Stephen Speicher

Jihad in cyberspace

57 posts in this topic

I don't think that one piece of bad code out of thousands and thousands of articles can be used to say anything negative about MSDN, let alone Microsoft as a whole. Just think of all the great things that Microsoft has built over the years, yet when the quality of Microsoft's products comes up we're talking about a help file that says "MAXPATH" instead of "MAX_PATH."

If that's all the problem was, a minor typo, it would be nit-picking to bring it up. But, as I carefully noted in detail, and as programmers can verify, the entire example was flawed in many fundamental ways.

Share this post


Link to post
Share on other sites

Applying this to the current issue, I believe that Phillip has done nothing more than to set up a Platonic ideal. Based on what he would have done if he were Bill Gates or the others who manage Microsoft, he has created the ideal. Then, when Microsoft decides not to do what he prescribes, they’ve “dropped the ball” and are a bad company.

My name is Philip with one L, incidentally. (More "Platonism" on my part I guess.)

Perhaps you think that having every last shred of data on your computer investigated by people with criminal intent, plus having your system used to spam, participate in DOS attacks, etc., is a minor thing of no great import. Many millions of computer systems were infected with spyware using gaping security holes in Microsoft products. If you want to dispute that, you are at odds with a very large number of technically informed people. It isn't about me Platonically criticizing Microsoft. As a programmer - as many other programmers have done - I can, and I do, criticize them for making boneheaded mistakes that they were informed of but did nothing about, years ago. The perils of ActiveX controls for example were not some kind of subtle problem that required time or seeing the Form of the Good to realize.

My suggestion of Microsoft hiring the 10 smartest programmers in the world was only, at most, one-quarter serious. It was more a sentiment that they themselves should accept that, contrary to much of the company's self-reinforcing culture of "we are the best and brightest and none better", they have made some serious errors including having some, apparently, pretty sloppy programmers infect commercial software used by hundreds of millions of people, with extremely dire consequences. They have some *extremely* good programmers, but they are not the issue. Overall the company can and should do better. Not in a Platonic world, but in the real world.

Imagine a food company that - most of the time - created tasty, nutritious food. But then imagine that they introduce elements into the food that cause it to turn into a bad poison almost immediately on contact with normally expected substances in the environment, unknown to most people eating it (at the time). Further imagine that the company was *told* in advance, years ago, that this would probably happen, but ignored it. Are you saying that the people sickened by the food should just blithely go along and say "Oh, you supplied us with wonderful food, nothing else counts." ? If in fact the problem could not have been reasonably foreseen, that *would* be Platonism. Nothing humans do will ever be "perfect" in a Platonic sense, and the best programmers in the world have bugs in their code. But it is entirely realistic to expect "the best possible" from the world's largest software company, unless you consider the concepts of "poor, good, very good, and best" to be mere Platonism.

Platonism would be demanding an irrational and unattainable perfection, but that has no relationship to anything I've been discussing.

Share this post


Link to post
Share on other sites

I don't think that one piece of bad code out of thousands and thousands of articles ...

I missed this the first time. Again, you are incorrect. As I plainly said, I found the problem code randomly, by accident. It is certainly not the first time that I (and many others) have found problems in the documentation.

I certainly have not undertaken a systematic survey of the code quality contained within MSDN, so the idea that I looked at every code sample and found the single problem is completely misrepresenting what I said or implied - just to make this clear.

Share this post


Link to post
Share on other sites

I emphatically agree, and go farther: having buffer overflows in code that's supposed to be robust (like an operating system) isn't just arguably sloppy programming, it is sloppy programming.

Thanks, Jay. I'm glad to see that at least one person "gets it".

Re: the choice of 8088 vs. 68000, I did some Googling and ran in to this interesting Wikipedia article (usual disclaimers about potential accuracy but it's worth at least what I paid for it). I hadn't heard this particular story before:

http://en.wikipedia.org/wiki/8088

Share this post


Link to post
Share on other sites
If that's all the problem was, a minor typo, it would be nit-picking to bring it up. But, as I carefully noted in detail, and as programmers can verify, the entire example was flawed in many fundamental ways.

