Passport Breached!

There was recently an identified breach of Passport. I work a lot with MS technology, including this stuff, and am very curious what the other tech folks have heard about it. I'm on the fence about this kind of centralized security mechanism. On the one hand, we need it. You register for 20 web sites, then move or change email...then what. The old address/email gets all that spammola unless you set up redirects/forwarding and so on. One ID in a secure place that the other sites reference is the way to go, sort of like debiting your bank account.

On the other hand, if that structure gets breached, millions of users are at risk, even if only for a couple of hours, or minutes. That's bad.

It's a conundrum. There is no FDIC for internet IDs, but internet use is far too distributed to make a different registration/ID for every resource you use practical. MS has the current lead in an implementation to solve this, but the fact of the matter is MS isn't a bank (ATMs don't have an option for a PIN reminder to be emailed to you lol imagine that) and doesn't have that level of trust and credibility.

Just curious if anybody has had to deal with this and has thoughts.

I am not a professional admin or any kind of MSC**E, but I am a person who uses the internet, and therefore have to deal with this.

I think a central repository of secrets is the WORST POSSIBLE solution to a not too serious problem.

Look at this from a few angles, using MS passport as an example.

1) Do you trust Microsoft with your secrets? Do you trust that if you give MS authority over all your secrets, basically, the keys for your life, that they will not abuse this power, that there are sufficent systems and safeguards in place inside the orginization that no one that has access to your secrets will abuse that knowledge? Many people would trust this.

2) Do you trust Microsoft's security? Security is hard. Do you believe that Microsoft will spend sufficent dollars in a smart way to keep your secrets safe from external and internal invaders? Given MS's completely abysimal, mind-bogglingly bad, fantastically craptacular track record on this front, and the most recent Passport vunerability, you would be a thundering fool to trust this.

3) Do you trust the government? Do you trust that your leaders will not simply pass a law stating that MS has to give all your secrets to the goverment? Do you trust that even without such a law, MS would not do this by request, to Fight Terrorism. Do you know the extent of the PATRIOT act, the upcoming PARTIOT II act (yes, it's really called that), the DMCA, and all the state-level laws that already pretty much mandate this? Do you believe that no government employee will abuse this power, given that time and time again we have seen police officers, FBI agents, CIA agents, IRS agents and all manner of beauracrats and other functionaries abuse this trust in other areas.

Ah Weds, the age old problem...when a cop pulls you over and says "open the trunk", and you say "nuh uh"...what are you hiding? Rights or no rights if that cop wants, he will open that trunk. Keep in mind that passport holds some very rudimentary information. And...if you plan on nefarious internet use...don't do it while using your passport. In fact, regular use of passport could actually be considered a good cover tactic, like a gangster that runs a restaurant. if you're seen working that restaurant a lot, people will ask less questions about your living.

Putting aside "who do you trust" (after all you do trust your bank, so it is possible), what is a better mechanism than a centralized repository of some kind?

Ah, but this is precisely my point. Imagine you had to carry _everything_, all your secrets around with you in your trunk? You (U.S. citizens, I mean) used to have protections agains unlawful search and seizure, but those are rapidly evaporating.

MS wants to be your single point of login, and they have the weight and the money to become that (note, for instance, that you need a passport account to submit bugs in XP, and MS will bribe, cajole and lean on more and more services to allow passport access and then ONLY passport access).

So soon it may not be possible to not use passport if you want to do anything on line. (If you don't believe me, try surfing the web using a non-IE web browser, yes you can do it, but you have to get the browser to pretent to be IE, and even then some sites will try to keep you out and just not display correctly, for no good reason).

So what I'm saying is that if everyone's secrets are in one central repository, it is a much more tempting target for the bad guys, the untrustworthy internal employees, and the less savoury parts of the government.

So, what's a better solution than a central repository? How about ANYTHING?

Or, for a specific example:
Right now, at this amazing time in our lives, processors are fast, memory is cheap, bandwidth is getting cheaper and the cryptographers are way ahead of the code breakers. We have codes that would (probably) cost more to crack than the value of any secret you would want to protect with them, that can be used to encrypt and decrypt in real-time.

