Microsoft Plans An Overhaul For Patch System
sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site."
As reader sweeney37 summarizes, "Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.
now? (Score:5, Funny)
No comment necessary =)
Re:now? (Score:3, Funny)
recent bad patches? (Score:5, Insightful)
Re:recent bad patches? (Score:3, Informative)
Re:recent bad patches? (Score:4, Informative)
You have a choice today. But you may not in the future [theregister.co.uk].
Re:recent bad patches? (Score:5, Insightful)
I think that Microsoft could very well make system updates (ie not DRM related ones) obligatory but I don't think they will. And, seriously, even if they do, what stops you from blocking windowsupdate.microsoft.com at your firewall?
User problem (Score:2, Insightful)
If you turn off this feature, it's really your own fault that you get hacked. If it is true that most attacks occur *after* the patch has been issued, there is no one to blame but the user.
But I'm sure we can twist this into an anti-MS thread anyway.
Double standard with Linux? (Score:4, Insightful)
Double standard, anyone?
Of course. (Score:5, Insightful)
Not so with MS. They can do no good ever. According to Slashdot, MS has NEVER come out with anything decent. They could compile an exact duplicate of Linus' personal kernel, and somehow, the Zealots would find something wrong.
It's amazing how MS is slagged as not having an ounce of innovation, what about Linux itself? This is not an OS that was developed independently, with no legacy ties. In fact, it was written to be a substitute for Unix, a copy, a clone. Linux could not exist with Unix.
This is the thinking of the supplicants who recently touted "Feet of Fury" as innovative.
Of course, this will be modded down. Contrarian opinions are not tolerated here (the supposed bastion of free thinking). You think Bill is the Borg? You haven't met a Zealot.
Re:Of course. (Score:5, Interesting)
Also, even though you didn't mention it, some repliers did, I don't use Linux because it's free as in $$$. I can afford the $200 XP Pro price tag. I use Linux (1) because I am able to see/change the source as I see fit, (2) its modular structure lets me tailor the kernel for each box/purpose, (3) I like and use the command line extensively (not all of us are point-and-clickers), and (4) because it's not built around the asinine all-your-eggs-in-one-basket registry concept.
One final point on the $$$ argument. I would guess that over half the XP installs out there are pirated copies anyhow. Every time I see a pirated copy of XP it pains me to NOT call the BSA but I refrain. In fact, I'd bet that most MS backers on this board have one or more pieces of pirated MS software in their possession. It's a little hypocritical to stand up for a closed source software company all while stealing (yes, it's theft) at the same time.
Re:User problem (Score:5, Interesting)
I will presume you mean that as a joke.
You do know Microsoft's history of releasing "updates" that have a high probability of making matters worse than the bugs they claim to fix, right?
I believe their last proof of this idea occurred... Oh, last week? And who can forget the legendary NT4 "even numbered SP plague"? They should have released 6a as 7, just to keep their f'd up patches consistently named.
Re:User problem (Score:3, Interesting)
Re:User problem (Score:3, Funny)
As a MS apologist, please remember you are held to strict rules when starting any and all arguments.
Not true at all! (Score:5, Insightful)
How is a user supposed to trust a patch being issued by a company that is known to release vulnerable software in the first place?
Yes, it's not a reasonable standpoint for a user to have, but it's still valid!
Take this example: My system works. Apple releases Quicktime 6.3, iMovie 3.0.3, iSync 1.1, and Bluetooth 1.2.1 today. You expect me to update all of them?
Why? Just because? Because there are new features? Because they fix bugs? Because they improve performance? Just because Apple decided to release them?
But the difference is that I do trust Apple. Having used their OS and system for 2 years, now, I have found that Apple updates don't introduce more problems, do increase functionality, performance, and reliability, so I *will* update just because.
However, there *are* pieces of software I haven't updated. I haven't updated my base station software, yet, because it works and I don't want to restart it. I haven't updated my iPod software, again for the same. I haven't updated my IE because I don't use it, and have deleted it.
But I *don't* trust Microsoft. I've been using them for 10 years, and I won't update until there's feedback on whether there are new instabilities, problems, crashes, etc.
That... and did I mention I don't trust Microsoft?
Re:Not true at all! (Score:3, Informative)
Re:Not true at all! (Score:3, Insightful)
Is what I'm doing 'blind'?
