-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Oct 2001, Jay D. Dyson wrote:

> On Thu, 18 Oct 2001, Tomasz Rola wrote:
>
> > > I could not possibly disagree more. They are blaming the discoverers
> > > of their flaws for their security problems. That's not only poor
> > > judgment, it's deceptive to the consumer.
> >
> > Contrary to the popular belief I don't think they are able to judge
> > poorly. Remember, they have the bigger part or so of the market - this was
> > not done by chance.
>
> Having a large share of the market means they have only succeeded
> in avoiding similar mistakes in marketing. Most customers don't care
> about security; they only care about convenience. That doesn't excuse
> Microsoft's gross oversights with respect to security.

Oops, perhaps you haven't understood me - I never wanted to excuse them
during my whole life (nor do I expect to do so in the future). I just want
to understand the underlying mechanism, even if I dislike it. I don't use
them, I am not a shareholder, I decided to switch to Linux after having a
little bit of Win 3.1 and Win95. And I've never regretted this move. (Side
note: Win 3.x was much better - simpler, smaller, pity it wasn't 32-bit.
But I would still switch to Linux, even if they hadn't made Win95, which
wasn't fully 32-bit either, AFAIK.)

My opinions may seem to approve of their practices, because I say nasty
things while trying to be as objective as possible. I don't say that I
dislike them (truly), hence you've got a false view of me and perhaps
decided I am "one of those opportunists", while I am not.

> > They may not be very subtle but I don't think they are stupid and they
> > can patch their deficiencies with brute force when required.
>
> Okay, I require clarification on this. What do you mean "they can
> patch their deficiencies with brute force"? Explain that.

Well, I didn't mean a black-dressed commando coming after me because of
writing something bad about MS :-).

By brute force I meant, first of all, using market position to crush the
opposition. All the so-called "monopolistic practices". That's force too.
And not very subtle, I think. They don't need to be subtle given their
position, but I doubt whether they could manage if such a need arose.
Subtlety requires some training... They don't have this - it's their
deficiency no. 1. No. 2 - they react to changes (other people's
inventions, designs, software) instead of making them. I'm not sure if
they have more to worry about; besides, I wouldn't mind if they paid me
for writing such things. That is, I have another job than helping them
for free. And besides, if they really cared about such things, they would
have hired someone much better than me long, long ago. So I don't want to
waste my time on them.

But even if they're not ideal, they can easily use their money to
overcome difficulties. That's another example of brute force. "Don't use
the engine - that would require some real changes - just put more horses
to do this work." :-).

BTW, by reacting to changes I mean they are looking for other people to
act and err, and if those people are successful this causes some change.
Then MS looks around, 'a-ha! a change!' it says, and makes its own
'innovation' which is most of the time (if not always) at best a good
imitation. But I must admit that after selling half-products for a few
years, they eventually become full products. Or at least they seem to.
It wouldn't be that bad if they decided to stop making all those useless
changes, which introduce new bugs, of course. It's only that I don't need
to do my job using a half-knife or half-fork. Not to mention a half-spoon.
So Linux is much better for me - I don't need to have a silver half-fork
when a steel full fork works so well.

> > Their real problem, at least for me, is that there is no mandatory
> > applying of security patches.
>
> How do you propose to make it mandatory? Passage of more laws?
> How will those laws be enforced across national boundaries? Will
> violations of those laws be an offense subject to extradition?

Nope. I would rather suggest that after selling a buggy product, a
communication channel should be established. Perhaps they should make a
wizard subscribing a customer by default to some of their announcement
lists (do they have anything like this?). They are good at making
wizards, so... :-)

Besides, there should be a better way of uninstalling software or a
patch, should something go wrong. For me, the ideal solution (let's say
80-95% ideal) is the packaging system in some Linux distributions. This
would make a change, because even those installing everything with
default settings would get warnings, and when the patch can be withdrawn
(really, no forgotten DLLs) people are more willing to install it.