I don't think anyone is disagreeing that it is an incompetent piece of coding. We are disagreeing that a piece of incompetent coding in the help documentation, probably written by a technical writer to boot, has anything at all to say about Microsofts programmers as a whole. I've been in this business professionally on the sys admin side for 17 years and a hobbyist a lot longer than that. If I got a buck for every example of lousy documentation that I've seen in that time I would be rich.

Share this post


Link to post
Share on other sites
My suggestion of Microsoft hiring the 10 smartest programmers in the world was only, at most, one-quarter serious. It was more a sentiment that they themselves should accept that, contrary to much of the company's self-reinforcing culture of "we are the best and brightest and none better", they have made some serious errors including having some, apparently, pretty sloppy programmers infect commercial software used by hundreds of millions of people, with extremely dire consequences. They have some *extremely* good programmers, but they are not the issue. Overall the company can and should do better. Not in a Platonic world, but in the real world.

I largely agree with this though I'm not sure how much that attitude you ascribe to Microsofties is current or of the past. Even the most partisan employee would have to know that Google, among others, are picking some of the best programmers available. It certainly does not describe any ex or current Microsoft employee I have worked with.

And I think they are trying to do better. Is it good enough? Windows 2003 is good enough for me to trust billions of dollars of transactions a day in a high threat environment (DMZ of one the US's largest banks). They've got a long way to go on the desktop. Time will tell...

Share this post


Link to post
Share on other sites

I don't think anyone is disagreeing that it is an incompetent piece of coding. We are disagreeing that a piece of incompetent coding in the help documentation, probably written by a technical writer to boot, has anything at all to say about Microsofts programmers as a whole.

I agree that it isn't directly indicative of the "real" programmers there, but I don't think it's irrelevant either. First, Microsoft's hiring practices are - it is claimed - so good as to get the "cream of the crop", the best of the best. Examples such as that very strongly contradict any such claim. Secondly, even those writing programming examples should know what they're doing as programmers. It isn't a job for an English major. Third, the fact remains that Microsoft software *does* provably have a history of ugly security problems, many of them careless buffer overflows, and that in itself is indicative of programming that wasn't top tier.

re: your previous post, I've been wanting to completely rewrite the interface (and redo the text database structure) for the Objectivism Research CD-ROM, which if I have the time I'll do this year. If I do, it'll be cross-platform so it can run on both PCs and Mac OS X (perhaps even Linux). It has been legitimately pointed out a number of times that it could simply be in PDF form, but, at least when I first developed the product, I had doubts about the security of the PDF files. It's something I plan to look at again, though I'm not happy with the limitations of the Adobe PDF reader interface/search system.

Share this post


Link to post
Share on other sites
My name is Philip with one L, incidentally. (More "Platonism" on my part I guess.)

I apologize for misspelling your name.

Perhaps you think that having every last shred of data on your computer investigated by people with criminal intent, plus having your system used to spam, participate in DOS attacks, etc., is a minor thing of no great import. Many millions of computer systems were infected with spyware using gaping security holes in Microsoft products. If you want to dispute that, you are at odds with a very large number of technically informed people. It isn't about me Platonically criticizing Microsoft. As a programmer - as many other programmers have done - I can, and I do, criticize them for making boneheaded mistakes that they were informed of but did nothing about, years ago. The perils of ActiveX controls for example were not some kind of subtle problem that required time or seeing the Form of the Good to realize.

My suggestion of Microsoft hiring the 10 smartest programmers in the world was only, at most, one-quarter serious. It was more a sentiment that they themselves should accept that, contrary to much of the company's self-reinforcing culture of "we are the best and brightest and none better", they have made some serious errors including having some, apparently, pretty sloppy programmers infect commercial software used by hundreds of millions of people, with extremely dire consequences. They have some *extremely* good programmers, but they are not the issue. Overall the company can and should do better. Not in a Platonic world, but in the real world.