I actually still read the reports; do I need the update? Do I want the update? Are there any fixes or improvements I'll see? Do I want to restart?
But the first thing I don't ask is 'Do I trust Apple?'
I *know* mistakes happen. I work as a tester. I don't update software when I don't expect there to be an advantage, or a crucial fix.
Re:Not true at all! (Score:5, Interesting)
(I don't know if any patch system does this...just asking)
Re:Not true at all! (Score:2)
That would be *interesting*, but the issue is, if you don't trust the company issuing the patch, would you trust the comments on that patch system?
I go to Ars Technica to read comments on patches and updates before I update, myself.
Re:User problem (Score:3, Interesting)
Too bad most patches only dire
Re:User problem (Score:3, Insightful)
Windows escaped restarting for driver updates, and now has restarting for security patching. The more things change...
A very tough task (Score:5, Informative)
Re:A very tough task (Score:2)
Restrictive software licenses have no impact upon the distribution of patches, and Microsoft Update is designed to distribute third party patches as well as Microsoft's own.
Re:A very tough task (Score:2)
I mean, not *could* they, but *has* MS actually distributed patches for Netscape or Apache when it needed doing?
Re:A very tough task (Score:2)
Re:A very tough task (Score:3, Informative)
Don't remind me, those fscking driver updates can be a real disaster when they go wrong.
Re:A very tough task (Score:2)
Microsoft has a framework in place for patch distribution; it's not their fault if nobody takes advantage of it.
Re:A very tough task (Score:3, Insightful)
Your comment illustrates the nature of the problem. In the Open Source world the creation of the software is separate from the support.
The Apache guys rightly consider their job done once they've put the patch on their web site. It's up to the distributor, or whoever else wants to make money from support, to deal with it from here.
Proprietary software writers, however, want to support the products themselves. That's good sometimes, but it means the end-user has to deal with each software vendor separate
Re:A very tough task (Score:4, Insightful)
Redhat provides patches for everything it distributes.
Microsoft provides patches for everything it distributes.
I fail to see the problem.
Re:A very tough task (Score:3, Interesting)
I'm not trying to defend Microsoft here -- they certainly were acting in an anticompetitive manner -- but it wouldn't surprise me at all if Redhat starts to get into antitrust problems.
Yes, Redhat is only distributing free stuff; but as MSIE vs. Netscape shows, even free stuff can raise antitrust issues.
Re:A very tough task (Score:3, Insightful)
I would.
The difference is that:
1. MS distributes its own products with Windows. If they distributed Netscape then it wouldn't be antitrust.
2. RedHat is not a monopoly and therefore cannot get into antitrust problems.
If you're a monopoly then you have less freedom. That is the law.
Re:A very tough task (Score:3, Insightful)
Redhat is coming close to establishing monopoly status within the linux market.
Hardly. They can't raise the price of their distro with impunity, barriers to entry are low, and there's little vendor lock-in.
Re:A very tough task (Score:3, Insightful)
Yes. I can always download the CDs or copy from a friend or create a derivative distro.
MS Patch (Score:5, Funny)
Maybe with this overhaul they'll come out with better microtine patches and I'll be able to look my friends and family in the eyes, once again.
Corporate Administrators Rejoice! (Score:3, Insightful)
We take a risk by delaying patches, we take an even bigger risk by patching without decent amounts of testing.
The last thing we want is to have tested the patch and find out we rolled it out incorrectly. MS appears to be going some way to help us good guys out.
While it's laudable that they're at least trying.. (Score:5, Insightful)
It's kind of like a balding man with a really bad comb-over. It looks okay from a distance, but it doesn't really fool anyone.
My Patch (Score:4, Funny)
PATCH THIS [textfiles.com]
Your idiotic anti-microsoft fervence (Score:3, Funny)
If anything will topple Microsoft's dominance of the operating system market, it's an ascii middle finger.
Bravo, good sir, you have done us all a service.
Please attribute any typos in this post to the numerous tasty newcastles I have consumed.