The biggest part of the trouble with worms comes, as far as I can see,
from the fact that many users won't install a security patch, even if it
has been available for quite a long time. So, for me, the real solution
is to enable making security upgrades as soon as possible instead of
bashing people for doing the job that MS should do. Of course, this won't
solve the whole problem. But I suppose it can make the problem much
smaller. Bypassing the problem, either by making a stupid law or by
making faulty upgrades behind the admin's back is, however, more
probable. It is perhaps because of the fact that in some firms, not
excluding the biggest, strategic decisions seem to be made in the
marketing dept. ('yes, manager, now you can lay off your admin and we
will upgrade your server at night, by, er, insecure channels by default,
who cares').

> It's all fine and dandy to suggest a panacea to the problems we
> face, but there are far greater logistical concerns to make sure those
> ideas are even workable.

I don't think that the above-mentioned solution takes so much logistics
to be done.

1. I suppose writing one wizard in VB (I don't know it, but I have made a
window or something with it, so this will suffice) can take - say - a few
days (I would have to learn it a little bit more, right?). An experienced
VB programmer can do even better. Gluing this wizard to Outlook shouldn't
be hard.

2. Making a real service pack, one that really helps instead of
destroying things, is not a matter of logistics but rather a matter of
corporate policy - i.e., do we want to solve a problem or to sell a
solution. As long as their biggest customers don't care, there is no
sense in doing any extra work.

> All told, the whole mess would be resolved if Microsoft (and other
> vendors) simply released only products that were more secure than they are
> today. An ounce of prevention and all that.

This is what I meant too - it's just that I understand the word
differently. Making a more secure product is very important. However,
after releasing a more secure product someone will surely invent a wiser
hack for it. Such things will happen all over again - more secure, wiser
hack, more, wiser... The art of writing software is still in its infancy.
Things that humans do tend to be erratic. There are no methods of
ensuring that a program (I mean a really big one) doesn't have errors, so
errors may still occur. Catching a more secure solution may become like
catching the horizon. It should be done, sure, but with current
development methods I doubt whether this can ever be achieved.

And what is the use of a secure solution if users don't install it? I
mean, securing software is really the most important thing, perhaps, but
this alone may not suffice. And writing secure software is really hard,
especially in their case. A wizard, a mailing list and good patches are
easier, perhaps. Prevention is a multilevel act, don't you think?

> > > That's not just stupid, it's just another shining example of their
> > > anti-competitive tactics.
> >
> > Well, why do you think that business is about competition :-). It's
> > about making money and nothing else.
>
> Tell me something I don't already know. The bottom line is that
> Microsoft is selling a wolf and calling it a sheep. They claim they want
> what's best for the user, but they go out of their way to destroy all that
> opposes them. I don't fault them for ambition, but I do fault them for
> hypocrisy and dishonesty.

When you look around, there is plenty of this. Personally I don't believe
that truth-telling and honesty are rewarded so much in today's world. It
pays better to tell people that they have wisely invested their money (in
an insecure system they don't really need, for example). I don't feel too
bad about it, it's just a mechanism that I want to understand. Maybe it
is too cynical, but at least my own cynicism doesn't hurt me. By
'cynicism' I don't mean being a bastard, but rather something related to
the philosophical movement of the past (this one meaning of the word,
which is totally different, has been almost forgotten nowadays).

And don't take me wrong - I really don't like the things you mentioned
above. But, however disgusted I feel, it doesn't matter. It does not
help, it can even be disturbing. It is much better to do something
instead of just feeling bad. For example switch to Apache, or to
StarOffice. Secure yourself. Tell your friends. Or something like this.
So this is what I do.

bye
T.

-- 
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_rolaat_private               **

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBO89GxxETUsyL9vbiEQJh0wCaA85hOLDSmjtZ0sS8WDhd2P6NW2AAoPX2
gDnEC3Dhd3QxYH5hRcztWWR+
=qYrH
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 17:01:19 PDT