Imagine a food company that - most of the time - created tasty, nutritious food. But then imagine that they introduce elements into the food that cause it to turn into a bad poison almost immediately on contact with normally expected substances in the environment, unknown to most people eating it (at the time). Further imagine that the company was *told* in advance, years ago, that this would probably happen, but ignored it. Are you saying that the people sickened by the food should just blithely go along and say "Oh, you supplied us with wonderful food, nothing else counts." ? If in fact the problem could not have been reasonably foreseen, that *would* be Platonism. Nothing humans do will ever be "perfect" in a Platonic sense, and the best programmers in the world have bugs in their code. But it is entirely realistic to expect "the best possible" from the world's largest software company, unless you consider the concepts of "poor, good, very good, and best" to be mere Platonism.

Your example is incorrect. In the case of the food company, it is making a food that is poison. It is the food that is poisonous. In such a case, it is not food at all but poison. The food company is harming those who consume it and is committing fraud by telling people that it is food (since they know that it is poison).

This is not the case for Microsoft’s software. At no time is Microsoft, through their software, harming the users of such software. What harms others are those who take malicious advantage of the software. The only way that I could ever see Microsoft at fault is if they claimed that there was no way for others to use the software to others’ harm when they knew that there was. In that case, they committed fraud. If your criticism is valid, then you may criticize gun manufacturers for not creating a product that was safe.

Platonism would be demanding an irrational and unattainable perfection, but that has no relationship to anything I've been discussing.

That’s exactly what I claim you do. When evaluating a product of man one must evaluate it on this basis: does it do what the creator wants it to do? Microsoft released their software so I believe that it does do what they wanted it to do. You have reversed this and are evaluating it on what it doesn’t do.

Share this post


Link to post
Share on other sites

Philip, I am curious as to how you judge the goodness or badness of Microsoft. You seem to be doing it based upon their product saying that it could and should be better. But I wonder, even if it can be better, why is it that it should be better? If they are selling a product that people are willing to buy, then why must they try for more? If there are flaws in their design that they fail to correct and this enables someone to produce a better product which competes with them, then so much the worse for Microsoft. But I see no moral mandate for them to put out a product which holds to certain standards. Unless as Nick stated they promised those standards to their customers, do they do so?

Share this post


Link to post
Share on other sites

That’s exactly what I claim you do.

Well, claim away, I completely disagree and I can't see anything to add to my previous rebuttal.

Share this post


Link to post
Share on other sites

Philip, I am curious as to how you judge the goodness or badness of Microsoft. You seem to be doing it based upon their product saying that it could and should be better. But I wonder, even if it can be better, why is it that it should be better? If they are selling a product that people are willing to buy, then why must they try for more? If there are flaws in their design that they fail to correct and this enables someone to produce a better product which competes with them, then so much the worse for Microsoft. But I see no moral mandate for them to put out a product which holds to certain standards. Unless as Nick stated they promised those standards to their customers, do they do so?

Well, thank you for asking reasonable questions, seriously.

In a nutshell, Microsoft should have done better, and still should do better, (focusing now on security issues, notwithstanding other areas of potential improvement) because, by the nature of the internet, it is *completely* unreasonable to have an attacker's software automatically, or easily, installed onto your computer, simply by clicking a link to a web page or opening an email or installing a DSL or cable modem. The concept is *negligence* - just as it would be negligence for a food company to create a product that easily turns into something toxic without a customer's reasonable knowledge, if they had been informed of that possibility and then proceeded to ignore it.

There are certain reasonable standards of performance that apply to any product or service, and innocently clicking on a link or opening an email should not result in the contents, and processing power, of your computer becoming an open book to the bad guys. Yes, of course the bad guys are morally culpable, but their existence was predictable and known. To have your computer, with potentially all of its data, be taken over by them, by performing completely normal operations, is entirely unacceptable and entirely avoidable, not in a Platonic world but in the real one.

The situation now is better - Microsoft has reactively fixed problems over years (long after others had identified such things as ActiveX controls as very dangerous) - but tremendous damage has already been done, and hundreds of thousands if not millions more PCs running Microsoft software every *month* are still being compromised, if the statistics are to be believed. Anybody finding that acceptable, certainly has very low standards.

That's about as simple as I can put it. I hope that helps.