Re:Your idiotic anti-microsoft fervence (Score:2, Interesting)
Maybe...just maybe...my post was done with a certain irony. Consider it a poke at how petty most of the criticism is around here. Or perhaps a jab
Re:My Patch (Score:2, Informative)
Automated patches for pirated copies? (Score:5, Interesting)
But as I thought about it, I realized that not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster than if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS. That would increase the ultimate number of infected machines and influence whether or not the worm becomes a PR problem.
I'm not sure what I would do in this situation; I'd probably end up allowing pirated copies to update anyway and just try to capture their IP addresses on the sly in case I could use them later.
I agree (Score:2)
Re:Automated patches for pirated copies? (Score:5, Funny)
Dude, I suggest you remove the URL to your website. It is not that difficult to find your address [register.com].
Re:Automated patches for pirated copies? (Score:5, Insightful)
So if you have a pirated copy, and you constantly get infected by worms because you can't get any security patches, wouldn't that make you more inclined to BUY THE SOFTWARE?
Re:Automated patches for pirated copies? (Score:2)
The pirate culture is totally different. They're not that bad anyway since the majority of pirate sites are adwhores, unreliable, and clones of each other. Very few of the rest ever use the software so they're not actually getting any direct benefit. Extremely few ever sell CDs of pirated software. Granted the culture for game pirates is probably the antithesis
Re:Automated patches for pirated copies? (Score:5, Insightful)
Oh, I'll happily pay! ... For quality software against a reasonable price, that is. Now if Windows XP didn't cost me a kidney but 50 euros or something OR MS would drastically improve/cough up some versions of their OS worth the money, (stable*, secure*, fast*, bloat-free, no evil licensing schemes/integrated crap) then I'd happily pay! Unfortunately, right now, I'm not going to fork over 300 euros for Win XP Pro only so I can have one huge piece of bloat slow down my computer while MS monkeys/lawyers are constantly trying to think up the holy grail of licenses which in legal terms state that MS will own my house, car, wife, first born and have the right to sell my soul to Satan for favours.
* = Surprisingly, they already managed this. A windows machine CAN be made fairly stable if properly taken care of, same with security. And XP Pro boots pretty fast on my Celeron 300, faster than 2k on an AMD XP 1900 :\ Remember kids, while MS is still evil, most faults can be attributed to human error/incompetence still!
Re:Automated patches for pirated copies? (Score:5, Insightful)
* = Surprisingly, they already managed this. A windows machine CAN be made fairly stable if properly taken care of, same with security. And XP Pro boots pretty fast on my Celeron 300, faster than 2k on an AMD XP 1900
So let me get this straight. You'll pay if the software is stable, secure, fast, bloat-free, and has licensing you like. You admit Windows XP is stable, secure, and fast (even though you later go on to contradict yourself and say that it will slow down your computer). If it is stable, secure and fast (as you admit it is), bloat just means it has extra features you don't use, which don't affect any of the previous 3 apparently. So because you don't like the licensing terms (but apparently approve of the rest of the product) you will pirate the software. This seems like the whiniest protest I've ever heard. The software is great, but until they change their licensing and price (which I can afford, since I can afford a computer) I'm going to steal their software. Jesus, and people wonder why non-geeks think
Re:Automated patches for pirated copies? (Score:5, Insightful)
Re:Automated patches for pirated copies? (Score:2)
Re:Automated patches for pirated copies? (Score:3, Interesting)
Yes, my more recent microsoft installs are pirated. Not because I dont own the software (I do have licenced versions that I don't install) but because I won't install software that I can't reinstall. If you have to authenticate with microsoft, then you can't truly reinstall it.
I live in fear that microsoft won't reauth
sweet irony (Score:5, Insightful)
Re:sweet irony (Score:2)
I'd suggest this [suse.com] as a suitable patch for Windows. Ever since I installed it I haven't had a single complaint about MS products.
Max
Re:sweet irony (Score:3, Insightful)
Sure, there's a learning curve, but IMO it's well worth it.
Security patches used with political means? (Score:5, Insightful)
Re:Security patches used with political means? (Score:5, Interesting)
Kept you from sharing your playlists off your subnet I think...there is a /. story about it here [slashdot.org]
The dumb thing is that everyone who cared about it caught it before hand, and every one who doesn't care most likely doesn't share their lists.
I was going to post that MS should go to an Apple Software Update sort of thing - it's easy, the patches usually work flawlessly and you can get self contained disk images of all of them to install at your leisure.