Why not keep all your secrets encrypted on a 64MB USB keychain drive? People know about keys, they are used to thinking of them as security devices, you don't give your keys to someone you don't trust. There are good methods of doing this such that you can keep a secure backup that only you can access, that the drive would be usless to someone who is not you, etc. Using this and some smart software, your on-line bank account could have an amazingly long pseudo-random password as opposed to "kitty" or your wife's birthday or whatever, and you wouldn't have to remember it, it would be secure on your keychain, accessible only by you.

The problem is that no company is really motivated to implement this in a way that does not bind you to them.

I agree with WG.

MS history security wise places them near to last place of people I want holding my passwords. I'm not saying they aren't getting better, or that any other OS is better or anything like that. But if your bank announced a new security vulnerability in their ATM software every week would you stay with that bank? Would you keep your money in that or any bank?

Have you read the liscense agreement for passport?? Like really read it? You essentially signed your soul over to MS when you agreed. <shudder> It is one of the worst agreements I have read. It has been about a year and a half since I looked - maybe its changed - but I doubt it.

There are better solutions than a central repository. Hardware solutions are better than software solutions. Even given that, I would rather all my passwords were stored, encrypted, on my computer and handled via a program on my computer that kept track of the sites I visit and my passwords for them. Combine such a system with some Biometrics (thumb prints, face recognition which is possible with nearly any webcam etc) and a good random number generator to generate a key that is both unique to you and different for each site..... could each be 1024 characters long or more as long as the software stored them encrypted and on your computer....

Better yet, as WG suggests, put it all on an external USB keychain device. No one has access to any of the stored passwords or encryption or anything, even you. Put a thumb scanner on it. It gets asked for password to X site, you put your thumb on it and it sends your unique password.

This is definatly a case where security through obscurity is not the rightway. Make it a standard, make it an open and accessable standard. IEEE standard, so things can be verified and consumers can know that it offers the security it says it offers. Standards for both the websites that support it (make the APIs available, build it into the web servers) and for the devices.

I am not Anti-MS software, I am Anti-MS business, but I seriously think passport is just a bad idea.

Ok good notion...but how do you access and use it? Plug in and allow some local application to read the data, then send it over the net for verification to the vendor? Who do you cry to if you lose the key/pin?

Keep in mind the only secrets the passport carries around are the ones you give it...and people wouldn't adopt passport if it was totally ineffective no matter how much money you put behind it. If you take out personal resentment/suspicion of authority, it appears to be the best solution on a technical level.

Unfortunately, biometrics is not the silver bullet it seems we had hoped...their are a variety of techniques to fool them. And asking your average consumer to invest in and understand this for a credit card validation is probably not a good business model.

I myself think a federated system of VPN/smartcard accessible networks is part of hte answer. But...it isn't cheap to support that, so there would be a fee to get charged a fee to buy the product.

Unfortunately, the gov't may have to get involved in this. Ultimately our system of private enterprise may not allow one vendor to step up and take this mantle. The company that does it would of course have to be king of the hill, and everybody hates that company (America loves the underdog), so this may be a leap people aren't prepared to take.

I think we're getting bogged down in the implementation details of the key thingy, but none the less, I'll respond to a couple of Tcoz's and Ama's points.

Biometrics, as they are now, don't really work. Way too many false positives and false negatives (look up what his holiness Bruce Schneier has to say on the topic). Maybe some combination of something you know (a passphrase), something you have (the keychain drive) and something you are (some biometric) would work.

As for how it actually works for the user, it could be made pretty transparent. The drive could contain your encrypted secrets and some software. Plug in the drive and run the software, which goes and sits in the sys-tray (say). When you're on a web page that needs a password, you enter some key combo that starts some IE plugin that asks you for your passphrase and biometric and gets just that password out of the drive. This is one possible implementation. I'm not a security expert and I haven't thought this through, I'm just trying to establish that there are ways it could be done that are both as secure as possible and transparent to the user.