Share this post


Link to post
Share on other sites

Philip, I am curious as to how you judge the goodness or badness of Microsoft. You seem to be doing it based upon their product saying that it could and should be better. But I wonder, even if it can be better, why is it that it should be better? If they are selling a product that people are willing to buy, then why must they try for more? If there are flaws in their design that they fail to correct and this enables someone to produce a better product which competes with them, then so much the worse for Microsoft. But I see no moral mandate for them to put out a product which holds to certain standards. Unless as Nick stated they promised those standards to their customers, do they do so?

Following that line of reasoning Aurelia, would you have also not had a problem with Roark deliberately producing second-rate Architecture because he knew that he could become just as wealthy doing so?

Are you saying that there is nothing to condemn in someone choosing not their integrity as the standard for determining the quality of their product, but the degree to which others approve or are willing to pay for it?

Share this post


Link to post
Share on other sites

Well, claim away, I completely disagree and I can't see anything to add to my previous rebuttal.

Well, thank you for asking reasonable questions, seriously.

Well, now I feel like an idiot. I was trying to have a discussion of the issue, but it seems I've done nothing but upset you. I don't know what I did to do this as I see what Aurelia and I did as the same.

Following that line of reasoning Aurelia, would you have also not had a problem with Roark deliberately producing second-rate Architecture because he knew that he could become just as wealthy doing so?

Are you saying that there is nothing to condemn in someone choosing not their integrity as the standard for determining the quality of their product, but the degree to which others approve or are willing to pay for it?

Well, "Integrity as their standard" is integrity to what? I say that it is integrity to their virtues. Now, given that Roark was a genius, then his work will be amazing, but what is morally mandated is not that he create the best and most amazing work, but that he creates (productivness).

I really don't think that Microsoft is a company that sits around and half-asses their software. They are acutely aware of the perception of others of thier company. They are constantly lambasted on all sides (government, Linux& Mac die-hards, people who think that they're a monopoly and charge too high a price for their crappy stuff). That Microsoft is so well known and so highly scrutinized puts them in a position of almost never having to make a mistake. Think of the flak they received when they released windows 95 (or ME for that matter) and how they were the but of the computing world for all of the bugs that the software had when initially released. I'm sure you're well aware of the "blue screen of death" jokes that continue to circulate even today about Microsoft.

I think that you are incorrect to think that they can do any more to solve the security problems. I believe that they know all about them and have been scrambling since day one to solve them.

Share this post


Link to post
Share on other sites
Well, thank you for asking reasonable questions, seriously.

In a nutshell, Microsoft should have done better, and still should do better, (focusing now on security issues, notwithstanding other areas of potential improvement) because, by the nature of the internet, it is *completely* unreasonable to have an attacker's software automatically, or easily, installed onto your computer, simply by clicking a link to a web page or opening an email or installing a DSL or cable modem. The concept is *negligence* - just as it would be negligence for a food company to create a product that easily turns into something toxic without a customer's reasonable knowledge, if they had been informed of that possibility and then proceeded to ignore it.

The difference, I think, between your view and mine is that I don't think Microsoft is necessarily obligated to protect us from such vicious attacks because they offer a product that may expose us to them. If consumers are willing to take that risk as a part of the product that Microsoft sells then I don't see any problem whatsoever. The only exception I make is if those consumers are forced to take that risk because Microsoft promises to protect them from it and then fails to meet those standards. I've never seen Microsoft make any assurance to it's buyers that it hasn't kept. I mean, I have a Microsoft OS because it's easy to use and does what I want it to, but I specifically use Firefox as my browser and run a few other programs that protect/weed out spyware, adware, and viruses. I know the risk in using Microsoft and I account for it. Do others believe that Microsoft is bulletproof? Was it Microsoft that perpetrated or encouraged such an assurance? If so, then that is fraud, they aren't selling the product they advertise.

By the way, I agree with Nick that you're example is invalid for two reasons:

  • The poison is in that actual food, in this case the company is entirely to blame. But with Microsoft they are failing to provide the antidote to the poisons other people use.
  • They sell their product as food. By adding poison they no longer sell food, they sell poison in the guise of food which is fraud and possibly attempted murder. And as far as I know, Microsoft successfully sells the product they claim to have.