Then I realized that this probably wouldn't work, as Apple has a much smaller subset of hardware to deal with than MS.
Which got me thinking that perhaps MS isn't all bad? Maybe it's all the crap that people try to use with their PCs from ISA days, and all the spyware that seems to be omnipresent in any shareware install that's causing all the problems. I mean, a browser integrated into the OS can't be that bad can it?
Then I remembered that Bill Gates eats babies with the devil every afternoon at 4 pm.
Whew! I almost fell to the dark side!
Innovation (Score:3, Informative)
Re:Innovation (Score:2)
Re:Innovation (Score:2)
Re:Innovation (Score:2)
Max
Re:Innovation (Score:3, Interesting)
Had they kept this under their own control a bit earlier (with a centralized dependency check and resolve system like Yast+RPM or the equivalent on other systems, there would be no need for "Windows file protection" and all Windows 2000
Re:Innovation (Score:3, Insightful)
You're right, everyone knows that Linus invented dependency checking, and Red Hat were the first to use it.
Get over yourself and get a clue.
What they also need... (Score:4, Insightful)
Re:What they also need... (Score:3, Informative)
You can, when writing your unattend.txt, specify a batchfile that is to be run after the install. In that batchfile you can put the patches, with the correct switches to install them silently and without reboot.
Unfortunately, and this is where the patch program mess comes in, not all patches have the same set of switches and not all of them can be run silently.
For those, you need to use a script (kix, vbscript, whatever) to send the keypresses needed to
Microsoft Secuirty! (Score:2)
Get a hint. Code clarity and maintainability first!
What's broken (Score:5, Insightful)
Sorry, Charney, it's not the patch installation software that's the problem. Sure the changes you suggest will make things a lot easier, but their absence isn't why people don't install your patches. The problem is the patches themselves.
Yes, the patches themselves. People don't install them because they break critical production software which must not be broken. And in some cases those patches can't be backed out without a complete wipe and reinstall of the system, witness the recent VPN protocol "fix". As long as this is the case, people will still not install the patches no matter how easy the installation process is.
If MS wants to improve their patch process, they need to do a few things:
It needs a patch: it IS broken (Score:5, Interesting)
That critical production software NEEDS a patch, e.g. it has a security hole, or runs on top of an OS that has a security hole. Therefore it IS already broken and thus needs patching. There is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.
Re:It needs a patch: it IS broken (Score:5, Insightful)
That's a rather simplistic view. In practice you have to decide if the odds of being affected by the bug the patch fixes are greater than the odds of the patch screwing up the system in some unknown way. Sometimes it comes down to "the devil you know vs. the devil you don't"
Re:It needs a patch: it IS broken (Score:5, Insightful)
To quote Morpheus, "welcome to the real world". What if your choice is between these two:
1) running software with a security hole, but being able to bill your customers, and
2) not running software because the patch breaks the application that allows you to bill your customers, thus not making any money and going out of business.
Unfortunately, sometimes this is a real situation, and not just with microsoft software.
Re:It needs a patch: it IS broken (Score:3, Interesting)
A lot of patches may not be needed on a production system, like a patch that prevents a malicious web site operator from inserting some rogue active x control t
Re:What's broken (Score:5, Insightful)
Isn't having fewer patches a step in the wrong direction? I would think that by combining patches together, you would have more chances of things going wrong (ie. breaking your system) than if each patch just fixed one little thing. Even if that means having to install many more patches.
Also, fewer patches means that there will be more time between patches, thus more systems running longer unpatched, and that can't be good.
This might be a good example of the difference in design philosophy between MS and the *nix world: MS always want to make the "one big program that does everything" instead of analyzing problems and breaking things down into small packages.
took them that long? (Score:2, Insightful)
I don't think this patch problem is all about number play, i.e. reducing from 8 to 2. They should be more focused at producing a good product in the first place, not just creating a quick podge-job and then bombarding their customers with patches (which are usually also full of bugs).
They claim to be
Re:took them that long? (Score:4, Insightful)
story of a billion dollar company, run by a 10 cent brain, i.e. Bill Gates
Out of curiosity, if you're so much smarter than Mr Gates, why haven't you started your own billion dollar company?