Finally, Tcoz, you say that the only passwords passport has are the ones you give it, but what I was trying to say in my previous post is that Microsoft has the will, the muscle and the money to make passport necessary to do any on-line transaction. This is their stated goal, a single log in point for all web services. So we may end up in the situation where passport is necessary and you must give it all your secrets to do anything on line.

Oh, and saying

seems to me a lot like saying "if you take out all the pain and screaming, dentistry without anestitic is the best solution on a technical level"

Interestinlgy enough Weds, Dentistry was still practiced for the common good before anesthetic.

You have to keep it off the client. It's too open to hacking. Sooner or later somebody will figure out a way to read the hard drive/technology, or spoof an id from it, or something. The client-centric approach has been dismissed as unfeasible in a distributed secured environment, primarily for admin purposes and in the event of a bug/breach. In the end, the creds need to be kept somewhere no client can physically get to them...so somebody can throw the off switch.

Ah, right...edit, the EFS (encrypted file system) that started shipping with Win2K is exactly this...an attempt to secure credentials/files/whatever via automatic encryption on the harddrive, and transmission of those encrypted files. This technology still exists, was used by the state department, and ultimately found to be expensive and not as effective as they had hoped, largely due to simple human error (like leaving that encrypted key lying around). One story is of a guy that just left his computer on in a cab, then left the cab in a rush. Not hard to decrypt the files when a file named "passwords" lives on the users desktop.

Good topic, good discussion.

Agree WG - a combination of the three is needed.

I disagree Tcoz that a central database has to be better than a per user solution.

Here is my idea of how the ideal system would work.

- USB keychain device with a unique serial ID. Extensions cables so it sits on the desk, or can be pluged right in (laptops etc).

- User turns on the computer. It asks for a password (the device drivers etc.). This password is entered once per login.

- User visits a site that supports IEEE 61604 security. (just made that up, spiffy eh?).

- To create an account the user selects the password field, and presses their thumb to the key device.

- The device generates a password based on 4 things: a random number, the password given at login, the ID of the device and the thumb print. All that is stored on the device is the site and the random number for that site - encrypted.

a while passes

- user turns on computer another day

- logs in with a password for the device

- opens web browser and goes the the site

- it asks to log in so the user presses their thumb to the pad.

- pad regenerates the password from the one entered at log in, the thumb print, the ID of the key and the stored random number and sends it to the site. That is the device is given the IP / site when the password is asked for and the device sends straight to the site. Over an SSL session, I dunno heh.

- user is then in.

Thats very high level, pretty darn secure (as I see it) and all the user sees is: type in password when turn the computer on, press thumb to get into site. No site has the password for a user for any other site just because they have the one for their own. The user has no way to access the memory on the device. It isn't soley biometrics, key or anything.

Well one thing is what if it breaks? Or you lose it? Sell the keys in pairs, and allow ones to be ordered with specific IDs. Allow daisy chaining the devices to back up data. Even if someone figures out what key ID you have its one piece in 4 to getting in any site - they still need your thumb, your login and the table of random numbers. Or allow the memory chip to pop out - use a standard smart media card or something. There are solutions to this that are as painless as losing a password can be.

With good algorithms I see this as an infinatly better solution than any central database.

Dude, I think you're drinking the Kool-Aide, "has been dismissed as unfeasible"? By whom? People trying to sell passport?

What's "too open to hacking if it's on the client"? My 2048-bit key encrypted files? That's a task time on the order of the possible age of the universe.

How do you mean "for admin purposes and in the event of a bug/breach"? Of course password cancelation needs to be possible, but that is a totally seperate task from what we're talking about. And how is it better, in the event of a breach, that someone has access to everyone's passwords instead of one persons.

The server that controls the resource still has to verify that you are you, it doesn't just trust your client to say "yep, he's ok, I checked him out". It's just a question of who has posession of the secrets.

My opinion is that you should always own your secrets and should not have to trust them to anyone else, and have to trust them to keep your secrets safe, and it is my contention that there are secure and transparent ways to do this that would end up in a situation that is more secure than a Passport style central auth server and much much more secure than what we have not.

