Columnist Tim Mullen from SecurityFocus wrote an interesting editorial about how the media are overreacting to some supposed exploits/holes found on Windows 2k/XP, while in his opinion other platforms/apps are just as vulnerable but don’t get as aggressive reporting: “This kind of thing damages overall security. It clouds the issue, and rains on the wrong parade. The media should give its readers all the information – not slant it in an effort to make Microsoft look like the bad guy every time.”
Hm, sorry, but there have been an uncountable number of design flaws which have even been visible to me, who am a sometimes-sparetime programmer under Windows, so that I can only say: The whole operating system is broken; without extremely detailed administration instructions (or equivalent experiences), every admin will always have an open or at least vulnerable system with Windows.
Wow, I am totally impressed. Finally a person tells the truth, but only the truth.
In the light of the complete failure of legal processes against Microsoft, what other recourse is there? In the failure of law and government the media has always stepped into the breach. It is nothing new. If exaggeration and victimisation makes Microsoft sit up and take notice (and nothing else has) then it is exactly what is required.
Tim Mullen is a known shill for Microsoft. Perhaps he should take his own advice, and just once write something *bad* about them for a change.
One wonders if this were really such a widespread occurrence how long would it be before Microsoft would invent something such as a new free license for ‘eligible’ media organisations.
Why would the media cover security holes in Linux? 95% of their viewers wouldn’t even have any clue what was going on. I mean, a lot of the people I provide support for are barely aware that their operating system is Windows. They are far from having a clue about what version it is. News of a Linux security gets aired and we’ll hear the sound of millions of channel clickers changing the channel at once.
Excuse me, but the MS legal problems have nothing to do with the security overreactions we see from the Media these days. It is uncalled for and dishonest to kick that company any way you can, in any department you can, just because another department of the company did something you don’t agree with.
Most people just don’t think straight, we are talking about 40,000 employees here, working on different things and yet, they get beaten up because people don’t like some things that others may or may not have done. In fact, you are becoming worse and more unethical than MS by reporting in such ways.
Media doesn’t hurt Microsoft, media hurts users, us. Up until I realized that some idiots in the media are actually making up stories, I always trusted them, and this caused lots of problems. For example, I delayed my upgrade to IE6 because CNet reported that it will not support Java. It turned out that it was a lie. Cnet discouraged people from upgrading to IE6, and this causes lots of problems in the whole industry. If you are a web designer for example, now you have to think about IE5 users too. So overall Cnet or similar media companies do not really hurt Microsoft, and I don’t think their goal is to hurt Microsoft. Their goal is to make money, and the only way to make money is to report news that attracts attention. Cnet for example lists Microsoft related bullshit news always on the front page. Because it turns out that people read those news, even I read them because I want to know what this bullshit is all about. Nowadays it is a little boring though.
So some fools think that it is all about fighting against an evil company, whereas in fact it is all about bullshitting to make profit.
Didn’t OSnews link to one of these beat up stories not long ago?
>Excuse me, but the MS legal problems have nothing to do with the security overreactions we see from the Media these days. It is uncalled for and dishonest to kick that company any way you can, in any department you can, just because another department of the company did something you don’t agree with.
There is no hypocrisy here. I have _nothing_ against MS. In fact, I enjoy WinXP PRO, but my relationship ends there. I don’t use any other products from MS except of what comes with WinXP (I have bought the MS Office X for MacOSX though, but not for Windows).
When it was not clear that the Win2k CD boot was pretty much a hoax “hole”, we did report on it. I am no security expert, nor do I want to be one. I am behind a FreeBSD firewall here, so I don’t care that much about all these things. However, when something is really big and gets a lot of attention, we do report on it, even if we agree or not. It is normal to think that something gets so much attention because it is something important. Well, later we found out that was all a big bubble.
What I was trying to say is that I see many sites (which I won’t name here, as I have friends being in their editorial team) making a big hupla-hupla in every instance about any supposed Windows/IE/OE “severe” holes, and when there are Linux or OSX holes published, they make small “silent” news posts. THAT is hypocrisy my friend.
I don’t know…
But unless someone is exaggerating things, they are fetching loads of information from your machine (just saw at Slashdot).
Of course, not everything on the net is true.
Are they bad? Who am I to judge?
But I don’t want to be seen in their company.
Maybe Darius wants.
You mean like SlashDot?
That’s why people for logical reasons expect a working system without backdoors or bugs!
That’s at least my opinion!
If I don’t wanna pay I use BSD’s or Linuxs or <PUT HERE SOMETHING IN> and must always keep in mind this OS could have a bug, because some programmers have done some work in their free time for it…
I know about the commercial OpenSource OS too, but this does not count since I do not have to buy them most of time but can download the ISO’s…
And Windows before 2k was a BUG, so media keep their eyes on it until MS get it managed to release some Windows without a *needed* SP a few weeks later.
-A
:If you are a web designer for example, now you have to think about IE5 users too.
And the myriad of other browsers if you’re worth your salt and at least the various netscape clones. Any web designer who designs only for IE6 should be taken out and shot.
I wouldn’t consider anything on CNet to be news. I would discourage people from ‘upgrading’ to IE6 because it offers absolutely no perceivable benefit and certainly gives a perceivable performance hit on my low end 800MHz machine and every other low end machine I’ve used.
But that is besides the point.