There are certain reasonable standards of performance that apply to any product or service, and innocently clicking on a link or opening an email should not result in the contents, and processing power, of your computer becoming an open book to the bad guys. Yes, of course the bad guys are morally culpable, but their existence was predictable and known. To have your computer, with potentially all of its data, be taken over by them, by performing completely normal operations, is entirely unacceptable and entirely avoidable, not in a Platonic world but in the real one.

I agree there are standards, but I don't think a company is obligated to produce by them. Most probably doing so would increase the value of your product. Again, it is horrible to be attacked so, but I can't blame Microsoft for not protecting the consumer until you show me where they said they would.

The situation now is better - Microsoft has reactively fixed problems over years (long after others had identified such things as ActiveX controls as very dangerous) - but tremendous damage has already been done, and hundreds of thousands if not millions more PCs running Microsoft software every *month* are still being compromised, if the statistics are to be believed. Anybody finding that acceptable, certainly has very low standards.

ActiveX controls are actively dangerous? As in they perpetuate attacks on your PC, besides simply not stopping them, when they are advertised as a safety?

That's about as simple as I can put it. I hope that helps.

Thank you for your patience, I'm really interested in this discussion. :)

Following that line of reasoning Aurelia, would you have also not had a problem with Roark deliberately producing second-rate Architecture because he knew that he could become just as wealthy doing so?

Are you saying that there is nothing to condemn in someone choosing not their integrity as the standard for determining the quality of their product, but the degree to which others approve or are willing to pay for it?

I am neither intimately familiar with the employees nor the operators of Microsoft. I don't know what they're capable of; if they're compromising the integrity of their work or not. To compromise the height to which one may achieve is indeed condemnable.

But I question how you judge the quality of said product. What is the judge of a product's quality if not how much others approve and are willing to pay for it? One of the first rules of economics is that the value of something is only finally decided after it's been traded, ie once you've ascertained how much someone wants it and is willingly to pay for it. What is the value of a product, say, if you expend all your effort and genius on it, perfecting it, and no one wants to buy it [whether because it doesn't suit their needs or it's too expensive]? What value have you created?

I'm saying that Microsoft is a good company because it excellently performs the function of a company. That is, it makes an enormous profit by selling a product that consumers demand [demand meaning, desire and willing to pay].

Share this post


Link to post
Share on other sites
But I question how you judge the quality of said product. What is the judge of a product's quality if not how much others approve and are willing to pay for it? One of the first rules of economics is that the value of something is only finally decided after it's been traded, ie once you've ascertained how much someone wants it and is willingly to pay for it. What is the value of a product, say, if you expend all your effort and genius on it, perfecting it, and no one wants to buy it [whether because it doesn't suit their needs or it's too expensive]? What value have you created?

So assuming Michelangelo was living at the same time as Jackson Pollack, and Pollack created "Galaxy" ( http://upload.wikimedia.org/wikipedia/en/8...lock_Galaxy.jpg ) at the same time Michelangelo created David, then if Pollack sold his "painting" for $80,000 and Michelangelo was unable to find someone interested, following your statement then is Galaxy a product of higher quality than the David? Are you saying that Michelangelo did not create a value when he made this: http://www.humsci.auburn.edu/pmachine/imag...ds/david_08.jpg

I'm saying that Microsoft is a good company because it excellently performs the function of a company. That is, it makes an enormous profit by selling a product that consumers demand [demand meaning, desire and willing to pay].

So an arms dealer network that makes a kaboodle of money selling AK-47's to Hamas, is a good company?

Somone correct me if I'm wrong, but I thought Capitalism isn't doing anything it takes to make a dime, but rather, to be allowed to freely trade the productive labor of the best within us with others who do and seek the same.

Share this post


Link to post
Share on other sites

The difference, I think, between your view and mine is that I don't think Microsoft is necessarily obligated to protect us from such vicious attacks because they offer a product that may expose us to them.

