Re: How much longer..

2003-08-14 Thread Crist Clark

McBurnett, Jim wrote:


I hate top posting, but I want to make sure to get this out of the way first.

I was not trying to defend Microsoft. I meant to point out,

  JUST BECAUSE YOU ARE NOT USING MICROSOFT DOES NOT MEAN THAT YOU ARE SAFE!

Bugs happen. Vulnerabilities happen. Worms happen. This worm has happened.
Now that it has happened, its impact is greater because of its install
base. And solely for that reason.

That's all I wanted to say.

Why the worm happened and whether it should have happened are completely
different issues I was not trying to address. I do not plan on addressing
them. People with more eloquence, more research in hand, and much, much more
time to compose thoughtful essays have debated that endlessly for years now.
I doubt my limited remarks on NANOG will move any hearts or win any minds
who do not already agree with the classic, well-known arguments I would trot
out one more time.

But I'll respond to this mail anyway.

 OK..
 I have lurked enough on this one..
 $60 Billion plus for microsoft..
 and 600 millions lines of code.
 thousands of employee programmers...

No way MS has spent $60 billion on development. That's why they
look so good, so much in sales versus the development costs.
Or did you misspell bazjillion?

 $1 million for *NIX
 less than a million lines of code.
 rewritten on a whim, and source given to
 millions..
 Bugs will be found and squashed easier.
 Less code, more eyes. and less complex.
 Less market, less users, less interest for hackers
 
 5 less than statements for *NIX and how many more
 statements for Micro$oft?

A pretty outlandish comparison with some broad characterizations and 
implicit assumptions.

Where's the $1M for UNIX from? ATT gave it away since they didn't
think it was worth anything. Back then, vendors made money off of the 
hardware, the software was an incidental. (Sony makes the money selling
you the DVD player, the pretty menus and configuration screens are just
soft/firmware that comes with it with no real independent value... Now 
the soft/firmware on a TiVo or an X-Box... Maybe appliance software
will develop independent value of its own someday too.)

Oh, and I can rewrite the source to Solaris, a direct UNIX Sys V 
descendant, and they give it all away? I guess they forgot to send
me my copy. Could I borrow yours? And send me your source to AIX 
while you're at it too. And SCO's UnixWare? I'd like to look into
this whole SCO versus IBM thing.

 This is like trying to compare the towing capacity of a
 car to a turbo diesel pickup.

OK, two things which are very easy to compare.

 there is no comparison...

Uh, no, it's pretty easy to measure the power, torque, and many other 
capacities of interest for each vehicle and then do an objective comparison.

 I don't care if MicroSoft spends $600 Million a year,
 there will always be bugs.

Sure will.

 If a software package was perfect or a network was perfect how many
 of us would have jobs?
 Nothing in this world is perfect, and complaining about it does
 absolutely no good

So your point was...?
-- 
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [EMAIL PROTECTED]


Re: How much longer..

2003-08-14 Thread Stephen J. Wilcox


On Wed, 13 Aug 2003, Len Rose wrote:

 
 Hi.. just think if the billions of dollars being spent on M$
 products could have been funneled into open source projects.
 
 To reinforce the point in the most blunt manner possible:
 
 No one had better ever dare postulate that the inherent reason 
 for all of the vulnerabilities in Micro$oft products is due 
 to any special features of note. 
 
 There is no particular network-enabled feature that Windows has 
 that UNIX didn't implement years before and has done so securely 
 following established internet design standards adopted by the 
 ruling standards body (IETF) after intense study and open participation
 from all parties who were interested. 
 
 Now knee-jerk reactions by various network operators are to
 filter, filter, filter and soon, by the grace of a piece of
 crap operating system you'll have a much more limited internet
 to work with because for Micro$oft's sake they've filtered everything.

Hey I like MS bashing as much as anyone else but the fact is you could say this 
of any vendor.. a good recent example being Cisco





Re: How much longer..

2003-08-14 Thread Shawn Morris

On Thu, Aug 14, 2003 at 02:17:08PM +0100, [EMAIL PROTECTED] wrote:
 
 On Thu, 14 Aug 2003, St. Clair, James wrote:
 
  Cars did not become more popular because owners had to learn how to swap
  more parts. 
 
 The good ole computers as cars metaphor.  In the UK:
  
 1) In order to drive a car, you have to have a license.
 ^

Yes, I have to understand how to operate a car.  I don't need to know
how to change my oil.  Also, at least in the United States one must have
a very limited understanding of driving.  There is no real testing of
driving in anything other than normal conditions.

 
 2) In order to have the car on the road, you have to have it taxed and 
 have a qualified mechanic certify it for basic road worthiness.

That may be the case in the UK, but I can assure you in Illinois it is
not.  Take a drive on the Dan Ryan Expressway sometime and you will see
cars with bumpers and fenders held on with rope.

 
 Neither of these rules currently apply to computers.  Maybe they should.
 
 Rich

-- 
Shawn Morris


Re: How much longer..

2003-08-14 Thread Len Rose

Hi.. just think if the billions of dollars being spent on M$
products could have been funneled into open source projects.

To reinforce the point in the most blunt manner possible:

No one had better ever dare postulate that the inherent reason 
for all of the vulnerabilities in Micro$oft products is due 
to any special features of note. 

There is no particular network-enabled feature that Windows has 
that UNIX didn't implement years before and has done so securely 
following established internet design standards adopted by the 
ruling standards body (IETF) after intense study and open participation
from all parties who were interested. 

Now knee-jerk reactions by various network operators are to
filter, filter, filter and soon, by the grace of a piece of
crap operating system you'll have a much more limited internet
to work with because for Micro$oft's sake they've filtered everything.

What makes it all ironic is that you can directly thank Micro$oft if
the governments decide to pass more draconian laws, even further
criminalizing activities which were considered marginally criminal to
begin with.

Instead of subsidizing the monopoly, keeping sub-standard operating
systems alive, they should fine them billions of dollars for the
cost of repairing damages, managing overloaded network and system
infrastructures (due to the effects of the latest vulnerability).

The governments should cease using all Micro$oft products and go
back to UNIX which can easily be transformed into a friendly
operating system for business users (it already has been of course)
For the millions of dollars that are spent buying this fake operating
system with its fake applications the government could subsidize
development of open software whose quality and security would far
exceed that of the closed source garbage that has become standard
in today's offices.

Their operating systems were a joke 10 years ago, and they're still
a joke today. The people administering these systems need to start
learning UNIX and colleges need to go back to teaching computer
science based around a real operating system. It's embarrassing
for a recent graduate to only know how to point and click while
UNIX hackers are unemployed thanks to the disease that is called
Micro$oft.

Not to mention watching weeks of Micro$oft admins wondering publicly
on Full Disclosure (soon to be renamed Microsoft Whining and Crying)
what to do about their systems that they can't protect because those 
systems are rotten to the core with garbage code written by fake
programmers who were trained by Universities who use Micro$oft operating 
systems to teach their curriculum and who are managed by ex-VMS 
programmers (Uncle Bill hired them to write Windows Code)


On Wed, Aug 13, 2003 at 11:42:59AM +, *Hobbit* wrote:
 I often ask the larger question, how long will it take for millions
 of people to realize that having to deal with winbloze has completely
 *derailed* their careers for the last ten years, when they could have
 been doing so much more productive things on their jobs?
 
 But evidently most of them can't think that deep, and get all defensive
 about it.
 
 If all those people had been contributing to free and better replacements
 in the linux/bsd/open-source arena, we'd be *so* much farther ahead,
 and would have saved countless dollars that are now in Bill's pocket.
 
 _H*


Re: How much longer..

2003-08-14 Thread Charles Sprickman

On Wed, 13 Aug 2003, Crist Clark wrote:

 Attacks _are_ on Linux machines. There have been Linux worms, Lion attacked
 BIND, Ramen attacked rpc.statd and wu-ftpd, Slapper attacked Apache, to
 name a few. Attacks are on Solaris, the sadmind/IIS worm (which also attacked
 IIS, a cross-platform worm, remember that, cool, huh?). Attacks are on FreeBSD,
 Scalper worm attacked Apache.

 How soon people seem to forget these things.

No, I don't think people are forgetting, but what Len was originally
pointing out is that Microsoft, *because* of their vast install base
*needs* to take a more proactive role in producing a secure OS.

And the reason you can call it a toy OS is that on one hand you have
*BSD, Linux and friends all with an annual budget of what, maybe $1M?  And
on the other hand you have a multi-billion dollar *software* company.

Which should churn out better software? :)

Charles

 To pound it home one more time, worms that attack Microsoft products are a
 bigger deal only because Microsoft has at least an order of magnitude greater
 install base than the nearest competitor.
 --
 Crist J. Clark   [EMAIL PROTECTED]
 Globalstar Communications(408) 933-4387




Re: How much longer..

2003-08-14 Thread Scott Francis
On Wed, Aug 13, 2003 at 04:09:05PM -0700, [EMAIL PROTECTED] said:
 These kinds of inflated damages estimates are dubious at best.
 If you've lost that much productivity, odds are you should be pointing
 fingers at inappropriate redundancy and planning/procedures in your 
 computing facilities and not blaming some toy programs written by kids 
 with too much time. This kind of financial loss hype/fear-mongering is best
 left to politicians, and not technical discussions.

indeed - and yet companies claim these kind of damages, at least publicly,
whenever these worms come along (every month or two, it seems). Two questions
spring to mind: 1) where are these figures coming from, and 2) if they're
accurate, why in the world would a company make the same mistake that cost
them a million bucks last month, again next month? That's the kind of stuff
that gets executives fired (you'd think) ...

(note: the figures I posted were just gathered from publicly available news
sources. We all know how accurate reporters tend to be when covering
technical issues, so take them with a grain of salt. The point of the post
was, there are a great many companies out there throwing good money after
bad, month after month, without seeming to realize it.)
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




Re: How much longer ..

2003-08-14 Thread John Neiberger

http://www.theregister.co.uk/content/55/30072.html 

The Klez virus last year cost businesses $9 billion worldwide in lost
productivity,

When I read stuff like this I always wonder if these businesses count
the time spent patching their systems as 'lost' productivity.

John
--


Re: How much longer..

2003-08-14 Thread Jack Bates
Crist Clark wrote:

 To pound it home one more time, worms that attack Microsoft products are a
 bigger deal only because Microsoft has at least an order of magnitude greater
 install base than the nearest competitor.

True. I'd be curious to see the worm to software vendor ratios. Anyone 
have them?

-Jack



Re: How much longer..

2003-08-14 Thread Scott Francis
On Wed, Aug 13, 2003 at 01:07:15PM -0400, [EMAIL PROTECTED] said:
 
 How much longer will people put up with the millions of 
 dollars of losses in time, resources and service inflicted 
 on the net by the joke vulnerabilities in the toy operating 
 system known as Windows? Enough is Enough.

http://darkuncle.net/microsoft_rant.html
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




RE: How much longer..

2003-08-14 Thread Dan Lockwood

I have to agree with Ejay.  Microsoft is not the only software vendor.
It seems silly to argue that one OS is better than the other.  Linux
needs to be patched too, as do all the various flavors of Unix, Solaris,
etc., from time to time and with varying degrees of urgency.  This is a
fact of life.

Dan

-Original Message-
From: Ejay Hire [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 10:53
To: Len Rose; *Hobbit*
Cc: [EMAIL PROTECTED]
Subject: RE: How much longer..



From my perspective, I don't care what defective operating system a worm
uses.

If a malevolent worm is spreading via a vulnerability in IIS and I can
keep from answering support calls by blocking it at the edge I will.  If
one of the 31337 crowd ever catches a clue and launches a worm that
spreads via the OpenSSH vulnerability, I'll block that too.  My
objective in blocking is not to bail Microsoft out, my objective is to
make sure the people I work with can accomplish useful work and don't
have to spend days repeatedly explaining how to download a patch and
remove msblast.exe.

For the record, I have two folders that catch Microsoft security
bulletins and Red hat package update notifications.  Right now the score
is close at MS 12 vs RH 9.

-e




RE: How much longer..

2003-08-14 Thread Jason Armstrong

But we digress and this horse is dead.
Can we move on?


RE: How much longer..

2003-08-14 Thread Bob German

The good ole computers as cars metaphor.  In the UK:

1) In order to drive a car, you have to have a license.

2) In order to have the car on the road, you have to have it taxed and 
have a qualified mechanic certify it for basic road worthiness.

Neither of these rules currently apply to computers.  Maybe they
should.

Rich

I've been considering lobbying for the imposition of an Internet license
for years now.  I could think of a few people that need theirs yanked.

-Bob



RE: How much longer..

2003-08-14 Thread St. Clair, James

Users, both corporate and at home, need to be taught that there is no such
thing as plug and play.

For as much as I agree with the philosophy here, we must realize it is the
wrong approach.

Cars did not become more popular because owners had to learn how to swap
more parts. Wireless phones don't require a contract and setting up your own
frequency band. Computers are becoming a utility, and with greater
sophistication more and more embedded.

Back to cars, remember when a mechanic could fix a problem in a day? How
many cars do we all own that now start a service check with a CPU
diagnostic? This is not a trend that will be reversed.

The emphasis must be placed on other market forces to correct things, like
liability for failure and greater R&D for secure systems. Forcing the
consumer to learn more has never worked in the market before, and won't
here.

Jim


Re: How much longer..

2003-08-14 Thread Matthew Sullivan
Len Rose wrote:

How much longer will people put up with the millions of 
dollars of losses in time, resources and service inflicted 
on the net by the joke vulnerabilities in the toy operating 
system known as Windows? Enough is Enough.

Sure, let's just filter everything..all service providers
please become M$'s virtual firewall now please.
Haven't you windows lamers learned anything yet?
 

You could of course just filter spoofed traffic, which would then stop a
lot of the DDoS attacks that I'm suffering with.
For the second time in 2 weeks, 2 of my IPs have been null routed at the
USA - Australia international links because of a massive DDoS attack.
If anyone is seeing traffic directed at 203.15.51.34, 203.15.51.44 or
216.168.20.77 and 216.168.20.77 (the latter 2 not being my hosts but
seeing DDoS traffic as well) you might be well advised to
shutdown/disconnect the machines as they are likely hacked and/or trojaned.
Last attack was a mixture of SYN flood (which has virtually no effect
here), 1k packets & UDP sent at a high volume from distributed machines
all aimed at ports around 1024, ICMP echo floods, and bogus DNS
requests from hosts with the IP 'x.x.0.0'.
Obviously some of the floods are not using spoofed addresses, but I am
really at a loss to see why I see _any_ spoofed traffic; I would have
expected ISPs out there to be filtering traffic not from their networks
by default nowadays.  I must just be naive.
Yours

Mat
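As an added illustration of the filtering Mat says he expected ISPs to do by default (this is example code written for this page, not part of his post or anyone else's in the thread), here is a BCP38-style ingress check in Python: a packet arriving on a customer-facing port is permitted only if its source address lies inside a prefix assigned to that port. The assignment table, the port names and the sample packets are constructed from RFC 5737 documentation space, and the "low 16 bits zero" test is a heuristic added here for the 'x.x.0.0' sources he describes, not a standard rule.

```python
"""Constructed example: BCP38-style source-address ingress filter for a
customer-facing edge.  Not from the thread; names and data are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Hypothetical assignment table: the prefixes each customer port may source
# traffic from (RFC 5737 documentation space, constructed for this example).
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

REASON_OK = "ok"
REASON_NO_ASSIGNMENT = "no prefix assignment for ingress port"
REASON_BOGUS = "bogus source address"
REASON_SPOOFED = "source outside assigned prefixes (spoofed)"


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def is_bogus_source(src: str) -> bool:
    """Sources never valid on a customer port whatever the assignment:
    unspecified, loopback, link-local, multicast and reserved space, plus a
    heuristic (added here, not a standard rule) for addresses whose low 16
    bits are zero, the 'x.x.0.0' pattern seen in the bogus DNS requests."""
    addr = ipaddress.ip_address(src)
    if (addr.is_unspecified or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved):
        return True
    return isinstance(addr, ipaddress.IPv4Address) and (int(addr) & 0xFFFF) == 0


def ingress_decision(pkt: Packet):
    """Return (verdict, reason): 'permit' only when the source lies inside a
    prefix assigned to the port the packet arrived on."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_port)
    if allowed is None:
        return ("drop", REASON_NO_ASSIGNMENT)
    if is_bogus_source(pkt.src):
        return ("drop", REASON_BOGUS)
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in allowed):
        return ("drop", REASON_SPOOFED)
    return ("permit", REASON_OK)


def filter_packets(packets):
    """Split a batch into permitted packets and (packet, reason) drops."""
    permitted, dropped = [], []
    for pkt in packets:
        verdict, reason = ingress_decision(pkt)
        if verdict == "permit":
            permitted.append(pkt)
        else:
            dropped.append((pkt, reason))
    return permitted, dropped


def drop_counts(packets):
    """Tally drops by reason, like reading an ACL's per-entry hit counters."""
    counts = {}
    for _, reason in filter_packets(packets)[1]:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample modelled on the flood mix described in the post.
# 203.0.113.5 is documentation space standing in for the victim.
SAMPLE = [
    Packet("cust-A", "192.0.2.10", "203.0.113.5", "tcp", 40000, 80),     # legitimate
    Packet("cust-A", "10.99.1.1", "203.0.113.5", "tcp", 40001, 80),      # spoofed SYN
    Packet("cust-B", "198.51.100.150", "203.0.113.5", "udp", 53, 1025),  # legitimate
    Packet("cust-B", "198.51.100.250", "203.0.113.5", "udp", 53, 1026),  # adjacent, unassigned
    Packet("cust-B", "172.16.0.0", "203.0.113.5", "udp", 53, 1027),      # 'x.x.0.0' DNS source
    Packet("cust-B", "198.51.100.20", "203.0.113.5", "icmp", 0, 0),      # legitimate echo
    Packet("cust-B", "224.0.0.9", "203.0.113.5", "icmp", 0, 0),          # multicast source
]

if __name__ == "__main__":
    permitted, dropped = filter_packets(SAMPLE)
    print(f"permitted {len(permitted)}, dropped {len(dropped)}")
    for pkt, reason in dropped:
        print(f"  drop {pkt.src} on {pkt.ingress_port}: {reason}")
```

In production this check lives as an ACL or unicast RPF on the customer-facing interface rather than in a script; the point of the simulation is that the spoofed SYN, the 'x.x.0.0' DNS source and the multicast source all fail the same one test, while 198.51.100.250 (adjacent to the customer's space but not assigned to it) shows why the filter has to track actual assignments rather than a rough "your /24".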





RE: How much longer..

2003-08-14 Thread David Barak


--- St. Clair, James [EMAIL PROTECTED] wrote:
 
  I've lived in the UK, and never had a license to maintain or update the
  engine.

But I bet that you DO have someone maintain the engine
in your car (and so do most people).

  Additionally, I could drive on the M1 or M5 at speeds rarely found in the
  US, certainly not legally. You don't get any additional training to do this
  - it's implied in your licensing.
 
  The computers as cars analogy applies to commoditization of a utility. The
  message is 99% of the world's computer users (private and otherwise) view
  their PC/laptop as a gadget like their phone or TV. They plug it in, they
  turn it on, it works. That is what they expect and is all they will
  culturally accept. Placing the burden on the user will not work.

But the expectation is there that you will regularly
take your car to a mechanic for various maintenance
which will be nebulously explained by technicians
using words like bearings, valves and rings.

I believe that the model we need to follow is
something like this - train users that they need to
follow some { simple, quick } process for regular
maintenance, and then make sure that the mechanics are
looking for things which are out of order (i.e. you
brought the car for an oil change, but your air filter
is shot).  This could be an opportunity to say "you
have 4 ad-bots on your computer, which reduce
performance.  Do you want them removed?"

-David Barak


=
David Barak
-fully RFC 1925 compliant-



Re: How much longer..

2003-08-14 Thread Wayne E. Bouchard
Well, two things here..

First, UNIX has more than its share of vulnerabilities. For those of
you who can remember: the HP "bug a day" list?  Or how about the
numerous problems with sendmail or BIND? Sure, all these problems have
been corrected as they've been discovered but I wouldn't wanna take
odds on how many older instances of these programs exist. And the
vulnerabilities still come in for local users from the various OS
vendors. Not to mention various problems with IP stacks and so forth.

For those of you who think this is just a windows problem, think
again. The reason for the severity of impact is simply because of the
pervasiveness of the single OS. You don't find these things under UNIX
simply because it's too hard to make it work. (You have so many
different OS variants, people running different MTAs, web servers,
nameservers, etc, etc.) With Microsoft, it has become so ubiquitous
that it's easy to find 10,000 servers running the same buggy stuff in a
short period of time.

Second: Isn't OS bashing just a bit off topic?


---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude





Re: How much longer..

2003-08-14 Thread Tim Thorne

McBurnett, Jim [EMAIL PROTECTED] wrote:

OK.. 
I have lurked enough on this one..
$60 Billion plus for microsoft..
and 600 millions lines of code.
thousands of employee programmers...

Problem is, you can't engage in gunfights with 5-0, rob banks or pimp
your grandmother out on a *nix. On Windows you can do this in Grand
Theft Auto 3. It's going to be the OS of choice for home users (and thus a
lot of businesses as people will be familiar with it) for a long time
to come. The XP firewall was a step forward for MS. Now they need to
turn it on and block by default giving the user an intuitive interface
they can point and click at: I want to use kazaa, e-donkey, etc.

TT


Re: How much longer..

2003-08-14 Thread Scott Francis
On Wed, Aug 13, 2003 at 02:09:41PM -0700, [EMAIL PROTECTED] said:
 On Wed, Aug 13, 2003 at 01:07:15PM -0400, [EMAIL PROTECTED] said:
  
  How much longer will people put up with the millions of 
  dollars of losses in time, resources and service inflicted 
  on the net by the joke vulnerabilities in the toy operating 
  system known as Windows? Enough is Enough.
 
 http://darkuncle.net/microsoft_rant.html

for those financial types reading the list (courtesy /. post):

http://news.bbc.co.uk/1/hi/sci/tech/737353.stm
California-based IT consultancy Computer Economics estimated worldwide
damage to be $2.6bn by the end of Thursday. It said that figure could soar
to $10bn by next week.

http://www.usatoday.com/tech/news/2001-08-01-code-red-costs.htm
Lloyds of London put the estimate for Love Bug at $15 billion.

http://www.usatoday.com/tech/news/2001-08-01-code-red-costs.htm

the economic damage from the Melissa virus in 1999 to be about $1 billion.

http://atlanta.bizjournals.com/atlanta/stories/2001/10/22/focus4.html

Code Red, which started in mid-July, so far has cost the U.S. economy $2.6
billion.

http://www.theregister.co.uk/content/55/30072.html

The Klez virus last year cost businesses $9 billion worldwide in lost
productivity,

http://www.bstpierre.org/Articles/fog73.html
SirCam, which also propagates through email, cost $1 billion.

Summary:
ILOVEYOU virus:        $2.6 - 15.0 Billion
Melissa:               $1 Billion
CodeRed:               $2.6 Billion
Klez:                  $9 Billion
SirCAM:                $1 Billion
Estimated Total TCO:   $16.2 - 28.6 billion

-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




RE: How much longer..

2003-08-14 Thread variable

On Thu, 14 Aug 2003, St. Clair, James wrote:

 Cars did not become more popular because owners had to learn how to swap
 more parts. 

The good ole computers as cars metaphor.  In the UK:
 
1) In order to drive a car, you have to have a license.

2) In order to have the car on the road, you have to have it taxed and 
have a qualified mechanic certify it for basic road worthiness.

Neither of these rules currently apply to computers.  Maybe they should.

Rich



RE: How much longer..

2003-08-14 Thread variable

On Thu, 14 Aug 2003, St. Clair, James wrote:

  I've lived in the UK, and never had a license to maintain or update the
 engine.

See point number 2:
 
  2) In order to have the car on the road, you have to have it taxed and
  have a qualified mechanic certify it for basic road worthiness.

 The computers as cars analogy applies to commoditization of a utility. 

A computer is a computer.  Analogies like this only serve to add to the
confusion.

Rich



RE: How much longer..

2003-08-14 Thread William S. Duncanson

 

Or perhaps the recently disclosed compromise of ftp.gnu.org?  A Unix
(or Unix-Like) system running software based on established internet
design standards adopted by the ruling standards body (IETF) after
intense study and open participation from all parties who were
interested.

And to the people who think that Unix only has a budget of about $1
million and Microsoft should do better with their $60 billion budget
(or however big it is)...guess again.  IBM, Sun, HP...those names
ring any bells?

When you come up with a secure replacement, let us know, because *nix
certainly ain't it.  Doesn't matter how rabid a proponent of MS, or
Red Hat, or Sun, or SUSE you are, ignoring that fact is a quick way
to get rooted.

- -- 
William S. Duncanson[EMAIL PROTECTED]
The driving force behind the NC is the belief that the companies who
brought us things like Unix, relational databases, and Windows can
make an appliance that is inexpensive and easy to use if they choose
to do that.
- -- Scott Adams
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Wayne E. Bouchard
 Sent: Wednesday, August 13, 2003 16:19
 To: Stephen J. Wilcox
 Cc: Len Rose; *Hobbit*; [EMAIL PROTECTED]
 Subject: Re: How much longer..
 
 
 Well, two things here..
 
 First, UNIX has more than it's share of vulnerabilities. For those
 of you who can remember the HP Bug a day list?  Or how about the
 numerous problems with sendmail or BIND? Sure, all these problems
 have been corrected as they've been discovered but I wouldn't wanna
 take odds on how many older instances of these programs exist. And
 the
 vulnerabilities still come in for local users from the various OS
 vendors. Not to mention various problems with IP stacks and so
 forth.  
 
 For those of you who think this is just a windows problem, think
 again. The reason for the severity of impact is simply because of
 the pervasiveness of the single OS. You don't find these things
 under UNIX simply because it's too hard to make it work. (You have
 so many
 different OS varients, people running different MTA's, web servers,
 nameservers, etc, etc.) With Microsoft, it has become so ubiquitous
 that it's easy to find 10,000 servers running the same buggy 
 stuff in a
 short period of time.
 
 Second: Isn't OS bashing just a bit off topic?
 
 On Wed, Aug 13, 2003 at 07:48:08PM +0100, Stephen J. Wilcox wrote:
  
  
  On Wed, 13 Aug 2003, Len Rose wrote:
  
   
   Hi.. just think if the billions of dollars being spent on M$
   products could have been funneled into open source projects.
   
   To reinforce the point in the most blunt manner possible:
   
   No one had ever better dare postulate that the inherent reason
   for all of the vulnerabilities in Micro$oft products is due
   to any special features of note.
   
   There is no particular network-enabled feature that Windows has
   that UNIX didn't implement years before and has done so
   securely following established internet design standards
   adopted by the ruling standards body (IETF) after intense
   study and open participation
   from all parties who were interested.
   
   Now knee-jerk reactions by various network operators are to
   filter, filter, filter and soon, by the grace of a piece of
   crap operating system you'll have a much more limited internet
   to work with because for Micro$oft's sake they've filtered everything.
  
  Hey I like MS bashing as much as anyone else but the fact is you could say this
  of any vendor.. a good recent example being Cisco
  
  
 
 ---
 Wayne Bouchard
 [EMAIL PROTECTED]
 Network Dude
 
 

-BEGIN PGP SIGNATURE-
Version: PGP 7.0.4

iQA/AwUBPzsgP/NxJ1tT9oUNEQIxDwCbBo9NCqgA8gDkk7FEklzw0i0pV/UAoM0i
mUyDo5/AUbXTzxXB7shLUM09
=wRa6
-END PGP SIGNATURE-



RE: How much longer..

2003-08-14 Thread Bob German

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

To pound it home one more time, worms that attack Microsoft products
are a bigger deal only because Microsoft has at least an order of
magnitude greater install base than the nearest competitor.
-- 
Crist J. Clark  
[EMAIL PROTECTED] Globalstar Communications
   (408) 933-4387  

It's also a factor that a lot of people are running Windows blindly,
with no experienced administrators at the helm.  This has
traditionally not been the case for *nix, because of the difficulty
factor, but I can see that changing.  Users, both corporate and at
home, need to be taught that there is no such thing as plug and play.
Everything requires maintenance, or at least a cursory inspection
once in a while.  At least half the non-IT folks I warned about this
worm a few days back ("Run Windows Update tonight, there's a nasty
worm coming") responded with "How do I do that?".

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPzt5cEsAmEL5Zda/EQL8UgCgkDxgAuJoI7b9ogHKWfRKrkh0KFsAoNQE
YPp2QYygqqMWJFS6V6WB+bSu
=yOqb
-END PGP SIGNATURE-



RE: How much longer..

2003-08-14 Thread Fred Baker
At 12:53 PM 8/13/2003 -0500, Ejay Hire wrote:
I don't care what defective operating system a worm uses.
Yes. Let's recall that the first worm on the net was a sendmail worm, and
attacked UNIX systems. I'm no friend of Windows either, but a little
humility is in order. Windows is attacked because it is ubiquitous, not
because it is vulnerable. If the whole world ran Linux, the attacks would
be on Linux machines.



Re: How much longer..

2003-08-14 Thread Crist Clark

Fred Baker wrote:
 
 At 12:53 PM 8/13/2003 -0500, Ejay Hire wrote:
 I don't care what defective operating system a worm uses.
 
 Yes. Let's recall that the first worm on the net was a sendmail worm, and
 attacked UNIX systems. I'm no friend of Windows either, but a little
 humility is in order. Windows is attacked because it is ubiquitous, not
 because it is vulnerable. If the whole world ran Linux, the attacks would
 be on Linux machines.

Attacks _are_ on Linux machines. There have been Linux worms, Lion attacked
BIND, Ramen attacked rpc.statd and wu-ftpd, Slapper attacked Apache, to
name a few. Attacks are on Solaris, the sadmind/IIS worm (which also attacked
IIS, a cross-platform worm, remember that, cool, huh?). Attacks are on FreeBSD,
Scalper worm attacked Apache.

How soon people seem to forget these things.

To pound it home one more time, worms that attack Microsoft products are a
bigger deal only because Microsoft has at least an order of magnitude greater
install base than the nearest competitor.
-- 
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [EMAIL PROTECTED]


RE: How much longer..

2003-08-14 Thread St. Clair, James

I've lived in the UK, and never had a license to maintain or update the
engine.

Additionally, I could drive on the M1 or M5 at speeds rarely found in the
US, certainly not legally. You don't get any additional training to do this
- it's implied in your licensing.

The computers as cars analogy applies to commoditization of a utility. The
message is 99% of the world's computer users (private and otherwise) view
their PC/laptop as a gadget like their phone or TV. They plug it in, they
turn it on, it works. That is what they expect and is all they will
culturally accept. Placing the burden on the user will not work.

 
-Original Message-
From: [EMAIL PROTECTED]
To: St. Clair, James
Cc: '[EMAIL PROTECTED] '
Sent: 8/14/2003 9:17 AM
Subject: RE: How much longer..

On Thu, 14 Aug 2003, St. Clair, James wrote:

 Cars did not become more popular because owners had to learn how to swap
 more parts.

The good ole computers as cars metaphor.  In the UK:
 
1) In order to drive a car, you have to have a license.

2) In order to have the car on the road, you have to have it taxed and 
have a qualified mechanic certify it for basic road worthiness.

Neither of these rules currently applies to computers.  Maybe they should.

Rich


RE: How much longer..

2003-08-14 Thread Drew Weaver


I've been considering lobbying for the imposition of an Internet license
for years now.  I could think of a few people that need theirs yanked.

-Bob

-

Even if you are kidding -- which I hope you are -- the Internet would
turn into a pretty meaningless endeavor; the entire point of the Internet is
that anyone can use it, from anywhere in the world. Who would enforce these
licenses? The US? What about the people in Korea, do they need to come to
the US to receive an Internet license?

This idea made my stomach turn ;-)

-Drew



RE: How much longer..

2003-08-14 Thread Pendergrass, Greg

I don't know if you've driven in the East End of London recently, but I
assure you there those rules don't always apply! 

The computers as cars metaphor is perfectly correct in many aspects: 

1. You don't have to know how a car works to drive it: If everyone had to be
a qualified mechanic in order to drive safely then there'd be very few
drivers. Also, if everyone had to study car mechanics to drive nobody would
be able to study anything else. For the majority of people computers need to
be simple enough that anyone can use them without advanced knowledge. The
thought of teaching my mother to use a linux system makes me shudder.

2. Computers, like cars, need regular maintenance in order to function
properly: Cars need oil changes, computers need regular updates. With cars
there is a maintenance infrastructure to maintain them and, more
importantly, there is a basic understanding throughout the population about
what a car needs in order to function. When you have a problem with a car,
there's no shortage of people who have at least a basic understanding of
what to do. Plus everyone knows you can call a mechanic. Computers don't
have this infrastructure or basic permeated understanding yet; to most
people they are a magic box that flashes things on the screen-thingy. Most
have no idea that windows-update exists and wouldn't understand what it
does, and, just as important, don't know anyone who can tell them. Their
question is: "what do I need to click on to fix it?"


Greg

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 14 August 2003 14:17
To: St. Clair, James
Cc: '[EMAIL PROTECTED] '
Subject: RE: How much longer..



On Thu, 14 Aug 2003, St. Clair, James wrote:

 Cars did not become more popular because owners had to learn how to swap
 more parts. 

The good ole computers as cars metaphor.  In the UK:
 
1) In order to drive a car, you have to have a license.

2) In order to have the car on the road, you have to have it taxed and 
have a qualified mechanic certify it for basic road worthiness.

Neither of these rules currently applies to computers.  Maybe they should.

Rich


Vodafone Global Content Services Limited 
Registered Office:  Vodafone House, The Connection, Newbury, Berkshire  RG14 2FN

Registered in England No. 4064873 

This e-mail is for the addressee(s) only.  If you are not an addressee, you
must not distribute, disclose, copy, use or rely on this e-mail or its
contents, and you must immediately notify the sender and delete this e-mail
and all copies from your system.  Any unauthorised use may be unlawful.  The
information contained in this e-mail is confidential and may also be legally
privileged.



RE: How much longer..

2003-08-14 Thread Scott Weeks



On Wed, 13 Aug 2003, Fred Baker wrote:

: attacked UNIX systems. I'm no friend of Windows either, but a little
: humility is in order. Windows is attacked because it is ubiquitous, not
: because it is vulnerable. If the whole world ran Linux, the attacks would


I think that'd be only partially correct.  I think it's also because
they're a monopolistic corporate bully and they have a large installed
base of pissed-off-at-them people due to that bully attitude.

scott

RE: How much longer..

2003-08-14 Thread Ejay Hire

From my perspective, I don't care what defective operating system a worm
uses.

If a malevolent worm is spreading via a vulnerability in IIS and I can
keep from answering support calls by blocking it at the edge I will.  If
one of the 31337 crowd ever catches a clue and launches a worm that
spreads via the OpenSSH vulnerability, I'll block that too.  My
objective in blocking is not to bail Microsoft out, my objective is to
make sure the people I work with can accomplish useful work and don't
have to spend days repeatedly explaining how to download a patch and
remove msblast.exe.

For the record, I have two folders that catch Microsoft security
bulletins and Red Hat package update notifications.  Right now the score
is close at MS 12 vs RH 9.

-e

-Original Message-
From: Len Rose [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 12:26 PM
To: *Hobbit*
Cc: [EMAIL PROTECTED]
Subject: Re: How much longer..


Hi.. just think if the billions of dollars being spent on M$
products could have been funneled into open source projects.

To reinforce the point in the most blunt manner possible:

No one had ever better dare postulate that the inherent reason
for all of the vulnerabilities in Micro$oft products is due
to any special features of note.

There is no particular network-enabled feature that Windows has 
that UNIX didn't implement years before and has done so securely 
following established internet design standards adopted by the 
ruling standards body (IETF) after intense study and open participation
from all parties who were interested. 

Now knee-jerk reactions by various network operators are to
filter, filter, filter and soon, by the grace of a piece of
crap operating system you'll have a much more limited internet
to work with because for Micro$oft's sake they've filtered everything.

What makes it all ironic is that you can directly thank Micro$oft if
the governments decide to pass more draconian laws, even further
criminalizing activities which were considered marginally criminal to
begin with.

Instead of subsidizing the monopoly, keeping sub-standard operating
systems alive, they should fine them billions of dollars for the
cost of repairing damages, managing overloaded network and system
infrastructures (due to the effects of the latest vulnerability).

The governments should cease using all Micro$oft products and go
back to UNIX which can easily be transformed into a friendly
operating system for business users (it already has been, of course).
For the millions of dollars that are spent buying this fake operating
system with its fake applications the government could subsidize
development of open software whose quality and security would far
exceed that of the closed source garbage that has become standard
in today's offices.

Their operating systems were a joke 10 years ago, and they're still
a joke today. The people administering these systems need to start
learning UNIX and colleges need to go back to teaching computer
science based around a real operating system. It's embarrassing
for a recent graduate to only know how to point and click while
UNIX hackers are unemployed thanks to the disease that is called
Micro$oft.

Not to mention watching weeks of Micro$oft admins wondering publicly
on Full Disclosure (soon to be renamed Microsoft Whining and Crying)
what to do about their systems that they can't protect because those
systems are rotten to the core with garbage code written by fake
programmers who were trained by universities who use Micro$oft operating
systems to teach their curriculum and who are managed by ex-VMS
programmers (Uncle Bill hired them to write Windows code).


On Wed, Aug 13, 2003 at 11:42:59AM +, *Hobbit* wrote:
 I often ask the larger question, how long will it take for millions
 of people to realize that having to deal with winbloze has completely
 *derailed* their careers for the last ten years, when they could have
 been doing so much more productive things on their jobs?
 
 But evidently most of them can't think that deep, and get all defensive
 about it.
 
 If all those people had been contributing to free and better replacements
 in the linux/bsd/open-source arena, we'd be *so* much farther ahead,
 and would have saved countless dollars that are now in Bill's pocket.
 
 _H*



RE: How much longer..

2003-08-14 Thread Andrew Staples

 McBurnett, Jim [EMAIL PROTECTED] wrote:
 
 OK..
 I have lurked enough on this one..
 $60 Billion plus for microsoft..
 and 600 millions lines of code.
 thousands of employee programmers...

Brooks' Law (in its various forms) applies to software houses, not open
source projects.  Since open source (rarely|never) commits to a
schedule/deadline, GNU projects accomplish what Microsoft et al. will never
be able to as their products bloat. (for case study consider RH Linux 4.0 in
1996)

IMHO,
Andrew



RE: How much longer..

2003-08-14 Thread McBurnett, Jim

OK.. 
I have lurked enough on this one..
$60 Billion plus for microsoft..
and 600 millions lines of code.
thousands of employee programmers...

$1 million for *NIX
less than a million lines of code.
rewritten on a whim, and source given to
millions.. 
Bugs will be found and squashed easier.
Less code, more eyes. and less complex.
Less market, less users, less interest for hackers

5 less than statements for *NIX and how many more 
statements for Micro$oft?

This is like trying to compare the towing capacity of
a car to a turbo diesel pickup.
there is no comparison...
I don't care if Microsoft spends $600 Million a year,
there will always be bugs.

If a software package was perfect or a network was perfect how many
of us would have jobs?
Nothing in this world is perfect, and complaining about it does
absolutely no good.

J

-Original Message-
From: Charles Sprickman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 4:30 PM
To: Crist Clark
Cc: [EMAIL PROTECTED]
Subject: Re: How much longer..



On Wed, 13 Aug 2003, Crist Clark wrote:

 Attacks _are_ on Linux machines. There have been Linux worms, Lion attacked
 BIND, Ramen attacked rpc.statd and wu-ftpd, Slapper attacked Apache, to
 name a few. Attacks are on Solaris, the sadmind/IIS worm (which also attacked
 IIS, a cross-platform worm, remember that, cool, huh?). Attacks are on FreeBSD,
 Scalper worm attacked Apache.

 How soon people seem to forget these things.

No, I don't think people are forgetting, but what Len was originally
pointing out is that Microsoft, *because* of their vast install base
*needs* to take a more proactive role in producing a secure OS.

And the reason you can call it a toy OS is that on one hand you have
*BSD, Linux and friends all with an annual budget of what, maybe $1M?  And
on the other hand you have a multi-billion dollar *software* company.

Which should churn out better software? :)

Charles

 To pound it home one more time, worms that attack Microsoft products are a
 bigger deal only because Microsoft has at least an order of magnitude greater
 install base than the nearest competitor.
 --
 Crist J. Clark   [EMAIL PROTECTED]
 Globalstar Communications(408) 933-4387