On 2006-08-05, Rex Ballard <rex.ballard@xxxxxxxxx> posted something concerning:
> Sinister Midget wrote:
>> On 2006-08-05, Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> posted something concerning:
>> > __/ [ Rex Ballard ] on Saturday 05 August 2006 00:34 \__
>> >> Sinister Midget wrote:
>> >>> http://news.yahoo.com/s/ap/20060803/ap_on_hi_te/microsoft_hacker_challenge
>> >>> LAS VEGAS - After suffering embarrassing security exploits over the
>> >>> past several years, Microsoft Corp. is trying a new tactic: inviting
>> >>> some of the world's best-known computer experts to try to poke holes
>> >>> in Vista, the next generation of its Windows operating system.
>> >> [snip]
>> >> So they put a padlock on their cardboard box, didn't tell them about
>> >> the doggie door for the St Bernard, and gave them 10 minutes to try and
>> >> figure out the combination to the padlock.
>> > *LOL*
>> > FWIW, the crackers broke Vista last night! Well ahead of its date of release
>> > (the prematurity being a bad thing for Microsoft, not a positive thing)
>> Typical. To fix the security problem, you have to break another thing
>> (which is how these things nearly always work).
>> Rutkowska brought suggestions that could potentially prevent the
>> subversion of the Vista kernel. One of them involves denying raw
>> disk access from usermode, though she said that approach would
>> likely break many applications.
> Like nearly ALL of them!
>> The bitching will start somewhere down the road. So the fix for the
>> newly b0rken thing will be to reverse the process and not worry about
>> it until kiddies find out the old access door is opened again.
> Classic gambit number one. Keep the information buried, get
> injunctions to prevent disclosure, and pretend there is no problem.
If I was a script kiddie, I'd keep a catalog of every exploit I'd used
before. Every Patch Tuesday I'd pull all of the old exploits out and
test them, and release the ones that started working again. I'd bet
that after 2 or 3 years of collecting malware one could re-exploit
Winders nearly every week forever.
>> Or, as happens sometimes, they'll really hose something up trying to
>> make the first fix work at the same time the new fix does.
> Gambit number two. Have a "cripple-ware" patch which is so onerous and
> so completely disables the machine that everything stops working. The
> machine is functionally useless, but it's "secure".
>> After people
>> start uninstalling the second patch and continue whining about their
>> broken programs for a while
> Gambit number three. Once people remove or refuse to install the
> "cripple-ware" patch, you are legally off the hook, because they did
> not install ALL of the patches recommended by Microsoft. Virus
> completely trashes your PC, but you didn't install every security
> patch, so Microsoft is not liable.
>>, /then/ M$ would follow the usual path of
>> just rebreaking the first broken thing to fix the second one.
> Gambit number four. Break things strategically. Issue "security
> fixes" which don't break Microsoft applications (which have been
> patched to be unaffected), but break all competitor software. This
> gives Microsoft the best of both worlds. A "security fix" (meaning it
> can't be ignored), that kills competitors. Eventually, the third party
> vendors will get the appropriate fix for the "secure" system, but it's
> still weeks or months where corporate systems are either exposed or
Also use the patches as an opportunity to push more "features"
(aka 'malware that gets released by the vendor'), a new, more
restrictive EULA and inspect whatever is on the machine to ensure
the monopoly's been properly overpaid for crappy "software" that's
>> IOW more of the same.
>> But what can one expect from what amounts to a service pack for XP
>> (with monstrous additional hardware requirements)?
> Let's be fair. Microsoft is offering a whole new brand of eye candy in
> the form of 3D interfaces. Now every pixel of your word processor
> document has to be plotted in 3 dimensions, which can gobble up billions
> of CPU cycles and yield absolutely no increase in real productivity.
> Microsoft is pretty much saying "With Vista you will have NO ROI, no
> increase in productivity, and no real value, but we want you to pay
> three times more than you are paying now and buy new hardware".
This point right here can be the killer. If the hardware is so
expensive that OEMs can't keep prices down, PCs don't sell so well. If
PCs aren't doing too hot, M$ can't keep the bottom line up except
through the typical nefarious means, and OEMs are going to have to look
another place to get stagnant or suppressed sales to pick up. Such a
situation may or may not benefit linux. But there's no doubt that won't
> OEMs may have the same issue that came with Windows NT 3.x. Too much
> capital expenditure, for not enough return or value, and lack of
> advantages could result in sales of very few machines. Committing to a
> "Vista Only" strategy could result in a total restructuring of the
> entire PC industry.
A restructuring they probably won't have the stomach for. There's no
assurance (not even a strong probability, not even a fifty-fifty
chance) that Vister will attract enough people to buy it to make sales
brisk enough for companies to survive. Weaker ones (like, say, Gateway)
could easily put themselves out of business if they roll the dice and
their strategy is a huge mistake (which is why they're already among
the weakest of the weak, since they've been rolling the dice regularly
and crapping out most of the time).
>> Rutkowska said she disabled kernel memory paging on her own machine
>> and is just using physical memory instead. She did admit, however,
>> that her machine had 4 GB of RAM and as such paging makes little
> That's pretty close to the limit for a 32 bit machine. If Vista is
> gobbling 4 gig already, and kernel paging has to be disabled, then a 32
> bit Vista machine is useless already.
>> There goes the "minimum" or "recommended" memory requirements. You'll
>> need to increase it massively just to get around one security bug. Moms
>> and pops everywhere will know *exactly* what to do.
> So will CIOs, CTOs, and CFOs.
>> Microsoft Marketing: The art of making you think the money you spent
>> was worth it.
> Actually, the art of making you think that spending someone else's
> money on something they don't want, don't need, and will result in
> layoffs, inconvenience, and extra work for the people whose money you
> are spending - is a good idea, and will make YOU rich and important.
> I didn't NEED to upgrade from Windows 2000. I got Windows XP when I
> got a newer machine. I didn't even want it. I would rather have
> gotten the same hardware and Linux.
There *is* no upgrade from W2K in the M$ product line. There's "tossing
more money into the bottomless pit" and there's "making Blammer richer
than he needs to be". But there're no upgrades from those guys.
All things are possible. Except making Windows secure.