Come on now, we don't need to resort to petty ad hominem attacks--stick to actual problems with microsoft please (which you did allude to), not your jealousy over one man's incredible success. Not to be a grammar troll either, but if you're going to call someone stupid, you might want to spell correctly as well..
peace
Re:took them that long? (Score:3, Insightful)
Oh thats just f'n GREAT (Score:3, Interesting)
My wish of MS would be to improve their OS and application design philosophy BEFORE they make it, so these patches aren't so damned regular in requirements or DIRE in consequences.
Mongrels.
>:-|
Interesting patch counts.... (Score:5, Interesting)
So I decided to look at the patch counts of some other OS's just to make things look silly when in comparison.
First up, my favorite... OpenBSD! On average for all releases excluding the current ones (3.3 and 3.2), the average patch count is... (note that for 2.2 to 2.6 I doubled the count because at that time they were only supported for 6 months, not 1 year like post 2.6 releases were, thus the patch counts rose; this isn't really all that fair but as you'll see it doesn't REALLY matter):
32 patches per release. Which is about fair when compared to redhat since they also only patch for a year (yes yes yes, you aren't getting patches for all this other software that you'd use out of ports but hey microsoft isn't providing many patches for other peoples products if at all)
Now lets do VMS (this is scary...)...
Looking through the bug-traq archives starting in 1997, the average count over the past 6 years has been 4 patches per year. But hey when you've been around the same evolving codebase for 20 years you're bound to hit that point of diminishing returns. Of course if you're not throwing out your codebase due to limitations and problems in the original design *cough* ...
Re:Interesting patch counts.... (Score:4, Interesting)
While doing an install of Windows SUS [microsoft.com] I came up with roughly 400 patches for all versions of windows capable of windows update. The number soars to over 2,000 when you introduce all the other various languages, but these patches are all duplicates.
Protecting Us From Joe User (Score:4, Insightful)
I see this as Microsoft taking a much needed step towards addressing the #1 security problem plaguing the Internet: Joe User.
Joe User doesn't even know what Windows Update is, so never installs any patches for the operating system. Joe User clicks on any E-mail he gets that says "L@@K NEW WINDOWS SECURITY PATCH!" or "ANNA KOURNIKOVA NAKED!!1" As a result, Joe User is running several different trojans, and his system is being used as a DDoS attack drone whenever it is online.
As much as we might decry a perceived invasion of our right to run our own systems, forcing Joe User to keep his system up to date with the latest patches is a good thing for all of us. Fewer packet floods, fewer lamers on compromised hosts, and possibly less spam. It's likely that Joe User doesn't even CARE that Microsoft is installing whatever it wants, whenever it wants, on his box. In the end, as long as those of us who know what we're doing can disable this feature (and those of us who don't CAN'T), I can only see this being a good thing for everyone concerned.
Re:Protecting Us From Joe User (Score:3, Insightful)
What a crock of shit. 'Forcing Joe User'? I guess the fact that it happens to be Joe User's machine that *he* paid for doesn't amount to squat, eh? Joe User doesn't get a choice because he's too fucking stupid to find his ass with both hands anyway?
Ramming a code change down Joe User's throat without his consent is a violation of Joe's property rights - a violation neither you nor Microsoft has any bus
Re:Protecting Us From Joe User (Score:3, Insightful)
You don't. It's that simple. If this is beyond your comprehension then I pity your understanding of 'freedom' and 'private property'.
And any asshole can claim that thing x, which he doesn't approve of, is a 'public danger'. No matter how you phrase it, a compromised sy
More patching (Score:2)
That explains a lot... (Score:2, Funny)
So, uh... what's changed, exactly?
Microsoft Bob Windows Update Metaphor (Score:5, Funny)
Good 'ol Bob.
Patch, According to Webster (Score:5, Funny)
"A small piece of material affixed to another, larger piece to conceal, reinforce, or repair a worn area, hole, or tear. "
- or -
"Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases. "
Temporary correction... Microsoft, I'm afraid, took this literally.
Why is the patch system not a part of the OS? (Score:5, Interesting)
Why is there no standard program on the Windows system, that installs a patch that is distributed in a file that contains only the update?