(Also, it's not a false analogy, yes dentistry was praticed without anestitic in the past, but I think that most people think that "with anestetic" is better and would not want to go back. Same as this, done but painfully in the past, could be done better in the future).

Hmm...did you know that this is basically how Passport works? You visit the site, and a random token is generated which is stored on your computer. This token is the one that is referenced when you log in to a "passport enabled" site. If that token is in anyway determined to be non-original, or is missing, you will be required to log in again. If you log in anywhere else while that first session is active, you will be logged out at the other location and a new token will be generated and sent to the new computer.

What you propose is to add a hardware layer. A good measure if you ahve control of your environment - I use smartcards to vpn into my network. But joe "the internet is for geeks but my wife wants this italian lamp" won't do it. SmartCard security is part of the Win2K+ secure login approach, and was even being looked at for public use...but it is not commonly implemented due to admin problems (who will replace your encrypted key? Where do you report it stolen? Who do you trust?) and the simple fact that it adds responsiblity to the user. You and me may go for that, the other 8 guys won't. And their money is green too.

Oh Weds, me and kool aid. You have no idea how wrong you are. I beat on MS mercilessly because I often have to count on them. I see a lot of proposals...but no practice. Hating MS for the sake of it is a kool aid to ya know.

This is great stuff, I talk to a lot of people about this, and am waiting to see a well-funded practical alternative. IBM and Sun appear content to watch.

Schneier on biometrics
http://www.counterpane.com/insiderisks1.html
http://www.counterpane.com/crypto-gram-0109a.html#3

"Drinking the Kool-Aide"
http://catb.org/esr/jargon/html/K/Kool-Aid.html

Microsoft forcing people to use passport
http://www.theregister.co.uk/content/archive/24923.html
http://www.theregister.co.uk/content/archive/24938.html

Interesting discussion. I'll add a few tidbits that haven't been covered yet...

I personally think biometrics are a good mechanism. Its hard to forge fingerprints, harder to forge your retina, and some combination of retina, voice, fingerprint and maybe even a pasword plus a security device would certainly make you feel secure against someone breaking into your account.

But that misses the point of what happened with the Passport system entirely!

No encryption mechanism that could possibly be devised would have stopped the Passport hack and here is why:

"The Pakistani researcher, Muhammad Faisal Rauf Danka, determined that by typing a specific Web address that included the phrase "emailpwdreset," he could seize any Passport account. He said he sent 10 e-mails to Microsoft explaining his findings but never received a response. Sohn said the company was investigating how it might have missed those reports."

Here is the full article:

http://story.news.yahoo.com/news?tmpl=story&cid=528&ncid=528&e=1&u=/ap/20030508/ap_on_hi_te/microsoft_hackers

Sloppy programming and back-door mechanisms will ruin perfect security every time, and when you combine that with a company that really isn't paying attention, there are bound to be problems.

When did Microsoft start paying attention?....

"Microsoft shut down the affected Web address late Wednesday night, just over one hour after details were published on the Internet. "

Most likely what really got their attention was a sudden spike in these password reset events happening. Lets imagine a thousand or so an hour where they would expect to see a few hundred a day.

Whats at stake for Microsoft? Their reputation for one thing, but they have shown a remarkable lack of interest in that over the years too, how about this:

"The Fair Trade Commission and Microsoft reached a settlement last year over the software maker's claims over the security features of Passport, which included a fine for future violations of up to $11,000 for each incident. "

Which as it turns out amounts to $2.2 TRILLION if somehow all Passport users were affected.

Full article:

http://story.news.yahoo.com/news?tmpl=story&cid=582&ncid=582&e=3&u=/nm/20030508/wr_nm/tech_microsoft_security_dc

Microsoft likes the steady income, but they are not so crazy about the potential liability that the Passport system carries with it. I wouldn't be surprised to see them sell off this operation in the not too distant future. It doesn't make them a lot of money and the upside potential is far less than the downside potential.

