Breaking Windows

“Tavis Ormandy has discovered a security vulnerability in Windows which can be exploited by any user on the system to obtain administrator privileges.”
see Google researcher discloses zero-day exploit for Windows

Sigh. Here we go again, a billion PCs with little or no security simply because they run M$’s OS. Even if you love M$’s software for other reasons, no sane person should let all their IT rest on M$. They are an unreliable “partner”. With all the money they have they are not able to secure their OS because it is defective by design.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

84 Responses to Breaking Windows

  1. matchrocket says:

    Quibbly the troll like his beloved Microsoft was blaming the user. I didn’t notice it as such until now. Damn! I hate it when they slip one by me.

  2. Quibbly, having proven to be a serial troll, is now banned: “You were serially incompetent.”

  3. oiaohm says:

    Quibbly I have some nice bad news. Yes Windows XP and up has slipstream functionality. Some of the educational applications still drive me nuts today. Why did someone hard code a Windows version check in the installer? wpkg and other solutions that run installers in a set order work out better than slipstreaming. (yes horrible but true)

    http://drbl-winroll.org/ I have used this beast. drbl winroll is dependable. The issue is the NT design creating more work. Let’s say you have multi core and single core machines, Quibbly.

    Quibbly is most likely not aware those require different NT HAL files that the NT bootloader loads by reading registry key files that are hard set by the Windows installer. Result: Windows dies at kernel load. There is no default boot option to go “hey, I have a multi core/single core CPU, let’s still boot.” The reason is that Windows is designed to only support one group of motherboards properly after it is installed.

    Now say you have a mix of Intel, ATI and Nvidia graphics. The issues only get worse under Windows. Nvidia and ATI drivers can screw each other up. So you now need an image for single core machines x by Nvidia and ATI, then an image for multi core x by Nvidia and ATI. Then if a board has some odd ACPI, some more for this.

    This is why Windows networks end up replacing all machines with identical ones over and over again.

    Windows is a pain in the butt to clone compared to Linux. Linux grew a lot from the livecd experience.

    This is the clear difference with Linux: it’s possible to cleanly install Nvidia and ATI drivers at the same time. The kernel by default sorts out whether it is multi core or single core at boot.

    Yes a customised high performance Linux kernel can behave like Windows. This is the differences in requirements I am talking about.

    For mass installing you want an OS that is not hard set in as many areas as possible. For a gamer/home user that is a single install you might want something hard-set.

    Linux can be cloned easily. Windows is out for vengeance if you use a cloning solution.

    Then you come to preconfigured installer options. http://www.instalinux.com This is the common Linux one, Quibbly. Linuxcoe is many times simpler than AIK and other MS solutions for slipstreaming applications in. It’s rare for Linux to have a slipstreaming installer failure. Unfortunately it is highly common on Windows, if you are slipstreaming third party installers, to make mistakes and install in the wrong order. (yes Linux package management saving ass here)

    Quibbly, Linux’s extended hardware usage life comes from the fact its clone images don’t have to be made hardware picky. So there is no major difference in maintenance with Linux between 10 totally different machines and 10 identical machines. With Windows you want the 10 identical machines; less pain.

  4. Maou Sadao says:

    Mr. Pogson is a trained physicist. How dare you all to demand from him to think logically?! He has feelings, too, you know.

  5. Quibbly says:

    I’m sorry, Mr Pogson, but that’s awfully difficult to believe. Thousands have managed those six steps, and you for some reason did not.
    “I did all those things -slipstream. I used Clonezilla. The problem is M$ shipping flawed software.”

    Possibly you went wrong with Clonezilla.

    Who knows? You almost certainly didn’t slipstream SP3 into XP.

    It’s very difficult to believe that, whatever else you did, you set up each and every XP machine with a User account that you could blitz at will, at very little cost.

    It’s possible that you set up an XP firewall and maybe even a proxy server.

    But you’ve never even mentioned a single one of those, have you?

    And let’s be honest with ourselves, you didn’t even implement a single one of them, did you?

    Basically, and it’s statistically a certainty given the school districts that have successfully implemented all of these tiny and simple (and I do mean tiny and simple) safeguards, the reason that you had problems in Nunavut with XP/SP3 is nothing to do with the fact that Microsoft couldn’t hack it.

    You couldn’t hack it, could you, Mr Pogson?

    You were serially incompetent.

    It’s difficult to admit, I understand that, but you will be a better man when you can look yourself in the mirror and say:

    I am totally incompetent and I have no clue whatsoever on the simple basics of maintaining an XP/SP3 network in a small school north of the Arctic Circle.

    Go on, try it! Honesty is good for you!

    And once you’ve admitted that, we can start to talk about why Linux is better for the world at large.

    Frankly, since you can’t even manage a tiny little job involving an XP network, it’s difficult to take you seriously.

  6. bw says:

    “Whether or not Lose ’95 came out of a time-warp it was still crapware”

    You take a useless position here. Win95 was a far better product than its predecessors and better than any contemporaneous version of Linux. The world thought so, too, and Win95 is a notable milestone in the development of personal computer technology, heralding in the 32 bit age. Win98 was better yet and Win2K became yet another milestone leading to today’s versions of Windows OS.

    Would you use the 1994 version of Linux today? I doubt it, but you can claim to disagree. Would you have used it instead of Win95 in 1994? No one else would. The new replaces the old and that has been going on for over 30 years now in regard to personal computers.

  7. bw wrote, “In 1994 when Win95 was released to commercial users, Linux was brand new, there were no apps to speak of, and I don’t think more than 10 people had even heard of it. For your purposes, you would have to compare Linux in 2001 to Win2K, followed quickly by XP.”

    Whether or not Lose ’95 came out of a time-warp it was still crapware. The passage of time does not create vulnerabilities. M$ does.

    The version of GNU/Linux I installed was Caldera eDesktop 2.4, circa 2000. Lose ’95 was still supposed to be “supported” but we had no support. CFS shipped those machines the year before with software “donated” by M$. How generous of them to ship place-holder crapware. The school system in which I worked indeed supported MacOS which also was pure crap. It was version 7, I think. So, we are talking five years after release. The stuff we used should have been well debugged by then but it wasn’t.

  8. Quibbly wrote, “Which makes me wonder where the problem is.”

    I did all those things -slipstream. I used Clonezilla. The problem is M$ shipping flawed software.

  9. Quibbly says:

    Mr Pogson, I hate to quibble. However:

    The last place I worked did use XP SP1 when I arrived and try as I might, I could not keep out the malware or keep them bootable. End of story.

    This might be the Director’s Cut of your story, but it lacks forensic detail. Specifically, you mentioned that you had SP3 available.

    Now, assuming this is in Nunavut, which I understand has no direct road link to the rest of the country, you obviously busted a gut to have SP3 available in the first place. This is hugely commendable, considering your experiences with Windows 95. (What date was that again?)

    Here’s the basics of what you do with an XP/SP3 network.

    1. You slipstream SP3 on to an XP installation image. Did you do that?
    2. You pick a “server” (actually a bog-standard PC would do) to distribute this slipstreamed image. Did you do that?
    3. You use the power of the network (for some unaccountable reason, Microsoft has decided to run over TCP/IP and support drivers for small cheap networking thingies) and push the image out. Did you do that?
    4. Since you can’t trust kids not to muck the system up, you have an Admin account and a (several) User account. Did you do that?
    5. You want to protect against malicious port-hunters, so you need to configure the XP firewall. Did you do that?
    6. It isn’t necessary, but with kids it’s probably useful to set up a proxy server for things like adult content. XP makes this easy. Did you do that?

    If you did all that, and you still had problems, then it would make for a boffo article.

    And I know you can do all six of those things, because you’ve done the exact equivalent on Linux.

    Which makes me wonder where the problem is.

  10. bw says:

    ” Lose ’95 was horrible and GNU/Linux was nearly perfect on the same machines…”

    How would you know? You didn’t even use Linux until 2001 per your side bar here. In 1994 when Win95 was released to commercial users, Linux was brand new, there were no apps to speak of, and I don’t think more than 10 people had even heard of it. For your purposes, you would have to compare Linux in 2001 to Win2K, followed quickly by XP.

