The Ghost In The Machine
Since: Aug 04, 2005 Posts: 3878
Posted: Mon Oct 02, 2006 8:00 pm Post subject: [News] Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
Microsoft 'taking security risks'
Microsoft is taking security risks with its forthcoming Vista
operating system, says software firm McAfee.
The security specialist has taken out a full-page advert in the
Financial Times to alert readers to its concerns.
It feels the tech giant is increasing risks of hacks and viruses by
locking out third-party software firms from its in-built security
system for Vista.
http://news.bbc.co.uk/2/hi/technology/5399534.stm
Wonderful. Is this our future?
--
#191, ewill3.TakeThisOut@earthlink.net
Windows. Multi-platform(1), multi-tasking(1), multi-user(1).
(1) if one defines "multi" as "exactly one".

billwg
Since: Aug 15, 2006 Posts: 393
Posted: Mon Oct 02, 2006 8:00 pm Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
The Ghost In The Machine wrote:
> Microsoft 'taking security risks'
>
> Microsoft is taking security risks with its forthcoming Vista
> operating system, says software firm McAfee.
>
> The security specialist has taken out a full-page advert in the
> Financial Times to alert readers to its concerns.
>
> It feels the tech giant is increasing risks of hacks and viruses by
> locking out third-party software firms from its in-built security
> system for Vista.
>
> http://news.bbc.co.uk/2/hi/technology/5399534.stm
>
> Wonderful. Is this our future?
>
Are you talking about MS trying to harden Windows and potentially
failing or McAfee whining about losing their cash cow?
If I wasn't so involved with a bunch of other stuff, I would spend more
time learning about just how these security flaws occur. My employer
has sent us all off to a two day seminar in secure coding techniques
and we are all using the safe string stuff now, but that seems kind of
tame given the amount of sound and fury that is evoked in security
discussions.
All of the information we were given centered on controlling the input
that you might receive from outside your area of control. If you have
a form in an application or web page that is used to accept user input,
you have to make sure that you never get anything that can break you.
What I find difficult to imagine is why anyone would go to the extreme
trouble required to find a way to make one of these things work. It
would seem to me that keeping the source code very secret is better
than having a lot of casual lookers staring at it to see if there were
any vulnerabilities. The looker may be as inclined to exploit a flaw
as to report its existence.

Rex Ballard
Since: Feb 22, 2006 Posts: 947
Posted: Mon Oct 02, 2006 8:00 pm Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
billwg wrote:
> The Ghost In The Machine wrote:
> > Microsoft 'taking security risks'
> >
> > Microsoft is taking security risks with its forthcoming Vista
> > operating system, says software firm McAfee.
> >
> > The security specialist has taken out a full-page advert in the
> > Financial Times to alert readers to its concerns.
> >
> > It feels the tech giant is increasing risks of hacks and viruses by
> > locking out third-party software firms from its in-built security
> > system for Vista.
> >
> > http://news.bbc.co.uk/2/hi/technology/5399534.stm
> >
> > Wonderful. Is this our future?
Absolutely, unless you are ready to switch to Linux with CrossOver or
Win4Lin.
> Are you talking about MS trying to harden Windows and potentially
> failing or McAfee whining about losing their cash cow?
No, we're talking about Microsoft openly defying the unanimous ruling
of the 3rd circuit court of appeals, which it did NOT appeal to the
Supreme Court, which stated that Microsoft was a monopoly, that they
illegally protected that monopoly, and that they illegally extended
that monopoly. Until Microsoft proves to the court that it is no
longer a monopoly, it is barred from protecting its monopoly by
excluding competitors, even to the monopoly market, it is also barred
from extending its monopoly into other markets by excluding
established competitors from the marketplace.
But then again, Microsoft has repeatedly demonstrated since 1978 that
Microsoft's executives and the company are above the law, that there
is no law when it comes to Microsoft, and that they have no respect for
the law, unless it helps them exclude competitors from "their" markets.
> If I wasn't so involved with a bunch of other stuff, I would spend more
> time learning about just how these security flaws occur. My employer
> has sent us all off to a two day seminar in secure coding techniques
> and we are all using the safe string stuff now, but that seems kind of
> tame given the amount of sound and fury that is evoked in security
> discussions.
Let's see. The simplest techniques are simply to use ActiveScript to
run library routines from IE. Of course, if you can do that, then you
can run them while previewing outlook. By adding some signed ActiveX
controls you can do some really creative things like read, write,
modify, execute, hide, and delete any file on the user's hard drive, if
that user is running with "Administrator" privileges. Furthermore,
nearly every "piracy detection" measure can also be used to crack open
the entire system, especially for identity theft.
The classic "vulnerability" of Linux and Unix variants is the
"gets(buf)" call. Normally, a buffer will be allocated, say 256 bytes
wide, longer than any line the application is likely to receive.
However, if you send a much longer line, with no carriage return or
control character, there is the possibility that you could write, say
260 bytes into the buffer. If the buffer is an automatic variable,
its buffer space is located on the stack, and you have just
overwritten the return address that was pushed onto the stack prior to
the return of the gets routine. This will make the gets() routine try
to return to some bogus address.
Countermeasures are very simple, change the call to fgets(buf,256),
which now limits your read to 256 bytes. Problem solved.
The claim is that a "carefully crafted message could take control of
the machine". To craft this message, one would have to know exactly
which version of the program was being called, exactly which versions
of every library, and the exact addresses of all major subroutines
within the program. Even one mistake, and the program does a
segmentation fault, and if enabled, core dumps.
If the core dumps, there is enough information available in that memory
dump to convince the perpetrator in federal court. The penalties can be
very stiff, as much as 5 years in prison. Kevin Mitnick spent 14 years
in federal detention centers awaiting a trial that never came, and was
eventually offered a plea bargain in which he was still not allowed to
touch a computer for another 2 years.
Furthermore, software that is intended to be malicious or destructive
could be considered a 'terrorist act', which means that crafting a
clever message could get some lucky visitors a trip to Guantanamo Bay,
where they will get the finest medical care available. It's amazing
how painful a "nerve conductivity test" can be.
> All of the information we were given centered on controlling the input
> that you might receive from outside your area of control. If you have
> a form in an application or web page that is used to accept user input,
> you have to make sure that you never get anything that can break you.
Like the example shown above, it's usually as simple as changing the
call from a gets(buf) to an fgets(stdin,buf,maxlen). It's something
that can be done with vi using s/// statements in 10 minutes if you
know how big the buffer is supposed to be.
> What I find difficult to imagine is why anyone would go to the extreme
> trouble required to find a way to make one of these things work.
Most don't. The most common hacks, are actually deployed by "script
kiddies" who typically take ActiveScripts that call OLE objects
embedded in e-mails, attachments, or in existing Microsoft applications
and libraries. The perpetrators generally leave "signatures" embedded
in the malware, to show how it spreads, and this signature can be used
to block the spread. The script kiddies change the signature and the
virus starts spreading again.
About 80% of the malware is harmless, essentially "digital graffiti".
But that other 20% is often far more troublesome. Carefully targeted
viruses can be aimed at specific machines, can be used to activate
surveillance only on strategic targets, and can be used to collect
information including e-mail, database records, financial records,
recently edited documents, and even recent browsing activity. It's
even possible to turn on microphones and videocams to observe the
victim without their knowledge.
One of the more spectacular moves was a scam where the perpetrator
identified residents of hospice care, those about to die. He then
gathered the financial records, account numbers, passwords, and
balances. He then monitored coroner records, and within hours of
death, the accounts were drained $22 at a time, just below the
threshold where approvals and monitoring were required. By the time
they caught up to him, he had over $600 million sitting in various bank
accounts. This one hits particularly because my mother was one of the
victims. Within 8 hours of her death, the perp had cleaned out over
$200,000 from her account. Fortunately, my father was watching the
account even before she died, and was able to notify the bank within
less than an hour of the last transfer. The banks were able to trace
the traffic (the server was a UNIX machine), and catch the perp and
prosecute him.
> It would seem to me that keeping the source code very secret is better
> than having a lot of casual lookers staring at it to see if there were
> any vulnerabilities.
The problem is that if the perpetrator knows about the vulnerability,
and the producer does not, nor do the security people, nor do the
people who could perhaps prevent scams of the type shown above, the
door is likely to be left unguarded at the worst possible time.
Even worse, if the software publisher knows of the vulnerability, knows
that it has been successfully exploited, and has not closed the back
door for their own reasons, such as a desire to prevent software
piracy, then they are very likely to do everything possible to prevent
the disclosure of the vulnerability, and their prior knowledge of it.
For example, Microsoft tried to get injunctions against web sites that
published trivial exploits using ActiveX and VBScript, some of which
demonstrated very real threats and serious damage (hard drives
corrupted so bad that they couldn't even be reformatted). This was in
1997. Several of these exploits have been used in more malicious
viruses, including Nimda, Iloveyou, Melissa, and Jane's Resume. The
last was particularly malicious, and removed word document files.
> The looker may be as inclined to exploit a flaw as to report its existence.
When there is no one looking because the police officer has been
"looking the other way", it's much easier for the perpetrator to get
away with far more loot in less time, and for far longer.
On the other hand, if there are many eyes watching, watching the
officer, watching the streets, watching the area, it's much easier to
catch the perpetrator. One of the interesting things about the World
Trade Center bombing of 1993 was that it became a matter of public
record that the FBI was able to use ATM cameras and other electronic
cameras to identify nearly everyone in the area within up to 2 hours
prior to the explosion. This made it much harder for perpetrators to
escape the eyes of the law. Suddenly, violent crimes anywhere near
ATMs began to drop. Later, traffic cameras, used to capture the
license plates of those who ran red lights, could also take pictures of
almost anything else up the street for up to 2 miles. In New York
City, the crime rate dropped to the point where people felt safe
walking the streets well into the night.
Knowing that every line of code could be scrutinized by lawyers looking
for copyright violations, NSA experts looking for potential terrorist
acts, and FBI agents looking for possible deliberate back doors, tends
to make all of the contributors a lot more careful to make sure that
they don't leave any "loose ends", accidental, or deliberate.

billwg
Since: Aug 15, 2006 Posts: 393
Posted: Mon Oct 02, 2006 8:00 pm Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
The Ghost In The Machine wrote:
>
> Security by obscurity rarely works in practice, and disassemblers are
> plentiful enough anyway. The above example of course is contrived,
> but hackers don't mind looking through machine code.
>
Well, ghost, I have done my share of looking, too. I used the DOS
debug to figure out the copy protection on the VisiCalc diskette on my
first IBM PC (64K RAM, Dual single-sided 5" floppy, 160K each and
costing around $3200). That was in the early days when things were
simple.
It just seems unlikely to me that any rational person would go to the
extreme effort involved. You can find a buffer overflow perhaps if you
look long enough at hex dumps, but what do you do to get something to
run enough to actually do anything? It's like trying to assemble a
Rolex by working through a keyhole.
> (How do you think they find these things in CSS?)
>
Why do they look? Ray here had some notion that it was a crafty
criminal element that was getting rich from the electronic theft, but I
don't see that happening anywhere other than the legends told on the
internet. I have read of no cases where some poor soul was victimized
and I think that it would make the local papers if/when it happened.
After all, they print stories of how the local ombudsman can get Aunt
Sally a refund from the unethical craftsman who did a faulty repair of
her storm windows, so they would surely print the story of how some
widow or orphan lost their inheritance due to a faulty browser. But
these stories never seem to show up in any locale where they might be
validated.
I think you could find the route to ruin a lot faster if you could look
at the source code.
> --
> #191, ewill3 RemoveThis @earthlink.net
> Useless C++ Programming Idea #992398129:
> unsigned u; if(u < 0) ...

billwg
Since: Aug 15, 2006 Posts: 393
Posted: Mon Oct 02, 2006 8:00 pm Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
Hadron Quark wrote:
>
> The argument is that the OSS community will spot any errors and fix
> them.
>
That is often said, but who is so lacking in other amusements as to
read through someone else's code with an eye to finding potential flaws
before they are exploited? And does it for no pay? It makes more
sense that an antisocial vandal would do it for the thrill of creating
pain and suffering.

billwg
Since: Aug 15, 2006 Posts: 393
Posted: Mon Oct 02, 2006 8:00 pm Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
Rex Ballard wrote:
>
> > Are you talking about MS trying to harden Windows and potentially
> > failing or McAfee whining about losing their cash cow?
>
> No, we're talking about Microsoft openly defying the unanymous ruling
> of the 3rd circuit court of appeals, which it did NOT appeal to the
> Supreme Court, which stated that Microsoft was a monopoly, that they
> illegally protected that monopoly, and that they illegally extended
> that monopoly. Until Microsoft proves to the court that it is no
> longer a monopoly, it his barred from protecting it's monopoly by
> excluding competitors, even to the monopoly market, it is also barred
> from extending it's monopoly into other markets by excluding
> established competitors from the marketplace.
>
You are incorrect, rex. It was the District of Columbia Circuit Court
that heard the USA vs Microsoft appeal. They gutted the DOJ case of
any significant findings, but they did agree that Microsoft had
monopoly power in the Intel-compatible desktop operating system
software market and that MS had taken actions that were primarily
useful only for maintenance of that monopoly position. They also held
that the actions were NOT causal, i.e. they had no effect on the
monopoly position and so the corrective action was essentially simply
requiring MS to cease the practices, which they had already done in
most instances. MS complied with those issues years ago.
The rest of your conclusions are inaccurate and show a general lack of
understanding of the situation.
> But then again, Microsoft has repeatedly demonstrated since 1978, that
> Microsoft's executives and the company, are above the law, that there
> is no law when it comes to Microsoft, and that they have no respect for
> the law, unless it helps them exclude competitors from "their" markets.
>
In 1978 Microsoft could hardly have been said to have a monopoly in
anything, rex! LOL!!! The PC didn't even show up until 1980 or so.

Oliver Wong
Since: Apr 27, 2006 Posts: 1398
Posted: Mon Oct 02, 2006 8:17 pm Post subject: Re: [News] Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
"The Ghost In The Machine" <ewill.DeleteThis@sirius.tg00suus7038.net> wrote in message
news:og58v3-odq.ln1@sirius.tg00suus7038.net...
> Microsoft 'taking security risks'
>
> Microsoft is taking security risks with its forthcoming Vista
> operating system, says software firm McAfee.
>
> The security specialist has taken out a full-page advert in the
> Financial Times to alert readers to its concerns.
>
> It feels the tech giant is increasing risks of hacks and viruses by
> locking out third-party software firms from its in-built security
> system for Vista.
>
> http://news.bbc.co.uk/2/hi/technology/5399534.stm
Note however that McAfee is not a "neutral" party in this debate. They
make money from the perception that Windows (and related OS) are insecure.
http://arstechnica.com/news.ars/post/20061002-7875.html
<quote>
The allegations are difficult to substantiate because the two companies
[McAfee and Symantec] have not given many specific details on what aspects
of their approach to security have been affected by Microsoft's moves. So
far neither Symantec nor McAfee have indicated that the basic functionality
of their applications has been broken, but they are suggesting that
patchguard should be, well, patched to allow select third-parties to make
changes to how the operating system runs. Scott Field, an architect working
on Windows Kernel Security, described the behaviors Microsoft is looking to
stop with patchguard. "'Kernel patching' or 'kernel hooking' is the practice
of using unsupported mechanisms to modify or replace kernel code," he wrote.
"Patching fundamentally violates the integrity of the Windows kernel and is
undocumented, unsupported and has always been discouraged by Microsoft." The
difference now, he indicates, is that the OS will enforce the lock-out. From
Microsoft's point of view, locking out third-parties from the kernel makes
good sense.
</quote>
- Oliver

The Ghost In The Machine
Since: Aug 04, 2005 Posts: 3878
Posted: Mon Oct 02, 2006 10:00 pm Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
In comp.os.linux.advocacy, billwg
<bill DeleteThis @magnoliaplantation.net>
wrote
on 2 Oct 2006 13:28:37 -0700
<1159820917.048151.195950 DeleteThis @e3g2000cwe.googlegroups.com>:
>
> The Ghost In The Machine wrote:
>> Microsoft 'taking security risks'
>>
>> Microsoft is taking security risks with its forthcoming Vista
>> operating system, says software firm McAfee.
>>
>> The security specialist has taken out a full-page advert in the
>> Financial Times to alert readers to its concerns.
>>
>> It feels the tech giant is increasing risks of hacks and viruses by
>> locking out third-party software firms from its in-built security
>> system for Vista.
>>
>> http://news.bbc.co.uk/2/hi/technology/5399534.stm
>>
>> Wonderful. Is this our future?
>>
> Are you talking about MS trying to harden Windows and potentially
> failing or McAfee whining about losing their cash cow?
>
> If I wasn't so involved with a bunch of other stuff, I would spend more
> time learning about just how these security flaws occur.
A trivial flaw of this type is the buffer overflow. A routine such as
#include <stdio.h>
#include <string.h>

/* gets() was removed from C11; build this as written with -std=gnu99. */
int badread(char * res)
{
    char buf[32];
    printf("Enter something: ");
    gets(buf);          /* first overflow: no bound on what lands in buf */
    strcpy(res, buf);   /* second overflow: no bound on what lands in res */
    return 0;
}
has two buffer overflows, for example. Given the standard
stack arrangement in an x86 PC, overwriting buf[36] through
buf[39] might very well give the erstwhile hacker a method
by which to execute arbitrary code. (Buf[32]-buf[36]
can also be hacked, as it contains a copy of EBP, if
this routine uses the more or less standard method of
saving EBP.)
The second buffer overflow is more subtle; res is passed
in from somewhere and could be used as well to overwrite
*its* stack frame or some static memory.
Of course gets() is a bad routine to use anyway; everyone
uses fgets(), which can allow for the specification of
a byte limit.
> My employer
> has sent us all off to a two day seminar in secure coding techniques
> and we are all using the safe string stuff now, but that seems kind of
> tame given the amount of sound and fury that is evoked in security
> discussions.
Sounds like you're on top of that already, then.
>
> All of the information we were given centered on controlling the input
> that you might receive from outside your area of control. If you have
> a form in an application or web page that is used to accept user input,
> you have to make sure that you never get anything that can break you.
> What I find difficult to imagine is why anyone would go to the extreme
> trouble required to find a way to make one of these things work. It
> would seem to me that keeping the source code very secret is better
> than having a lot of casual lookers staring at it to see if there were
> any vulnerabilities. The looker may be as inclined to exploit a flaw
> as to report its existence.
>
Security by obscurity rarely works in practice, and disassemblers are
plentiful enough anyway. The above example of course is contrived,
but hackers don't mind looking through machine code.
(How do you think they find these things in CSS?)
--
#191, ewill3 DeleteThis @earthlink.net
Useless C++ Programming Idea #992398129:
unsigned u; if(u < 0) ...
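
Rex's gets()/fgets() sketch earlier in the thread and the badread() routine in the post above describe the same mechanism: an unbounded read into a 32-byte automatic buffer walks over the saved EBP and the return address that sit just past it on a 32-bit x86 stack. The block below is an added example, not code from either post. It simulates that frame in a byte array (the offsets 32 and 36 follow the post's description; the frame layout and the 0xbffff000 / 0x08048400 placeholder values are assumptions for illustration), runs a gets()-style copy and an fgets()-based bounded read over the same constructed 40-byte line, and reports what each leaves in the return-address slot. gets() itself is not called, so the demo builds on a libc that no longer exports it. The fgets() replacement also drains the rest of an overlong line, a step a plain s/gets/fgets/ substitution does not cover: without it the tail of the long line is handed back as the next "line" read.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simulated 32-bit stack frame laid out as the post describes: buf occupies
 * bytes 0..31, the saved EBP sits at offset 32, the return address at 36. The
 * spare bytes stand in for the caller's frame so the simulation itself never
 * writes past the array. Hypothetical layout, for illustration only. */
#define BUF_SIZE   32
#define EBP_OFFSET 32
#define RET_OFFSET 36
#define FRAME_SIZE 48
typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static void frame_init(frame_t *f, uint32_t saved_ebp, uint32_t ret_addr)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + EBP_OFFSET, &saved_ebp, sizeof saved_ebp);
    memcpy(f->bytes + RET_OFFSET, &ret_addr, sizeof ret_addr);
}

static uint32_t frame_word(const frame_t *f, size_t off)
{
    uint32_t v;
    memcpy(&v, f->bytes + off, sizeof v);
    return v;
}

/* What gets() does: copy until newline or end of input with no idea how big
 * the destination is. Spelled out so the demo needs no libc that still exports
 * gets(). Returns the number of bytes written, NUL not counted. */
size_t unsafe_read_line(char *buf, const char *input)
{
    size_t i = 0;
    for (; input[i] != '\0' && input[i] != '\n'; i++)
        buf[i] = input[i];
    buf[i] = '\0';
    return i;
}

/* fgets()-based replacement: at most n-1 bytes are stored, the result is always
 * NUL-terminated, and when the line did not fit the remainder is drained so it
 * cannot reappear as the next "line". Returns bytes stored; *truncated reports
 * a cut line. */
size_t safe_read_line(char *buf, size_t n, FILE *in, int *truncated)
{
    *truncated = 0;
    if (n == 0)
        return 0;
    if (fgets(buf, (int)n, in) == NULL) { buf[0] = '\0'; return 0; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return len;
    }
    int c;                      /* no newline: EOF, or the line exceeded n-1 bytes */
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;
    return len;
}

typedef struct { uint32_t ret_addr; size_t stored; int truncated; } read_result;

/* Constructed input: 32 bytes fill buf, the next 4 land on the saved EBP and
 * the 4 after that ("CCCC", 0x43434343) on the return address. */
const char *OVERLONG_INPUT = "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "BBBB" "CCCC" "\n";

read_result run_unsafe(const char *input)
{
    frame_t f;
    read_result r = {0, 0, 0};
    frame_init(&f, 0xbffff000u, 0x08048400u);   /* placeholder EBP / return address */
    r.stored = unsafe_read_line((char *)f.bytes, input);
    r.ret_addr = frame_word(&f, RET_OFFSET);
    return r;
}

read_result run_safe(const char *input)
{
    frame_t f;
    read_result r = {0, 0, 0};
    frame_init(&f, 0xbffff000u, 0x08048400u);
    FILE *in = tmpfile();                      /* stands in for stdin */
    if (in != NULL) {
        fputs(input, in);
        rewind(in);
        r.stored = safe_read_line((char *)f.bytes, BUF_SIZE, in, &r.truncated);
        fclose(in);
    }
    r.ret_addr = frame_word(&f, RET_OFFSET);
    return r;
}

int main(void)
{
    read_result u = run_unsafe(OVERLONG_INPUT), s = run_safe(OVERLONG_INPUT);
    printf("gets-style : return address now %08x, %zu bytes stored\n",
           (unsigned)u.ret_addr, u.stored);
    printf("fgets-style: return address still %08x, %zu bytes stored, truncated=%d\n",
           (unsigned)s.ret_addr, s.stored, s.truncated);
    return 0;
}
```

Build with something like cc -std=c99 -Wall overflow_demo.c (file name assumed) and run it: the gets-style path reports the return address as 0x43434343, i.e. the four 'C' bytes the input placed there, while the fgets-style path keeps 0x08048400, stores 31 bytes and flags the truncation. On a real stack the bytes past buf land on whatever the compiler put there, and with a stack protector enabled a canary sits between buf and the saved registers, so the process aborts at function return instead of jumping to the attacker's address; the simulation leaves those details out so the overwrite is visible deterministically.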

Hadron Quark
Since: Sep 10, 2006 Posts: 1621
Posted: Tue Oct 03, 2006 1:02 am Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
"billwg" <bill RemoveThis @magnoliaplantation.net> writes:
> The Ghost In The Machine wrote:
>> Microsoft 'taking security risks'
>>
>> Microsoft is taking security risks with its forthcoming Vista
>> operating system, says software firm McAfee.
>>
>> The security specialist has taken out a full-page advert in the
>> Financial Times to alert readers to its concerns.
>>
>> It feels the tech giant is increasing risks of hacks and viruses by
>> locking out third-party software firms from its in-built security
>> system for Vista.
>>
>> http://news.bbc.co.uk/2/hi/technology/5399534.stm
>>
>> Wonderful. Is this our future?
>>
> Are you talking about MS trying to harden Windows and potentially
> failing or McAfee whining about losing their cash cow?
>
> If I wasn't so involved with a bunch of other stuff, I would spend more
> time learning about just how these security flaws occur. My employer
> has sent us all off to a two day seminar in secure coding techniques
> and we are all using the safe string stuff now, but that seems kind of
> tame given the amount of sound and fury that is evoked in security
> discussions.
>
> All of the information we were given centered on controlling the input
> that you might receive from outside your area of control. If you have
> a form in an application or web page that is used to accept user input,
> you have to make sure that you never get anything that can break you.
> What I find difficult to imagine is why anyone would go to the extreme
> trouble required to find a way to make one of these things work. It
> would seem to me that keeping the source code very secret is better
> than having a lot of casual lookers staring at it to see if there were
> any vulnerabilities. The looker may be as inclined to exploit a flaw
> as to report its existence.
>
The argument is that the OSS community will spot any errors and fix
them.
While this is, often, the case, it also leaves huge opportunities for
the con men to send out patches and fixes for the "non C programmers" to
compile into their kernels and programs which will leave even more
gaping holes.
It will happen.
--
QOTD:
"You might as well say "yes", the sheets are messy already."

The Ghost In The Machine
Since: Aug 04, 2005 Posts: 3878
Posted: Tue Oct 03, 2006 1:02 am Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
In comp.os.linux.advocacy, Peter Köhlmann
<peter.koehlmann DeleteThis @t-online.de>
wrote
on Tue, 03 Oct 2006 01:15:10 +0200
<efs6fa$crn$01$1@news.t-online.com>:
> Hadron Quark wrote:
>
> < snip >
>
>> The argument is that the OSS community will spot any errors and fix
>> them.
>>
>> While this is, often, the case, it also leaves huge opportunities for
>> the con men to send out patches and fixes for the "non C programmers" to
>> compile into their kernels and programs which will leave even more
>> gaping holes.
>>
>> It will happen.
>>
>
> If you say so, Erik
>
It has already been attempted. Fortunately, it was caught.
But that doesn't mean they won't try again, which is why vigilance
is liberty's watchword.
(Or something like that.)
Not sure how I'd Google for this, but somebody submitted a patch that
would have been rather nasty.
--
#191, ewill3 DeleteThis @earthlink.net
Linux. The choice of a GNU generation.
Windows. The choice of a bunch of people who like very weird behavior on
a regular basis, random crashes, and "extend, embrace, and extinguish".

billwg
Since: Aug 15, 2006 Posts: 393
Posted: Tue Oct 03, 2006 6:09 am Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
Peter Hayes wrote:
> In <1159836358.045020.123250 DeleteThis @b28g2000cwb.googlegroups.com> billwg wrote:
> >
> > The Ghost In The Machine wrote:
> >>
> >> (How do you think they find these things in CSS?)
> >>
> > Why do they look? Ray here had some notion that it was a crafty
> > criminal element that was getting rich from the electronic theft, but
> > I don't see that happening anywhere other than the legends told on the
> > internet. I have read of no cases where some poor soul was victimized
> > and I think that it would make the local papers if/when it happened.
> > After all, they print stories of how the local ombudsman can get Aunt
> > Sally a refund from the unethical craftsman who did a faulty repair of
> > her storm windows, so they would surely print the story of how some
> > widow or orphan lost their inheritance due to a faulty browser. But
> > these stories never seem to show up in any locale where they might be
> > validated.
> >
> > I think you could find the route to ruin a lot faster if you could
> > look at the source code.
>
> Don't forget the very public leaking of Windows source code a few years
> back, then ponder on how much XP or Vista source code may have leaked
> out from Redmond either unknown to Microsoft or not reported.
>
Well sure, peter, but it is a lot easier to get the source for linux
and OSS stuff, eh? Even the casual hacker has access to it whereas you
have to be fairly devious to get genuine Windows code.

Rex Ballard
Since: Feb 22, 2006 Posts: 947
Posted: Tue Oct 03, 2006 8:17 am Post subject: Re: Microsoft 'taking security risks'
Archived from groups: comp.os.linux.advocacy
billwg wrote:
> Rex Ballard wrote:
>
> >
> > > Are you talking about MS trying to harden Windows and potentially
> > > failing or McAfee whining about losing their cash cow?
> >
> > No, we're talking about Microsoft openly defying the unanymous ruling
> > of the 3rd circuit court of appeals, which it did NOT appeal to the
> > Supreme Court, which stated that Microsoft was a monopoly, that they
> > illegally protected that monopoly, and that they illegally extended
> > that monopoly. Until Microsoft proves to the court that it is no
> > longer a monopoly, it his barred from protecting it's monopoly by
> > excluding competitors, even to the monopoly market, it is also barred
> > from extending it's monopoly into other markets by excluding
> > established competitors from the marketplace.
> >
> You are incorrect, rex. It was the District of Columbia Circuit Court
> that heard the USA vs Microsoft appeal. They gutted the DOJ case of
> any significant findings,
Not correct. They overturned 3 out of 7 judgements against Microsoft.
The judgements they upheld were further reinforced by even stricter
language which went beyond Judge Jackson's rulings.
It was the DOJ that seems to have ignored the courts. They appointed
a Compliance Officer, but that Compliance Officer was also tasked as
part of Microsoft's marketing department - talk about conflict of
interest!
They appointed a technical committee, but then let Microsoft pack the
3rd position, which means that the "Watchdog" member is routinely
overruled.
They set up a "Complaints Department" where people could file
complaints, but didn't provide a public access to this input source.
As a result, only a handful of complaints have even been processed.
Nearly all of these have been found to be "without merit", even when
the EU, and other regulatory bodies have found nearly identical
complaints to be well grounded examples of Microsoft's further attempts
to violate the spirit and intent of the agreement.
> but they did agree that Microsoft had
> monopoly power in the Intel-compatible desktop operating system
> software market and that MS had taken actions that were primarily
> useful only for maintenance of that monopoly position.
They also stated that these actions were illegal, and that any further
attempts by Microsoft to protect or extend the monopoly WERE ILLEGAL.
Microsoft defies the court anyway, because they know that Bush won't
stop them. They had GW Bush in their pocket during the 2000 Republican
primaries. With $30 million in campaign funds from OIL companies and
Microsoft, other candidates like Liddy Dole, John McCain, and others
simply "dropped out". Microsoft, Enron, and Halliburton had bought the
election.
Democratic party primaries seem to be going the same route. It seems
like Microsoft has been "rigging the game" wherever it can. After all,
they are entitled to free speech, and if they want to say something
good about someone, or bad about someone else, it's their right. If
they want to donate to someone who wants to say it for them, it's their
right.
$30 million can buy a lot of opportunities to say anything you want, on
television, radio, or web sites.
> They also held
> that the actions were NOT causal, i.e. they had no effect on the
> monopoly position and so the corrective action was essentially simply
> requiring MS to cease the practices,
Not exactly. They ruled that Microsoft established its monopoly
legally. When MS-DOS was first deployed on computers, it was not
possible or practical to place 2 operating systems on the same
computer. When Microsoft added Windows to this computer, especially
with Windows 3.0, it was still not practical to put both systems on the
same hard drive.
The issue of Applications had been decided in a previous case.
The only example of Microsoft illegally excluding a competitor provided
during direct testimony was the OS/2 example, and no reference was made
to the way Windows 95 wiped out partitions, boot managers, and boot
tracks, therefore it was not considered in the final ruling. Judge
Penfield-Jackson was only concerned with establishing a burden of proof
that would merit a structural remedy such as divestiture. Because of
this, he limited direct testimony to 25 witnesses per side, mostly to
keep either side from waging a "war of attrition", or waging a
political debate in the guise of a trial.
Ironically, the most damaging evidence was not that given by the DOJ,
but that provided by Microsoft executives themselves. When Thomas
Penfield Jackson told a reporter that Microsoft executives were
criminals, he was stating a legally supportable opinion. He may have
wanted Microsoft to challenge these statements (he didn't like ordering
an involuntary divestiture because it set a dangerous legal precedent).
The court actually AGREED with Jackson, stating that while his
statements were "Inappropriate", they were not grounds for impeachment.
In effect, they agreed that Microsoft executives were criminals, but
felt he should have made such statements to prosecutors rather than
reporters.
> which they had already done in
> most instances. MS complied with those issues years ago.
Actually, Microsoft has NOT complied with ANY of the remedies imposed.
They have neatly dodged the matters and the direct wording of the
judgement by using evasive arguments, but they have NOT complied.
They have repeatedly engaged in further anticompetitive actions against
OEMs who have attempted to release "Linux Ready" products. They won't
even allow the OEMs to state which configurations are "Linux Ready" let
alone, which machines could be purchased with Linux. When confronted
with their demand that the OEMs state "<OEM> Recommends Windows XP" -
Microsoft evaded the issue, claiming that this was to discourage
customers from trying to downgrade to Windows 2000 or Windows 98.
In practice, all ad copy, promotional materials, and published
information which uses the Microsoft trademarks and logos, must be
approved prior to publication, by Microsoft. Failure to get prior
approval could result in nullification of the entire OEM agreement,
meaning that all licenses would be "up for grabs" - how much to pay,
what additional concessions... would be uncertain. A prior public
example of this was the way Microsoft revoked all licenses to Compaq's
top-selling line. Apparently they gave Compaq a "good deal", allowing
them to reinstate their licenses for a nominal increase, along with
additional stiff contract terms, but Compaq wasn't very happy about it,
and disclosed the documentation to the DOJ.
> The rest of your conclusions are inaccurate and show a general lack of
> understanding of the situation.
I've been following the case since about 1997, before they even filed
charges. I've also been following most of Microsoft's legal woes since
about 1987. They have been trying to put a leash on this dog for over
20 years and it's more vicious and rabid than ever.
GW Bush sent almost 185 people to their deaths, but he can't handle one
criminal because he's a Billionaire? Actually, 4 criminals were named
during the case.
> > But then again, Microsoft has repeatedly demonstrated since 1978, that
> > Microsoft's executives and the company, are above the law, that there
> > is no law when it comes to Microsoft, and that they have no respect for
> > the law, unless it helps them exclude competitors from "their" markets.
> >
> In 1978 Microsoft could hardly have been said to have a monopoly in
> anything, rex! LOL!!! The PC didn't even show up until 1980 or so.
Actually, in 1978, Bill Gates of Microsoft told MITS that unless MITS
agreed to pay him in advance for 30,000 licenses, at $50/copy, that
they would port Micro-Soft BASIC to the SWTP 6800 machine, which was
MITS' biggest competitor at the time. MITS settled, and Microsoft even
promised not to port to the 6800 processor as part of the deal.
Before MITS had sold even 1,000 of these Altairs, Gates had already
signed a deal to do Micro-Soft BASIC for the Commodore PET, which
wiped out the MITS Altair completely.
About that time, Bill Gates III was arrested. His father, Bill Gates
II came out on the first flight he could catch, arranged a settlement
that involved getting Bill Gates III out of the state, and having the
records expunged or sealed. Notice that the first state Microsoft
approached with a settlement deal in the DOJ case - was New Mexico. In
a full remedy hearing, the criminal records were now up for grabs.
They could be unsealed, because Microsoft asserted that the Judge had
no right to make the statements he made to reporters.
Judge Kollar-Kotelly telegraphed her intentions, telling Microsoft "you
really want to get this settled" - because after reviewing the case,
she was likely to come down with similarly tough judgement.
When the settlement was watered down and turned out to be a toothless
puppy, a slap on the wrist with a velvet cloth, Kollar-Kotelly, in
her description of the judgement, made it very clear that this case
would establish the groundwork for numerous other lawsuits.
25 states ended up with free "upgrade licenses" to Windows XP, even
though the hardware wouldn't run XP. Heck, most of those schools
couldn't even run Windows 98. But they could run Linux. And Microsoft
settled the private lawsuits first, with those who were using Linux,
and offered "blanket coverage" for all PCs in the school system.
The states that just wanted a piece of the action, just got minimal
licenses for the machines already in the classrooms.

Peter Hayes
Since: Oct 10, 2005 Posts: 202
Posted: Tue Oct 03, 2006 10:13 am Post subject: Re: Microsoft 'taking security risks'
In <8764f27251.fsf.DeleteThis@geemail.com> Hadron Quark wrote:
> The argument is that the OSS community will spot any errors and fix
> them.
>
> While this is, often, the case, it also leaves huge opportunities for
> the con men to send out patches and fixes for the "non C programmers"
> to compile into their kernels and programs which will leave even more
> gaping holes.
There needs to be a measure of social engineering before that happens
and I doubt if many users knowledgeable enough to be able to compile a
kernel will at the same time be gullible enough to accept a kernel patch
from an untrusted source.
Sure, RedHat or SuSE/Novell could suffer an exploit that would fool the
uninitiated, but it wouldn't be up for very long before it was caught.
But the chances of this happening are roughly the same as someone hacking
into Microsoft's servers and distributing an exploit disguised as a
critical security patch.
> It will happen.
Indeed. Just as surely as Vista will be racked with exploits from day 1.
--
Peter

Peter Hayes
Since: Oct 10, 2005 Posts: 202
Posted: Tue Oct 03, 2006 10:21 am Post subject: Re: Microsoft 'taking security risks'
In <1159836358.045020.123250 DeleteThis @b28g2000cwb.googlegroups.com> billwg wrote:
>
> The Ghost In The Machine wrote:
>>
>> (How do you think they find these things in CSS?)
>>
> Why do they look? Ray here had some notion that it was a crafty
> criminal element that was getting rich from the electronic theft, but
> I don't see that happening anywhere other than the legends told on the
> internet. I have read of no cases where some poor soul was victimized
> and I think that it would make the local papers if/when it happened.
> After all, they print stories of how the local ombudsman can get Aunt
> Sally a refund from the unethical craftsman who did a faulty repair of
> her storm windows, so they would surely print the story of how some
> widow or orphan lost their inheritance due to a faulty browser. But
> these stories never seem to show up in any locale where they might be
> validated.
>
> I think you could find the route to ruin a lot faster if you could
> look at the source code.
Don't forget the very public leaking of Windows source code a few years
back, then ponder on how much XP or Vista source code may have leaked
out from Redmond either unknown to Microsoft or not reported.
--
Peter

Hadron Quark
Since: Sep 10, 2006 Posts: 1621
Posted: Tue Oct 03, 2006 12:18 pm Post subject: Re: Microsoft 'taking security risks'
Peter Hayes <not_in_use.TakeThisOut@btinternet.com> writes:
> In <8764f27251.fsf.TakeThisOut@geemail.com> Hadron Quark wrote:
>
>> The argument is that the OSS community will spot any errors and fix
>> them.
>>
>> While this is, often, the case, it also leaves huge opportunities for
>> the con men to send out patches and fixes for the "non C programmers"
>> to compile into their kernels and programs which will leave even more
>> gaping holes.
>
> There needs to be a measure of social engineering before that happens
> and I doubt if many users knowledgeable enough to be able to compile a
> kernel will at the same time be gullible enough to accept a kernel patch
> from an untrusted source.
See the myriad of "how-tos" that take the n00b by the hand: in fact,
"cut and paste the following bash script into the CLI".
Easy.
>
> Sure, RedHat or SuSE/Novell could suffer an exploit that would fool the
> uninitiated, but it wouldn't be up for very long before it was caught.
> But the chances of this happening are roughly the same as someone hacking
> into Microsoft's servers and distributing an exploit disguised as a
> critical security patch.
>
>> It will happen.
>
> Indeed. Just as surely as Vista will be racked with exploits from day
> 1.
There are a lot of hackers out there targeting it. It surely will. While
Linux is a niche hobbyist desktop for the home user, it will remain
relatively protected through its obscurity.
--
Linux: Because a PC is a terrible thing to waste.
(By komarimf.TakeThisOut@craft.camp.clarkson.edu, Mark Komarinski)

billwg
Since: Aug 15, 2006 Posts: 393
Posted: Tue Oct 03, 2006 12:36 pm Post subject: Re: Microsoft 'taking security risks'
Rex Ballard wrote:
> > >
> > You are incorrect, rex. It was the District of Columbia Circuit Court
> > that heard the USA vs Microsoft appeal. They gutted the DOJ case of
> > any significant findings,
>
> Not correct. They overturned 3 out of 7 judgements against Microsoft.
> The judgements they upheld were further reinforced by even stricter
> language which when beyond Judge Jackson's rulings.
>
Well, you either didn't follow the case or do not understand it, rex.
The DCCCoA reversed the finding that MS had created a browser monopoly
by leveraging Windows and remanded the finding that MS had illegally
bundled IE with Windows. That was the major part of the DOJ case and
the only reason for going to trial. It was also the foundation for
Jackson's break-up order, so that was tossed as well.
What was left were things like using highly favorable pricing to keep
an OEM dealing exclusively with MS or else making direct payments to
channel partners for exclusively dealing with MS. Now as it turned
out, MS hardly had any need to incent their partners and MS readily
agreed to cease and desist these practices. The courts ultimately
found no need to take any corrective, remedial action in terms of
breakups or divestitures of any MS business unit. Rather, they
accepted the creation of a committee comprised of MS competitors per
the terms of the DOJ settlement and comprised of supposedly neutral
reviewers, all selected by Microsoft, as part of the judgement given to
the last group of states in the case.
> It was the DOJ that seems to have ignored the courts. They appointerd
> a Complaince Officer, but that Compliance officer was also tasked as
> part of Microsoft's marketing deparment - talk about conflict of
> interest!
>
> They appointed a technical committee, but then let Microsoft pack the
> 3rd position, which means that the "Watchdog" member is routinely
> overruled.
>
> They set up a "Complaints Department" where people could file
> complaints, but didn't provide a public access to this input source.
> As a result, only a handful of complaints have even been processed.
> Nearly all of these have been found to be "without merit", even when
> the EU, and other regulatory bodies have found nearly identical
> complaints to be well grounded examples of Microsoft's further attempts
> to violate the spirit and intent of the agreement.
No need to invent all these things in your head, rex! LOL!!! They are
well enough documented. See the USDOJ website:
http://www.usdoj.gov/atr/cases/f201100/201135b.htm
http://www.usdoj.gov/atr/cases/f200400/200457.htm
>
> > but they did agree that Microsoft had
> > monopoly power in the Intel-compatible desktop operating system
> > software market and that MS had taken actions that were primarily
> > useful only for maintenance of that monopoly position.
>
> They also stated that these actions were illegal, and that any further
> attempts by Microsoft to protect or extend the monopoly WERE ILLEGAL.
>
It was a civil case, rex. The term is "prohibited conduct". And MS
has complied with that order for the past 4 years and even before the
order was made as part of the settlement with the DOJ and half the
state AGs.
> Microsoft defies the court anyway, because they know that Bush won't
> stop them. They had GW Bush in their pocket during the 2000 Republican
> primaries. With $30 million in campaign funds from OIL companies and
> Microsoft, other candidates like Liddy Dole, John McCain, and others
> simply "dropped out". Microsoft, Enron, and Halliburton had bought the
> election.
>
> Democratic party primaries seem to be going the same route. It seems
> like Microsoft has been "rigging the game" wherever it can. After all,
> they are entitled to free speech, and if they want to say something
> good about someone, or bad about someone else, it's their right. If
> they want to donate to someone who wants to say it for them, it's their
> right.
>
> $30 million can buy a lot of opportunities to say anything you want, on
> television, radio, or web sites.
>
You have no faith in the US political system it would seem, rex. Are
you a communist?
> > They also held
> > that the actions were NOT causal, i.e. they had no effect on the
> > monopoly position and so the corrective action was essentially simply
> > requiring MS to cease the practices,
>
> Not exactly.
Exactly, rex, exactly.
>
> > The rest of your conclusions are inaccurate and show a general lack of
> > understanding of the situation.
>
> I've been following the case since about 1997, before they even filed
> charges. I've also been following most of Microsoft's legal woes since
> about 1987. They have been trying to put a leash on this dog for over
> 20 years and it's more vicious and rabid than ever.
>
> GW Bush sent almost 185 people to their deaths, but he can't handle one
> criminal because he's a Billionaire? Actually, 4 criminals were named
> during the case.
>
And who might that be, rex? Let's have a cite since you have been on
the case so long. How does that follow from a civil trial?

Peter Hayes
Since: Oct 10, 2005 Posts: 202
Posted: Tue Oct 03, 2006 7:00 pm Post subject: Re: Microsoft 'taking security risks'
In <1159880972.846765.77390.DeleteThis@c28g2000cwb.googlegroups.com> billwg wrote:
>
> Peter Hayes wrote:
>> In <1159836358.045020.123250.DeleteThis@b28g2000cwb.googlegroups.com> billwg
>> wrote:
>> >
>> > I think you could find the route to ruin a lot faster if you could
>> > look at the source code.
>>
>> Don't forget the very public leaking of Windows source code a few
>> years back, then ponder on how much XP or Vista source code may have
>> leaked out from Redmond either unknown to Microsoft or not reported.
>>
> Well sure, peter, but it is a lot easier to get the source for linux
> and OSS stuff, eh? Even the casual hacker has access to it whereas
> you have to be fairly devious to get genuine Windows code.
I'm sure the Russian mafia and others have little difficulty obtaining
Windows code.
--
Peter

Oliver Wong
Since: Apr 27, 2006 Posts: 1398
Posted: Thu Oct 05, 2006 3:41 pm Post subject: Re: Microsoft 'taking security risks'
"Peter Hayes" <not_in_use.TakeThisOut@btinternet.com> wrote in message
news:20061003111341444+0100@news.individual.net...
> In <8764f27251.fsf.TakeThisOut@geemail.com> Hadron Quark wrote:
>
>> The argument is that the OSS community will spot any errors and fix
>> them.
>>
>> While this is, often, the case, it also leaves huge opportunities for
>> the con men to send out patches and fixes for the "non C programmers"
>> to compile into their kernels and programs which will leave even more
>> gaping holes.
>
> There needs to be a measure of social engineering before that happens
> and I doubt if many users knowledgeable enough to be able to compile a
> kernel will at the same time be gullible enough to accept a kernel patch
> from an untrusted source.
I don't think this is all that infeasible. It could be disguised as a
HOWTO on enabling mp3 support in Ubuntu, for example.
>
> Sure, RedHat or SuSE/Novell could suffer an exploit that would fool the
> uninitiated, but it wouldn't be up for very long before it was caught.
> But the chances of this happening are roughly the same as someone hacking
> into Microsoft's servers and distributing an exploit disguised as a
> critical security patch.
>
>> It will happen.
>
> Indeed. Just as surely as Vista will be racked with exploits from day 1.
I'm not sure about "racked"... If I had to gamble, I'd bet on 1 new
exploit within the first week of Vista's release, and between 2 and 4 during
its first month (including that one from the first week).
- Oliver
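The scenario raised in Hadron Quark's post ("cut and paste the following bash script into the CLI") and Oliver Wong's reply (a kernel patch dressed up as a HOWTO on enabling mp3 support) comes down to one question: is there a trust anchor for the bytes you are about to compile or run that does not itself come from the page offering them? The Python below is an added example written for this thread, not code from any poster, from Red Hat, SuSE or Microsoft. It assumes the distributor publishes a SHA256SUMS-style manifest over a separate channel (a signed announcement mail, the vendor's own site) and shows a consumer that refuses to apply a patch whose digest does not match. The file name example-fix.patch, the patch text and the extra "backdoor" hunk are all constructed for the example.

```python
"""Pin-and-verify before you apply: reject a patch or script whose bytes do
not match a digest obtained over a separate, trusted channel.

Added example for this thread; not code from any poster or vendor."""
import hashlib
import hmac
import re
from typing import Callable, Dict

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact's raw bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS-style manifest: '<hex>  <name>' or '<hex> *<name>'.

    Blank lines and '#' comments are skipped. A malformed digest line is a
    hard error: silently skipping it would let a truncated or corrupted
    manifest pass as 'verified' for the files that happen to remain.
    """
    manifest: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not _HEX64.match(parts[0]):
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        name = parts[1].lstrip()
        if name.startswith("*"):      # coreutils binary-mode marker
            name = name[1:]
        manifest[name] = parts[0].lower()
    return manifest


def make_sha256sums(files: Dict[str, bytes]) -> str:
    """Publisher side: emit the manifest for known-good artifacts."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def verify_artifact(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """True only if `name` is pinned in the manifest and its bytes match."""
    expected = manifest.get(name)
    if expected is None:
        return False                  # unlisted file: nothing vouches for it
    return hmac.compare_digest(sha256_hex(data), expected)


def apply_if_verified(name: str, data: bytes, manifest: Dict[str, str],
                      apply_fn: Callable[[bytes], None]) -> None:
    """Gate the dangerous step (patch -p1, sh, make install) behind the check."""
    if not verify_artifact(name, data, manifest):
        raise RuntimeError(f"refusing to apply {name}: not in manifest or digest mismatch")
    apply_fn(data)


# Constructed sample patch standing in for what the vendor actually shipped.
TRUSTED_PATCH = b"""--- a/drivers/example.c
+++ b/drivers/example.c
@@ -1,3 +1,3 @@
-    if (len > BUF_SIZE)
+    if (len >= BUF_SIZE)
         return -EINVAL;
"""

# The same patch as re-hosted on a how-to page, with one extra hunk appended.
# The added line is a constructed stand-in for a backdoor, not a real call.
TAMPERED_PATCH = TRUSTED_PATCH + b"""@@ -10,2 +10,3 @@
     init_module();
+    run_helper("/tmp/.x");
"""

# In practice the manifest is fetched from a channel independent of the patch
# (signed announcement, vendor site). It is generated inline here so the
# example runs offline; the name 'example-fix.patch' is constructed.
MANIFEST = parse_sha256sums(make_sha256sums({"example-fix.patch": TRUSTED_PATCH}))


if __name__ == "__main__":
    for label, blob in (("vendor copy", TRUSTED_PATCH), ("how-to copy", TAMPERED_PATCH)):
        ok = verify_artifact("example-fix.patch", blob, MANIFEST)
        print(f"{label}: {'OK, applying' if ok else 'REJECTED'}")
```

The check moves trust, it does not create it: if the manifest and the patch come from the same how-to page, matching digests prove nothing, which is why distributions sign the manifest (or the packages themselves) with a key that does not live on the download server. That is also the answer to the "someone hacking into Red Hat's or Microsoft's servers" scenario in the thread: an attacker on the mirror can replace both the patch and the sums file, but cannot produce a signature from an offline release key.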

Peter Köhlmann
Since: Jun 27, 2005 Posts: 1500
Posted: Thu Oct 05, 2006 6:11 pm Post subject: Re: Microsoft 'taking security risks'
Oliver Wong wrote:
>
> "Peter Hayes" <not_in_use RemoveThis @btinternet.com> wrote in message
> news:20061003111341444+0100@news.individual.net...
>> In <8764f27251.fsf RemoveThis @geemail.com> Hadron Quark wrote:
>>
>>> The argument is that the OSS community will spot any errors and fix
>>> them.
>>>
>>> While this is, often, the case, it also leaves huge opportunities for
>>> the con men to send out patches and fixes for the "non C programmers"
>>> to compile into their kernels and programs which will leave even more
>>> gaping holes.
>>
>> There needs to be a measure of social engineering before that happens
>> and I doubt if many users knowledgeable enough to be able to compile a
>> kernel will at the same time be gullible enough to accept a kernel patch
>> from an untrusted source.
>
> I don't think this is all that infeasible. It could be disguised as a
> HOWTO on enabling mp3 support in Ubuntu, for example.
>
You need to be stupid enough to get your downloads from untrusted sources.
A typical Windows user might qualify. A typical Linux user certainly not.
>>
>> Sure, RedHat or SuSE/Novell could suffer an exploit that would fool the
>> uninitiated, but it wouldn't be up for very long before it was caught.
>> But the chances of this happening are roughly the same as someone hacking
>> into Microsoft's servers and distributing an exploit disguised as a
>> critical security patch.
>>
>>> It will happen.
>>
>> Indeed. Just as surely as Vista will be racked with exploits from day 1.
>
> I'm not sure about "racked"... If I had to gamble, I'd bet on 1 new
> exploit within the first week of Vista's release,
You've already lost. There already were exploits used for the beta/RC
versions.
> and between 2 and 4
> during its first month (including that one from the first week).
>
You are extremely optimistic. And forgot *at* *least* one trailing zero.
Why do you think that only the "good guys" have downloaded the RC version?
--
Micro$oft. What's broken today?

Oliver Wong
Since: Apr 27, 2006 Posts: 1398
Posted: Thu Oct 05, 2006 6:11 pm Post subject: Re: Microsoft 'taking security risks'
"Peter Köhlmann" <peter.koehlmann DeleteThis @t-online.de> wrote in message
news:eg3aob$cr2$00$2@news.t-online.com...
> Oliver Wong wrote:
>
>>
>> "Peter Hayes" <not_in_use DeleteThis @btinternet.com> wrote in message
>> news:20061003111341444+0100@news.individual.net...
>>> There needs to be a measure of social engineering before that happens
>>> and I doubt if many users knowledgeable enough to be able to compile a
>>> kernel will at the same time be gullible enough to accept a kernel patch
>>> from an untrusted source.
>>
>> I don't think this is all that infeasible. It could be disguised as a
>> HOWTO on enabling mp3 support in Ubuntu, for example.
>>
>
> You need to be stupid enough to get your downloads from untrusted sources.
> A typical Windows user might qualify. A typical Linux user certainly not.
Not stupid, but ignorant. And everyone is born ignorant.
[...]
>> If I had to gamble, I'd bet on 1 new
>> exploit within the first week of Vista's release,
>
> You've already lost. There already were exploits used for the beta/RC
> versions.
How do exploits used for the beta/RC falsify my prediction of 1 new
exploit within the first week of Vista's release?
>
>> and between 2 and 4
>> during its first month (including that one from the first week).
>>
>
> You are extremely optimistic. And forgot *at* *least* one trailing zero.
Okay, so it's a bet: I say 2 to 4; you say... 20-40? 200-400? Give me a
number, or a number range, and we'll see who's closer.
>
> Why do you think that only the "good guys" have downloaded the RC version?
I don't understand this question, or what you're trying to imply by
surrounding "good guys" with quotes.
- Oliver