Going beyond Microsoft, from my reading MOST of the problems that have occurred involving credit card information on the internet has happened in this same way. The little lock that shows up on your browser that shows that your transaction is "secure" is great, but it has more to do with making you feel good than with actual security. There just aren't that many bad guys out there sniffing internet packets. What they do instead is look for weaknesses in SERVER security. Most of the Credit card losses have been from servers with easy to guess passwords on their databases. The other common problem is web interfaces that use cryptic LOOKING URLs to mask data. If the URL can be converted in any way to a users name, or any other well know property of the user then it has no business being used as a URL in any secure transaction. Careless coders do this all the time though, and eventually some hacker figures it out.

Personally, I don't leave my information with a vendor unless I am required to, certainly not as a convenience. The first time I trusted any company this way it was Amazon.com, next thing you know the credit card company CALLED me and asked if I had just ordered $800 worth of books. My guess is that a whole bunch of numbers got let loose somehow on that one.

The good news is that in most cases the individual is not liable for fraudulent charges. It's still a pain in the but to get a new card issued... not something you would want to have to deal with several times a year.

What will fix this (beyond things like biometrics) is extremely stiff penalties for offenders, no more slap on the wrist for first timers, and extremely high penalties for companies who want to reap the rewards of holding your information. There ARE companies who know how to do this stuff, Microsoft just doesn't happen to be one of them.

I like that line. There are so many places where microsoft thinks that just because they can make an OS and an Office Suite they can do this too. And you are 100% correct about it being the backdoors and lazy code that causes security problems.

A general note about security: a password or system only needs to remain secure for as long as information being secured is sensitive. What does this mean? For storing credit cards or credit card numbers any system that takes as long as a credit card takes to expire or longer to crack is good. CCs last 3 or 4 years? I dunno, but any security that takes more than 5 to crack will be sufficient. You of course have to account for technology speed increases etc. etc.

Now here is the transferrence of that idea to what we are talking about. Forced -effen- password changes. So in the system I stated above here is how that works. When you create an account the date is stored. if you log in past one month after that, a new random number is generated and stored and the date updated. The password update system is built into the site - it knows how to handle a password followed by a reset command from the same IP followed by a new password. Or something. The user never notices. However every month they have a new password.

As for joe common user .... prices need to drop. If the cost of secure internet was $10 - $20 a person, they would do it. Companies should support it because it means less chance for fraud - and in the case of fraud it is often the retailer that bites the bullet, or the credit card companies. So the credit card companies should offer one to everyone who opens an account with over a certain limit (meaning they have enough credit rating to warrent the $15 - $25 cost (shipping incl ).

It can work. It can work better than passport.

And I will pass on the kool aid thanks. I'm currently not taking any from MS, Linux or anything. I'm raggin on em all.

Starting to see the model fall together. We're missing the deploy and admin points though. What do you do if you lose the key, or believe somebody is spoofing it, or want to "cancel" it? And how are the upgrades to the device acquired? Dowloaded firmware?

Making it practical for credit card companies (or whatever) needs to be dealt with too, which gets back to deploy and admin. Earlier when I mentioned that in a distrib'd environment (like all your card holders), putting the onus on the client is problematic, which is why public deployments of client centric security architectures are generally considered not practical; so we haven't advanced beyond bank card (easy to deploy and admin) and pin. There are some attempts, but if it's a money maker I don't know...how often do you actually see American Express Blue?

Incenting people that aren't interested in dealing with technology is a huge part of the equation. Passport does this with advertising and so on, ease of use, integration/convenience etc., and at least that part of the model is working; millions of people use it. And keep in mind the technology itself wasn't breached, it was the administrative processes around it (somebody enabeld a password reminder redirect).

But the point on centralized store of data is pretty commonly felt; people don't like the idea. (Btw a lot of people don't know you can purchase your own passport infrastructure). If you could make a client mechanism pretty much transparently easy to use, free (or CC attached small fee), determine who is accountable for fraud/deployment/admin and make it worthwhile for them to get involved...well then we'll be rich and can judge status by who gets to sit on the top deck of the yacht and throw the ice from his expensive scotch drink down at the others sunning themselves below.