  11. Quibbly wrote, “Were you so scarred by your unfortunate experiences with Windows 95 that you didn’t even bother to look into the possibilities of running a small school network with Windows XP/SP3? “

    I wasn’t going to wait around a year or more for a budget allocation. The last place I worked did use XP SP1 when I arrived and try as I might, I could not keep out the malware or keep them bootable. End of story. GNU/Linux ran like a Swiss watch in both places.

    Quibbly wrote, “Don’t you find it at least a little peculiar that yours is the only voice in the wilderness, pointing out all these fatal flaws that everybody else somehow misses?”

    For Goodness’ sake, learn to search the web. There are $billions spent every year trying to keep M$’s XP going. Read about the waves of worms, the vulnerabilities found in image files to be handled by XP, file-sharing holes etc. There’s no end to the vulnerabilities in XP because they keep turning up years later. Estimates are that XP shipped with 50K bugs and thousands of vulnerabilities. Only some of those have been fixed.

    Read about the French National Police who switched to GNU/Linux. While licences were a huge saving, they also saved on maintenance:
    “Moving from Microsoft XP to Vista would not have brought us many advantages and Microsoft said it would require training of users,” said Lt. Col. Guimard. “Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games. Games are not our priority.”

    “It has found that open source software is better at handling open standards. Linux has also simplified remote maintenance tasks.”

    Well, teaching in one classroom and managing PCs in other locked classrooms is a remote management task so I had the same experience as those guys. I am not a loose cannon of IT.

  12. Quibbly wrote, “(December 31st 2002, if you’re interested) would have been a big mistake. That’s roughly the timescale you were talking about, isn’t it?”

    No. My encounter with Lose ’95 was in the fall of 2000. I found ten cartons of PCs in the computer lab. They had arrived the previous year and no one had even bothered to open them. Out of 10 machines, I was able to get 9 working and I converted 5 to GNU/Linux. The others were distributed in several other classrooms. They were supplied by Computers for Schools and shipped by barge to the Arctic, probably from Montreal. The HP machines were solid. With GNU/Linux there was no real problem except storage. The drives were 700-800 MB if I recall correctly. With our low-speed Internet that really didn’t matter. We used them for word-processing and browsing mostly. CPU was Pentium Pro…

  13. Quibbly says:

    I think we can all agree here, Mr Pogson. Using Windows 95 after EOL (December 31st 2002, if you’re interested) would have been a big mistake. That’s roughly the timescale you were talking about, isn’t it? You were left in a difficult position and at the very least deserve to be commended for lateral thinking.

    However, your more typical complaints revolve around Windows XP, which is an entirely different OS. I believe you were even talking about SP3 recently, which some would consider an acceptable PC platform even today.

    Were you so scarred by your unfortunate experiences with Windows 95 that you didn’t even bother to look into the possibilities of running a small school network with Windows XP/SP3? It’s quite a simple matter, I assure you. But you don’t have to believe me: look around. Hundreds of thousands of schools and schools administrative areas are doing just that.

    Don’t you find it at least a little peculiar that yours is the only voice in the wilderness, pointing out all these fatal flaws that everybody else somehow misses?

    Has Microsoft gotten around to bribing every single school district in North America?

    That would be unconscionable. I think it’s time for another open letter on the issue.

  14. bw wrote, ““Lose ’95 used to crash just with normal use after a few hours …”

    This is the sort of over the top claim that makes much of what else you say subject to interpretation as mere hyperbole.”

    Are you ignoring the fact that Lose ’95 had tons of defects and particularly memory leaks?

    see

    So, don’t revise history. Lose ’95 was horrible and GNU/Linux was nearly perfect on the same machines, HP Vectras with 72MB RAM, supposedly plenty for Lose ’95.

  15. oiaohm says:

    ted
    ==“why is someone with evil intent going to follow Recommended Industry Practise and report to Vendor. The answer is they are not. Are those who will not report to vendor be tempted to show off on Mailing lists and other social forums sharing security flaws yes some of them will.”

    So your position is that Ormandy’s public disclosure of this exploit was malicious?==

    In fact no it was not. Quibbly spots it. Because you have not checked the Exploit Ted you miss it. Just like everyone else.

    Quibbly June 8th, 2013
    –Just to help you out, Mr Oiaohm, I’ll repeat the link to the source code here.

    It breaks, on my Windows 7 machine, forty nine lines of C before the actual exploit. I’d imagine that you can improve on that, given that you know what you’re doing.–

    Quibbly, at least you did look at the real report. Yes, Ormandy’s public disclosure is DOA. The clue is straight in your face if you compare the comment detailing how it is meant to work to the example code provided. They don’t match. So the example cannot work and, as expected, it’s cost Quibbly hours. The example is something that looks approximately right. It does not work on any version of Windows as is. Following the commented information, on the other hand, does lead to some interesting issues.

    “If you had asked Robert Pogson the right question ted I might not have stepped in.”

    –The “right question” being what?–

    Both ted and you asked this.

    The right question is: Should Microsoft be tested for checking on and intercepting reports on the criminal side?

    Does a Google Security Expert have the right to post defective code about a discovered flaw to open mailing lists to see if Microsoft is monitoring?

    In this case Microsoft failed the test. The fact that the sample code is DOA in itself shows a lack of hostile intent. The question is what he was really looking for.

  16. bw says:

    “Lose ’95 used to crash just with normal use after a few hours …”

    This is the sort of over the top claim that makes much of what else you say subject to interpretation as mere hyperbole. Windows 95 was not the best PC OS ever produced, that title goes to Windows 8 today and will likely be eclipsed itself in the future. But it was head and shoulders above the predecessor Win 3.1 and MSDOS combo and was hailed as a great leap forward by just about everyone. Linux was still in the starting chute back then, too. Compare Win95 to Linux in 1994 and you have no contest in anyone’s terms for beneficial and easy use. The dragon that Win95 slayed was OS/2.

    I remember being thrilled with Win95 precisely because it did not crash with the new 32 bit apps. I don’t remember any problems at all myself, but I would be sure that they were associated with the Win16API and involved older application programs that did not follow the new technology guidelines.

    Your side bar states that you started using Linux in 2001 which would mean that you tolerated whatever was nettling you for some six or seven years and that you ignored the release of Win98 and Win2K as well, either of which would likely have fixed your broken wagon, Win2K for sure.

  17. matchrocket says:

    Ted wrote: “The position is that you switched to Linux because you were *incompetent* at administering Windows computers.”

    “The position”? Whose position? What position? Where the hell did you learn to write like that? You are trying to personify a word. Why? What are you trying to hide, Ted? Squirm, Ted, that’s what you’re good at. Let’s see it.

  18. Ted wrote, “The position is that you switched to Linux because you were *incompetent* at administering Windows computers.”

    I was a teacher in the Arctic using Lose ’95. It’s supposed to work “out of the box” isn’t it? What competence is required to point and click? Lose ’95 used to crash just with normal use after a few hours of normal use with very little happening, perhaps only a web browser or word-processor running. It wouldn’t stay running for any of my students either on five different PCs. The OS was installed by the supplier, not me. I, as an incompetent, was able to install GNU/Linux, configure X, and with no other effort had those same machines “working out of the box” for months. The incompetence was M$’s.

  19. Ted says:

    “Ted, imagining that I am irrational and switched to GNU/Linux for no good reason all the while arguing that there are no good reasons to use GNU/Linux, wrote, “if they ever did in the first place.””

    Pogson wrote; “I am irrational and switched to GNU/Linux for no good reason [..] there are no good reasons to use GNU/Linux”

    Sauce for the goose, Pogson. I can quote out of context and selectively quote too.

    “imagining that I am irrational”

    The only thing “irrational” is your all-consuming hatred of Microsoft. The position is that you switched to Linux because you were *incompetent* at administering Windows computers.

    “while arguing that there are no good reasons to use GNU/Linux”

    I said or argued no such thing. The closest I have come to this is saying there are no compelling reasons for gamers to switch to Linux for Steam.

    “I switched to GNU/Linux out of necessity to escape Lose ’95. It wasn’t until then that I grew to hate M$.”

    You “grew” to hate the company that created a product after you stopped using that product?? I once drove a hired car and did not enjoy it – I did not grow to hate Toyota.