Part of the problem is that this is a technical issue. I can only say, based on my knowledge and the knowledge of many other people, it was massively stupid for Microsoft to have let ActiveX controls run in an uncontrolled fashion - and they were told that, many, many, many times, before they were forced to fix a problem that had become enormous, costing probably *billions* of dollars of economic damage if you count identity theft. This was not some obscure thing like a bolt out of the blue that you would have to be a Platonic god to see.

As for my food analogy, I can only suggest that you and Nicholas re-read it. I didn't say that the company in my analogy was selling poison. They were selling food. The analogy is that they were selling a kind of food that could *become* poison, spoiled if you will, very rapidly, in normal circumstances that no customer would reasonably expect. To me that's an almost perfect analogy to buying Windows and then having it introduce a security hole a truck could drive through the first time you click on a Googled link to a malign web site or open a spam email with a virus attached (before they finally fixed many of those holes). I can assure you that a spyware compromised Windows installation might as well be considered poison, until it is either fixed (very hard to say with certainty) or wiped clean and reinstalled.

I'll probably respond to the rest of your post later, I have to get going.

Share this post


Link to post
Share on other sites

Been a bit busy lately to respond to the other posts in this thread, but I thought I would drop in this quick post before I goto sleep. :)

I would actually argue that Capitalism is about neither and that it is about pursuing your values.

I love protecting and distributing digital content. I am passionate about it. I get excited about not only my work but also my competitions work. Both of us are achieving wonderful things.

To do the research nessessary to build my product tho, I have had to do smaller contracts that are unrelated. I could spend my entire time polishing those to perfection, but that would leave no time or money to do the central purpose. I build those smaller projects to accomplish the job as given to me instead of polishing every last statement to be the best possible programming statement.

Capitalism is not about sacrificing my goals and what I love in order to deliver the most perfect(defined by lack of bugs) code ever, it is about using your judgement to better your own life. When you deal with others, It is about working on certain projects by mutual rational agreement to accomplish goals that are chosen by all people involved in that project.

An example, you know a once off task will take 10 hours but you can see that it will be automated easily. You might throw together a quick tool that is buggy and has lots of other problems with it that will shave off 5 hours off the completion time, giving you that profit of 5 hours back of your life.

Polishing it and debugging that program can take several days. If you do so, you make a heavy loss on that project in regards to your goals. Build fine things, but never lose sight of your what for question. It is not a cherry picked example either, I have faced that very situation on a number of times in my programming. :)

Share this post


Link to post
Share on other sites
So assuming Michelangelo was living at the same time as Jackson Pollack, and Pollack created "Galaxy" ( http://upload.wikimedia.org/wikipedia/en/8...lock_Galaxy.jpg ) at the same time Michelangelo created David, then if Pollack sold his "painting" for $80,000 and Michelangelo was unable to find someone interested, following your statement then is Galaxy a product of higher quality than the David? Are you saying that Michelangelo did not create a value when he made this: http://www.humsci.auburn.edu/pmachine/imag...ds/david_08.jpg

I think Aurelia was referring to market value. Consider this from Capitalism: The Unknown Ideal, p. 24-25).

It is in regard to a free market that the distinction between an intrinsic, subjective, and objective view of values is particularly important to understand. The market value of a product is not an intrinsic value, not a "value in itself" hanging in a vacuum. A free market never loses sight of the question: Of value to whom? And, within the broad field of objectivity, the market value of a product does not reflect its philosophically objective value, but only its socially objective value.

[...]

Thus, a manufacturer of lipstick may well make a greater fortune than a manufacturer of microscopes—even though it can be rationally demonstrated that microscopes are scientifically more valuable than lipstick. But—valuable to whom?

A microscope is of no value to a little stenographer struggling to make a living; a lipstick is; a lipstick, to her, may mean the difference between self-confidence and self-doubt, between glamour and drudgery.

I'm saying that Microsoft is a good company because it excellently performs the function of a company. That is, it makes an enormous profit by selling a product that consumers demand [demand meaning, desire and willing to pay].

So an arms dealer network that makes a kaboodle of money selling AK-47's to Hamas, is a good company?