Here is something I just got in the mail... not related directly to Passport, but to the Microsoft culture. Its a bit long.... moderators feel free to delete...


From:� Russ <Russ.Cooper@RC.ON.CA>
Reply-To:� Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
To:� [email]NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM[/email]
Subject:� Windows Update is a dog, again!
Date:� 14 May 2003 16:42:10 -0400
Well, looks like Windows Update has once again shown how untrustworthy Microsoft can be. For at least the past several days Windows Update has been providing consumers with false information. WU users would connect, initiate the scan, the scan would complete and inform the user their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.

In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

It's good that we don't need elaborate checklists and voodoo mojo security tools to check our systems; we only have to make a quick visit to Windows Update to be sure. Finally, with the introduction of Automatic Updates, we no longer even need to make that visit manually, we can trust that Microsoft will supply us with a properly tested security patch within 24 hours and patch our systems for us (unless we're running Windows XP and got MS03-013 when it was released to WU.)

A year ago I complained about Windows Update, with its registry only checking and myriad other problems. At the time Microsoft was distributing Shavlik's HFNetchk, and so at least with tools from Microsoft we could see the error of Windows Update's ways. That cry of disgust caused Microsoft to yank HFNetchk, because they hadn't licensed it and didn't have a formal agreement for its promotion. "Consumers be damned, make darn sure they're not getting conflicting information from us" seemed to be the rallying cry at Microsoft.

I questioned the Trustworthy Computing Initiative's value then because of that debacle. When asked by the media at the new year how I felt the Trustworthy Computing Initiative had progressed, I gave it an "F", or failing grade. Some wondered why, and pointed to things which the public hadn't seen as justification for TCI's benefits. Seems too many never bothered to read Bill Gates' memo. They failed to grasp the fact that TCI was in response to a public perception that Microsoft was not sufficiently trustworthy.

Has Microsoft done anything to change that perception? No, absolutely not I say! (emphatically)

Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojan's that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but its a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any business' have found Microsoft trustworthy enough to permit automatic updates. So since the inception of Windows Update Microsoft has increased the number of times an Administrator needs to patch every Windows system in his/her company. Since Windows Update Microsoft has made it increasingly difficult for an Administrator to avoid Windows Update. Despite the fact that at no time has Windows Update ever proven itself trustworthy, Microsoft continue to force you to use this unreliable mechanism more.

If anyone is wondering why Windows Update is a dog, again, consider the posts this week to NTBugtraq. You wouldn't believe the number of individual experiences I received regarding problems with Windows Update. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist. The fact that so many possible solutions were seen to correct problems with Windows Update also suggests the environment is far less stable than it even appears to me.

Consider, to use Windows Update reliably I need to;

1. Ensure my system date is reasonably correct.
2. Ensure my IE language setting hasn't disappeared for some reason. Even if it hasn't disappeared, try adding another language too.
3. Ensure I don't have a network share connected which has more capacity than the drives on my own machine.
4. Ensure that I am not setting up a new system and have set IE to check for certificate revocation.
5. Ensure I'm checking from the system I want patches for, meaning all of the systems in my environment must be the same OS or I, as Administrator, have multiple systems to check for updates.
6. Try HTTPS instead of HTTP if it says I need no patches, it may not have checked properly.
7. Wonder if the backend systems for Windows Update are down, under maintenance, or just configured incorrectly if it says I need no patches, it may not have checked properly.
8. Try MBSA, that's handled by a different development group than Windows Update so the errors might not occur in both environments, or may be different, so you can then have fun deducing the differences yourself.
9. Wait some undetermined period of time and try again!
10. Contact Microsoft and not get a response.

And with that list can anyone say Windows Update is reliable, or to use their words, trustworthy computing?

But hey, what's Windows Update after-all. Its just a consumer platform for trying to fix a problem which really isn't Microsoft's after all (read the Breakseal.) Corporate users aren't using Windows Update, they're running Software Update Services...if they have a Windows 2000 system that is, and if they have one for every group they're trying to update, and if have a test environment to check every fix, and if they don't mind handling a very long list of patches they've chosen not to deploy...etc...