    “transparency, DRM and other crap”

    Well there’s a veritable shopping list of fatal flaws, right enough. Window transparency (I suppose Compiz/Kwin does not feature in your computer? I thought transparent terminals were all the rage amongst you CLI types?) DRM (That other people want to play back media is of no importance to you, obviously) and unspecified “other crap”. I suppose your usual tired litany of “EULA, malware, re-re-reboots (do you describe APT-GET as “up-up-updating”?), BSODs” and the rest cannot be far away.

    Now, is there any chance I can have an answer to my question? Or are you deliberately avoiding it?

  20. Ted says:

    “why is someone with evil intent going to follow Recommended Industry Practise and report to Vendor. The answer is they are not. Will those who will not report to vendor be tempted to show off on Mailing lists and other social forums sharing security flaws? Yes, some of them will.”

    So your position is that Ormandy’s public disclosure of this exploit was malicious?

    “Ted sorry your request itself contained a lie.”

    Where, exactly?

    I posited a hypothetical situation. I asked for Pogson’s reaction to that situation. Nothing in there comes close to “lie”.

    “If you had asked Robert Pogson the right question ted I might not have stepped in.”

    The “right question” being what? One he can look good answering? And Pogson’s a grown-up – he does not need you to step in and try to field my questions. Unless you feel that he’s too stupid to answer a fairly simple question.

  21. TEG wrote, “Pogson, on the other hand, concluded that, since he had forty machines to put back into service, the proper way to deal with the situation would be to Ghost the machine that looked the least broken and apply the image to the rest 39 of them.”

    With no installation media, that’s the best anyone can do. What do you suggest, invoke magic?

  22. Quibbly says:

    Just to help you out, Mr Oiaohm, I’ll repeat the link to the source code here.

    It breaks, on my Windows 7 machine, forty nine lines of C before the actual exploit. I’d imagine that you can improve on that, given that you know what you’re doing.

    I’m still reserving the right to talk about the actual exploit (if indeed it exists), but here’s an interesting little quote from the comments:

    We’re somewhat limited with what we can do, as we don’t control what’s written, it’s always a pointer to a PATHRECORD object. We can clobber a function pointer, but the problem is making it point somewhere useful.

    No, wait, that’s not the interesting quote I meant. Although it is quite interesting. This is the one I meant:

    Windows NT/2K/XP/2K3/VISTA/2K8/7/8 exploit.

    Well, it clearly doesn’t work on Windows 7. I imagine they must have started with the more esoteric versions of Windows, worked upwards, and run out of time before they got to the one that 60% of people worldwide use.

    An understandable lack of resources there.

  23. Quibbly says:

    Ted exactly why is someone with evil intent going to follow Recommended Industry Practise and report to Vendor. The answer is they are not. Will those who will not report to vendor be tempted to show off on Mailing lists and other social forums sharing security flaws? Yes, some of them will.

    Don’t you think that’s rather the point? Ormandy is a malicious little prick, or, in your words, has “evil intent.” Have we both missed something here?

    Ted sorry your request itself contained a lie.

    Well, there’s a difference between lies, misconceptions, misguided thoughts, and uninformed opinion. For what it’s worth, I don’t think Ted is guilty of any of the four. You, on the other hand …

    If you had asked Robert Pogson the right question ted I might not have stepped in.

    Which “right question” would that be, Mr Oiaohm? And how do you define a “wrong question?”

    Instead Ted you want to make out that it is against industry. Microsoft and other Vendors don’t want to have to put in the resources to monitor many of the common hang outs of those who create exploits.

    Thus explaining, in a pithy way, why Microsoft acts with the FBI to take down servers that host botnets. One example of this happened just last week.

    Not that it’s important. Ormandy published an “exploit” before giving the vendor (and I honestly don’t care who the vendor is. If it was Canonical, I would still be outraged) a chance to fix it.

    What’s more, and with only a small amount of help from somebody who can actually program, he published the code for the exploit.

    Now, Mr Oiaohm. You are clearly a man who can program his way around the outback. You are a resourceful chap. I understand you are even a Microsoft OEM or something.

    Would you care to compile said code (I’ve provided a link) and explain why it doesn’t do what Ormandy says it does?

    Not that I suspect him of barefaced lying just to get publicity, of course. I’m sure I have it wrong, and it actually works.

    So, Mr Oiaohm. Prove it.

  24. TEG says:

    “To make a golden machine in that situation, I hunted for a little-used PC that appeared to have no malware and actually worked properly”

    Here is Sysadmin 101 for anyone caring to learn:

    You had forty machines in front of you.

    You had no idea what the last guy had done to them.

    You knew at that very moment half of the machines were bungled in some serious ways.

    Anyone with reasonable intellect would come to the conclusion that, since there was no way to find out what the last guy did deliberately/unintentionally to all forty of those machines, and since you would be the one taking the blame if anything went wrong after you had rolled them out, the only reasonable move would be to build an image from scratch and put it on every single one of the forty machines.

    Pogson, on the other hand, concluded that, since he had forty machines to put back into service, the proper way to deal with the situation would be to Ghost the machine that looked the least broken and apply the image to the rest 39 of them.

    I’ll let the readers figure out the fatal flaw in Pogson’s logic and/or approach.

  25. Ted, imagining that I am irrational and switched to GNU/Linux for no good reason all the while arguing that there are no good reasons to use GNU/Linux, wrote, “if they ever did in the first place.”

    I cared nothing at all about M$ until I switched to GNU/Linux out of necessity to escape Lose ’95. It wasn’t until then that I grew to hate M$. The same people who made that crap are still running M$ and I did use Vista and knew it was crap too. I have used “7” briefly but certainly had no use for transparency, DRM and other crap it carried.

  26. oiaohm says:

    –@oiaohm.
    I did not ask you. And you did not answer either.–

    Sorry Ted, there is a difference between Recommended Industry Practice and Performed Industry Practice.

    Accepted Recommended Industry Practice is to report to the vendor.

    The reality of Performed Industry Practise is that less than 20 percent will be reported that way.

    Ted exactly why is someone with evil intent going to follow Recommended Industry Practise and report to Vendor. The answer is they are not. Will those who will not report to vendor be tempted to show off on Mailing lists and other social forums sharing security flaws? Yes, some of them will.

    Ted sorry your request itself contained a lie.

    If you had asked Robert Pogson the right question ted I might not have stepped in.

    Instead Ted you want to make out that it is against industry. Microsoft and other Vendors don’t want to have to put in the resources to monitor many of the common hang outs of those who create exploits.

    In reality, testing whether Microsoft and others are monitoring the common forums, and kicking sand in their faces when they turn out not to be, is a good thing.

    Yes, where the Google guy posted Microsoft should have been monitoring. Not for the Google guy’s post but for the other evils out there.

  27. Ted says:

    @oiaohm.

    I did not ask you. And you did not answer either.

  28. Ted says:

    “Why are you picky about software faults that happened more than a decade ago? ”

    Because *YOU* keep banging on and on about them as an excuse to bash *current* Windows systems, where they no longer apply, and that’s if they ever did in the first place.

  29. oiaohm says:

    –I asked for *your reaction*.

    [Someone] finds exploit in Linux. They then post details of the exploit and code without following the accepted industry practice of notifying vendor first.

    How would you feel towards this person in this scenario?–

    It’s status F normal. Lots of security flaw fixes done to the Linux kernel and software on it are found by watching those mailing lists.

    “Accepted industry practice” is kind of a lie when 80 percent of reported defects are not reported to vendor first.

  30. TEG wrote, “If you want people to be convinced that you actually know something, then show them you do by telling them what you understand, not by waving around silly “credentials” that you can’t even get an admin gig with in any organisation worth a darn.”

    Go away. Why do you bother us with your drivel? Why are you picky about software faults that happened more than a decade ago? I think that PC was bought around 1992.

  31. TEG, needing to learn some sysadmin 101 stuff, wrote, “What the heck is a “golden” machine?”.

    To make a golden machine in that situation, I hunted for a little-used PC that appeared to have no malware and actually worked properly. I found one that was XP SP1 with very little software installed. I removed a few things I did not need like .NET and added Sophos anti-virus, and updated to XP SP3 and later. I converted the file-system from FAT to NTFS. I installed LibreOffice and Google Chrome browser. Having verified that everything worked properly, I made a backup with CloneZilla. I had to do that for several different types of PC in the building. That was a lot of work but I was able to dump that onto any PC that wouldn’t work and get it to run and authenticate after entering the silly code.