When I patch my Linux system, I retrieve a
Windows even has that "MSI" stuff, then why is a Microsoft patch not distributed as a
Re:Why is the patch system not a part of the OS? (Score:3, Insightful)
Re:Why is the patch system not a part of the OS? (Score:3, Insightful)
And even with the MSI installing engine, would you really trust Microsoft integrating the engine into the operating system? Think about it, every time you connect to the internet it would look for patches, and automatically install them, breaking everything (i
Re:Why is the patch system not a part of the OS? (Score:3, Insightful)
Because the software needed to support MSI isn't installed as part of the base OS package, so they can't be sure it would work.
Here's how the _real_ interview went. (Score:4, Funny)
"And we'll not be stopping there. Their second biggest concern after patch management was patch suitability and correctness. And that's when I realized that the patches themselves were broken!
We had this engineering group making patches for this and that public relations group announcing patches for that vulnerability and management saying 'why don't you patch the hardware so the bandwidth will be smaller.' And what ended up happening is that no one was actually checking to see if the patches fixed anything." (Nervous Laughter)
So one of the next things I will be doing is to create a Patch Verification working group. Get all the people together to agree on a common nomenclature. What's a "bug" anyway? And how does it differ from a "feature?" No seriously. Can anyone define those terms for us?
Anyway, another thing that seems to bother our hostages. I mean customers. Yes, customers. That's it. It seems to bother our
We are furthermore developing 'New Technologies' within Microsoft including one we're calling 'debugging,' that I'm very excited about. We think it'll vastly improve the quality of our "MacOS Jagger OS" 'Longhorn' release in 2010. From there we'll be setting our sights on matching Linus Redtop 7's innovation and code quality. [I'm pretty sure he means "Jaguar" and "Redhat 7" -ed]
By then of course, our "Trustworthy Computing" initiative will be in place. Microsoft Big Brother (TM) will implement Software Update Services to push 'Code we Trust' on enterprises so we can prosecute those who try to back out patches from any of our 25 installer applications, 13 hotfix downloaders or 7 service pack updaters."
[At this point some Microsoft Thugs (TM) confiscated my recorder, though I managed to switch out the tape first -ed]
It's not enough. (Score:4, Insightful)
Instead of having the large full time support staff they do, as well as the crews of people scanning the web for new exploits, how much time, effort, and money could they save by hiring a couple of full time people to check _all_ buffers on all code after it's been committed to sourcesafe? Also, it would reduce data loss due to crashes and other problems. Wow, Microsoft increasing their bottom line in a way that actually helps consumers. What a thought.
Screw windowsupdate (Score:4, Interesting)
Re:Screw windowsupdate (Score:3, Informative)
OS and Applications? (Score:4, Insightful)
Patches via win-apt-get (Score:3, Interesting)
From reading this story closely, it appears that Microsoft has once again run into a problem which the open source community has successfully solved: how to effectively deliver patches and security updates to a wide audience across the internet. Existing mechanisms for distributing updated software for Microsoft's operating systems and applications are currently only semi-effective and are in urgent need of overhaul. They certainly do not represent a best-of-breed, enterprise-level approach.
At this point, I would like to put forward a suggestion to both the readers of Slashdot, and to the management of Microsoft which may address the aforementioned shortcomings: win-apt-get. As Debian users across the planet know only too well, apt-get is a robust, convenient, scalable and enterprise-ready solution for managing not only Debian packages, but also the rapid dissemination of updates and patches when they become available. Apt-get is in fact listed as the number one reason for choosing the Debian GNU/Linux distribution above other competing distributions by respondents in a recent LinuxWorld survey. Given such tremendous community support and technical advantages, why is it not worth considering a version of apt-get tailored specifically for Windows...a win-apt-get, if you will.
Please...I hear you reaching for your 'Troll' and 'Offtopic' moderator buttons. Certainly many high-ranking Debian luminaries exhibited similar responses when I approached them with this idea at this year's Open Source Expo. However upon listening to my plans, they were all convinced. Bruce Perens was particularly enthused, as I had offered to buy him lunch at the cafeteria if he listened to my pitch, an offer which he accepted vigorously, let me tell you!
But enough anecdotes of rubbing shoulders with the 'Debian doyens'. What I need are volunteers to help with the porting of apt-get to the Windows platform. This is in fact part of a much larger initiative, which unfortunately has been met with much hostility by the overwhelming Gentoo community on Slashdot. This initiative is the production of a new version of Debian, one which uses a new underlying operating system: Debian GNU/Windows XP.