If anyone was serious about beginning to tackle the trustworthiness of Microsoft, they'd have done something a year ago when I first called Windows Update a dog. See for yourself, have a look at my previous musings and then tell me what's been fixed or improved. If, like me, you see nothing...then the Trustworthy Computing Initiative once again gets an "F";

The following URLs are wrapped to 2 lines, you'll have to piece them together for them to work;

<http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6886>

<http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6990>

Hello, Microsoft, are you listening???

Everyone is free to reprint, quote, or forward any or all of this message anywhere they'd like, preferably to places where people with more influence with Microsoft than I will see it.

Cheers,
Russ - NTBugtraq Editor

Fair enough...lot of anti.

Let me ask this.

Hey Linux/Open source type. If you factor out the "don't believe MS" data, what do you have left? We have reasons (now, five years ago of course this was different) not to believe TPC-C. We have reasons not to believe the middleware company (world class java vendor). We have reasons not not believe Don Box (hello CORBA).

Please, look at the 2k3 numbers. Try to respond with something other than "the reason you shouldn't believe it...". As a solutions specialist, from a performance and cost measure, I can't ignore this data, but the non-MS type would have you do it willingly.

I subscribed to the NTBUGTraq list when part of my duties included administering some NT servers. The people that administer the list are as far from being anti-Microsoft as you can get (since they sell Windows oriented security products).

In this case telling Microsoft that they should get their act together is like telling an alchoholic that they might want to skip going to the bar again tonight, an act of friendship, not hostility. Russ is frustrated because he, as a friend of that company continues to be ignored.

For my part I don't use Windows at home for "production" activities, but I have lots of friends that do. I warn them about problems I've heard about whether it involves Windows, Linux, OS/2 or something else.

In the case of the Passport system I've already run across someone who's parent's Hotmail IDs had been compromised. They were clueless about all this, now they know at least what might have happened. For Windows users, I'd just say not to be so certain that your "up-to-date" Windows system is quite up-to-date after all. As the message says, there is no workaround or fix for this that makes sense. Thats frustrating, and probably unessesary. If Microsoft would focus more on the technical issues and less on the PR issues they would do much better at dealing with BOTH. As far as competing products form Sun an IBM, all I know is that they are still working on the standard (I think its called Liberty.) When they are done you won't have to pay Sun or IBM a royalty to use them. Sounds like a good deal to me. In the mean time there are MANY security systems in use by banks and internet companies. Some work beter than others, and I don't claim to be an expert on them. Microsoft's intent is to convince everyone to dump what they are using and switch to Passport. Based on recent news I hope that doesn't happen any time soon.

I actually DON'T ENJOY seeing Microsoft fail, any more than I would want Boeing, McDonalds, or any other large American company to fail. But when they screw up, it is to no one's advantage to pretend it didn't happen (particularly if it still hasn't been fixed). If you work at Microsoft or know someone who does, use your influence to get some action on this.

I use automated update features of Windows, Linux and OS X. There is currently an update to OS X that people are having trouble with so I am holding off on it. The last MAJOR Linux security issue involved SENDMAIL and was fixed (online and downloadable) less than 6 hours after it was reported. There is no question that all software has bugs. The question is whether the best policy for a company is to just FIX the bugs versus waging a PR campaign to hide their existence.

The message posted above was not in a vacuum, it was in reponse to messages from several Windows Sysadmins who are stuck and not being helped. There is a good chance that some people reading here might benefit from the info. Take it for what it was.

yea I trust my Bank just fine its a 450pound safe thats bolted to a concrete floor in the back part of my basement that no fool would dare to travel into with all the cob webs dangling about since the house is 160 years old ...I believe at one time they called it the "root " celler part of the basement....if MS would keep there files in my safe there would be a hella lot less infiltration LOL

Anybody see the OpenHack numbers?

Win2.3k, unbreached. Linux...well, I won't post the numbers.