    After all that work I still had machines needing re-imaging about every week out of 40 working machines. When I arrived there were only 20 working machines. I eventually got fed up and installed GNU/Linux on all but a few and everything worked. I no longer needed backups of the OS because I had a local repository. We added two more batches of 20 machines and 12 new machines on which we installed GNU/Linux ASAP. With ~90 machines running GNU/Linux I had no more problems with software. QED.

    I did make notes which I kept in a MySQL database but I have no copy here. I am not going to bother my former employer to please you. The effort needed to maintain a much larger system went from hours every week to minutes.

    The A-V used was Sophos. We had it turned up to checksum every executable and still malware got through to XP. With the checksumming updates became a bigger task because every update required the checksum-list to be updated. I was sick of Sophos as much as I was sick of M$ and its poor excuse for an OS.

  32. Ted says:

    “I am behind a rigorous firewall on the router. I doubt any particular vulnerability in Linux would bring me down promptly. I expect Linus would fix it soon enough if it had any impact. ”

    You do not answer my question. I did not ask for what effect it would have on your computer, or the impact on the Linux kernel team.

    I asked for *your reaction*.

    [Someone] finds exploit in Linux. They then post details of the exploit and code without following the accepted industry practice of notifying vendor first.

    How would you feel towards this person in this scenario?

  33. Ted wrote, “What would your reaction be if a Microsoft researcher found a Linux exploit and released it to the world without informing Linus or the kernel team first?”

    I am behind a rigorous firewall on the router. I doubt any particular vulnerability in Linux would bring me down promptly. I expect Linus would fix it soon enough if it had any impact. Linus would probably say something like “FU, M$!”, but I don’t think it would bother me much.

  34. TEG says:

    “I installed the AV on the “golden” machine and made a backup.”

    What the heck is a “golden” machine?

    Also, care to name the AV you used?

    “I did not keep written records”

    It’s always nice to hear someone taking an administrator position not documenting anything he has done, isn’t it?

    “Every week I needed to re-image an XP machine with just 40 running.”

    One thing for certain is that the majority of enterprise Windows set-ups do not employ or require such ritualistic re-imaging. Since you are the odd one who somehow needs to perform this peculiar exercise weekly, by intuition one can only conclude that you are the cause of the problem, not the operating system.

    Kind of reminds me of this comic panel from The Oatmeal.

    “Like the PCs that picked up hundreds of infections despite having a checksumming anti-malware package? Like the PC that took five minutes to respond to a click? Half the machines were not working at my last school before I arrived.”

    Signature-based AV is useless without current signatures, and by your admission:

    “I found PCs with expired anti-malware software and when I installed a new professional copy recommended for schools we got the counts, lists etc.” (emphasis mine)

    So, in a nutshell, you were put in charge of a set of machines that had already been neglected, abused and quite likely misconfigured in several dozen different ways, but nonetheless you felt it was fair to put the blame on the OS rather than the slob that couldn’t even be bothered to configure the periodic updates properly? Guess what, IT workers are not created equal – and that applies to you as well.

    “Yep. I had one game I like to play, Comanche… That PC died and my next used GNU/Linux. It’s interesting that old PC would play Comanche all day long but would crash/freeze frequently with many desktop operations. I used to cross my fingers when saving a file or printing…”

    Haven’t you learned to be more specific? A general protection fault is a crash. An unhandled exception is a crash. A hardware failure is a crash. A botched address hack between 16-bit and 32-bit code can result in a freeze. A misconfigured/buggy XMM/EMM can result in a freeze. A badly written piece of software (particularly under non-preemptive scheduling) can result in a freeze. If you want people to be convinced that you actually know something, then show them you do by telling them what you understand, not by waving around silly “credentials” that you can’t even get an admin gig with in any organisation worth a darn.

  35. Ted says:

    @Pogson

    A hypothetical…

    What would your reaction be if a Microsoft researcher found a Linux exploit and released it to the world without informing Linus or the kernel team first?

  36. oe says:

    “backwater schools”… what’s with all the drive-by ad hominem attacks… Pogson must be getting close to the truth here.

  37. Quibbly says:

    Oops, I didn’t include a link to the original code. How remiss of me. Here it is.

    Share and enjoy!

  38. Quibbly says:

    I have to thank you for a couple of hours of fun open-source examination, Mr Pogson. Eventually, I tracked down the code for this particular exploit, compiled it, ran it, and tested it.
    That’s the whole point of FLOSS, isn’t it? I haven’t yet redistributed it (although I had to modify it to figure out how it worked), but here we have the Four Freedoms in action.
    Now, I don’t expect tech journalists such as your cite to do this, because — and here they might have a focus on Windows, Apple, Linux or Android/Linux — they’re not really equipped to do so. It would be nice if they had a “program boy” in the back office to help them out, but let’s face it, they’re not up to our rigorous standards. If it looks newsworthy, they’ll publish it without checking it.
    Which is a shame, really, because I’ve just compiled and run this exploit on Windows 7. And the first thing I noticed is that it falls flat on its face with a null pointer exception.
    I’ll save your expert commentators the work of finding out where that exception occurs (they’d probably have to debug Wine first, which is hardly the point). It’s here:

    KernelHandle=LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);

    This returns a null pointer. There’s no checking and it’s nowhere near the alleged “exploit,” but eventually this finely-crafted program falls over.

    My takeaway on this? You cannot really tell whether some anonymous irritant on the Web has found a genuine issue unless you are fairly meticulous. It’s called the Scientific Method. Unless you can replicate it, the basic assumption must be that the issue does not exist.

    There’s probably a bug in my code, and I await with interest the floods of comments from interested parties on this blog.

    In mitigation, the security hole quite possibly exists as advertised. I have my own theories on the importance, or not, of this security hole, but I’ll leave those until somebody explains to me why anybody would get their panties in a twist over something that clearly fails to get anywhere near that security hole.

    All very fascinating stuff, and thank you for bringing it up.

    BTW, if you want me to follow the Four Freedoms to the letter, I’m happy to publish my modified version of the code. It’s just the original, with a bit of logging thrown in.

  39. TEG wrote, “Your ex-regular “Oldman” told me (on that site that you have banned everyone here from mentioning) that you were still using Windows 3.1 in 1999. Great choice, that.”

    Yep. I had one game I like to play, Comanche… That PC died and my next used GNU/Linux. It’s interesting that old PC would play Comanche all day long but would crash/freeze frequently with many desktop operations. I used to cross my fingers when saving a file or printing…

  40. Quibbly wrote, “(Actually, in a school environment, I’d probably just reimage them, but I’m not going to second-guess you here.)”

    That’s exactly what I did. I installed the AV on the “golden” machine and made a backup. There is a possibility that the golden machine had an undetected infection but it’s the best I could do without an installation medium.

    I did not keep written records and I am not going to fly hundreds of miles and re-install that other OS to amuse you.

    Do the maths. Every week I needed to re-image an XP machine with just 40 running. When I installed GNU/Linux, I never had to re-image another machine the rest of the year with 80 machines installed. For a time we had 90 machines but 10 were mine and I brought them home. They all ran GNU/Linux flawlessly from two images (32/64 bits). I needed three images for XP just for 32bits. I never made an image for 64bit Windows because I just wiped those right out of the box. I had installation media for 64bit Windows and did use it on one PC for one silly teacher who wanted less capability. She needed to use GNU/Linux to print on her own printer and to do reports…

  41. bw says:

    “bw, attacking the messenger…”

    That is not attacking the messenger at all. Rather, I am asserting that your experience in schools is not relevant to what business needs are today. Further, you seem to have no experience whatsoever in the application of modern network architectures. I think that is why you have such odd notions on what could possibly replace use of Windows in commercial settings.

    You have no current experience in how Windows works either. Your quaint references to BSOD, malware, “reboots”, login delays, and such are not issues anymore, if they ever were, with Windows users. Consequently, your expectations for buyer behavior are incorrect and your conclusion that Microsoft must be doing something evil behind the scenes to thwart adoption of Linux is misplaced.

  42. bw, attacking the messenger, wrote, “Your experience is obviously very limited in terms of what companies do internally.”

