posted by janrinok on Sunday October 31 2021, @11:45AM
from the it's-deja-vu-all-over-again dept.

Back in 1998, Paul Strassmann, a former CIO of Xerox, NASA, and the US Department of Defense, wrote in Computerworld about how Microsoft's overly complex, defective, and vulnerable systems were already a threat to national security even back then. The intervening time has shown Strassmann to have been more than correct, as the problems he identified with Microsoft and its products worsen monotonically. Mitchel Lewis writes a guest post at Techrights about the current situation and how Microsoft remains a threat to national security and to the systemic reliability of our computer-based society today:

That said, I think enough time has elapsed to confirm that Paul Strassmann is an authority on such matters and that Microsoft is precisely who he said they were. Further and with hindsight in our pocket, it seems as if Microsoft was merely projecting when they said Strassmann's paper was flawed and that he made errors in analyzing the state of computer security and its causes in light of their 95–99% monopoly on ransomware infections alone and that ransomware is already considered to be a national security threat.

[...] However, I'd like to think that Microsoft would get creative if the government were to sanction Microsoft by allowing citizens and businesses impacted by ransomware to bill Microsoft for the cost of the ransom and their losses in productivity. And although Microsoft cannot be faulted for the attacks, they can be faulted for their shit-in-hand approach to quality and security, while sanctioning them until they actually take a common-sensical approach to quality and security appears to be the simplest means of combating ransomware and mitigating the threat it poses to our national security.

While 2% of known ransomware affects Android, which makes up 72% of the mobile market and 41% of all clients, the rest is for Microsoft's product line, which weighs in at 32% of the market nowadays. So far Microsoft's response has been weak and based on strawman fallacies, with the occasional feeble ad-hominem fallacy thrown in.

Previously:
Many posts about Windows ransomware
(2021) The State Department and Three Other US Agencies Earn a D for Cybersecurity
(2016) DNC Creates A 'Cybersecurity Board' Without A Single Cybersecurity Expert
(2016) Execs: We're Not Responsible for Cybersecurity



Related Stories

Execs: We're Not Responsible for Cybersecurity

Now this is scary. CNBC has a story posted: Execs: We're not responsible for cybersecurity. The story was posted on April 1, but I do not think this is a joke.

More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.

More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq.

"I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cybersecurity or protecting the customer data," Damato told CNBC's "Squawk Box". ...

"As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now," he said.

I suppose I should not be surprised, but I find it absolutely appalling that there could be this level of active ignorance at such a high level in an organization. What would it take to make said "leaders" actually care about security?

Current practices of providing a year or two of credit monitoring seem woefully inadequate compensation. What if the affected company had to make an actual cash payout of, say, $500 to every person who had their personally identifiable information (PII) compromised? Treble that amount if the notification is not "timely"?



DNC Creates A 'Cybersecurity Board' Without A Single Cybersecurity Expert

Submitted via IRC for TheMightyBuzzard

The Democratic National Committee (DNC), still reeling from the hack on its computer system that resulted in a bunch of leaked emails and the resignation of basically all of its top people, has now created a "cybersecurity advisory board" to improve its cybersecurity and to "prevent future attacks."

"To prevent future attacks and ensure that the DNC's cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field," interim DNC Chairwoman Donna Brazile wrote in a memo. "The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces—today and in the future."

Sure. That sounds like a good idea. But, then there's this:

Members include Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter; Aneesh Chopra, co-founder of Hunch Analytics and former chief technology officer of the U.S.; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor.

[...] But none of them are actual cybersecurity experts. I have no problem with these people being on this advisory board, but it's insane to put together a cybersecurity advisory board that doesn't include at least a single (and probably more) actual technologist with experience in cybersecurity.

Source: https://www.techdirt.com/articles/20160815/09190935246/democratic-national-committee-creates-cybersecurity-board-without-single-cybersecurity-expert.shtml



The State Department and Three Other US Agencies Earn a D for Cybersecurity

The State Department and 3 other US agencies earn a D for cybersecurity:

Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee.

"It is clear that the data entrusted to these eight key agencies remains at risk," the 47-page report stated. "As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."

The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner.

The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies—including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education—failed to protect sensitive information they stored or maintained.

New US Department of Defense Guidelines Promote FOSS

Late last month the US Department of Defence (DoD) published a memorandum on software development (warning for PDF). It focuses specifically on Open Source Software (OSS), though it misses the fact that OSS can also be commercial in nature.

A. The Department must follow an "Adopt, Buy, Create" approach to software, preferentially adopting existing government or OSS solutions before buying proprietary offerings, and only creating new non-commercial software when no off-the-shelf solutions are adequate.
(1) OSS meets the definition of "commercial computer software" and therefore, shall be given equal consideration with proprietary commercial offerings, in accordance with Section 2377 of Title 10, U.S.C. (reference (e)) (see also FAR 2.101(b), 12.000, 12.101 (reference (f)); and DFARS 212.212, DFARS 208.74, DFARS 227.7202, and 252.227-7014(a)(1) (reference (g))).
 
(2) In accordance with FAR 13.104, (reference (h)) refusal to consider all OSS based solely on software being open source may be contrary to statutory and regulatory preferences for commercial products, and would unnecessarily restrict competition. OSS should be considered to the maximum extent practical.
  • (Score: 3, Insightful) by Anonymous Coward on Sunday October 31 2021, @12:06PM (10 children)

    by Anonymous Coward on Sunday October 31 2021, @12:06PM (#1192172)

    All you can do is make it more trouble than it is worth to find a way in.

    One way is to provide a lot of low hanging fruit in other folks systems. (Might say Msoft provides a public service?)

    Another way would be to actually secure the system.

    I wonder if that is even possible at this point.

    A simple kernel and CPU without side channels seems reasonable even if there isn't one with performance yet.

    Network and security stack is more complicated, but maybe.

    Web browser looks hopelessly complex. (Even without a plugin for every media type known to man?)

    Perhaps a first goal should be to make something small and tight for SCADA/IOT stuff.
    Then try to get it to support a really tight sandbox which can safely run the bad guy's code.
    (To be tight, it needs to be simple. Using the browser as the sandbox seems a useful layer, but not trustworthy.)

    The economics of the WWW is built on other folks running code on your computer, so it seems fundamentally hard to make secure from the start.

     

    • (Score: 3, Informative) by Anonymous Coward on Sunday October 31 2021, @01:15PM (9 children)

      by Anonymous Coward on Sunday October 31 2021, @01:15PM (#1192184)

      Web browser looks hopelessly complex. (Even without a plugin for every media type known to man?)

      Well, I use seamonkey (remember the old netscape/mozilla suite, that thing). And while I know it has been lacking sufficient development to keep up with the "latest and improved", I noticed in the past few months more and more sites stop working with it, due to some JS things... while these things could have been done just as well in HTML/CSS.

      It seems like everyone is dropping standards for the new and latest to a point that only a few browsers (each with their own implementations) work, instead of having something that works for everybody.

      • (Score: 4, Interesting) by choose another one on Sunday October 31 2021, @02:07PM (7 children)

        by choose another one (515) Subscriber Badge on Sunday October 31 2021, @02:07PM (#1192190)

        I see the same on some older platforms/devices.

        These days "some JS things" typically means xxMB of JS framework(s)-de-jour, which the site developer doesn't have to (and so won't) understand the internals of, and they use it so they don't have to understand raw HTML/CSS either - and even if they do, CSS has become insanely complex and is only partially implemented in most (if not all) browsers. Usually nothing the site developer has done will break the site in an older-or-rare browser, it's the framework, all the dev will have done is update the framework to latest-and-greatest (very probably to fix a security issue...) and bang, new framework version breaks on your browser. Thus you will find that several or many sites will break in similar ways at around the same time - because they use same framework.

        How many platforms/browsers should site devs be testing on, what is reasonable, 5?, 10?

        OTOH you'd probably start with:

        Windows - Chrome, Firefox, Edge?
        MacOS - Safari, Chrome, Firefox
        Android - Chrome, Firefox
        iOS - Safari
        Linux, maybe - chrome? Firefox?

        -and you're over 10 already.

        Maybe library/framework devs should test more platforms, maybe they do, but even then if your browser choice is down somewhere in the "other" market share slot, you are SOL.

        It isn't really "dropping standards", it is frantically iterating to try and keep _up_ with (ever more complex) standards and backwards compatibility with stuff that <1% use is collateral damage. It won't change until web standards actually stabilise for several years (and at a complexity level far less than they are now....) and everything implements everything. Not holding my breath for that.

        • (Score: 1, Insightful) by Anonymous Coward on Sunday October 31 2021, @03:06PM (6 children)

          by Anonymous Coward on Sunday October 31 2021, @03:06PM (#1192200)
          I've been showing people how to disable javascript for a while, and they like the battery and bandwidth savings. It's not like all sites need javascript (fmylife.com and the guardian and the local news media work better without it - zero ads, no auto play videos (or any videos), no social media).

          When your monthly mobile data plan suddenly actually lasts a month despite near constant use and your battery is suddenly back to "all day", it's a good thing.

          There's probably a market for a barebones browser that doesn't support javascript, the more stupid things like css overrides of user preferences, and the ability to ignore video, images, emojishit, and unicode.

          • (Score: 2) by Runaway1956 on Sunday October 31 2021, @03:55PM (5 children)

            by Runaway1956 (2926) Subscriber Badge on Sunday October 31 2021, @03:55PM (#1192217) Journal

            Disabling javascript disables a site? Cool. Time to close the tab and move on. Load your browser up with all the necessary adblockers and malware blockers and javascript blockers and cross-site scripting blockers and tracker blockers, and whatever else you like. When you find a broken site, just quietly leave, and don't look back. If everyone would do that, the web designers would get their act together within the week.

            "Hey, Boss - we've had 12 million unique visits today, and more than 11 1/2 million were blocking javascript. Only 1/4 million turned javascript on to see our page! We need to abandon javascript!"

            Unfortunately, not enough people know or care.

            • (Score: 1, Informative) by Anonymous Coward on Sunday October 31 2021, @04:06PM (4 children)

              by Anonymous Coward on Sunday October 31 2021, @04:06PM (#1192221)
              With javascript disabled you don't need ad blockers. You also don't need blockers to disable trackers - they're written in javascript. So stop wasting cpu with fallible blockers that need to be constantly updated.
              • (Score: 2) by RS3 on Sunday October 31 2021, @06:34PM (3 children)

                by RS3 (6367) on Sunday October 31 2021, @06:34PM (#1192258)

                Generally I agree, but submit: with javascript OFF, the blockers probably don't run either. And even if they do, there's so little for them to do, unless they're spy-ers themselves, they should be fairly CPU quiet.

                From what I observe and conclude, the plugins / extensions each run as a separate Windows process, and certainly you can generally get stats on browser internal processes. And it's pretty easy to turn them on and off.

                However,

                We need better network monitoring utility / metrics. I use some, but it's not as easy as I'd like, to find out which process is talking to which IP addresses, and what kind of traffic it is. And then in that same utility: a checkbox to click to block traffic to that IP address. I know it can be done by editing hosts, firewall rules, etc., but it'd be nice if it's all in one utility. Maybe something already exists?

                • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @07:15PM (2 children)

                  by Anonymous Coward on Sunday October 31 2021, @07:15PM (#1192267)
                  The only ads you'll see with javascript off are those physically written as part of index.html / index.php, index.whatever. 3rd party ad servers depend on javascript to serve ads dynamically. Same with browser fingerprinting - no javascript, no fingerprinting. And all the scripts that tattle on you to facebook, etc., when their social media sharing icons first load don't work either.

                  Without javascript all you see is first-party ads - and since everyone now depends on ad networks, that means no ads, and if you're using the latest iOS not even tracking by embedding advID in the main page url (it's stripped out - facebook threatened to sue over this because it seriously damages their ad revenue).

                  • (Score: 3, Insightful) by RS3 on Sunday October 31 2021, @08:36PM (1 child)

                    by RS3 (6367) on Sunday October 31 2021, @08:36PM (#1192288)

                    In late '90s I discovered javascript and all of the evil it can do. I ranted against it on green site in 1998, hoping techs / developers would nip it in the bud, but sadly they saw $, ignored me, and we have the horrific mess that much of the web has become today.

                    Around that time I discovered Opera browser, and that it allows you to globally turn javascript off, and set up per-site profiles that among many things, turn javascript on for a given site. I still use Old Opera every day (12.18- Presto, not Blink).

                    • (Score: 0) by Anonymous Coward on Monday November 01 2021, @06:40PM

                      by Anonymous Coward on Monday November 01 2021, @06:40PM (#1192533)

                      JS may permit some real horrors, but it enables a lot of really useful stuff too. I don't see a great solution but JS isn't going away. Browsers should focus more on security features to make filtering bad JS easier, and give warnings when certain functionality is triggered. Site saving data on my computer? Popup warning at least! Make browser standard options to filter out 3rd party assets and other easy to use tools for handling content permissions. Plugins are great, but the majority of users do not know about script blockers, etc.

      • (Score: 2) by DeVilla on Saturday November 20 2021, @02:49AM

        by DeVilla (5354) on Saturday November 20 2021, @02:49AM (#1197979)

        It seems like everyone is dropping standards for the new and latest to a point that only a few browsers (each with their own implementations) work, instead of having something that works for everybody.

        That is the standard. HTML5 is a "living standard", which means the standard is whatever works with the latest and greatest versions of the major browsers. The open source community is lucky Mozilla still has a seat at the table, and that's only because they've proven that they are willing enough to surrender their principles for things like DRM/EME and that they are too resource starved and distracted to try to push any kind of a meaningful community agenda.

  • (Score: 3, Insightful) by Anonymous Coward on Sunday October 31 2021, @12:55PM (9 children)

    by Anonymous Coward on Sunday October 31 2021, @12:55PM (#1192180)

    They have no incentive to change. It's that simple.

    • (Score: 5, Insightful) by canopic jug on Sunday October 31 2021, @01:19PM (8 children)

      by canopic jug (3949) Subscriber Badge on Sunday October 31 2021, @01:19PM (#1192185) Journal

      As long as ppl keep buying MS's OS...

      There's a surprising amount to unpack there in that statement. It's not a choice the public can make easily, it's not offered and even if one knows it is a lot of expense and effort. Even though they no longer have a client system monopoly they do have a monopoly on the Original Equipment Manufacturers (OEMs) still and with the state of the US DoJ being the way it is, and with its few remaining resources being tied up with Google / Alphabet (though rightfully so), there is no chance of that monopoly going away any time soon. So people will keep buying that crap.

      M$ has only about 32% of the client / desktop market [statcounter.com], if one counts smartphones and tablets. They are a no-show in supercomputing, mobile phones, and embedded systems. They killed off the netbook market completely, and they are an "also ran" in servers. Even if the scope is limited to just desktops they are at under 75% market share, which is far below the critical mass of high 80s which they need to retain a monopoly. But, there is a catch, and it's a big one.

      They still have a lock on as good as 100% of the x86 desktop and notebook computer original equipment manufacturers, and those are about all you will find at any big box store. On those it is all but impossible to actually buy desktop or notebook hardware without some Vista10 or Vista11 infestation. Very recently it is even getting harder to find x86 hardware which will allow the OS to be replaced. TPM and UEFI are part of that. So, with it being all but impossible to get a non-M$ system off-the-shelf and with it getting much harder to replace the pre-installed operating system, the OEM monopoly matters a lot.

      However, that is about the desktop. Despite being an "also ran" in the server department, the noise and damage they cause in that space gives them an outsized presence there. Cleaning M$ off of any and all servers would give the best return on effort and address many of the problems raised by Strassmann and Lewis.

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 0, Disagree) by Anonymous Coward on Sunday October 31 2021, @02:43PM (4 children)

        by Anonymous Coward on Sunday October 31 2021, @02:43PM (#1192197)

        m$ might be crap but before linux it was the only game in town. even mac's back then cost more.
        also before internet, it was fun!

        • (Score: 3, Insightful) by RS3 on Sunday October 31 2021, @06:48PM

          by RS3 (6367) on Sunday October 31 2021, @06:48PM (#1192260)

          m$ might be crap but before linux it was the only game in town.

          You're quite wrong, but M$ salespeople did a great job of making people think there were no alternatives, or that they cost much more to buy and administer. Novell comes to mind, and the various Unix versions, including MS's version of Xenix, Banyan Vines, and I know there are many more and I'm too lazy to do a simple search. I did a good bit of Novell back in the day and it was awesome. Most efficient server OS I've ever seen. QNX was probably more efficient, but not generally used as a server OS (probably could/should have been). Of course to achieve that efficiency, Novell pretty much turned off x86 memory protection, which cuts way down on CPU cycles per operation, but server drivers and loadable modules had to be very clean code.

          M$ might have been cheaper in the short run, but ...

        • (Score: 5, Informative) by PinkyGigglebrain on Sunday October 31 2021, @08:08PM

          by PinkyGigglebrain (4458) on Sunday October 31 2021, @08:08PM (#1192278)

          DR-DOS, N-DOS, OS2, BSD, UNIX, and WarpOS also come to mind.

          MS was not the "only game in town". But MS did everything they could to undermine and destroy everything else in the market and bury knowledge of their existence.

          --
          "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
        • (Score: 1, Informative) by Anonymous Coward on Sunday October 31 2021, @11:30PM (1 child)

          by Anonymous Coward on Sunday October 31 2021, @11:30PM (#1192322)

          I still say that the Amiga will rise again.

          • (Score: 1, Funny) by Anonymous Coward on Monday November 01 2021, @12:57AM

            by Anonymous Coward on Monday November 01 2021, @12:57AM (#1192343)

            It just needs a little blue pill, right?

      • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:02PM (2 children)

        by Anonymous Coward on Sunday October 31 2021, @04:02PM (#1192220)

        On the basis of TCO, apple has been cheaper for decades. If you want an x86 laptop that will last a decade, you're going to spend the bucks (unless you buy a plain jane lower-midrange laptop using commodity parts that just lasts and lasts because it's not trying to be cutting edge performative).

        iPhone 6 still gets updates, iPhone 7 still runs the latest and greatest iOS 15 release. And unlike in the x86 space, more than a half decade of updates hasn't slowed it, despite adding features.

        Try that with Android, Windows, or linux (which has become a real pig).

        FreeBSD still beats the shit out of linux. There's a reason - lack of fragmentation - FreeBSD is 75% of the *BSD market.

        Fragmentation sucks.

        • (Score: 2) by hendrikboom on Sunday October 31 2021, @10:17PM

          by hendrikboom (1125) Subscriber Badge on Sunday October 31 2021, @10:17PM (#1192315) Homepage Journal

          linux (which has become a real pig)

          Very much depends on which Linux you get.
          Some are real pigs.
          Some are demure, minimal, performant, and useful.

          -- hendrik

        • (Score: 2) by stretch611 on Monday November 01 2021, @04:12PM

          by stretch611 (6199) on Monday November 01 2021, @04:12PM (#1192488)

          linux (which has become a real pig).

          *cough* System-D *cough*

          --
          Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 5, Insightful) by martyb on Sunday October 31 2021, @01:20PM (48 children)

    by martyb (76) Subscriber Badge on Sunday October 31 2021, @01:20PM (#1192186) Journal

    Background: I have a couple decades' experience reviewing and testing a large variety of computer applications and system software.

    I have yet to see ANY code that has NO bugs.

    I have seen many instances of "BaD" code — as in "Broken as Designed". Extensive review of Design-, Logic-, Functional-, and Implementation Specifications (as well as the ensuing code) are no guarantee that you have a bulletproof system. In my experience, errors always slip through except for possibly the most trivial "Hello World" implementation.

    It is easy to throw shade on the 800 pound gorilla, Microsoft, but there are countless other creators of hardware, firmware, and software. Do they get a free pass? Are they also to be held to the same exacting standards? (Think open source as well as Adobe, Alphabet, Android, Apple, and all the other letters of the alphabet). Never mind implementations in different languages!

    Don't get me wrong — I think the goal of much more reliable and trustworthy systems is laudable. Unfortunately, fallible humans are involved so mistakes will be made. And further, striving for that ideal would make anything produced much MUCH more expensive. Who would pay $10,000 for their next bare-bones cell phone?

    --
    Wit is intellect, dancing.
    • (Score: 5, Interesting) by RedGreen on Sunday October 31 2021, @02:19PM (1 child)

      by RedGreen (888) on Sunday October 31 2021, @02:19PM (#1192194)

      The straw man rears its ugly head again, the everybody does it garbage. Sure there are many useless morons in the computer industry without a clue to do anything right, but the rot starts at the top. With their shining example to lead by, Microsoft produces trash and continues on its merry way infesting all before them. At least them assholes get nowhere near our phones; there you only need worry about the apps installed, as most times the underlying OS is mostly secure. And I have over 40 years working and playing on these things under my belt, and Microsoft has been junk from the beginning of it.

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
      • (Score: 0) by Anonymous Coward on Monday November 01 2021, @04:19AM

        by Anonymous Coward on Monday November 01 2021, @04:19AM (#1192374)

        A fair bit of ransomware doesn't need admin/root access; it just needs the same access as the user running it to encrypt that user's documents.

        So even if Windows was replaced by Desktop Linux the same idiots who install bad apps on their phones would probably run ransomware. Heck in the past there was malware that spread via emailed password locked zipfiles, people had to enter the password in the email to decrypt the zipfile and too many still did it...

        A lot of ransomware doesn't need any exploit other than convincing the user to download and run it.

    • (Score: 3, Insightful) by garfiejas on Sunday October 31 2021, @02:22PM (15 children)

      by garfiejas (2072) on Sunday October 31 2021, @02:22PM (#1192195)

      You're right; technically it isn't possible. I'd suggest this is a civics problem: enforce warranties on software, to give customers (spec consumers, businesses should know better) a legal right to that software not failing for a certain period.

      Most devices are a mix anyhow; it may slow down the current "fix on fail" out on the field and make others think twice about releasing software they know is under-tested for critical parts of a consumers machine, i.e. the OS etc

      Give it a year or two to settle down, a few class actions and we'll likely see a better playing field at least where cutting corners shipping it and be damned have financial consequences....

      • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @02:53PM (14 children)

        by Anonymous Coward on Sunday October 31 2021, @02:53PM (#1192198)

        Pure stagnation would result.

        • (Score: 5, Interesting) by canopic jug on Sunday October 31 2021, @03:08PM (10 children)

          by canopic jug (3949) Subscriber Badge on Sunday October 31 2021, @03:08PM (#1192201) Journal

          Pure stagnation would result.

          Not necessarily. Warranties or liability for software could actually be useful with certain conditions. Dan Geer discussed in 2014 how to approach the problem by making software and software+hardware obligated to conform to standard warranties or else provide full source code access such that end users or groups of them can make the necessary repairs. Either way the repairs get done.

          > And that is it really: Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves. The current situation -- users can't see whether they need to protect themselves and have no recourse to being unprotected -- cannot go on. We prefer self-protection (and fast recovery), but other's mileage may differ.
          >
          > Would it work? In the long run, absolutely yes. In the short run, it is pretty certain that there will be some nasty surprises as badly constructed source code gets a wider airing. The FOSS community will, in parallel, have to be clear about the level of care they have taken, and their build environments as well as their source code will have to be kept available indefinitely.
          >
          > The software houses will yell bloody murder the minute legislation like this is introduced, and any pundit and lobbyist they can afford will spew their dire predictions that "This law will mean the end of computing as we know it!"
          >
          > To which our considered answer will be:
          >
          > Yes, please! That was exactly the idea.

          -- Dan Geer on Cybersecurity as Realpolitik [tinho.net]: http://geer.tinho.net/geer.blackhat.6viii14.txt [tinho.net]

          There's a video of his talk floating around somewhere, but the above link is to the official text and is quite hard to find. For some reason it appears to not be in the search engine indexes.

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 0, Troll) by Anonymous Coward on Sunday October 31 2021, @07:07PM (3 children)

            by Anonymous Coward on Sunday October 31 2021, @07:07PM (#1192265)

            If bug-free software is easily do-able, why does open source get a pass? Why can't open source projects make that guarantee? Sounds like a case of laws for thee but not for me.

            • (Score: 3, Funny) by FatPhil on Monday November 01 2021, @10:19AM (2 children)

              by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday November 01 2021, @10:19AM (#1192411)
              > If bug-free software is easily do-able

              Nobody was claiming that it is. Therefore everything that follows your false predicate is irrelevant.
              --
              Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
              • (Score: -1, Troll) by Anonymous Coward on Monday November 01 2021, @01:58PM (1 child)

                by Anonymous Coward on Monday November 01 2021, @01:58PM (#1192452)

                Sounds like you wanted a way to get out of having to address the rest of the argument, non-anonymous coward.

                • (Score: 2) by FatPhil on Tuesday November 02 2021, @05:27AM

                  by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday November 02 2021, @05:27AM (#1192670)
                  Not at all. But the new point was not a logical response to the post it was a reply to, it was strawmanning. I just called it out as such.

                  Make the point clearly without using logical fallacies, and it can be discussed logically.
                  --
                  Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 1, Informative) by Anonymous Coward on Sunday October 31 2021, @07:39PM (1 child)

            by Anonymous Coward on Sunday October 31 2021, @07:39PM (#1192272)
            Dan Geer is full of shit. Making something open source has been proven to not be a panacea for security bugs. "More eyes make all bugs shallow" didn't fix any of the security bugs in linux that were in plain view for more than a decade but only got fixed in a panic once they were exploited.

            Education - both of users and coders - is a better solution. Banning javascript would be the quickest way to greatly increase internet security. And stop sticking shit on the cloud, where a single breach can affect hundreds of millions.

            • (Score: 4, Insightful) by FatPhil on Monday November 01 2021, @10:21AM

              by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday November 01 2021, @10:21AM (#1192413)
              Any solution that relies on educating users is bound to fail.

              Any solution that relies on educating coders is bound to price educated coders out of the market, flooding it with cheaper ill-educated ones.
              --
              Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by garfiejas on Sunday October 31 2021, @07:45PM (2 children)

            by garfiejas (2072) on Sunday October 31 2021, @07:45PM (#1192274)

            Thanks; I was thinking of a consumer warranty more in line with a standard electronics warranty - I don't see consumer electronics or white goods stagnating though EU law states a minimum of two year warranty (up to six or more in the UK) - in that it does what I paid for it to do; if I didn't pay for it directly - or indirectly - there would be no implied warranty - so Open Source wouldn't be affected - I do see a proliferation of EULAs and Software as a Subscription with consumer electronics, to try to end-run my legal rights; if it - say a fridge, they have a ton of (needless) software in them nowadays - somehow breaks, fix it - for free - during the warranty period; if it goes down - and the fridge takes my network or my laptop offline - compensation or small claims court - the vendor's choice... enough fridges break people's networks, class action; rinse/repeat - eventually commercial developers will get the message...

            • (Score: 2) by Joe Desertrat on Tuesday November 02 2021, @08:40PM (1 child)

              by Joe Desertrat (2454) on Tuesday November 02 2021, @08:40PM (#1192854)

              > Thanks; I was thinking of a consumer warranty more in line with a standard electronics warranty - I don't see consumer electronics or white goods stagnating though EU law states a minimum of two year warranty (up to six or more in the UK) - in that it does what I paid for it to do; if I didn't pay for it directly - or indirectly - there would be no implied warranty ...

              The problem is in defining what "it does what I paid for it to do" actually means. When one installs software, are they going to use it solely to do a simple defined task? If it is complex software that can do multiple things, at what point is it determined that one is exceeding what they paid for it to do?

              > I do see a proliferation of EULAs and Software as a Subscription with consumer electronics, to try to end-run my legal rights; if it - say a fridge, they have a ton of (needless) software in them nowadays - somehow breaks, fix it - for free - during the warranty period; if it goes down - and the fridge takes my network or my laptop offline - compensation or small claims court - the vendor's choice... enough fridges break people's networks, class action; rinse/repeat - eventually commercial developers will get the message...

              How does one determine that it is the fault of the device being on their network or one's own crappy network security? The whole "Internet of Things" paradigm seems broken to me from the start. I can't really see any reason for these items to be communicating anything over the internet that is better than them not being able to communicate over the internet. Even a car does not really need this, let alone a refrigerator or a toaster. Alert vendors that repairs are needed? A simple panel or lights on the device can alert the consumer they need to run a check. I can't help but feel it is all solely for the purpose of more data gathering from the supposed consumers.

              • (Score: 2) by garfiejas on Sunday November 07 2021, @01:41PM

                by garfiejas (2072) on Sunday November 07 2021, @01:41PM (#1194427)

                > The problem is in defining what "it does what I paid for it to do" actually means.

                That's a really interesting thing, one, I don't think that's a technical question - more a legal one esp in light of warranties, our law courts deal with this kind of uncertainty all the time, in fact I would say the adversarial system (UK/US/NZ/OZ/Canada etc) is ideally placed to deal with this rapidly, they just need the blue touch paper (laws) - and two, it expects someone to define what that software actually does - in terms that a layperson would understand, again this would be a legal thing - the current position "it can do anything" and "you have no legal rights" because "EULA" just isn't tenable anymore, it harks back to the Arpanet - actually it harks back to the 19th century and the bleeding edge of the railways (https://en.wikipedia.org/wiki/Tay_Bridge_disaster) costing people's lives; if we want software engineering to be just that - engineering - engineers and architects and the companies that build the stuff have to step up to the plate and act like all the other engineers on the planet - stand behind your product as a first step, this will need to be legally enforced (warranties) and require our politicians to grow a pair, so maybe a pipe-dream...

                > How does one determine that it is the fault of the device being on their network or one's own crappy network security? The whole "Internet of Things" paradigm seems broken to me from the start.

                I'd suggest it would work the same way British Telecom (phones) do faults; there's obvious telemetry from their back end network (it doesn't switch on/blue/black/pink screen) and then there's digital plumbers/client engineers - these folk will cost you up to $$ if they don't find a fault after a visit to your home (i.e. you've wired the kettle into the phone socket), I can imagine an entire industry - from installation, recommending what's the best, cost, features/security - and a mountain of tooling/diags - getting folks working, fixing faults - as a dev outsourcing my software product warranty care to a client facing firm, just like (good) consumer "white goods" electronics works now (Dyson/AEG/Miele etc)... at the moment that software "care ecosystem" is just a money sink/scam/malware - for a software/hardware/IoT company it would be a differentiator (like Apple) but usually a disaster/way to rapidly exit the building - unless legally enforced with warranties on all players - then not doing it would be a risk/reward calculation - and as the grandparent suggests - a way to get people to - eventually - write better - more secure software.

                On the whole IoT, I'm with you, the concept of Zero Trust https://en.wikipedia.org/wiki/Zero_trust_security_model [wikipedia.org] should work both ways; data should not be shared by default, some data - the stuff in your house - should never be shared; Edge should be the devices you can touch - as all IoT will/can be broken at some point in the future - no networked device can be secure over an undefined time; Governments pretend to be powerless, whilst companies - like Facebook/Oracle - create profiles on everyone on the planet and sell them to anyone in the name of $$, the second half of this decade is not going to be pleasant.

          • (Score: -1, Troll) by Anonymous Coward on Monday November 01 2021, @09:44AM

            by Anonymous Coward on Monday November 01 2021, @09:44AM (#1192406)

            Do you SERIOUSLY think that any sane FOSS developers in the US would continue their work under these circumstances? Especially having to keep around the software indefinitely. By making a contribution, you are opening yourself up to liability indefinitely if you made a mistake in describing your "level of care" (which might open you up to further liability if case law so dictates, remember it just takes a few tech-illiterate or politically-minded judges for THAT), and are committing to keep the software available in perpetuity at your own expense. For many volunteers it turns from a gratis contribution to an active, life-long burden.

            It also ensures anyone who actually makes a fix and shares it will be under the same burden to keep that patch around for the rest of their lives, lest they be sued into the ground for breach of warranty if it fails for someone.

            This will make it quite certain that only FOSS initiatives with the support of large-scale, wealthy organizations will flourish, and only comply with their sponsors' vision for how the system will work. Arguably this is much like how Android ended up - in theory FOSS, in practice very much under the thumb of large hardware manufacturers who dictate what you may or may not do with any practical device.

            It would also doom relatively inexpensive software as well. Do you really think the app stores are going to be filled with free or low-cost software at that point? Granted, the mass metric-gathering that many participate in is a concern, but if anything this will only make that far more prolific as the companies are desperate to ensure that they actually make money and can defend themselves from lawsuits. There's a lot of free software out there that's "free as in beer," and even though it doesn't have the source code, it's still often a valuable tool, and in many cases, highly safe with few downsides. These resources would vanish overnight, probably taking with them a lot of older and historical archives. It reminds me of when Intel took down a ton of their drivers because they weren't maintained and weren't secure, so if you had an old-style motherboard using those chipsets, you now have to go digging for drivers elsewhere. Better you have no drivers than insecure drivers, their thinking would go. That's what you'll see on a vast scale.

            If you want to make sure the only computers available to the general public for any reasonable sum are Microsoft or Google dumb terminals using their own, in-house developed software, and make sure it stays that way, software warranties are a fantastic way to do it.

        • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:28PM (2 children)

          by Anonymous Coward on Sunday October 31 2021, @04:28PM (#1192232)
          Requiring warranties on software? Well, that's the fastest way to kill off open source.

          A better idea would be to educate users not to click on shit. Because the user is the weakest link. Same as idiots who fall for catfishing scams and phone calls claiming to be from customs and "warrant has already been issued for your arrest. Press 1 to talk to a police officer ".

          Everyone I know gets those scam calls every few weeks. Me, I press 1, put them on speakerphone, and ask them how it feels to be a fucking piece of shit scammer who lives in a shithole where half the population shits in the street.

          They DO maintain blacklists of people who it's a waste of time to call. Their motivation is money. Their overlords don't want them wasting time on the clued in.

          Educate the user - even if you need to take out the "lart" (luser attitude readjustment tool). Start with their mouse or a keyboard to show them you're serious. Then replace it with the shittiest one you can find from the junk pile. When they complain, pick up the "lart."

          Tossed my latest lart into the dumpster Friday - if I need another one I can just go in the warehouse and break up another wood pallet.

          • (Score: 2) by canopic jug on Sunday October 31 2021, @04:35PM (1 child)

            by canopic jug (3949) on Sunday October 31 2021, @04:35PM (#1192236)

            > A better idea would be to educate users not to click on shit.

            Bzzzt. Thanks for playing. Clicking on stuff is merely using the software as advertised. If it cannot be used as advertised the fault does not lie with the end user. See the above mention of Dan Geer's proposal for applying product liability laws to software in exchange for being allowed to keep it closed source. For those that aim for exemption from liability laws, then they would have to make the source code available under a FOSS license.

            --
            Money is not free speech. Elections should not be auctions.
            • (Score: 2) by sjames on Sunday October 31 2021, @05:26PM

              by sjames (2882) on Sunday October 31 2021, @05:26PM (#1192246)

              Only in the sense that jacking up a car is just using the jack as advertised. It's still important that the users don't then just slide under without a jack stand or jack the car up on a steep hill. Answering the phone is just using the phone as advertised. You still need to know better than to spray yourself with oven cleaner or send your life savings to "The Attorney General" just because the person calling you says so. Firing a gun is just using it as advertised, but it is your responsibility to make sure it's not pointed at someone who doesn't need shooting (and to make sure children don't play with it among other things).

              There are many tools and devices (even really old inventions like kitchen knives) that must be used with some modicum of care to avoid having bad things happen. Safety matches don't have a security protocol that makes sure they light only the birthday candles and not the trash can. That's the user's responsibility.

    • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @03:14PM

      by Anonymous Coward on Sunday October 31 2021, @03:14PM (#1192203)

      "I have yet to see ANY code that has NO bugs."

      Absolutely. Even with careful work, a simple system will likely have a few residual bugs.
      (That might be ok if exploiting them is more trouble than it is worth.)
      Remove careful and simple, and you have the state of our cyber insecurity.

      " They (MSFT) are a no-show in ... embedded systems."

      How many essential systems run Win95 with network connections?
      (grid, water plants and industrial machine controls come to mind)

    • (Score: 1, Interesting) by Anonymous Coward on Sunday October 31 2021, @03:15PM (18 children)

      by Anonymous Coward on Sunday October 31 2021, @03:15PM (#1192204)
      some of the proprietary code I wrote 15 years ago is still running 24/7 with no memory leaks, and no bugs. Then again, it was written in c, not some custom web shit or "safe" language. The assumption was you knew what you were doing. Doesn't depend on bloatware like apache.

      but proprietary software is willing to pay for 3 years to develop what normal "just use open source" would take weeks to slap some shit together and throw it over the wall.

      • (Score: 1, Touché) by Anonymous Coward on Sunday October 31 2021, @03:32PM (9 children)

        by Anonymous Coward on Sunday October 31 2021, @03:32PM (#1192209)

        15 years 24/7 with no bugs?

        OR

        15 years 24/7 with no bugs found, but bugs ready and waiting if a bad guy were to turn his attention to the target?

        • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:15PM (8 children)

          by Anonymous Coward on Sunday October 31 2021, @04:15PM (#1192226)

          No bugs. And this is running on the internet serving 1,000 requests a second, without breaking a sweat, as well as 20,000 to 50,000 db hits to collect and formulate the results.

          Proper design includes rethinking everything and not doing it "the same way everyone else does." Or using frameworks. And understanding networking at the OS level - something most "full stack" developers can't even think to attempt.

          • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:22PM (7 children)

            by Anonymous Coward on Sunday October 31 2021, @04:22PM (#1192229)

            Are you confident in that? If so, may I have the target IP please? Just to clarify, nobody will die when I brick it, right?

            • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:44PM (2 children)

              by Anonymous Coward on Sunday October 31 2021, @04:44PM (#1192239)

              104.95.221.23

              • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @10:16PM (1 child)

                by Anonymous Coward on Sunday October 31 2021, @10:16PM (#1192314)

                Sorry, but you don't work for Akamai or the NBA.

                • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @10:53PM

                  by Anonymous Coward on Sunday October 31 2021, @10:53PM (#1192316)

                  Why, you are correct! Almost like you are too stupid to recognize obvious trolling!

            • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @07:32PM (3 children)

              by Anonymous Coward on Sunday October 31 2021, @07:32PM (#1192271)
              192.128.0.1

              But seriously, you wouldn't even know how to attack it. I was writing shit that looked at incoming requests byte-by-byte and sent anything not conforming to the expectations (2nd parameter is 1 or more bytes too long or below the expected minimum? Redirect to goatse, close the socket, do not bother getting any more bytes off the wire).

              So no buffer over/under-runs possible, unlike scripting languages that retrieve the whole client request even when it's obviously bogus. Like a form field that was limited to 15 bytes and it returns 100,000 bytes. The socket should have been closed at the 16th byte. Any sane developer should be able to do that. Then again, most of your web developers are fucktards, they can't even open a socket and examine the bytes as they come over the internet.

              Doing actual raw network coding is far beyond their reach.

              Buffer over/under-runs are the number one method, and this eliminates them.
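              The byte-by-byte bounds check the comment above describes, as an added example (not code from the thread or from any poster): a reader that pulls one byte at a time from the connection and returns a reject verdict the moment a field exceeds its declared maximum, so at most max_len+1 bytes are ever consumed for that field. The in-memory `struct stream`, the constructed requests and all function names are this example's own stand-ins; a real server would replace `next_byte()` with a single-byte `recv()` and close the socket on `FIELD_TOO_LONG`.

```c
/* Added example (not from the thread): reading a delimited request field
 * byte-by-byte with a hard upper bound, rejecting as soon as the bound is
 * exceeded instead of buffering the whole request first. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum field_status { FIELD_OK, FIELD_TOO_LONG, FIELD_TRUNCATED };

/* Constructed stand-in for a socket: an in-memory byte stream.
 * A real server would replace next_byte() with a one-byte recv()/read(). */
struct stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

static int next_byte(struct stream *s)
{
    if (s->pos >= s->len)
        return -1;                      /* peer closed / no more data */
    return s->data[s->pos++];
}

/* Copy bytes from s into out until delim is seen. out must have room for
 * max_len bytes plus a terminating NUL. Returns FIELD_TOO_LONG the moment
 * byte number max_len+1 arrives without a delimiter; nothing more is read. */
enum field_status read_bounded_field(struct stream *s, char *out,
                                     size_t max_len, int delim)
{
    size_t n = 0;
    for (;;) {
        int c = next_byte(s);
        if (c < 0) {
            out[n] = '\0';
            return FIELD_TRUNCATED;     /* connection ended mid-field */
        }
        if (c == delim) {
            out[n] = '\0';
            return FIELD_OK;
        }
        if (n == max_len) {
            out[n] = '\0';              /* out stays a valid string for logging */
            return FIELD_TOO_LONG;      /* caller closes the socket here */
        }
        out[n++] = (char)c;
    }
}

/* Scenario: a 100-byte value arrives for a field limited to max_len bytes.
 * Returns how many bytes were pulled off the "wire" before rejection
 * (expected: max_len + 1), or 0 if the reader did not reject. */
size_t oversize_field_consumed(size_t max_len)
{
    char big[101];
    char out[64];
    struct stream s;
    if (max_len >= sizeof out)
        return 0;
    memset(big, 'A', 100);              /* constructed oversize input */
    big[100] = '\0';
    s.data = (const unsigned char *)big;
    s.len = 100;
    s.pos = 0;
    if (read_bounded_field(&s, out, max_len, '&') != FIELD_TOO_LONG)
        return 0;
    return s.pos;
}

/* Scenario: a well-formed field followed by more data. Returns 1 when the
 * field is copied intact and only the field plus its delimiter was read. */
int wellformed_field_ok(void)
{
    const char *req = "name=alice&next=ignored";   /* constructed request */
    char out[16];
    struct stream s = { (const unsigned char *)req, strlen(req), 0 };
    return read_bounded_field(&s, out, 15, '&') == FIELD_OK
        && strcmp(out, "name=alice") == 0
        && s.pos == 11;
}

/* Scenario: the peer disconnects before sending the delimiter. */
int truncated_field_detected(void)
{
    const char *req = "abc";                        /* constructed request */
    char out[16];
    struct stream s = { (const unsigned char *)req, 3, 0 };
    return read_bounded_field(&s, out, 15, '&') == FIELD_TRUNCATED
        && strcmp(out, "abc") == 0;
}

int main(void)
{
    printf("oversize value: rejected after %zu bytes\n", oversize_field_consumed(15));
    printf("well-formed field: %s\n", wellformed_field_ok() ? "ok" : "FAIL");
    printf("truncated field: %s\n", truncated_field_detected() ? "detected" : "FAIL");
    return 0;
}
```

              The verdict comes at byte max_len+1 rather than max_len because a 15-byte field is only known to be oversize when a 16th non-delimiter byte arrives, which is the "closed at the 16th byte" rule the comment states. Reading one byte per syscall is slow on a real socket; the usual production shape is to recv() into a small fixed buffer and run the same state machine over it, which keeps the bound while cutting syscalls.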

              • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @07:45PM

                by Anonymous Coward on Sunday October 31 2021, @07:45PM (#1192275)
                And that was in the late 90s. Not exactly a new technique. If you can't figure out how to trigger a buffer under/overflow, if unicode and emojis are not available to do byte stuffing (no unicode allowed, fuck you and your insecure shit, w3c), and the data is sanity checked byte by byte as it comes off the wire, you're not getting in.
              • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @07:59PM

                by Anonymous Coward on Sunday October 31 2021, @07:59PM (#1192277)

                I do & note how to map it to do so https://soylentnews.org/comments.pl?noupdate=1&sid=45804&page=1&cid=1192254#commentwrap [soylentnews.org] (since you listed another IP address vs. the one I used, that shows as an AT&T box & doesn't have any open ports in the 1st 1000 ports I did nmap on it with via the -Pn parameter (I could scan all 65535 too) - oh, I could look for expired certificates too IF I wanted to take the time also using nmap but why BOTHER?)

                * I say "why bother" since YOU yourself give away HOW to knock it over - you noted sockets? Fine - a DDoS (or even DoS possibly) can KNOCK THE SYSTEM'S ENTIRE IP STACK OVER, flooring anything you wrote above it using sockets...

                APK

                P.S.=> You'd be DONE & you KNOW it (& yes, I know how to write DoS software of MANY KINDS here if I wish)... apk

              • (Score: 0) by Anonymous Coward on Monday November 01 2021, @06:16AM

                by Anonymous Coward on Monday November 01 2021, @06:16AM (#1192384)

                > So no buffer over/under-runs possible, unlike scripting languages that retrieve the whole client request

                Actually scripting languages can be less prone to buffer problems. Firstly you don't necessarily have to retrieve the whole client request. You can often use stuff like sysread just like C stuff and unlike C it's really easy to make sure the stuff you sysread fits with no overflows- just read it into the variable - no buffer overflow possible.

                Many years ago I wrote a DHCP server in perl. 100% no buffer overruns/underruns possible in my code - there's no hard fixed buffer. Maybe there were buffer overruns in perl but those are for the perl developers to fix not me and I doubt those would affect my DHCP server - typically such bugs are in stuff like sprintf or fancier regular expression features which are not present in my code.

                FWIW it performed better than ISC dhcpd (which I believe was written in C) for our use case (1000+ VLAN interfaces) and was a lot more flexible. Blasted it with thousands of DHCP requests per second and it didn't fall over.
                The maximum DHCP and UDP message sizes are easily handled without any problems - perl stuff won't be bothered by such small sizes. If the code is somehow getting something much larger then either there's a Linux kernel bug and/or a hardware problem.

                I'm pretty sure more security bugs have existed in ISC dhcpd than my DHCP server. I've seen ISC dhcpd code and their BIND code.

      • (Score: 2) by sgleysti on Sunday October 31 2021, @06:00PM

        by sgleysti (56) on Sunday October 31 2021, @06:00PM (#1192250)

        > code I wrote 15 years ago is still running 24/7 with no memory leaks, and no bugs.

        I will believe there are no bugs after you show me a formal, machine checked proof that the code conforms to its specification. That, or a report from a state checker capable of exhaustive search.

      • (Score: -1, Troll) by Anonymous Coward on Sunday October 31 2021, @06:19PM (5 children)

        by Anonymous Coward on Sunday October 31 2021, @06:19PM (#1192254)

        > Then again, it was written in c
        -- Anonymous Coward on Sunday October 31, @03:15PM (#1192204)

        C is SHIT for SECURITY (& there was a time it was my favorite too, & 3rd language I learned up into the early 1990's, until I learned of these facts about its downfalls for security)

        C, a language known among other things for its lack of memory safety https://www.theregister.com/2021/02/02/patching_apache_rust/ [theregister.com]

        PLUS, C uses null-terminated strings, so it is subject to BUFFER OVERFLOWS GALORE due to that stupidity.

        Additionally, were I to do a "what's that site running" query, IF there is ANY "std. off-the-shelf" COTS type software that has bugs? Finding their CVE of any known remote errors & that IS a "doorway in" (or to crash it).

        An nmap 104.95.221.23 -p 1-65535 will show me what ports are open there (80 & 443, which indicates a GOOD CHANCE that SOMETHING there is soliciting webbrowser/webserver type connections to it in fact).

        * By way of comparison, my favored language Object Pascal, via FreePascal + Lazarus IDE or Delphi they were patterned on has NO SUCH SECURITY ISSUE in STRINGWORK since it incorporates STRING LENGTH into its 1st 2 "ParamStr" parameters for stopping string buffer overflows (as well as a reference counter to said strings)...

        So much for C!

        Object Pascal even beats C++ in performance HUGELY, especially on strings! (which TRIES to overcome those buffer overflows due to null-terminated string use, but the speed-hit is INCREDIBLE since it has to do a length calculation parse of said string 1st in the std. string templates library functions) http://pascal-central.com/compare.html [pascal-central.com] & it does so on features AND safety combined.

        BETTER SAFE than SORRY (& going faster to boot in Pascal).

        I literally saw & STILL HAVE this issue where a benchmark done in a competing trade rag Visual Basic Programmer's Journal sept.-oct. 1997 issue "Inside the VB 5 compiler" where Object Pascal BLEW AWAY even MSVC++ in 4/6 tests done (tied only 1 & lost only 1 (form loading, not all programs do that, as they may be non-GUI)) & especially in MATH + STRINGS work (by almost 5x margin in stringwork due to what I noted, it is EXACTLY why, & DOUBLE in math) which EVERY PROGRAM DOES WORK IN!

        APK

        P.S.=> There was a REAL SERIOUS FOOL named BarbaraHudson who used to post here OR on /. that I had to "SCHOOL" on the facts above MANY times in fact (disappeared now, ill as hell from various maladies including being a mentally unbalanced LOON "TraNsTeSticLe" that thought "it" was a WOMAN instead of the man "it" was BORN as, ala TomHudson "its" REAL name @ birth)... apk

        • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @07:03PM (4 children)

          by Anonymous Coward on Sunday October 31 2021, @07:03PM (#1192264)

          Is the apk loser still around? Or did someone give a cup of coffee to a monkey?

          • (Score: -1, Spam) by Anonymous Coward on Sunday October 31 2021, @07:16PM (2 children)

            by Anonymous Coward on Sunday October 31 2021, @07:16PM (#1192268)

            Windows NT Magazine April 1997 "BACK OFFICE PERFORMANCE" pg 61

            (For SuperSpeed.com PAID CONTRACT (wrote SuperCache 40% performance boost) & SuperDisk finalist @ MS Tech Ed 2x in a row 2000-2002 HARDEST CATEGORY: SQLServer Performance Enhancement)

            WINDOWS MAGAZINE 1997 "Top Freeware & Shareware of the Year" issue pg 210 #1 entry

            PC-WELT FEB 1998 pg 84

            WINDOWS MAGAZINE, WINTER 1998 pg 92 MUST HAVE WARE

            PC-WELT FEB 1999 - pg 83

            CHIP Magazine 7/99 - pg 100

            GERMAN PC BOOK Data Becker "PC Aufrusten und Repairen" 2000

            HOT SHAREWARE #46 issue pg. 54 2001

            Paid for article @ PCPitstop in 2008 http://pcpitstop.com/news/winners.asp [pcpitstop.com]

            UltraDefrag64 Process Priority Control credited by lead devs of it in the programs credits section.

            ---

            * You've done more, earlier & better than the list above? PROVE IT & MAYBE THEN? Maybe then you could call me LOSER but I doubt it

            APK

            P.S.=> That list's not including the fact that INDUSTRIAL WARES I've done are STILL to this day running entire companies' lifeblood from sales to shop floor to reports to government etc. to this very day from the 1990's no problem, bulletproof & bugfree (afaik & I do check periodically over the years for the resume (not that I need to anymore, I did well enough to retire @ 47 yrs. of age back in 2007 - occasionally I contracted IF a job interested me & PAID well too of course, but since 2016 or so? I haven't had to work for ANYONE but ME since my MONEY WORKS FOR ME, not the other way around))... apk

            • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @08:24PM (1 child)

              by Anonymous Coward on Sunday October 31 2021, @08:24PM (#1192282)

              Looks like a copycat to me. Too bad, apk used to bring some very interesting level of unhinged. These posts might as well have been written by a Care Bear!

              • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @08:34PM

                by Anonymous Coward on Sunday October 31 2021, @08:34PM (#1192286)

                Apk was right about you. You haven't done anything at all but be a chattering troll on forums. He has though and you clearly have not. Ever. Your troll replies minus results in your favor prove it for us. Thank you.

          • (Score: 0) by Anonymous Coward on Monday November 01 2021, @01:57PM

            by Anonymous Coward on Monday November 01 2021, @01:57PM (#1192450)

            See my subject-line above & answer vs. this PARTIAL LIST ONLY of some of my favorites over the decades I've done well in others recognized (in publications on wares I wrote on the side of doing my day job as a professional software engineer circa 1997-2007):

            Windows NT Magazine April 1997 "BACK OFFICE PERFORMANCE" pg 61

            (For SuperSpeed.com PAID CONTRACT (wrote SuperCache 40% performance boost) & SuperDisk finalist @ MS Tech Ed 2x in a row 2000-2002 HARDEST CATEGORY: SQLServer Performance Enhancement - they ended up BUYING OUT MY SOURCECODE & they are a certified MS partner...)

            WINDOWS MAGAZINE 1997 "Top Freeware & Shareware of the Year" issue pg 210 #1 entry

            PC-WELT FEB 1998 pg 84

            WINDOWS MAGAZINE, WINTER 1998 pg 92 MUST HAVE WARE

            PC-WELT FEB 1999 - pg 83

            CHIP Magazine 7/99 - pg 100

            GERMAN PC BOOK Data Becker "PC Aufrusten und Repairen" 2000

            HOT SHAREWARE #46 issue pg. 54 2001

            UltraDefrag64 Process Priority Control credited by lead devs of it in the programs credits section (for use in not only UPPING cpu priority but ALSO downing it for background operations)

            Paid for article @ PCPitstop in 2008

            * ... & of course, my A P K H o s t s F i l e E n g i n e which has over 1/2 million users going strong & was recommended by Malwarebytes' Mr. Steven Burn

            ---

            * You've done more, earlier & better than the list above? PROVE IT!

            (... & MAYBE THEN? Maybe then you could call me LOSER but I doubt it since I KNOW you've never even done a SINGLE THING worth noting (or that others noted as good)).

            APK

            P.S.=> That list's not including the fact that INDUSTRIAL WARES I've done are STILL to this day running entire companies' lifeblood from sales to shop floor to reports to government etc. to this very day from the 1990's in my "day job" as a software engineer for decades, no problem, bulletproof & bugfree (afaik & I do check periodically over the years for the resume (not that I need to anymore, I did well enough to retire @ 47 yrs. of age back in 2007 - occasionally I contracted IF a job interested me & PAID well too of course, but since 2016 or so? I haven't had to work for ANYONE but ME since my MONEY WORKS FOR ME, not the other way around))... apk

      • (Score: 0) by Anonymous Coward on Monday November 01 2021, @01:31PM

        by Anonymous Coward on Monday November 01 2021, @01:31PM (#1192440)

        Then again, it was written in C by Anonymous Coward on Sunday October 31, @03:15PM (#1192204)

        C, a language known among other things for its lack of memory safety https://www.theregister.com/2021/02/02/patching_apache_rust/ [theregister.com]

        PLUS, since C uses null-terminated strings, it is subject to BUFFER OVERFLOWS GALORE due to that stupidity.

        By way of comparison, my favored language Object Pascal, via FreePascal + Lazarus IDE or Delphi they were patterned on, has NO SUCH SECURITY ISSUE in STRINGWORK since it incorporates STRING LENGTH into its 1st 2 "ParamStr" parameters for stopping string buffer overflows (as well as a reference counter to said strings)...

        * So much for C!

        Object Pascal even beats C++ in performance HUGELY, especially on strings!

        (Which C++ TRIES to overcome those buffer overflows due to null-terminated string use, but the speed-hit is INCREDIBLE since it has to do a length calculation parse of said string 1st in the std. string templates library functions.)

        I literally saw & STILL HAVE this issue where a benchmark done in a competing trade rag Visual Basic Programmer's Journal sept.-oct. 1997 issue "Inside the VB 5 compiler" where Object Pascal BLEW AWAY even MSVC++ in 4/6 tests done!

        (Tied only 1 & lost only 1 (form loading, not all programs do that, as they may be non-GUI)) & especially in MATH + STRINGS work (by almost 5x margin in stringwork due to what I noted, it is EXACTLY why, & DOUBLE in math) which EVERY PROGRAM DOES WORK IN!)

        For language features http://pascal-central.com/compare.html [pascal-central.com] & Pascal wins again on features AND safety combined.

        BETTER SAFE than SORRY (& going faster to boot in Pascal).

        Additionally:

        Were I to do a "what's that site running" query, IF there is ANY "std. off-the-shelf" COTS type software that has bugs? Finding their CVE of any known remote errors & that IS a "doorway in" (or to crash it). Wouldn't HAVE to be YOUR ware - it could be any others there.

        Also, an nmap 104.95.221.23 -p 1-65535 will show me what ports are open there (80 & 443, which indicates a GOOD CHANCE that SOMETHING there is soliciting webbrowser/webserver type connections to it in fact). IF I knew EXACTLY what your app took in for data & the program's purpose? It'd be ENOUGH to find its "Achilles Heel" given time...

        Blocking ping replies? nmap 104.95.221.23 -pN will STILL yield back answers as well - can't beat it - it IS the "swiss army knife" of network reconnaissance (that or netcat are).

        APK

        P.S.=> There was a REAL SERIOUS FOOL named BarbaraHudson who used to post here OR on /. that I had to "SCHOOL" on the facts above MANY times in fact (disappeared now, ill as hell from various maladies including being a mentally unbalanced LOON "TraNsTeSticLe" that thought "it" was a WOMAN instead of the man "it" was BORN as, ala TomHudson "its" REAL name @ birth)... apk
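The point the comment above makes about NUL-terminated versus length-prefixed strings, shown as an added C example that is not the commenter's code and not a port of FreePascal's string implementation. The `struct record`, `c_style_copy`, `struct pstr`, `PSTR` and the 11-byte input are all constructed for the illustration; the overflow is deliberately kept inside the 12-byte record so the demonstration is deterministic rather than undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: an 8-byte NUL-terminated name followed by a field
 * that must stay intact (think of a saved return address or a privilege
 * flag).  No padding between the members on the usual ABIs, so the
 * record is 12 bytes and name[8..11] overlaps is_admin. */
struct record {
    char name[8];
    uint32_t is_admin;
};

/* Idiomatic C copy: run until the NUL.  The callee has no way to learn
 * how long src is, so nothing stops it writing past name[].  The write
 * goes through a byte pointer to the whole record so that, for a source
 * that still fits in the 12-byte record, the overwrite is well defined
 * and the demo is deterministic. */
void c_style_copy(struct record *r, const char *src)
{
    unsigned char *dst = (unsigned char *)r;
    size_t i = 0;
    do {
        dst[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Length-prefixed string in the Object Pascal style: the length travels
 * with the bytes, so the copy can be bounds-checked before writing. */
struct pstr {
    size_t len;
    const char *data;
};
#define PSTR(lit) ((struct pstr){ sizeof(lit) - 1, (lit) })

/* Returns 1 on success, 0 (and writes nothing) if src does not fit. */
int pstr_copy_into(char *dst, size_t cap, struct pstr src)
{
    if (src.len >= cap)           /* need room for the trailing NUL too */
        return 0;
    memcpy(dst, src.data, src.len);
    dst[src.len] = '\0';
    return 1;
}

/* Value of is_admin after a C-style copy of src into a fresh record. */
uint32_t admin_after_c_copy(const char *src)
{
    struct record r = { "", 0 };
    c_style_copy(&r, src);
    return r.is_admin;
}

/* -1 if the bounded copy refused src, otherwise is_admin afterwards. */
long admin_after_pstr_copy(struct pstr src)
{
    struct record r = { "", 0 };
    if (!pstr_copy_into(r.name, sizeof r.name, src))
        return -1;
    return (long)r.is_admin;
}

int main(void)
{
    /* 11 bytes plus NUL: bytes 8..11 land on is_admin. */
    printf("C-style copy of 11-byte name: is_admin=%u\n",
           admin_after_c_copy("AAAAAAAAXYZ"));
    printf("length-prefixed copy of same name: result=%ld\n",
           admin_after_pstr_copy(PSTR("AAAAAAAAXYZ")));
    printf("length-prefixed copy of \"bob\": result=%ld\n",
           admin_after_pstr_copy(PSTR("bob")));
    return 0;
}
```

The C-style copy silently turns an over-long name into a non-zero `is_admin`; the length-prefixed copy refuses the same input before touching memory. The performance claim in the comment is separate from this: carrying the length is what makes the bounds check possible, and `strlen` on the C side is the extra pass the comment refers to.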

    • (Score: 4, Insightful) by Runaway1956 on Sunday October 31 2021, @04:08PM

      by Runaway1956 (2926) Subscriber Badge on Sunday October 31 2021, @04:08PM (#1192222) Journal

      Sure, everyone makes mistakes. Unix, Linux, BSD, you name it, there are mistakes. But, most of them tend to learn from their mistakes, and work hard to improve whatever went wrong. Microsoft doesn't seem to learn very quickly. I'm not bothering to look up exact dates, but it took forever for MS to close down the Win9x branch, and move on with NT in the form of WinXP. What did they do next? Vista. There was Win7, but then they did a quick go around with Win8, then dove into the deep end of the surveillance, tracking and advertising pool.

      *nix users revolt when the most benign telemetry is introduced. Windows users just accept whatever MS throws at them, because they're accustomed to shoddy crap that only works sometimes. MS was insecure by design from the very start, and no amount of bolt-on aftermarket security crap is ever going to allow Windows to catch up to *nix.

    • (Score: 2, Interesting) by Anonymous Coward on Sunday October 31 2021, @04:34PM (1 child)

      by Anonymous Coward on Sunday October 31 2021, @04:34PM (#1192235)

      Eliminate bugs? No.

      But, Microsoft is in its own special category for heinous design decisions.

      E.g.,

      It took Microsoft well over a decade to fix a bug where windows considers a password hash as password equivalent. You didn't even need to bother cracking hashes with MS, just use the captured hash. See, "Pass the Hash" exploits. For all those years, MS stated that it was due to design issues, and they couldn't fix it.

      And, MS still hasn't corrected their insane design where font parsing is done in kernel space. So, every year since forever, there are one to three new remote kernel exploits against windows where all you need to fully take over a windows box is include a malformed font e.g., in a web page, an html email, a pdf, an office document, a chat, etc.

      The MS print spooler recently made the news, twice, for two separate kernel level exploits in one month. A service that has been repeatedly exploited since MS first introduced it. And, is unnecessary for it to run on the vast majority of windows systems. Still, MS enables it by default.

      MS didn't look to what other systems had already been doing for many years to make password hash cracking harder e.g., UNIX has salted passwords since before time, but MS uses unsalted RC4 (a weak hash) passwords. But, that wasn't enough for MS. They used to uppercase all passwords before hashing to make them even easier to crack. But, that was not all. They also split any password over 8 characters into a block of 8 characters that was hashed, and a separate block of the remaining characters. So, if you made an 11 character password on windows, an attacker only had to crack a three character password hash, then use the information from that to recover the rest. Yay. MS windows, the only major platform where you could crack passwords in real time before the advent of gpu crackers.

      Due to MS embrace, extend, extinguish, we are stuck with a microsoft+cisco designed protocol for wireless authentication, EAP-PEAP (MS doesn't [or, at least didn't, the last time I had to care] support the standard EAP-TTLS for enterprise wireless password auth in their supplicant, only their own PEAP). PEAP requires MS LANMAN hashes, so the uppercase, crack only a couple few chars to crack the whole password, etc. shitty MS Lanman password hashes are still in active use, the world over.

      There have been some, "what the hell were they thinking?" design bugs in non-MS software too, but I'm unaware of anyone besides Microsoft that has allowed for active exploitation for decades without addressing their flaws. Nor any entities products with the sheer volume of WTF?! as Microsoft products.
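The LM-hash structure discussed in the comment above, as an added C example that is neither the commenter's code nor Microsoft's implementation. Real LM uppercases the password, NUL-pads it to 14 bytes, splits it into two 7-byte halves and uses each half as a DES key to encrypt a fixed constant; this example keeps that structure but substitutes 64-bit FNV-1a for the DES step, an assumption made so it runs without a DES library. The charset, `recover_tail`, `same_lm_hash`, `second_half_is_empty` and the sample passwords are constructed for the illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LM_HALF 7
#define LM_MAX  (2 * LM_HALF)

/* Stand-in for LM's per-half DES step (an assumption so the example runs
 * without a DES library): 64-bit FNV-1a over one 7-byte half.  The
 * weakness shown below is structural and does not depend on which
 * one-way function sits here. */
static uint64_t half_digest(const unsigned char half[LM_HALF])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < LM_HALF; i++) {
        h ^= half[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* LM-style preprocessing: uppercase, truncate or NUL-pad to 14 bytes,
 * split into two 7-byte halves, digest each half on its own. */
void lm_style_hash(const char *password, uint64_t out[2])
{
    unsigned char buf[LM_MAX] = { 0 };
    size_t n = strlen(password);
    if (n > LM_MAX) n = LM_MAX;
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)toupper((unsigned char)password[i]);
    out[0] = half_digest(buf);
    out[1] = half_digest(buf + LM_HALF);
}

/* 1 if two passwords hash identically (case folding makes many collide). */
int same_lm_hash(const char *a, const char *b)
{
    uint64_t ha[2], hb[2];
    lm_style_hash(a, ha);
    lm_style_hash(b, hb);
    return ha[0] == hb[0] && ha[1] == hb[1];
}

/* 1 if the second half is the digest of seven NULs, i.e. the password
 * is at most 7 characters long.  An attacker learns this for free. */
int second_half_is_empty(const char *password)
{
    static const unsigned char zeros[LM_HALF] = { 0 };
    uint64_t h[2];
    lm_style_hash(password, h);
    return h[1] == half_digest(zeros);
}

/* Brute-force the second half by itself over A-Z0-9, up to max_len
 * characters, without touching the first half.  Returns a static buffer
 * holding the recovered characters, or NULL if not found. */
const char *recover_tail(const char *password, int max_len)
{
    static const char cs[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    static char found[LM_HALF + 1];
    const int ncs = (int)(sizeof cs - 1);
    uint64_t h[2];
    lm_style_hash(password, h);
    if (max_len > LM_HALF) max_len = LM_HALF;

    for (int len = 1; len <= max_len; len++) {
        int idx[LM_HALF] = { 0 };
        for (;;) {
            unsigned char half[LM_HALF] = { 0 };
            for (int i = 0; i < len; i++)
                half[i] = (unsigned char)cs[idx[i]];
            if (half_digest(half) == h[1]) {
                memcpy(found, half, (size_t)len);
                found[len] = '\0';
                return found;
            }
            /* odometer step over the candidate */
            int pos = len - 1;
            while (pos >= 0 && ++idx[pos] == ncs) {
                idx[pos] = 0;
                pos--;
            }
            if (pos < 0) break;
        }
    }
    return NULL;
}

int main(void)
{
    const char *tail = recover_tail("Correct1Ten", 4);
    printf("case folded: %d\n", same_lm_hash("Correct1Ten", "CORRECT1TEN"));
    printf("7-char password has empty second half: %d\n",
           second_half_is_empty("Passwrd"));
    printf("second half of an 11-char password recovered alone: %s\n",
           tail ? tail : "(none)");
    return 0;
}
```

Because the halves are digested independently, an 11-character password costs the attacker at most a 7-character search plus a separate 4-character search over the folded charset (36^7 + 36^4 guesses) instead of 36^11, and a password of 7 characters or fewer announces itself through a constant second half. Salting or hashing the whole password as one unit removes both shortcuts, which is the comparison the comment draws with salted Unix password storage.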

      • (Score: 0) by Anonymous Coward on Monday November 01 2021, @06:26AM

        by Anonymous Coward on Monday November 01 2021, @06:26AM (#1192387)

        Isn't that lanman stuff disabled by default since Vista? As for wifi the stuff is wrapped in TLS right?

    • (Score: 3, Insightful) by sjames on Sunday October 31 2021, @05:00PM

      by sjames (2882) on Sunday October 31 2021, @05:00PM (#1192242) Journal

      I agree that there are VERY few bug free applications out there much less entire operating systems.

      But there IS such a thing as carelessness and foolishness, and that is a good description of Microsoft's history. Even when actively warned that their next great "feature" like hiding file extensions and being able to run attachments directly from Outlook would be a security disaster, they plow forward.

      After going to a great deal of trouble to obfuscate the difference between opening a file and running a program, they blame the user for running the wrong untrusted program. It took Microsoft to turn the "e-mail virus" from a running gag on the internet to a reality causing multiple billions a year in losses (see "goodtimes" [wikipedia.org] and "The honor system virus"). And seeing the horrors they unleashed, did MS back away and say "oops"? Hell no, MS can do no wrong (just ask them) and the bugs remain to this day.

      Security was bad in the heady days when the Internet was mostly used in academia. It took MS to make it even worse.

      There's not building your house like a bank vault level insecurity, then there's going on vacation with the front door left open and an open house banner over it level insecurity.

    • (Score: 2) by Beryllium Sphere (r) on Sunday October 31 2021, @06:29PM

      by Beryllium Sphere (r) (5062) on Sunday October 31 2021, @06:29PM (#1192257)

      >except for possibly the most trivial "Hello World" implementation

      Not even that. IBM mainframes had a program which was an executable analog of /dev/null, which returned after doing nothing.

      It had a history of multiple bug fixes. See IEFBR14.

      That said, some things are more usable than others.

    • (Score: 2) by PinkyGigglebrain on Sunday October 31 2021, @08:11PM (1 child)

      by PinkyGigglebrain (4458) on Sunday October 31 2021, @08:11PM (#1192279)

      You've never seen some of the NASA/JPL code then. Sure they've gotten a little sloppy in recent decades but they used to write some solid 100% bug free code back in the day. The code for Pioneer, Viking, and Voyager missions comes to mind.

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."

      • (Score: 2, Touché) by Anonymous Coward on Sunday October 31 2021, @10:58PM

        by Anonymous Coward on Sunday October 31 2021, @10:58PM (#1192318)

        That code is downright simple and closer to a "hello world" than windows. And, IIRC, over $1,000 per SLOC, which is even more today. They also had their share of bugs even in the days where they weren't "a little sloppy." Of course, that could be why you left Mariner 1 or Gemini 5 out of your list.

    • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @09:24PM

      by Anonymous Coward on Sunday October 31 2021, @09:24PM (#1192300)

      Micro$erf shilling worthy of frojack! Whataboutism up there with the best! Up next, a few words from janrinok on systemd.

    • (Score: 2) by hendrikboom on Sunday October 31 2021, @10:54PM

      by hendrikboom (1125) Subscriber Badge on Sunday October 31 2021, @10:54PM (#1192317) Homepage Journal

      I have yet to see ANY code that has NO bugs.

      The only significant piece of code I've heard of with the reputation of being bug-free was the Kruseman Aretz Algol 60 compiler that ran on an Electrologica computer in the 60's and early 70's.

      Oh yeah. There was the one-instruction clear memory code that we used to clear the memory of the IBM 1620 in the 60's. It would clear memory until you stopped the machine by powering off or rebooting it.

    • (Score: 0) by Anonymous Coward on Monday November 01 2021, @10:24AM

      by Anonymous Coward on Monday November 01 2021, @10:24AM (#1192415)

      I have yet to see ANY code that has NO bugs.

      int main() {
          return 0;
      }

      You're welcome.

  • (Score: 5, Interesting) by Mojibake Tengu on Sunday October 31 2021, @03:05PM (3 children)

    by Mojibake Tengu (8598) on Sunday October 31 2021, @03:05PM (#1192199) Journal

    Microsoft is definitely in a public spotlight concerning software insecurity, which can be attributed to MS-DOS originally being designed without any security by design; that was technically slightly rational on 16-bit technology, but inexcusable for later architectures. That was a significant decline from the security level common on the previous generation of mainframe and minicomputer technology.

    The damage was done not only to so-called national security of the United States, but to all nations of the planet. It's a planetary-scale disaster, which is not just tolerated but intentionally cultivated by most intelligence agencies of the world. It's the hypocrisy of the competent that made things even worse. The infestation of FOSS projects by agency personnel assets is no less than their infestation of industry.

    That's already 4 decades, think about it, two generations of people having a real "just technical" problem failed to cooperate to solve the situation to fix it at planetary scale. It's an absolute shame.

    But, William Henry Gates III in person is evil to the bone. Now it's getting really serious. After he recently changed his focus from computing to bio-weapons, he became a threat to the survival of all humanity. That's not an exaggeration. The damage he did to humanity up to now is irreparable, which is something that is usually intolerable even in lodges (rules of conflict: "The damage must be repairable or compensative.").
    I may only ask: Why? Why was he allowed to do that?

    Petty thieves or drug dealers or murderers or terrorists are disposed of from society or executed swiftly. Today, even remotely.
    But why is the mere existence of such people like Bill Gates tolerated by responsible agencies for a lifetime?

    --
    Respect Authorities. Know your social status. Woke responsibly.

    • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:32PM (2 children)

      by Anonymous Coward on Sunday October 31 2021, @04:32PM (#1192233)

      Security has zero to do with whether an OS is 16/32/64 bit. Look at all the hardware flaws that were baked into 32 and 64 bit cpus. Now look at memory controllers, etc.

      • (Score: 2) by RS3 on Sunday October 31 2021, @07:03PM (1 child)

        by RS3 (6367) on Sunday October 31 2021, @07:03PM (#1192263)

        Very good point. I used to believe that most of the computer flaws / security issues are due to MS (and others) not adhering to the x86 internal protection designs: rings 0-3, proper exception handling, etc. And I still think that's largely to blame: lazy shortcut programming.

        Intel (Cyrix, AMD, etc.) don't necessarily dictate CPU functionality. Like any company they add / change features to suit the market, which is largely M$.

        I say: if M$ had done a better job of utilizing CPU privilege rings and other protections, Intel hopefully would have done a better job of refining CPU design, especially considering security.

        But I might be wrong, and I'm hoping someone with more knowledge and experience will confirm or correct this.

        MS has always done a pretty good job with development tools, example code, tutorials, training, etc. On one hand I commend them, but it did / does usher in more crap code on crap OSes.

        Ultimately I blame non-technical business-types for buying MS products and forcing developers to use them. I'd love to know what the world would be like if we tech-types made those kinds of decisions (which OS to buy, for example).

        • (Score: 0) by Anonymous Coward on Monday November 01 2021, @06:34AM

          by Anonymous Coward on Monday November 01 2021, @06:34AM (#1192388)

          So who is to blame for so many still passing parameters by putting data into a stack that's meant for return addresses? And worse that data often includes data from external sources.

          I bet an entire sub-category of security exploits would go away once people stop doing unhygienic stuff like that.
  • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @03:13PM (4 children)

    by Anonymous Coward on Sunday October 31 2021, @03:13PM (#1192202)

    Do you like job security? You want more bugs and security breaches, not less.

    • (Score: 4, Interesting) by canopic jug on Sunday October 31 2021, @03:29PM (3 children)

      by canopic jug (3949) Subscriber Badge on Sunday October 31 2021, @03:29PM (#1192206) Journal

      Do you like job security? You want more bugs and security breaches, not less.

      Nope, bugs and security breaches are never desirable. The microsoft apologist's assertion that destruction is good for the economy is a fallacy, often referred to as the broken window fallacy. It was famously debunked in the mid 1880s by Frédéric Bastiat in his essay, That Which is Seen, and That Which is Not Seen [bastiat.org]. The resources spent repairing and getting back to square one cannot be spent advancing technology or society.

      What M$ products do provide is butts-in-seats for empire builders. It doesn't matter if your team of 5 computer experts takes care of 3000 GNU/Linux and *BSD machines, the 50 microserfs taking care of 75 Windows machines will outnumber them and outvote them in any corporate politics. The late David Graeber addressed that in his work on eliminating "bullshit jobs [strike.coop]".

      --
      Money is not free speech. Elections should not be auctions.

      • (Score: 2) by Opportunist on Sunday October 31 2021, @03:50PM

        by Opportunist (5545) on Sunday October 31 2021, @03:50PM (#1192213)

        Actually, for us in security, it IS job security. If companies don't see time and again that they get pwned by hackers, they wouldn't throw the amounts of money our way that they do.

      • (Score: 2) by shortscreen on Sunday October 31 2021, @07:03PM

        by shortscreen (2252) on Sunday October 31 2021, @07:03PM (#1192262) Journal

        Nope, bugs and security breaches are never desirable. The microsoft apologist's assertion that destruction is good for the economy is a fallacy

        It's not good for the wider economy, it's good for the developer. Most developers of non-entertainment software could all use some variation of the advertising slogan "buy our new version! because our last version was crap!" Lack of quality is part of the business model.

        MS just rolled out Windows 11 (LOL) and then surpassed Apple to become the world's "most valuable" company. What does that tell you?

      • (Score: 0) by Anonymous Coward on Tuesday November 02 2021, @02:01AM

        by Anonymous Coward on Tuesday November 02 2021, @02:01AM (#1192631)

        Wish I had mod points - the link to Bastiat deserves some. Thanks.

  • (Score: 3, Funny) by Runaway1956 on Sunday October 31 2021, @04:35PM (3 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday October 31 2021, @04:35PM (#1192237) Journal

    A story about aphantasia.

    A story about "the science of fear".

    A story about Microsoft.

    OK, what's next in the horror story series? Can it get any worse?

    • (Score: 3, Touché) by Runaway1956 on Sunday October 31 2021, @04:58PM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Sunday October 31 2021, @04:58PM (#1192241) Journal

      I see how it got worser. Next up is a story about Facefook Meta.

      • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @08:26PM (1 child)

        by Anonymous Coward on Sunday October 31 2021, @08:26PM (#1192283)

        Replying to yourself to appear more relevant? You're getting old bruh, gotta click that post as ac box bruh! Don't worry, no one laughing at you bruuh.

        • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @08:33PM

          by Anonymous Coward on Sunday October 31 2021, @08:33PM (#1192285)

          You failed to make inane remarks on some April comments. You're falling down on the job, troll.

  • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @11:56PM

    by Anonymous Coward on Sunday October 31 2021, @11:56PM (#1192325)

    When I read through the article and the comments, I kept thinking, "it's not just Microsoft, it's the software market generally". And why is this? It is because the market, when including pros and cons, does not reward security. Basically, it is cheaper and more profitable to sell products with security issues, and maybe fix the security bugs later when you get around to it, than it is to produce secure products from the start.

    Yeah, Microsoft does this, but so do many of the other large software houses. Because economically, it is more rewarding.

    How to fix it? That is more complicated. You can punish offenders -- with liability for example -- and/or create standards and make some sectors follow them, but at the end of the day (large) companies generally do what is most profitable.

    Bruce Schneier has a good essay on this at https://www.schneier.com/essays/archives/2007/01/information_security_1.html [schneier.com] which, like many of the comments above, sees liability as part of the solution. It's a good read.

  • (Score: 3, Informative) by ElizabethGreene on Monday November 01 2021, @12:07AM (9 children)

    by ElizabethGreene (6748) Subscriber Badge on Monday November 01 2021, @12:07AM (#1192329) Journal

    (I work for Microsoft, therefore my opinion is invalid. The following is my own opinion, not that of my employer.)

    Assume you are a malware author.
    If you write Android ransomware you encrypt that device and steal banking credentials for that user or force the user to pay to return it to service.
    If you write Windows ransomware you encrypt that device, every network share the user can access, steal corporate banking credentials, and force the company to pay to return to service.

    Which of these is the more lucrative opportunity? As a profit motivated engineer, which would you choose?

    Saying Android or MacOS are more secure because they have less malware is a does-not-follow logical fallacy.

    For what it's worth, I won't argue that Android or MacOS aren't more secure than the average corporate IT device. They almost certainly are. On my non-jailbroken Motorola Android phone the only applications I can install come from Google's locked-down app store where each application is digitally signed and I assume passes at least some form of cursory review. That's a given. When Microsoft tried to implement those features, Windows 10 S, it was widely panned.

    My observation is that people are far more willing to tolerate breaking changes for security from Apple and Google than Microsoft. I'm at something of a loss as to why that is.

    • (Score: 0) by Anonymous Coward on Monday November 01 2021, @01:03AM

      by Anonymous Coward on Monday November 01 2021, @01:03AM (#1192344)

      "If you write Windows ransomware you encrypt that device, every network share the user can access, steal corporate banking credentials, and force the company to pay to return to service."

      Given the higher likely consequences of a bug, should that not put some level of 'gee, maybe we should get this right' on the Msft folks writing and testing the code.

      My feeling from 25 years of Msoft releases is that instead, the focus is that 'gee, instead of making the old stuff just work, we should add something to make the new stuff look new and glitzy and unnecessarily use more resources'.

      Perhaps Apple and Android are getting some tolerance because Msoft keeps shipping so much low hanging fruity attack surface that the bugs in Apple and Android cause fewer problems.
      Admitting loss to see this might be the first step to recovery?

    • (Score: 0) by Anonymous Coward on Monday November 01 2021, @01:04AM (3 children)

      by Anonymous Coward on Monday November 01 2021, @01:04AM (#1192345)

      Because Raymond Chen and the like-minded others at Microsoft spoiled them rotten. People got used to the idea that if your software didn't work on a new version of Windows then it was a bug in Windows. Soon that became the way it is as Microsoft spent more and more effort to keep broken things working. Windows and other desktop/server OSes have the same sort of expectation. Apple and Google and most other vendors do not. Any update that breaks other software is a bug in that other software and because they aren't desktop/server OSes, the expectations are different. There, not only can you "break userspace," and such breakages are routine, but they are expected and anticipated, and often embraced. There is no Chen or Torvalds in Apple/Google land.

      • (Score: 1, Touché) by Anonymous Coward on Monday November 01 2021, @01:50AM (2 children)

        by Anonymous Coward on Monday November 01 2021, @01:50AM (#1192349)

        "Because Raymond Chen and the like-minded others at Microsoft spoiled them rotten. "

        That seems an alternate reality from the one I've seen.

        If one were concerned about breaking the userspace/OS interface, then one should focus on just fixing things and not adding silly features to make the old stuff look new.

        • (Score: 0) by Anonymous Coward on Monday November 01 2021, @02:58AM (1 child)

          by Anonymous Coward on Monday November 01 2021, @02:58AM (#1192361)

          It's OK to admit you don't know who Raymond Chen is, what he works on at Microsoft, and what his design philosophy is. But lets try it this way: "If Linus/McGrath were concerned about breaking the userspace/OS interface, Linus/McGrath should focus on just fixing things and not adding silly features to make the old stuff look new." vs "If Riddell/Fourdan were concerned about breaking the userspace/OS interface, Riddell/Fourdan should focus on just fixing things and not adding silly features to make the old stuff look new." Seeing the difference there might help you unpack things.

          • (Score: 0) by Anonymous Coward on Monday November 01 2021, @03:30PM

            by Anonymous Coward on Monday November 01 2021, @03:30PM (#1192474)

            Hmm, found an apparently interesting spot to tickle. Hopefully we can use it to get to some understanding of how the state of cyber security got in this pickle.

            My starting point is that with the state of software engineering, the only way to make something secure is to keep it simple and the current trend in OS/app interface is anything but.

            Sure others have bugs as well, and do weird things to how programs and OS interact (SystemD?) but the question was if the consequences for MSft doing this were much worse.
            (Both in how weird, and the consequence multiplier due to where they are deployed.)

            Mr. Chen appears to be a guy who wrote about a lot of things in this interface which ideally had no business being there in the first place.
            If you make this interface this complicated, then it is no wonder that it will have issues, require adjustments, which in turn cause compatibility and reliability issues.
            A cynic would say, this appears a marketing choice to sell hardware and lock programmers and users in to doing things the Msft way.
            An optimist might say that it was a result of a competing and evolving understanding of how to make a collection of separate apps cooperate and act in a unified manner.

            The truth is probably some mix of these, but the result is the same. The OS we most depend on is a complicated and continually changing and so has lots of fruitful attack surface.

            An alternative strategy: what would the world be like if there had been a feature freeze at say W7 and only bugs fixed since?
            Would we really have missed much?
            Would we currently have ransomware?

            As a side issue, is it a good idea that Linux seems headed towards being an integrated, feature-for-feature parity desktop OS?

    • (Score: 3, Insightful) by deimtee on Monday November 01 2021, @05:25AM (1 child)

      by deimtee (3272) on Monday November 01 2021, @05:25AM (#1192381) Journal

      For what it's worth, I won't argue that Android or MacOS aren't more secure than the average corporate IT device. They almost certainly are. On my non-jailbroken Motorola Android phone the only applications I can install come from Google's locked-down app store where each application is digitally signed and I assume passes at least some form of cursory review. That's a given. When Microsoft tried to implement those features, Windows 10 S, it was widely panned.

      My observation is that people are far more willing to tolerate breaking changes for security from Apple and Google than Microsoft. I'm at something of a loss as to why that is.

      That's almost certainly due to phones and PC's being perceived as different things. You expect a phone to be secure, and the App Store model was introduced with the device. Vetted apps only was normalised from the start. It might be a powerful pocket computer now, but people still call them phones. They are perceived as being always on the telecoms network, and as such the telecoms have an interest in the devices performing as they are supposed to. That translates into controlling errant programs and the fact that it is Apple and Google rather than the phone company flies right over most people.

      Microsoft trying to add that security to home PCs is different. There is no history of someone else authorising your use of software on your home PC, and microsoft trying to arrogate that control to themselves is what was rejected. Microsoft's generally bad reputation for both security and dirty tricks didn't help.

      --
      If you cough while drinking cheap red wine it really cleans out your sinuses.

      • (Score: 0) by Anonymous Coward on Monday November 01 2021, @10:19AM

        by Anonymous Coward on Monday November 01 2021, @10:19AM (#1192412)

        That's almost certainly due to phones and PC's being perceived as different things.

        That's because most phone makers realized that most users would shoot their own feet if they were allowed to, so they added walled gardens and tons more restrictions. For example you had to pwn your own phone if you wanted to get root on it.

        So all of them started making phones like that thus people got used to that. And even then many people still get pwned not by exploits[1] but because they actually installed the malware.

        Microsoft might be trying a similar thing with more recent Windows. e.g. try to get more users to use the app store where supposedly fewer apps would have the permissions to shoot feet.

        [1] That said I notice many websites seem to show more suspicious/bad ads when I use mobile chrome. So I've switched to firefox and opera with adblocking and adguard.

    • (Score: 2, Interesting) by Anonymous Coward on Monday November 01 2021, @10:36AM

      by Anonymous Coward on Monday November 01 2021, @10:36AM (#1192418)

      Saying Android or MacOS are more secure because they have less malware is a does-not-follow logical fallacy.

      Your opinion is invalid. More to the point, nobody is arguing that.

      My observation is that people are far more willing to tolerate breaking changes for security from Apple and Google than Microsoft.

      Your opinion is invalid. How much old hardware did Microsoft break with the transition from XP->7->10? Microsoft breaks things all the time, even when they don't intend to, and people just shrug it off like it's the weather.

    • (Score: 2) by Entropy on Tuesday November 02 2021, @03:12PM

      by Entropy (4228) on Tuesday November 02 2021, @03:12PM (#1192758)

      >My observation is that people are far more willing to tolerate breaking changes for security from Apple and Google than Microsoft. I'm at something of a loss as to why that is.

      It's because Windows has one job: Run whatever application I need on the hardware I have. 99% of the "Windows" garbage that is added with every patch, every new version is not only useless, it's actively destructive. Windows itself should use as close to zero resources as possible. Windows is not my web browser. Windows is not my email client. Windows is not an app.

      I've actually had Windows 10 auto install some garbage update, force install Facebook and break the one single application that I actually need that machine to run. That's absurd.

      Want an example of the security nightmare MS is? How about merely viewing an email and being infected by a virus. NOT opening an attachment: Just viewing an email. Now that's innovation that we have the DLL nightmare to thank for.