Let it sink in. I will be back shortly to tell you more. I'm excited!
Best regards,
Debian Troll
Hey Micro$haft: Try This Hypothesis! (Score:3, Informative)
"Bug" - a serious flaw or unforeseen condition that results in unexpected or unintended consequences or actions.
"Exploit" - a creative use of a "bug" to utilize a program for uses not intended by its user and/or developer.
Premises:
(1) If we assume that every networkable and sizable program is not perfect; meaning, it contains one or more bugs.
(2) That bugs are the basis of most exploits.
Conclusion:
Every networkable, sizable program is likely to contain one or more bugs, resulting in a possible exploit.
The sad truth is that OSes that use unsentried stacks for method invocation are inherently susceptible to stack overflow exploits. Btw, everyone STOP USING strcmp() && gets() in your programs!!!!!!! Use strncmp() && fgets(), damn it!!!!! Buffers (fixed & malloc()ed) must NEVER be exceedable from command-line or other user actions!!! In fact, there should be no way to exceed a buffer, though you ALWAYS have the first byte available AFTER the end of an array as a safe place. Write defensive code!!! Code as you would drive in Oakland, CA. assert() never hurt anyone (just never put any code w/ side-effects inside asserts()). I've run sec audits on so much source, there's always some little util around somewhere that checks argv's with these suckers. Instant buffer-overflow exploit, no water necessary! There are modified linux kernels that check the stack pointers and the integrity of the stack w/ so-called "canaries": random, magic bytes on either side of the stack frame to check for stack overflows. For buffer overflows, it's a little harder, since you need something that checks array indices and malloc(). Even then, there are some exploits that write to valid portions of a user-space app to gain some privileges. My solution: use a language w/ tons of security already in it -- Java.
"You can take that to the bank!" -- I dont know.
Patches won't fix the problem (Score:4, Insightful)
The majority of hack attacks happen immediately after a patch is announced, implying that announcing the patch announces the vulnerability. So MS is saying the problem isn't the vulnerabilities themselves, it's that hackers respond more quickly to the announcements than ordinary users do. Microsoft's solution is to speed up the response. So what if the users have to give up control of their computers? They're going to have to turn over the keys anyway when Palladium gets shoved down their throats, right?
Casting users as the weak link is ultimately a lame defense for the fix-it-later commercial software development philosophy. Rushing software out the door because the marketing dept has promised it to retailers who want to sell it before Xmas is not the only possible way to do development.
The free software world may not be perfect but it doesn't suffer from that particular disadvantage. One way to make your system more secure might be to run code that was released when the developers decided it was actually ready.
EULA's (Score:3, Informative)
No patches for pirated copies.. (Score:5, Insightful)
This doesn't mean all the pirates are going to say "gee, guess I'll go legit and buy a copy", it more likely means they'll stay unpatched.
It would be interesting to know how many systems that are participating in DDoS attacks are not patched because they can't patch because they're illegal copies of Windows...
(Yes, patches are available in other ways than Windows Update, but Microsoft is doing all their work to make Windows Update easy - maybe what we need is a "rogue Windows Update" for the pirates
- Steve
Re:www.Linuxcad.com (Score:3, Insightful)
After the spam legislation becomes law I hope to see your ass in the slammer.
Re:And the rest 5%??! (Score:2)
This isn't really an option when you have thousands of legacy applications, which depend on layer after layer of services and interfaces written over more than a decade, which *HAVE* to work because that's the main selling point of your platform.
Re:And the rest 5%??! (Score:5, Insightful)
That's beside the point. Microsoft is stuck with what they have right now, which is this giant, semi-monolithic applications platform. The best they can do is try to audit it for security and hope they don't break anything, and even that is a trying job. Give credit where credit is due, because for all its clout Microsoft lacks much of the flexibility of its competitors.
not necessarily... (Score:3, Insightful)
Just because passwords are being sent in the clear, doesn't mean you can necessarily intercept them. You need to be able to intercept the packets containing the username/password combination from the remote user. You could do this at one of three locations: the remote machine, the server, or in transit. If you own the remote machine, you could just trojan *any* client used, so telnet isn't any worse off than a