    Many schools still make very little use of IT. Schools in which I had a say actually used servers for more than file-sharing and authentication. I set up multiple databases, web-applications and search engines for instance. Schools often have similar needs for IT as SMB: reporting, correspondence, planning, collaboration, e-mail, in addition to personal computing. With GNU/Linux I not only taught students how to use certain applications but I taught them how to set up whole IT systems right from the router to the server to the clients. I taught networking too.

    The only thing I see in all my reading on diverse parts of the web that is different between businesses and K-12 schools is that businesses do scale up more on seats and size/speed of databases. GNU/Linux is used by many large businesses so scale is not any issue. Google for instance uses mostly GNU/Linux in its own business from desktops to servers.

    So, bw, shut up.

  43. oiaohm wrote, “Every extra hard drive in a business or school network is an extra item to audit in case of infection. So the objective is the least number of hard drives possible.”

    Exactly. In a building there might be 100 hard drives spinning but not being used. A smaller number of drives on a server can be kept fairly busy making that configuration more cost-effective. This has a compounding effect by keeping data off the network and making caching much more efficient. Same goes for RAM. I was often in a lab with 24 GB of RAM being wasted on thick clients. A few GB on a server accomplished so much more and better because of caching.

    With a truly networked OS like GNU/Linux a lab or a school can be treated as a single computer with a multitude of simultaneous users. It’s the right way to do IT. About 10% of computer seats on Earth are run as thin clients so it’s catching on. The smart thingies with web applications can do the same thing for an organization but they still tend to move data over the LAN which does not scale well.

  44. oiaohm says:

    bw, there is a clear difference in the needs of computers for businesses, schools and homes.

    Businesses and schools being more identical improves productivity. Windows activation and other things make Windows less able to be identical and interchangeable.

    bw, Windows 3.11 supported running in a boot-from-network setup. This was highly dependable. Reason: 1 copy of Windows 3.11 hosted read-only on the file server, updated on the file server. Turn off the client machines: perfect reset. Basically flick the main breaker and scan everything coming back in: instant virus control.

    Every extra hard drive in a business or school network is an extra item to audit in case of infection. So the objective is the least number of hard drives possible.

    Please don’t say you can do this with a modern KMS server and Windows 7/8. The last Windows where you could do this is Windows XP Volume SP1. SP2 added network activation checking in updates.

  45. bw says:

    “Nope. Most PCs already had serial ports long before the Internet became popular. That’s all we needed to communicate with a telephone modem.”

    Is that your idea of “networking”? Your experience is obviously very limited in terms of what companies do internally. They do not operate in any way close to whatever apparently happens in native schools in remote areas of Canada.

    “Clearly, being a user of M$’s OS, bw has no sense of the capability of a modern PC.”

    Clearly, with experience limited to the needs of underfunded native schools, you have no sense of the notion of “personal computer”, thinking them to be simply smaller than before or able to be lifted and moved by a single individual or some other definition for “personal” that does not convey ownership and access exclusivity. Unix did not take advantage of such a concept and its cloning in the guise of Linux didn’t either. I think that is where you are being blinded to modern concepts. You focus on centralized execution of software programs in the old server/client architecture and worry about CALs and such when just about everything today uses network services to marshal information that is consumed by client apps on a just in time basis.

  46. TEG says:

    “You have been previously banned here and automatically go to spam. It is for my amusement and extreme humanity that I bother to dig your posts out of the spam bin at all.”

    You mean banned under false pretences? You had no evidence to justify there were any more than human factors (i.e. you, the one primarily responsible for the machines in question) contributing to the alleged “re-re-reboot” or “slowing down”, and, naturally, you took the easy route – silencing the detractors – to avoid going into the details, which you never seem to be able to articulate as demanded even once. This is not to mention the many other individuals that have been banned under these same dubious circumstances.

    Am I supposed to be surprised by that?

    “The whole discussion is about the merits of M$’s OS versus a real OS like GNU/Linux that handled multi-user networking securely from the early days.”

    Which, as I have explained to you, is a subject that you have completely failed to properly comprehend from start to finish. There is no merit in that “whole discussion” just as there is no merit in Linux handling “multi-user networking securely” in numerous contexts (e.g. unkerberised NFS). The debate is over: you have already lost, and no amount of Linux advocate talking points is going to change that.

    “DOS from 1994 or so was severely out-classed by GNU/Linux yet M$ used it for years later.”

    Linux came about in 1991, and it was in no shape or form ready for production use. As bw has already mentioned, any commercial Unix systems worth a damn would set you back several thousand dollars per pop around that time (and that trend persisted throughout the 90s, btw), and NetWare was what reigned supreme in networking. As someone who admittedly only began using Linux since 2001, the least you could do would be to sit up and take notes when grown men do the talking.

    “Malware is essentially another user on a PC.”

    Maybe that’s why I felt so lonely back in the days. 😉

    Again, Zone Alarm – grab it, install it, and Bob’s your uncle. It’s not exactly anyone else’s problem that you didn’t know what even kiddies knew about, was it?

    “That DOS could care less about multi-user meant that Lose ’95 and ’98 shipped with no security whatsoever and the resulting malware with the web growing like a weed meant huge burdens to mankind.”

    Again, did you pay attention to anything that I painstakingly explained to you in the easiest way even you could understand? No?

    “Multi-user OS” has nothing to do with low-level and/or network security. Null, zero, zilch, nada. It’s a wrong-headed approach to a problem that requires a completely different set of strategies. Get it?

    “In fact, the low quality of M$’s OS was what drove me to GNU/Linux”

    Your ex-regular “Oldman” told me (on that site that you have banned everyone here from mentioning) that you were still using Windows 3.1 in 1999. Great choice, that.

    Also, in case your so-called “40 years” of observations fails you, the vast library of 16-bit applications and low system requirements were part of the main reasons that the Chicago line existed. But who cares about backward compatibility and, ahem… “cheap” computers anyway?

  47. Quibbly says:

    Correct me if I’m wrong here.
    At a particular time and place, we’ll call it Reference X for convenience, you were presented with an entire portfolio of PCs running Windows, all of which had an expired anti-virus license. I can certainly sympathise with that. Inheriting an IT mess is all too common.

    Many, most of those PCs were infested.

    Correctly, you got new licenses for the anti-virus programs and did your best to clean them. (Actually, in a school environment, I’d probably just reimage them, but I’m not going to second-guess you here.)

    So, let’s see. You have perfectly good anti-virus software with a perfectly good license. You know it’s perfectly good because it told you the number of viruses.

    … You still haven’t revealed the exact number or an average or anything, but I sympathise with that, too. It was 2003. After ten years, we tend to forget anything but the horrible headline details …
    … And you still haven’t come up with a single name of any of those hundreds of viruses, and I’m slightly less sympathetic here. Surely one of those names seared itself into your memory? I know it would have done mine …

    But perhaps the most interesting question here is why, after getting the anti-virus licensing mess cleaned up, you didn’t just stick with what worked?

    Which was, in this case, Windows.

  48. Quibbly wrote, “I think you should probably have counted them so that you could present an accurate figure.”

    Anti-malware software was used to do the counting. I found PCs with expired anti-malware software and when I installed a new professional copy recommended for schools we got the counts, lists etc. There were even a few cases where simple removal of the malware was not enough to make things work and re-imaging was required. That was my preferred solution because it was quick and put things in a definite state. Managing the anti-malware software became a larger task than managing GNU/Linux, hence the need to migrate. Time spent managing IT was generally time wasted. IT should just work.

  49. Quibbly says:

    That’s a really worryingly large number of viruses, isn’t it? Hundreds, on a single PC! In the interests of scientific accuracy, I think you should probably have counted them so that you could present an accurate figure.

    Not being an expert, I’m not sure how you’d count them. And if there are hundreds, I doubt I would even be able to log on to the machine to count them.

    Did you have a favourite amongst these hundreds of viruses, or were you only able to ascertain their number rather than, say, their names?

  50. Maou Sadao wrote, “the truth is that he couldn’t be bothered to do his job and “downgraded” perfectly fine computers to Linux out of spite.”

