interest, like they did with the European government?
Who said I wanted DRM?
I don’t want DRM either, and I right now don’t understand why people want to purchase mp3s for download given the inferior quality that they present – until I can purchase DRM free FLAC/Lossless music off the net, at a reasonable price, I’ll keep hauling my wide load down to the store, purchasing my cds, and ripping them once I get home.
Given that my music that I purchase is of the vintage variety – music circa 40+ years ago, I hardly see the music industry rushing to protect this stuff, so I can, in the future still rip without any problems.
btw, if they ignored the MPAA/RIAA, they would lose market share, not only desktop (Windows) but Mobile (Windows Mobile) marketshare, to competition willing to get into bed with those organisations – maybe it’s the old story of Microsoft hoping that maybe they can change these organisations by getting on their side, and moving them.
MPAA/RIAA have nothing to do with protecting artists, and everything to do with maintaining absolute control over the creative process via share marketing and technology power.
There you go… both you, Cyclops and I all agree on one thing: DRM is about control. We just all need to decide who is trying to do the controlling.
On a side note, you seem to like FLAC, how do you find OGG ?
There are a few OGG players hitting the shelves now
Ogg is a nice format for music devices, but it is too bad my player, Creative M:Vision, doesn’t support it due to a lazy, and possibly in Microsoft’s back pocket, arrangement – the hardware can support the format, but it’s Creative who chooses not to.
As for Ogg as a music format to purchase; no. I’d prefer to purchase my music via FLAC, write them to a CD, and then rip them in Ogg format; the cost in regards to transcoding and quality loss is terrible, no matter which format is used; hence, I’d rather take the long route.
Regarding the Ogg format in general, the problem is that it is marketed poorly. There needs to be a leader in charge of the project who is not a programmer, can motivate companies to support it, hype the benefits over competing formats, and more importantly, there needs to be an easy and accessible way for people to get Ogg support on their computer, both for playback and listening.
There needs to be a plugin released for Windows Media Player so that ripping and playback, for example, can be done via the same common user interface everyone is used to; same goes with iTunes as well – it makes no sense creating another player for the platform, but it does make sense to release versions via a nice exe file that can be double-clicked so that 2 minutes later the end user can jump right into ripping their songs without needing to jump through hoops of configuration and tweaking.
@hal2k1 This is not about CDs, this is about next gen disks and online music through DRM players.
@DrillSgt you’re right, Microsoft are not “pushing it”… It’s mandatory.
@raver31 I 100% say Microsoft. The fact that many parties want this is of little interest, as Microsoft is the one implementing it.
//@hal2k1 This is not about CD’s this is about next gen disks and Online-music through DRM players. //
The comment to which I responded said this: “They are not too concerned about Linux yet, as the DRM’d CD’s and DVD’s will not be able to play.”
If that comment was not about DRM on CDs and DVDs, then why did it talk about “the DRM’d CD’s and DVD’s will not be able to play”?
“the DRM’d CD’s and DVD’s will not be able to play”
Never did. I’m sure you’re aware that I am not talking about a simple encryption key. If you think we are you need to seriously read about DRM.
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt
What I have said over and over about CDs/DVDs is that this is last century technology.
“”the DRM’d CD’s and DVD’s will not be able to play””
That was my comment he was referring to. To clarify, I was talking about next generation. Since we have no idea what that medium will be called, or I don’t anyway, I used the terms for today’s medium.
“Update by Thom: Ars thinks the situation is hot air, mostly, something I agree with (a cracker already has to have login credentials for the flaws to be of any use).”
We all know how simple this is to do with the initial user being an administrator. Oops!
“Update by Thom: Ars thinks the situation is hot air, mostly, something I agree with (a cracker already has to have login credentials for the flaws to be of any use).”
“We all know how simple this is to do with the initial user being an administrator. Oops!”
What’s your point, exactly? There’s nothing wrong with the initial user being granted an administrative account in Vista, no more so than having users in the wheel group or the sudoers file in *nix.
Besides which, it’s already been noted that the most damage this flaw has been shown to do is to crash the system; the rest is unfounded speculation at this point. I daresay that there are better ways for one to shut down a machine one has an account on than purposefully crashing it.
LOL. Regardless of what you `dare say` McSoft apparently has the same idea.
“A significant focus of Windows Vista and a fundamental piece of Microsoft’s overall vision is security. Windows Vista provides a simple and secure mechanism for running end-user accounts with standard user privileges, while eliminating the need for administrator privileges when performing many common tasks, such as installing a printer driver or connecting to a secure wireless network. This fundamental shift provides security at the OS level by preventing malware and root kits from damaging company-wide files and settings.”
See: http://technet.microsoft.com/en-us/windowsvista/aa906021.aspx
“What’s your point, exactly?”
I actually got his. I failed to get yours.