This statement drops the context. Clearly the context was doing business within the general confines of the morally proper.

Share this post


Link to post
Share on other sites

The difference, I think, between your view and mine is that I don't think Microsoft is necessarily obligated to protect us from such vicious attacks because they offer a product that may expose us to them.

Part of the problem is that this is a technical issue.

I don't think so. Regarding Microsoft's mistakes, I can unhesitantly admit that your technical knowledge of these is far superior to my own and, most likely, superior to that of others here who have also supported Microsoft. But, even granted your technical judgment that Microsoft made mistakes that were "massively stupid," I personally am still deliriously happy with the result. When I judge all the threats, annoyances, and inconveniences of security and nusiance problems -- when I consider the money and time that those "massively stupid" mistakes cost me both directly and indirectly -- the value that Microsoft has given me far, far outweighs those costs. As a consequence of that judgment, I tend to focus on the positive side of what Microsoft has done and not belabor the negative. Whatever your reason, you tend to focus on the negative side of what Microsoft has done and not belabor the positive. So, I think the problem is not "a technical issue" as much as an evaluative one.

Share this post


Link to post
Share on other sites

Regarding the statistics for "zombie" machines: I would be interested in what percentage of those computers run fully patched versions of Windows XP. Another figure I would like to see is, how many run fully patched, licensed versions of XP with anti-virus and anti-spyware while practicing relatively safe browsing habbits.(no warez, porn, peer-to-peer internet file sharing)

Secure computing does not necessarily have everything to do with software architecture either. I could set a friend up on a unix based OS like OpenBSD with firefox and he could easily be tricked into giving out sensitive information. I had a friend at school who kept getting emails from "Ebay" with the subject line stating that his account had been improperly accessed. Hovering the mouse pointer over the link provided in the email to verify and recover his account pointed to an address that was clearly not Ebay's or Paypal's. This shows that HOW a computer is used and maintained affects security as well. I could build a house with 8 foot thick walls of concrete all around the perimeter and roof, but if I leave the door open my efforts are meaningless. Coincidentally, Microsoft knows this and has built anti-phishing measures into IE7.

BTW, I am not interested in an overly technical discussion nor one that involves any of Microsoft's shortcomings alledged or otherwise. My purpose was to bring up the point that security is not solely a matter of programming. :) I am not saying that any one here has made that claim, only that has been an aspect that has not been presented.

Share this post


Link to post
Share on other sites

My purpose was to bring up the point that security is not solely a matter of programming. :) I am not saying that any one here has made that claim, only that has been an aspect that has not been presented.

Oh, I agree. That's only part of the issue. In the end, as usual, it's largely a management issue. It is managers who decide who to hire, quality procedures, when code is ready to be released, etc.

Share this post


Link to post
Share on other sites

Aurelia and Nick wanted me to inform everyone that their internet is currently down and this is why they are not responding.

Nobody has stumped them, so if that's what you were thinkin'...stop ;-)

Share this post


Link to post
Share on other sites

When I judge all the threats, annoyances, and inconveniences of security and nusiance problems -- when I consider the money and time that those "massively stupid" mistakes cost me both directly and indirectly -- the value that Microsoft has given me far, far outweighs those costs. As a consequence of that judgment, I tend to focus on the positive side of what Microsoft has done and not belabor the negative.

I haven't denied the great value that Microsoft has brought to the world. But in my view, to repeat one last time because this thread has become very depressing to me, they really have made some big mistakes that are very expensive for their customers. To have all of your financial and personal data potentially transmitted to some criminal organization is a pretty big hit to take in exchange for the value of Windows - it isn't like a misplaced pixel somewhere.