    Like the PCs that picked up hundreds of infections despite having a checksumming anti-malware package? Like the PC that took five minutes to respond to a click? Half the machines were not working at my last school before I arrived. I got all but one working by re-imaging. I upgraded those images to XP SP3 from SP1 and enabled auto-update. I had to re-image about one PC per week and I needed several images for the school’s fleet. When I migrated to GNU/Linux I stopped needing to restore OS and two images served the whole fleet, one 32bit and one 64bit. We doubled the number of PCs in that school with GNU/Linux and had no more trouble with PCs. My IT work went from hours per week to minutes.

  51. Maou Sadao says:

    It’s a well-known fact that Mr. Pogson’s knowledge of Windows is superficial. He still wants to convince us that Windows XP at his precious backwater schools made him nearly go insane, but the truth is that he couldn’t be bothered to do his job and “downgraded” perfectly fine computers to Linux out of spite.

  52. Quibbly says:

    I’m still looking forward to your identification of a “favourite” Windows virus, Mr Pogson, but I’m glad to see that you’ve come clean and admitted that you have no personal experience of such things since 2003. Presumably, then, for the lifetime of this blog, you have been relying entirely on anecdotal evidence from other people.

    Ten years seems quite a long time to base a central plank of your existence on pure hearsay, don’t you think?

    Anyway, failing a “favourite,” I’d be interested to know which virus caused your employers and yourself such problems back in 2003. It seems to have made quite an impression on you, one way or the other, so I assume you can remember its name?

  53. TEG whined: “I find it interesting that you simply will not allow my comments to show up here directly.”

    You have been previously banned here and automatically go to spam. It is for my amusement and extreme humanity that I bother to dig your posts out of the spam bin at all.

    “1 min ago – admin changed the comment status to approved
    8 mins ago – admin reported this comment as not spam
    3 hours ago – Blacklisted because the email matched ‘…’
    3 hours ago – Comment was caught by wp_blacklist_check
    3 hours ago – Akismet cleared this comment”

    TEG wrote, “what does DOS being a single-user system have to do with anything in this context? “

    The whole discussion is about the merits of M$’s OS versus a real OS like GNU/Linux that handled multi-user networking securely from the early days. DOS from 1994 or so was severely out-classed by GNU/Linux yet M$ used it for years later. Malware is essentially another user on a PC. That DOS could care less about multi-user meant that Lose ’95 and ’98 shipped with no security whatsoever and the resulting malware with the web growing like a weed meant huge burdens to mankind. In fact, the low quality of M$’s OS was what drove me to GNU/Linux, not the freedom or flexibility which I came to appreciate shortly.

  54. bw, revising history, wrote, “Networking of PCs at that time was generally along the lines of file sharing between workstations and a central repository and required fairly expensive adapter interfaces and fairly obtrusive wiring for coax runs.”

    Nope. Most PCs already had serial ports long before the Internet became popular. That’s all we needed to communicate with a telephone modem.

    Demonstrating supreme ignorance, bw wrote, “Even today the name of the game is “Personal Computer” and multi-user operation is unnecessary for sharing a computer among numerous users.”

    Clearly, being a user of M$’s OS, bw has no sense of the capability of a modern PC. Even with a stock PC, I can run a dozen users simultaneously using GNU/Linux while one complains of sluggish performance from that other OS. Such configurations are commonplace in schools where space is at a premium and per-seat cost is very important. Security may or may not be very important in schools but school administrators like grades and correspondence and private information about students and staff to remain private. There is a need for a proper OS in schools. Windows is not it.

  55. TEG says:

    Again, I find it interesting that you simply will not allow my comments to show up here directly. You do realise that whether or not you get my comments out of the spam filter, they are all going to stay on pastebin, right?

    So, forget about pulling a Dietrich Schmitz on me – if that’s what you have in mind.

    “Uh, networking certainly was a necessary part of IT when Lose 3.1 came out but it was an afterthought.”

    Is “uh” the sound one emits when he’s frantically looking up Wikipedia for an answer?

    I don’t know about you, but I found this just by casually typing “ms-dos networking” into Google Search. Maybe you should try that some time.

    “Once networking became commonplace, the OS had to be multi-user to have any kind of security and DOS was single-user.”

    Again, what does DOS being a single-user system have to do with anything in this context? A computer used and managed by one person is a single-user system. Period. Whether there is any benefit in having a multi-user OS in this context is completely moot since, regardless of the technical competence of this one person the system has to cater to, it has to give him/her full administrative privileges in one way or another.

    If you can find a way around that, by all means tell me how.

    “There are some things that can be done reasonably safely by a single-user OS like a slice of FTP, say, but file-sharing and the like require processes which can multi-task and maintain some semblance of safety.”

    Maybe you didn’t pay attention to my link on NFS? What you should understand from NFS is that the OS being multi-user has fundamentally no relevance to whether there is any form of identity verification to establish the credentials of a client. Instead, one should focus on whether there is any verification process taking place between the server and the client prior to the client being allowed to access any object on the server. Your insistence on “multi-user OS” being pertinent to this discussion is a clear indication that you don’t even have the slightest comprehension of common network authentication protocols (e.g. Kerberos) to begin with.

    And let’s not mention such irrelevancy as “multi-tasking” (which the Chicago Windows line does anyway): it’s so dumb it literally hurts.

    “You don’t want Bad Guy over there overwriting an executable here…”

    It seems that Deputy Pogson is hopelessly confused about proper security on client-server architectures.

    Credentials, along with what your client is actually allowed to do to an object (i.e. “capabilities”), are supposed to be established before you allow the client to access anything on the server. Then you verify that, for each request, the client is permitted to use a given object in the way it asks (e.g. “write to program.exe”) at the protocol level. No “multi-user OS” is necessary in this context.

    Of course, all this is very academic, but one must ask him/herself two questions:

    1) Who in the right mind would use Windows 95, a clearly non-server OS, as a “serious” file server, even back in the 90s (notwithstanding that it allowed you to create read-only shares anyway)?
    2) What is with all this nonsense about MS-DOS and the Chicago Windows line, which hardly anyone uses anymore (I have been a user of NT since the mid-90s, by the way)?

  56. TEG says:

    “Translation: I don’t have any strong argument so I will try to discredit the messenger.”

    Again, way to sidestep the original question. Or is it that your supposed credential does not even cover proper reading comprehension?
    Let me repeat the same question for you, once again:

    ‘Which one was your “favourite” huge vulnerability?’

    Instead of answering the question at all, you chose to (again) go the “king of the North Pole” route and tell people everything that is irrelevant and brandish some shaky credentials in the hope that people will never notice what you have said is just a load of sweet nothing. As far as being a “messenger” goes, you sure lack in the delivery just like every poseur that has walked the earth.

    Typical.

  57. bw says:

    “Uh, networking certainly was a necessary part of IT when Lose 3.1 came out but it was an afterthought.”

    I don’t agree with that at all. Networking of PCs at that time was generally along the lines of file sharing between workstations and a central repository and required fairly expensive adapter interfaces and fairly obtrusive wiring for coax runs. I remember it fairly well since I was selling stuff for factory automation and those components were a big ticket item for system quotes. Most companies insisted on Novell Netware or else Sun Microsystems products for those installations. Windows For Workgroups spurred some real competition with Novell who started fire-selling their peer-to-peer stuff and even threw in a DR-DOS at some point. I remember spending a good amount of time refereeing a debate with the engineers as to DR-DOS with Netware and Win3.1 or MSDOS and WFW3.11, the former being a little less expensive. We went with Microsoft on the idea that Novell was going to be a loser in the long run.

    “Lose ’95 still relied on DOS in a world full of networking. What’s with that? Meanwhile UNIX OS had decent networking since ~1980, a decade or more earlier.”

    Only in the minds of grumpy nerds. Win95 was a complete package and did not require DOS to run. Architecturally, perhaps, you could point to low level elements that were essentially identical to elements of MSDOS and those that were comparable to Windows 3.x, but from a product point of view, which is what was being sold to consumers, it was a single, self-contained product and how the gear heads thought about it was not very important to business.

    The only Unix that had any viability in systems use in that era was SCO UnixWare and that was a costly piece of goods. A typical station cost close to $3000 and required a pretty maxed out PS/2 to run it. OS/2 was less expensive then, about $1999 as I remember, but no one wanted to work with it on our staff. None of this stuff was consumer grade like Win95, though, and no one ever tried to sell it to home users.