And to show my general attitude on fact vs. religion...MS is releasing a .Net version of Quake 2, all managed C++ (they say). Aside from Q2 file format being more a learning tool now than a real example of modern gaming dev, I wrote a response stating why at this point in time, based on the nature of getting max FPS out of hardware (and the subsequent need to work directly with the OS...), and the fact that a simple client demo of a dated product raises more questions than it answers, support models, and so on, that the MS model is just no good. I was unaware I had so many heads to rip off. So much easier to just pick a side and fight for it.

OpenHack??

Why not post a link. Searches I did turned up results for 2002 (which would be 2.002K right?)

The Openhac.com site timed out for me...which could mean several things.

As far as I know this isn't a this-OS vs that-OS competition, but since it's run by e-Week, I'd expect some bias towards their advertisers.

While we are at it... the Ziff Davis empire is struggling along at the moment, cutting back on a lot of their online content, laying off the CNet Radio staff and cutting the e-labs back to bare bone.

This is what happens when one company buys out all its major competitors and then decides to invest in real-estate while office rental rates are at their peak. Quite frequently their product reviews have two or three product placement references hot-linked to their own virtual store for which they get credit if you make a purchase. They've come a long way from what used to at least resemble journalism. Maybe they are borrowing journalists from the New York Times eh?

As far as OS religion goes, I went from DOS, to Windows, to OS/2 to Windows NT, 2000, Linux, OS X. At no point did I consider myself "loyal" to the operating system or company(s) involved in producing it. Along with the OS changes were frequent hardware upgrades, from which I have quite a menagerie of computers each of which runs one OS or the other optimally, and mostly never get switched on.

After 20 years of this I have basically gotten tired/bored with the whole thing. I look back at all of this and realize how much I have had to throw out at each generation, not just hardware but software and I see this as a tremendous waste. I even WROTE programs that did things for me in DOS that I could only run now in some emulation mode to be of any use. I don't think I am alone in this. We have reached a technological plateau where many businesses and individuals are waiting for the next big thing, except this time, the next big thing needs to be really new, and not just a slightly faster processor or an OS with twice the memory footprint. I've reached the point where to keep upgrading to the newer hardware and software I have to actually stop using perfectly usable systems, or in business terms "write them off". I'd like an operating system that can grow, without having to obsolete everything that came before. In retrospect I realize that if I had been using just about any form of Unix for those utilities I wrote, I'd still be able to use them, and fully. Excuse me, but I'm a bit POed about that.

If one must make a religious argument out of this I'd start with the following chant:

"Ohmmmmmmmm, General Electric, RCA, AT&T, Kodak, General Motors, Sears, Zenith, Nikon, Hotpoint, Maytag, Motorola, Philips, Sony, Toshiba, K-Mart, Casio, Toyota, Bic, Sharp, Minolta, Ohmmmmmmmm, Standard, Esso, Exon, Enron, Ohmmmmmmmmm"

PCs and their operating systems are transitioning from R&D to commodity and companies like the above (who don't go out of business) will get to participate for a long time. Competition will insure that I have a choice between a basic refrigerator for $300 or a really deluxe one with a mind-reading ice-maker for $1000.

Microsoft and Intel will have to figure out what part of the commodity computer space they want to control when they grow up. They can't have it all though, not any more.

Here is a great video on the early days of the "PC" that had a few tidbits that I didn't even remember. Clears up some of the myths about how IBM and Microsoft hooked up too...

http://archive.org/movies/movies-details-db.php?collection=computerchronicles&collectionid=1814&from=BA

If that link doesn't work, go to http://archive.org

then to the Computer Chronicles section and then to the special on Gary Kildall.

I hadn't been aware that Intel turned down the offer of an OS for the 8080, thinking that it was only useful as a device controller. (But the revelation didn't surprise me).

FYI...

http://story.news.yahoo.com/news?tmpl=story&cid=582&ncid=582&e=1&u=/nm/20030528/wr_nm/tech_microsoft_glitch_dc

In case you know someone who suddenly can't connect.