
(C|Net) Microsoft to security community: Stop telling people about bugs in our products (news.cnet.com)
More: Asinine

4522 clicks; posted to Main on 18 Oct 2001 at 12:00 AM



80 Comments

Archived thread

 
2001-10-18 12:11:33 AM
World to Microsoft: Start admitting bugs exist.
 
2001-10-18 12:12:26 AM
Hey y'all, I have this truly amazing idea :P Maybe the Redmond Giants should write better code and/or find and fix their own bugs before they release their software! Get a Mac!
 
2001-10-18 12:12:55 AM
Microsoft to world: Pretend they don't. What other product can you get? None! Mwahahaha!!!
 
2001-10-18 12:23:12 AM
Microsoft to world: they are not bugs.... They are unintended product features.
 
2001-10-18 12:26:39 AM
Yeah, get a Mac, where you can be monopolized on the hardware AND the software side...
 
2001-10-18 12:27:15 AM
"Information Anarchy"

I love it!
 
2001-10-18 12:27:45 AM
Microsoft is not against notification of bugs in their code, they're against "full disclosure."

The term full disclosure is often used when a company, along with reporting a hole in software, releases a program or some code to exploit it, along with very specific details about how the bug works.

That (the availability of pre-written exploit code) makes it easier for the dumbass script kiddies to make scripts to exploit the hole on a large scale.

Usually, security firms will announce a bug simultaneously with Microsoft making a patch available, so as long as sysadmins keep up to date on security bulletins and follow responsible system hardening guidelines, they are OK.
 
2001-10-18 12:31:30 AM
hehehehe, i think it's really funny that that guy up above me just referred to people who administer microsoft systems as "sysadmins."

heehee. that's great. you've brightened my day. :-)
 
2001-10-18 12:33:58 AM
Yeah, they're not saying that the flaws don't exist in the software; they're just making some (to my mind) reasonable requests. It shouldn't be possible for novices to cut and paste their way into a destructive virus.

Sometimes I wonder whether you people even read the articles. People just flip on the anti Microsoft switch and spew.
 
2001-10-18 12:34:54 AM
F'U all, go out and buy an Xbox
 
2001-10-18 12:35:38 AM
Xbox and Win XP rule
 
2001-10-18 12:36:31 AM
Dan has a small penis
 
2001-10-18 12:44:10 AM
Dynein, you were totally right to point out my mistake. You must admit that there are the obligatory IIS boxes on any network. That is, unless you're very lucky in finding a "clean" work environment.

My workplace is almost entirely NT... yuck.

There are certainly some other words to use in place of "sysadmin," however, I'm averse to using them on such a P.C. place as fark.... shiat. :)
 
2001-10-18 12:55:34 AM
True about the Macs but they make good stuff now. Microsoft should try a lot harder especially with their resources. IE 6 still crashes, XP is mostly about MS's control (few new innovations) and the worst is that MS has the public beta test their products to save MS $, even Apple can't do that, nobody could except MS because they are a monopoly.
But I digress.
 
2001-10-18 12:58:11 AM
XP blows. My Detonator XP video card drivers cause memory dumps on it when I try to watch multimedia or play Counter-Strike, so I had to go to the default drivers on the XP CD.. Those wouldn't let me play Counter-Strike in OpenGL, and caused problems with Premiere. My mute button on my keyboard wouldn't work either, despite saying "Mute". A lot of other crap I don't like about it either. Stick to 2000 for another 6 months, when they patch all the dumb shiat they didn't fix before releasing it..
 
2001-10-18 01:10:22 AM
Sometimes I wonder whether you people even read the articles. People just flip on the anti Microsoft switch and spew.

Why shouldn't I? I know enough about M$ from previous experience to hate their guts, even if there is some grain of truth to what they are saying in this particular case that it warrants seeing their side of it, why the phuck should I bother looking for it? I am not treating M$ with any sort of decency until they start doing the same for me, and that seems unlikely to start happening in the near future.

(In unrelated news, KDE 3.0 Alpha was recently released - go check it out)
 
2001-10-18 01:14:47 AM
XP is mostly about MS's control (few new innovations)

How can you say that?? The search function uses the CUTEST animation of a doggy!

They aren't really the only ones who this can be said about though, there hasn't been a significant innovation in OS design (most importantly the UI) in 10 years - not MS, not Apple (sure Aqua looks sweet as hell, but it's the same ol' OS with some eye-candy), not Gnome or KDE and certainly none of the commercial UNIX flavours.
I guess I digress as well.
 
2001-10-18 01:16:30 AM
Enough micro$oft bashing how about we bash apple a bit...
At least MS will let you download updates to their OS that fix problems.
OS 10.1 you have to pay $20 to have them send you the upgrade from OS 10
 
2001-10-18 01:19:42 AM
All other anti-Microsoft sentiment aside, they do have a valid point. It's fine to announce a bug as soon as it is discovered, but releasing the code to exploit that bug before a fix is available? That's irresponsible. MS code is buggy, yes. But how many of you have written an entire operating system that is routinely scoured for bugs and holes by millions of others? I really do not like Microsoft at all, but I believe they have a valid point in this particular case.
 
2001-10-18 01:23:30 AM
it's really all about personal preference...
personally, i prefer cheap-ass HW, which ends up not working well on linux... but i love tux...

anyway, I wish i could get my dxr3 to run...
and what's with that stupid CSS crap? I haven't been able to watch the Matrix ever since I bought it.
gah
and I'm not getting any either...
i digress too
 
2001-10-18 01:32:30 AM
I have to say that I disagree with the sentiments for Microsoft.

Every single time that a security bug is discovered there should be FULL DISCLOSURE. It is how it has been done for years, not just for MS products but for OS/2, *nix, VMS, etc, etc. Somebody believes that they may have found a security flaw. So they create a script that exploits that security flaw regularly on their own system, they then distribute that script to other people so that they too can test it on their own systems. The reason for this is that a security flaw could be caused by a misconfiguration, corrupt system files, or a hardware problem. Just as in the scientific community it is important for there to be independent verification of experimental results, there has to be the same thing in the computer security community.
 
2001-10-18 01:33:47 AM
You can download from Apple. Apple is like a BMW, MS is like a Yugo. Apple costs more (now somewhat competitive) and works, MS never ever gets fixed, it's one frickin tune up after tune up till the overhaul i.e. money grab. Most important go look at the variety and QUANTITY of fixes at MS.
XP is not going to be the hit MS expects. Apple is not perfect but at least they've been trying, they have to. They would be outta business if they put out the software that MS does. Apple innovates, Microsoft imitates. But I digress
 
2001-10-18 01:36:56 AM
Why shouldn't I? I know enough about M$ from previous experience to hate their guts, even if there is some grain of truth to what they are saying in this particular case that it warrants seeing their side of it, why the phuck should I bother looking for it? I am not treating M$ with any sort of decency until they start doing the same for me, and that seems unlikely to start happening in the near future.

The short answer: because you're wasting your time.
 
2001-10-18 01:38:38 AM
i'm still not getting any...

and just the other day i was filling out a form on netscape and i got the mac equiv of a BSOD...
that's quality progging for you.
i think that microsoft is being too pussy with their OS, too many fancy li'l features that no serious computer user really needs...
"my pictures" and the likes...
 
2001-10-18 01:39:46 AM
... and because people who refuse to acknowledge something that's contrary to what they believe are just setting themselves up.
 
2001-10-18 01:42:58 AM
Culp argues in the essay that software flaws--whether in Windows, Linux or another operating system--are not going to go away.

At least MS isn't ignorant about whom they're trying to send the message of "stop giving out our code" to...
 
2001-10-18 01:45:12 AM
Well the article is not really about Microsoft OS content, it's about Microsoft security alerts. Microsoft is a big big target for script kiddies and hackers because they have made themselves ever present. I do not though see why Microsoft should be treated any differently than any other OS manufacturer when it comes to dealing with security bugs. As I said in an earlier comment, you HAVE to release scripts that expose a security flaw so that there can be independent confirmation of the flaw.

I can tell you right now as a developer that if somebody tells me there is an error in my code and that error can not be reliably reproduced... then I do not consider it my problem. And neither does any other software developer out there. The only way you are going to get a developer to get back into the code and correct something is if that developer can be shown unequivocal evidence that there is a reproducible error.
 
2001-10-18 01:46:53 AM
Long term though, I think Apple and MS are screwed. Open source and Linux are a few developments with ease of use for the masses from making both OS minor preferred systems. Apple already is to a degree.

Hell it's 12:45 and I know I'm not getting any but I remember...
 
2001-10-18 01:49:54 AM
yeah but while we're bashing MS policy, we might as well bash MS.
I agree w/ Code_arch though
I mean, where's the incentive to fix something if no-one knows about it?
 
2001-10-18 01:51:12 AM
Code A: you're right completely. MS has to be forward about it. I can't see an alternative. Honor system yeah right.
 
2001-10-18 01:57:57 AM
am i the only one who can't get to this page?
 
2001-10-18 01:59:20 AM
Well no its not just an honor system really. It has to do with being able to expediently fix the problem. For instance if somebody has a problem with something in an application that I wrote it is thousands of times easier for me to fix the problem if they can show me something that consistently reproduces the problem. With that information I can then sift through the code quicker and be able to fix it.

Microsoft may be whining about these exploit files that get distributed when a security hole is found. But what they are not telling you is that their guys use those exploit files to find where the problem is and fix it. Those exploit files make MS's job easier.
 
2001-10-18 02:18:19 AM
If MS wants the exploit code scripts controlled/limited then they should pony up. Nothing is free and if Code A says that their own MS people use them to make their job easier, I can't see MS getting it both ways. It makes MS's rep on software bad which induces more flaws. Maybe a monetary reward/system for it is required. Expensive as hell but is there another approach?
 
2001-10-18 02:33:37 AM
It amazes me that institutions can still vilify white hat crackers and retain their credibility. Within the cryptanalysis community it has been essentially universally accepted for over 100 years that the bad guys can figure out at least as much about your security system as the good guys are able to publish.
The problem is that it's not a choice between hacking and no hacking; it's a choice between knowing about vulnerabilities (albeit with a larger volume of attacks while the problem is being fixed) and having them exploited indefinitely without detection.
In principle, the vendor should be notified before the attack is published to the world, but in a political environment in which the DMCA is law, that can be hazardous to the cracker's health.
Bottom line: if M$ isn't willing to invest the resources necessary to stay ahead of the hackers, then it should count itself lucky to be fully informed of the attacks to which it succumbs, and not go crying for sympathy.
 
2001-10-18 03:25:51 AM
"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful..."

"...to our public image and bottom line,"
 
2001-10-18 03:31:28 AM
Seems to me that M$ is still adhering to the ancient tradition of going after the messenger.
 
2001-10-18 04:07:17 AM
Real World Example: My company has found several vulnerabilities in Allaire's ColdFusion app server. We reported it to them but since we didn't publish it they have not acknowledged the problem, either privately to us or publicly.

Companies don't want to acknowledge security holes because maintenance takes a huge cut from development budget. If a vulnerability isn't published or verifiable what is the incentive to fix it?

Anyone who says that a bug is verifiable without the script to reproduce it has never worked with tech support before...
 
2001-10-18 04:08:57 AM
It's fine to announce a bug as soon as it is discovered, but releasing the code to exploit that bug before a fix is available? That's irresponsible.

How is it irresponsible? It's done in the *nix community all the time? And it's another way that developers can fix holes. This reminds me of when that eEye security group found the Jill.c exploit in IIS. MS paid them off to be quiet while they worked on getting a patch made for over a month. Whereas the ntpd buffer overflow (just an example and what sticks out in my tired mind at the moment) was released and within 5 hours the new patched version of the ntp server was up on mirrors for sys admins to download and apply.
And like Code_Arch said. It can be used for purposes of good **download code, test your machines, now you know if you're vuln. or not** I'm not a programmer, but I know many who are, and it's a point of MS writing shiatty code too quick, hurry up and get the OS out the door so it can capitalize on whatever year it is. Win98 works great still, but it's "old", it's back in the 90's, I want Windows 2000 because it's more up to date. It's a marketing thing. Most people want bigger, newer, MS gives them newer on the box. And Microsoft had a choice, security or ease of use. I think we all know what they chose. And it has all sorts of little tiny bubbles and cartoons to help remind us of it.

And things like this remind me of the bbspot article Microsoft Bundles Worm with IIS It's a great piece. Give it a read.
 
2001-10-18 04:37:19 AM
I guess exploiting a bug repeatedly, giving it to friends to exploit, who in return give to other friends to exploit only makes a software developer's job easier. Sounds a lot familiar to something else I know. Oh yeah, WAREZ!
 
2001-10-18 06:23:52 AM
Hrmpw you just brought back some painful memories on working with Allaire's (Cold Fusion's) support reps. Without going into all the gory details, upgrading from 4.0 to 4.5 broke a lot of our code, and it was 'all our fault' because we hadn't followed their variable locking rules. In other words, to fix our code, we had to make our site almost single-threaded.
(for the non-programmer, imagine taking a highway from 10 lanes down to one, then back again)

Proud to say that we rewrote most of our system and we are now using unix boxes & Java. Take that, M$ and Allaire wankers!
 
2001-10-18 06:40:58 AM
they don't want to hear that their stuff SUCKS?

Awwwww......

I'm an information technology student. I have to have a professor and a textbook to figure out Word. When I used to use Lotus Wordpro, I never once needed a farkin' book to figure something out. What does that tell you?

x---X--The Filthy Sanchez--X---x
 
2001-10-18 07:32:19 AM
Microsoft doesn't do anything that doesn't make them money.
How does leaving these gaping security holes in the OS and applications make them money? That's the one question I'd like to see answered.

I can't believe MS can't hire people as smart as any 'security expert' and fix these problems themselves, long before it's a public issue. What monetary gain does MS have by allowing these wormholes and other huge flaws?
 
2001-10-18 07:58:43 AM
The better way to put it would be to ask what monetary gain they'd see if they did put security experts onto projects and had security audits of programs. Would more people buy Microsoft products if they were more secure? Programs would take longer to create, and Microsoft is continuously in a develop-faster-than-the-other-guy mode or they'll lose their iron grip.
 
2001-10-18 09:12:48 AM
RandomAccess: Exactly.
Making decently reliable and secure programs really fast is why we should love this company. MS push the whole industry and keeps up to date with new technologies. Like developing XP 64bit for the upcoming Hammers and Itaniums. MS, Intel and AMD are making these technologies as fast as they can and if it's not for XP 64bit only DEC and SGI systems would really be using this technology to its full potential. Granted it's prolly gonna be terribly flawed, but it's better to have people buying a somewhat stable OS that will get homes assimilating this new hardware so that others in the industry can develop for 64bit systems and make new technologies for these systems. Same thing happened with the original Pentium and Win95. 95 sucked but the industry as a whole progressed a tremendous amount since its release and the technologies and programs developed for it. No OS or app is free from flaws and granted MS apps have more than others, but seriously how would the state of technology look without those crappy apps MS makes.

Back on topic, I think MS is making a reasonable request. If people adhere to what this guy is asking, MS would still be admitting it has a flawed APP, but they would be revealing the problem and the cure at the same time. Instead of releasing the cure after someone has planted 6 million worms on computers and the damage is already done.

And almost every corporation "doesn't do anything that doesn't make them money." MS is not the only one here.
 
2001-10-18 09:16:06 AM
Read the article. They do have some points about disclosing the information so that someone else can use it again for another attack. 'Nuf said about that. What is the alternative? Back when CERT was created, it fell down in 3 areas. One, the bugs were not reported in a timely manner, two, the companies involved did not fix the problems in a timely manner, and three, the results of the fixes were not reported in a timely manner. This led to widespread distrust of the very process that this pie hole from m$ is putting forward. In come BugTraq, etc. that makes everyone sit up and listen.

So what we are suppose to do is treat M$ like crazy aunt ... and say, "Don't mind the bugs in M$ software, we know they are a little touched in the head, just humor them"

HAHAHAHAHAHAHAHAHAHAHA

"There's a little Bill running through my head, saying things better left unsaid".
 
2001-10-18 09:17:23 AM
The next step after complaining about it is to pay for a law making release of exploit code illegal.

See, it's just like the Adobe case. You sell the product as secure, and you enforce that security by prosecuting violators (rather than improving the security).

It's like a bank saying, "Yes, your money is safe." Then they put a $0.99 lock on the door. Of course, they pursue prosecution of anyone who breaks that lock, but they don't build a better lock.

What MS won't admit is that, by having their code subject to attacks, daily, it will by necessity grow stronger. Bill Gates probably does have a good understanding of Darwin. And he doesn't have to pay the "security testers" a dime.
 
2001-10-18 09:32:36 AM
I have been looking through my web server logs and I am noticing a common trend here. With only one exception, every IIS server that scans me with SirCam is running a default installation (usually of IIS4). Windows would not be terrible for security if it did not enable all of these services by default. Then, if you want to run IIS, go get the 942 patches for it, and THEN start running the service. Just to demonstrate how insecure it runs by default, WITHOUT patching the server I removed ALL unused ISAPI mappings (everything except .asp and .asa) and all unused files in wwwroot. CodeRed and SirCam couldn't touch me. Just showing that Microsoft packages tons of unused CRAP which allows these exploits to work.

Also, Code_Archaeologist is correct. Releasing exploit codes is how things get well known and fixed. Otherwise, there is little incentive to fix it. From an administrative viewpoint, I like to know what buggy component the attack relies on so I can make sure my servers are protected. From a programming viewpoint, it's nice to know what the problem is so I don't need to search through insane amounts of code and try to recreate the problem myself.

Now, why would Microsoft be afraid of more widespread exploits like this? Could it be because this was the final straw for masses of administrators who have had enough of trying to keep up with the mind-boggling number of 'hotfixes' they need to apply? Probably.

<Evangelist>Finally, everyone keeps saying the word 'bash'. Funny, since 'bash' is a beautiful shell. Download Linux and try it out. I would suggest Mandrake Linux - I think it is easier to install than Windows. It is certainly more enjoyable to use an operating system instead of being used by it.</Evangelist>
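Added example, not from this thread or its posters: a small Python check over constructed IIS W3C log lines that applies the allowlist the commenter above describes (only .asp and .asa left mapped) and reports which clients are probing for handler extensions that were unmapped. The set of handler-only extensions, the sample paths and the IP addresses are assumptions made for the example.

```python
"""Classify IIS requests by script-mapping allowlist and report handler probes.

Sample log lines below are constructed in W3C extended format; they are not
real traffic from the commenter's server."""
import re
from collections import Counter

# Extensions the commenter kept mapped; everything else was unmapped (assumption).
ALLOWED_MAPPINGS = frozenset({".asp", ".asa"})

# Extensions that exist only as ISAPI handler mappings, so a request for one is
# a probe for a handler rather than for content. Hypothetical set for the example.
HANDLER_ONLY = frozenset({".ida", ".idq", ".htr", ".printer"})

DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "sc-status"]


def parse_w3c(lines):
    """Yield one dict per data line; honour '#Fields:' and skip other directives."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at the columns
        yield dict(zip(fields, parts))


def extension(uri_stem):
    """Lowercase extension of the requested path, or '' if it has none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", uri_stem)
    return m.group(1).lower() if m else ""


def classify(rec):
    """'mapped' (allowed handler), 'probe' (unmapped handler), or 'static'."""
    ext = extension(rec["cs-uri-stem"])
    if ext in ALLOWED_MAPPINGS:
        return "mapped"
    if ext in HANDLER_ONLY:
        return "probe"  # harmless once unmapped, but the source is worth noting
    return "static"


def probe_report(lines):
    """Return (probe count per client IP, probe count per targeted extension)."""
    by_ip, by_ext = Counter(), Counter()
    for rec in parse_w3c(lines):
        if classify(rec) == "probe":
            by_ip[rec["c-ip"]] += 1
            by_ext[extension(rec["cs-uri-stem"])] += 1
    return by_ip, by_ext


# Constructed sample: two ordinary hits, then two clients probing unmapped handlers.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-17 23:58:01 192.0.2.10 GET /default.asp - 200
2001-10-17 23:58:04 192.0.2.10 GET /images/logo.gif - 200
2001-10-17 23:59:12 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-10-18 00:01:40 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-10-18 00:02:03 203.0.113.5 GET /null.printer - 404
2001-10-18 00:02:09 203.0.113.5 GET /probe.htr - 404
""".splitlines()

if __name__ == "__main__":
    ips, exts = probe_report(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip}: {n} handler probe(s)")
    print("targeted handlers:", dict(exts))
```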
 
2001-10-18 09:43:53 AM
How do most system admins usually find out about security holes:
It's either through Patches/Hotfixes or usually the virus that exploits them. Not through exploit codes that the virus can be based off of. If you're running any proprietary software (not necessarily MS stuff) and a virus/worm is exploiting a hole in it that's deep rooted in the prog, chances are the admin can't sit down and write his own patch for it. But that doesn't mean that someone can't make a virus/worm from the "beneficial" exploit codes. It's helluva easier for some cut-n-paste script kiddie to make a virus that exploits the situation than for someone to make a patch to fix it.
Exploit codes don't benefit security if someone is basing a virus off of it.
 
2001-10-18 09:48:12 AM
the problem with friggin M$ and with any other large crappy bloatware company(Lotus, Adobe, Novell, etc..etc..) is that individuals that discover these security flaws do not like to release full disclosure until M$ or whoever releases a patch..

They will contact X company and say hey here's a problem you need to fix it, I can help you pinpoint the problem if you will fix it. Then X company says fark you don't be telling us our software sucks.. so the guy then says well fark you too I'm just trying to help you sell better crap software, if you don't fix this by X date then I am putting this exploit out in the open. Then X Company refuses to patch anything until the exploit is out in the open and causes damage.

That my friends is the typical way it happens.
 
2001-10-18 09:49:19 AM
Most administrators only apply hotfixes as they come out.
Other than myself, I actually don't know of any that check Neworder constantly for new exploits. But most Windows administrators don't understand exploit codes, anyway... they only understand "applying a hotfix makes a problem go away".
 
Displayed 50 of 80 comments




This thread is closed to new comments.