    “Once networking became commonplace, the OS had to be multi-user to have any kind of security and DOS was single-user. There are some things that can be done reasonably safely by a single-user OS like a slice of FTP, say, but file-sharing and the like require processes which can multi-task and maintain some semblance of safety. e.g. You don’t want Bad Guy over there overwriting an executable here”

    Multi-user has nothing to do with security other than increasing the difficulty of it. Multi-tasking is the only element that pertains here and Win95 was the ticket that started things working. Win2000 started the modern era. Even today the name of the game is “Personal Computer” and multi-user operation is unnecessary for sharing a computer among numerous users. Most people have more than one, particularly if you want to call phones and tablets PCs as you are wont to do.

  58. TEG wrote, “Which is what? A short walk away from the North Pole? It’s hard enough to imagine that a place made out of mostly islands could have any sort of stable electricity supply, let alone computers.”

    Translation: I don’t have any strong argument so I will try to discredit the messenger.

    The point stands that M$’s OS which is supposed to be easy to use suddenly requires experts to run in schools. What’s with that? If I am an amateur, how come I can convert a whole school over a weekend and never have any problems thereafter? apt-get update;apt-get upgrade really does the work or at least exploits the work of Debian and all the upstream developers. That’s reason enough for a school to prefer GNU/Linux and the absence of malware and re-re-reboots and slowing down are there as well.

  59. TEG says:

    “I worked in Nunavut twice.”

    Which is what? A short walk away from the North Pole? It’s hard enough to imagine that a place made out of mostly islands could have any sort of stable electricity supply, let alone computers.

    What you claim, as far as I can see, is effectively the same as being the king of a nation of one person: the reason you got the job at all was not because you were qualified to do it but because literally no one else wanted to even consider it or was there to take care of it.

    It’s a shaky credential you are claiming here, I am afraid.

    “Between the two stints a wave of malware was wreaking havoc so my employer disconnected from the Internet.”

    Which should be expected from organisations that have no proper security policies, no regular auditing, no knowledge of any such things as Zone Alarm or Comodo Firewall (which have been around free-of-charge since the 90s/early-00s) and hire handymen for positions that are meant for trained personnel with relevant qualifications (and at least mentally capable of handling checkboxes in the adapter dialogue box).

    “That’s huge.”

    I don’t mind an occasional story or two about someone’s adventure in the land of the Inuit (although I do find the subtle abuse of an indigenous population a little too offensive for my taste), but this is not what Quibbly is asking from you here. The question being asked here is, in his/her own words:

    Which one was your “favourite” huge vulnerability?

    In other words, you are requested to point out a specific vulnerability that is considered your “favourite”, not regurgitate email about some employee accidentally spreading “ILOVEYOU” over a school computer network because he/she was desperate enough to believe there was a living human being (let alone a secret admirer) sharing the same frozen rock in the Arctic Ocean he/she was standing on.

  60. bw wrote, “MSDOS was very much appropriate to the needs of the IBM PC when it originally shipped and versions of MSDOS and Windows have kept pace with users for 30 years as capabilities and needs have continuously evolved.”

    Uh, networking certainly was a necessary part of IT when Lose 3.1 came out but it was an afterthought. Lose ’95 still relied on DOS in a world full of networking. What’s with that? Meanwhile UNIX OS had decent networking since ~1980, a decade or more earlier. Once networking became commonplace, the OS had to be multi-user to have any kind of security and DOS was single-user. There are some things that can be done reasonably safely by a single-user OS like a slice of FTP, say, but file-sharing and the like require processes which can multi-task and maintain some semblance of safety. e.g. You don’t want Bad Guy over there overwriting an executable here…

  61. Quibbly wrote, “when is the last time you have had personal knowledge of a “huge vulnerability” on a Windows OS”

    I worked in Nunavut twice. Between the two stints a wave of malware was wreaking havoc so my employer disconnected from the Internet. That’s huge. I believe it was 2003. I read it in the e-mail archives on my second stint.

    If you think that’s not huge, compare it to an army at war with rifles that exploded with regularity. That would be very bad for morale.

  62. Quibbly says:

    Mr Pogson, you’re always an interesting one for a challenge, aren’t you?
    There have been so many huge vulnerabilities in Windows that it’s hard to pick one that’s worse than the others.

    That’s a darned fine parlour game, and I think your regulars should be encouraged to jump right in.
    Which one was your “favourite” huge vulnerability? (By “favourite” I’m obviously asking for the one you found most outrageous/notable/humorous; not actually the one you’d like to contract on your own PC. Although feel free to share on that, too.)
    And, as a bonus question, when is the last time you have had personal knowledge of a “huge vulnerability” on a Windows OS?
    Warning: check between the keyboard and the chair before you tackle the bonus question.

  63. bw says:

    “No, that’s not correct. An OS designed from the start to be a multi-user/multi-tasking OS will have huge advantages over an OS designed as a single-user OS for 8 bit computers.”

    No that is not correct. Any OS that is so woefully mismatched to its task like trying to use unix on a 1980s era PC would garner less attention than even Linux does today. MSDOS was very much appropriate to the needs of the IBM PC when it originally shipped and versions of MSDOS and Windows have kept pace with users for 30 years as capabilities and needs have continuously evolved. Smug pronunciations about what might be appropriate for a personal computing device notwithstanding, the continued success of Microsoft operating system software in the PC world is overwhelming proof of its harmonious fit with personal computing.

  64. TEG says:

    “Yes there is Full Disclosure Security Mailing directly meets the requirements.”

    Full Disclosure is run by some guy in the UK and has fundamentally nothing to do with NSA.

    “A copy is forwards to the NSA. Sending a report to Microsoft may not see copy forwarded as required.”

    It seems that someone doesn’t even know how cc and bcc work, let alone the NSA.

    “Yes the rules don’t even say you have to directly send it to the NSA. Sending to an approved mailing list is enough”

    Even if NSA gave a toss about the issue (they didn’t), what would they do about it?

    And what on earth would they do about places that are outside of their jurisdiction (i.e. almost the entire world)?

    It seems that someone is just tossing around three-letter names just to sound knowledgeable.

    “Quibbly basically the biggest security flaw with computer software has nothing to do with software. The reporting system rules are horribly ineffective and cause more trouble than they are worth.”

    “Ormandy this is what deregulation gives us.”

    The whole saga has nothing to do with de/regulation (whichever side you are on).

    It is about a brash, young hacker with overt prejudice against a company (which presumably also explained his claimed unpleasant experiences with MSRC in the past) decided to disclose something that a responsible security researcher should only share with trusted individuals over channels inaccessible to the public.

    And that excludes GitHub, public mailing lists etc., which Ormandy gleefully employed.

  65. TEG says:

    First off, if you are so eager to have a discussion with me, then do away with the spam filter/moderation nonsense that you put on every single one of my recent comments. It simply reeks you want to cut yourself loose when things don’t swing your way.

    “An OS designed from the start to be a multi-user/multi-tasking OS will have huge advantages over an OS designed as a single-user OS for 8 bit computers.”

    1) What gives you the impression that the kernel was designed for a single-user OS for an 8-bit computer or developed on an 8-bit computer or even an x86 machine for that matter? In fact, let me rephrase that: what evidence do you have to support this assertion other than your sheer imagination?

    2) What makes you think the 12-bit PDP-8 (rather than the GE system slated for the MULTICS project) used by Ken Thompson et al. could in any way support the implementation of a proper multi-user system at all?

    3) What causes you to believe that high-level access control is a proper way to defend against low-level vulnerabilities used in most, if not all, local and remote exploits? I can think of at least one reason not to.

    “Each layer adds its own insecurities.”

    And here you have missed the entire point of a fundamental software development concept known as “abstraction”. libc.so is a layer above the Linux kernel. Your desktop environment is a layer above libc.so plus sundry other things. Each layer, of course, presents its own vulnerabilities to the entire system. Unless you are advocating the use of barebone systems that hardly allow you to do anything, then I suppose this is nothing more than some rhetoric you have borrowed from a 12-year-old know-it-all on a Linux forum.

    “There have been many vulnerabilities found in SMB”

    Then I implore you not to look at NFS lest you die from a heart attack.

    “M$’s windowing, just opening images”

    I suppose you mean the WMF vulnerability back in 2006.