Share this post


Link to post
Share on other sites
Regarding the statistics for "zombie" machines: I would be interested in what percentage of those computers run fully patched versions of Windows XP. Another figure I would like to see is, how many run fully patched, licensed versions of XP with anti-virus and anti-spyware while practicing relatively safe browsing habbits.(no warez, porn, peer-to-peer internet file sharing)

Secure computing does not necessarily have everything to do with software architecture either. I could set a friend up on a unix based OS like OpenBSD with firefox and he could easily be tricked into giving out sensitive information. I had a friend at school who kept getting emails from "Ebay" with the subject line stating that his account had been improperly accessed. Hovering the mouse pointer over the link provided in the email to verify and recover his account pointed to an address that was clearly not Ebay's or Paypal's. This shows that HOW a computer is used and maintained affects security as well. I could build a house with 8 foot thick walls of concrete all around the perimeter and roof, but if I leave the door open my efforts are meaningless. Coincidentally, Microsoft knows this and has built anti-phishing measures into IE7.

Jason, thanks for focusing on this important point and making it so explicit. In addition to the machines that are not kept up-to-date, I too wonder what percentage of security breaches are a consequence of the way the machine is being used and therefore might be avoided. I regularly get the sort of phishing emails you describe, and they appear to come from a large variety of different popular banks and companies that most people do business with. The html emails look just like the face of the real company. I would love to see some reasonable studies or estimates on what percentage of this particularly harmful security breach is a consequence of the user rather than Microsoft.

Share this post


Link to post
Share on other sites

The html emails look just like the face of the real company. I would love to see some reasonable studies or estimates on what percentage of this particularly harmful security breach is a consequence of the user rather than Microsoft.

Using Eudora (my email client of many years), the program has a notification if you attempt to click on a hyperlink to a URL that does not match the displayed hypertext. I don't know if Outlook does this (if so it would probably be from a relatively recent security patch - anybody using Microsoft Office should certainly visit http://office.microsoft.com and Check for Updates to see if they're missing any program updates, including security patches).

People should also be aware that using Internet Explorer to view HTML emails (which is optionally the case in Eudora and almost certainly the default in Outlook) is riskier than viewing emails as straight text (or, in the case of Eudora, using their own, unfortunately very limited HTML viewer). Historically there are a number of instances where HTML spams took advantage of security holes in I.E., so the very act of viewing it activated a malicious program embedded within the email. (See http://www.google.com/search?hl=en&q=inter...orer+html+email for that.) Also, more subtly, viewing the email as HTML can cause retrieval of external data, usually images, from a remote server - this is problematic in at least two ways, re: spammers or worse: (1) the URL generally contains a unique code identifying that this was the email sent to *you* in particular, meaning that their spam got through, so they can sell your address as especially good to other spammers. If your email client has an option to turn *off* retrieval of external URLs from an HTML email, I strongly advise doing so.

(2) the act of retrieving the external data identifies your IP address to the remote server, which could easily trigger an automated port probe of your computer. This is probably less of a problem, because port scanning across vast IP ranges are routinely done by malicious systems. If you have a computer with a fulltime connection to the internet, you need a physical firewall in my opinion, which is usually included in any decent broadband router these days.

One method that I have used for years is very effective, but it pretty much relies on controlling your own email server, a luxury many don't have unfortunately. But, if you can, or if you can at least generate a large number of different ones, then I strongly suggest not having just one email address. Try to make email addresses as specific to the recipient as possible. That way if you start getting spam from one particular address, you can much more easily block it wholesale by dropping all email from that source. If necessary, you can generate a new email address for that particular sender (say, a mailing list) then block the old one. This is also extremely useful to immediately detect phishes. If you use a particular email address *only* to get email from a particular bank, it is far more likely that email from that address is legitimate, and very easy to detect phishes that are purportedly from that bank but sent to another address.

There are many non-Microsoft ways to acquire a problem. Security, outside of not having the simple act of browsing to a page or opening an email toast your system, is a state of mind. For any financially related site (bank, credit card, Ebay, Paypal, etc.) you should *never* click on a URL purporting to be an email from them. It is much safer to assume that it's a phish. Open a browser independently and access it from there by typing the address or preferably using a bookmark (URLs can be mistyped, and some mistyped URLs are traps.)

Also, if possible, I recommend good spam filtering, preferably at the server (ISP) level, and also at the client (your own computer) level. Good spam filters will identify and remove most of the phishing junk before you ever see it.

Share this post


Link to post
Share on other sites