    I suppose you are also aware that gdi32.dll is more than just part of a “windowing” subsystem, then.

    Of course, xorg is such a fish in a barrel it’s not even worth mentioning… Oh, wait – I just did.

    “I know many users of M$’s OS who are afraid to click on links because they have been infected by doing so often in the past.”

    And I can understand why, perfectly.

    Instead of helping them remove/disable unused/unsafe plugins (e.g. Java, Adobe PDF) and teaching them to understand that saying “yes” to everything from the Internet is like saying “yes” to random strangers, you keep scaring them – as you do here – that their computers will be compromised unless they start wiping their hard drives and join your open-source religion. Of course, this will be minus the benefits of actually knowing secure online practices, evidenced by Linux advocates often casually disclosing their personal information on the Internet.

    But what do I know?

  66. TEG wrote, “Any operating system around long enough will have a long history of serious flaws.”

    No, that’s not correct. An OS designed from the start to be a multi-user/multi-tasking OS will have huge advantages over an OS designed as a single-user OS for 8 bit computers. M$ has always had to justify a new round of licences to users by adding layers to the painted barn. Each layer adds its own insecurities. Windows is/has been/always will be if M$ is managed by salesmen, an insecure mess. There have been so many huge vulnerabilities in Windows that it’s hard to pick one that’s worse than the others. Waves of malware so bad that organizations pulled the plug to continue using the hardware they owned is just a symptom of that. Of course, in FLOSS such nonsense gets short shrift from guys like Linus T. and the fussy guys who create FLOSS.

    There have been many vulnerabilities found in SMB, M$’s windowing, just opening images, for pity’s sake, etc. I know many users of M$’s OS who are afraid to click on links because they have been infected by doing so often in the past. I have never seen any user of GNU/Linux so fearful or lacking confidence in the reliability of the OS. I have never seen any malware in GNU/Linux. I have seen machines sluggish as hell with the burden of malware running that other OS.

  67. oiaohm says:

    Please note not just Microsoft.

    Everyone has basically been asleep at the wheel of security flaw reporting.

  68. oiaohm says:

    –They have protested, oiaohm. Back when Ormandy pulled a similar stunt. It’s even in H-Online’s story, complete with a link. Nobody seems to read anymore.–

    In one case this has been going on for years. Thousands of bugs reported this way. Just because someone from MS’s competition does it, it’s a big stink.

    The reality MS should have been screaming about this for at least the past 15 years.

  69. TEG says:

    “M$ has such a long history of serious flaws in its software that I think, like a jail’s inmate, they have renounced polite society and it is correct to treat them roughly like this.”

    Any operating system around long enough will have a long history of serious flaws. It’s plain silly to think that non-Windows operating systems do not have serious, exploitable vulnerabilities just because you have never heard of them or the media are reluctant to mention them.

    All this is to put aside issues such as “silent patching” that fanatical Linux evangelists such as yourself are unaware of, by the way.

    “As far as sabotaging the world of IT, M$ did that, not the messenger.”

    Really? Care to explain this then.

  70. Maou Sadao says:

    They have protested, oiaohm. Back when Ormandy pulled a similar stunt. It’s even in H-Online’s story, complete with a link. Nobody seems to read anymore.

  71. oiaohm says:

    Quibbly
    “And is there any evidence that Ormandy reported to the NSA first?”

    Yes there is Full Disclosure Security Mailing directly meets the requirements.

    A copy is forwarded to the NSA. Sending a report to Microsoft may not see a copy forwarded as required. This is one of these ugly messes Quibbly.

    Security Circus perfectly matches the current rules for reporting. Yes the rules don’t even say you have to directly send it to the NSA. Sending to an approved mailing list is enough.

    Quibbly basically the biggest security flaw with computer software has nothing to do with software. The reporting system rules are horribly ineffective and cause more trouble than they are worth.

    Ormandy this is what deregulation gives us.

  72. oiaohm says:

    Yes publishing on the Full Disclosure Security Mailing list meets the requirements.

    Ivan most major distributions have someone watching the Full Disclosure Security mailing list and others.

    There is a big problem here that there is no rule requiring reporting to vendor. So vendors are required to invest staff to watch many locations.

    Now if Microsoft does not like this, where have their public protests about it been?

  73. Maou Sadao says:

    Wow. Using the tag works beautifully. Someone needs to learn CSS.

  74. Maou Sadao says:

    I hate the way the oldest comments are now at the bottom of the page.

    That’s Mr. Pogson innovating. It’s on par with Gnome and KDE crapping on users with Gnome 3 and KDE4, then taking years to make them usable again.

  75. gewg_ says:

    I hate the way the oldest comments are now at the bottom of the page.

  76. Quibbly wrote, of actions and employment with Google, “Your thoughts on this?”

    M$ has such a long history of serious flaws in its software that I think, like a jail’s inmate, they have renounced polite society and it is correct to treat them roughly like this. Also, Google should control their employees if they want them to follow certain policies. What this guy does on his own time may or may not concern Google. I noticed Google from time to time is very demanding and then laissez-faire… As far as sabotaging the world of IT, M$ did that, not the messenger. With all the $billions spent by them on R&D, they should be able to do better. They certainly could afford to do away with the registry and all the cruft that presents huge surfaces for attack.

  77. Quibbly says:

    Fascinating, oiaohm.

    And is there any evidence that Ormandy reported to the NSA first?

    I’ve added you to the list of apologists for Mr Ormandy’s incontinence. Mr Pogson or Mr Oiaohm, would you care to explain why you are defending this dangerous maniac?

    And would you still defend him if it was an exploit against anything other than a Microsoft system?

    Doesn’t have to be Linux. Could have been *BSD, iOS, absolutely anything.

    After all, we’re none of us monopolists around here.

  78. oiaohm says:

    Quibbly one of the shocking things is that to technically follow USA law you should not report to the vendor first. You should report to the National Security Agency first. Then that should be forwarded from the National Security Agency to the vendor (that basically does not happen). Technically the 7 days now start from the point it is sent to the National Security Agency.

    Quibbly it’s not only Mr Ormandy. He does the minimum that is required under law in case of a possible system breach. That fairly much screws the vendors because the system is bust. The report to the National Security Agency is secret for so many days.

    Quibbly the mandatory reporting system in the USA is a dangerous little ass, since there is zero requirement to inform vendors.

  79. Quibbly says:

    Since Google’s policy on these things, as plainly stated in your link, Robert, is “responsible disclosure,” I’m waiting for you to roundly criticize Mr Ormandy.

    He [Ormandy] has also been known to take the shortest route when it comes to sharing information on vulnerabilities he has discovered: full disclosure, meaning rapid publication without informing the organisation behind the vulnerable software beforehand.

    What a caring, sharing, individual Mr Ormandy is. And he has to be applauded for sharing with progmboy, because he’s apparently deficient, not just in the moral sense, but also in the programming sense.

    Apparently he had to borrow a hacker to do the dirty work for him.

    Now, what does that tell you?

    Let me explain what it tells me. If this dimwit had done the same to, say, Android/Linux, I’d be up in the air and calling for Google to fire his sorry dangerous little ass.

    Your thoughts on this?

  80. dougman says:

    M$ could just threaten Tavis, and have him charged as a ‘hacker’, instead of doing the right thing and paying the guy for finding the vulnerability.

    Problem solved…

  81. GIMPer Artist wrote, “How the heck are you escalating your privileges, on an artwork, that isn’t your own?”

    I didn’t choose the image. I will check into that.

  82. Ivan wrote about hypocrisy while ignoring that GNU/Linux and the FLOSS community is a vibrant ecosystem while that other OS spawns a fragile monoculture exposing hundreds of millions to the next wave of malware that comes along.

    Having hundreds of distros ensures that there will be dozens of kernel-builds and hundreds of builds of various applications running diversely. In my home there are five different kernels running and I use a single distro.

  83. Ivan says:

    Google security expert Tavis Ormandy has discovered a security vulnerability in Windows which can be exploited by any user on the system to obtain administrator privileges. Rather than reporting the vulnerability to Microsoft, he posted details to the Full Disclosure security mailing list in mid-May and has now published an exploit to the same mailing list.

    It’s not hypocritical at all to complain about this exploit but cheer on one for Microsoft.