The media has always had its scapegoats and there has always been some sort of concerted exaggeration and victimisation; it might as well be put to some use.
:Up until I realized that some idiots in the media are actually making up stories, I always trusted them, and this caused lots of problems
I’m sorry that people are still naïve enough to believe such things, it always gives me the horrors to think that there are a large proportion of the world whose main source of journalism are tabloid papers, cable channels and entities such as Fox and CNN.
Post World War II the media exaggerated facts and figures in an effort to discourage further conflicts and dispel any romantic, patriotic, heroic illusions people had. Even then people were so desensitised to media that they multiplied figures by ten in futile effort to get across the true horror of the war.
It is Microsoft itself who announces highly critical security patches for its IExplorer about every two-three months. It won’t “steal the toaster” but watch out the credit card.
I would discourage people from ‘upgrading’ to IE6 because it offers absolutely no perceivable benefit and certainly gives a perceivable performance hit on my low end 800MHz machine and every other low end machine I’ve used.
Actually, Outlook Express 6 SP1 gives users the ability to disable HTML mail – probably the most noteworthy feature since Active Desktop
(And yes, that should be included in OE5.5, but we don’t live in a perfect world.)
There is a difference between Microsoft and the rest of the software industry. When Microsoft finds a hole in their software, or some third party finds it, the first thing they do is go into damage control and put their PR department in overdrive to dismiss ANYONE and ANYTHING being raised by rival companies, prominent IT people or commentators from IT orientated papers and magazines. Then several days later they squeeze out a patch and a low key announcement that no one in the media can be bothered even announcing.
On the other hand, for example, when a UNIX/Linux/*BSD vendor has a security hole, it is announced on the media and either two things are said. If it affects just a distribution, the respective distribution announces that they are currently working on a fix and will be ready in a couple of days and then gives advice on a work around until the fix has been issued. If the affected party is a certain project, say, the KDE project, a press release is given, information is given on the status of its fix, either its in the next release or the distribution is going to distribute an up-to-date package.
Actually, Outlook Express 6 SP1 gives users the ability to disable HTML mail – probably the most noteworthy feature since Active Desktop
Active Desktop was noteworthy? Is that the technical vernacular for ‘slow as frozen crap’ or ‘crashes a lot’?
That sounds like a useful option HTML mail can be a curse, but I would not assume to refer in any way to Outlook Express when I talk about IE6 though that have become almost inseparable you don’t have to use either
Gimme a boot floppy/ CD and physical access and I can take on any OS – Linux, Solaris, XP, NT, DOS, OS 9, OS X, it doesn’t matter.
If by “hack/ crack” you mean to render the PC unusable, you don’t even need to know anything about the software – physical access and a hammer are good enough. You can also disable the #1 vulnerability – the user – with the same tool. How versatile. In a server farm, just shut down the AC. To shut down or slow East Coast net access you just need a well-placed backhoe or a drunk MCI worker.
Like the author says, drop any site that posted this from your security/ admin list. They’re full of it. Have any of these critics actually used a Recovery Console? Open it up and use it for once, it is very easy to verify whether this is a true “exploit” or not. Anyone who supposedly “administers” 2K/ XP machines should be fairly intimate with the Recovery Console – XP’s hasn’t changed much from 2K’s – if at all.
I thought it was an early April 1 deal, or maybe a “rope-a-dope” hoax at first, but I saw the originator defending it. Too much time in the OS backwoods or something.
I wasn’t expecting you to understand what I wrote anyway, but it seems that you are not much different than those idiots either.
I told about a story related with upgrading to IE6, and you made two unrelated stupid statements. One you said if a web designer designs for only IE6, you have to shoot him/her. Unless you are an idiot who claims that sites should support text browsers, shouldn’t use css, shouldn’t use any javascript at all just to support old browsers, you are the other idiot who just wants to bash Microsoft in any case.
About the perceivable performance hit, I also think you are bullshitting, since I also use 800Mhz machine and IE6 works fine. Especially it is a total lie to claim that there is no benefit at all. IE6 has better support for many new web technologies, Css, XHTML, XSLT and so on. Your ignorance may also be the reason behind your stupid claims, but at the end I don’t see you comprehend and understand any technology and make a reliable statement here.
I’m sorry that people are still naïve enough to believe such things, it always gives me the horrors to think that there are a large proportion of the world whose main source of journalism are tabloid papers, cable channels and entities such as Fox and CNN.
Certainly media is not a reliable source, however I don’t see you realizing this at all, since what you say is actually the same as the media.
However it is much better to be a person who realizes that he/she didn’t know, rather than being a person who doesn’t know that he/she doesn’t know.
Mattheww, you are making things up. Show me a report which studies the behavior of companies, open source people about security problems, which also take into account the fact that there are more people that bullshits about Microsoft security than there are people who bullshits about BSD reports.
The reason that you explained is another lie about these issues. You have absolutely no evidence, whatsoever against Microsoft that they deny anything knowingly. Even they do deny certain things, what you never think, and I guess you will never be able to think, is that these companies have responsibilities. When you think you found a vulnerability in windows, and you want Microsoft to admit it immediately you also risk users that you never want to think about. Microsoft first has to confirm what you found. As we see many many times, many claims about windows security is bullshit. So, you want Microsoft to confuse people by admitting things that they couldn’t confirm immediately. That’s the stupid logic that Microsoft bashers have, and actually they don’t care about security. They want to hurt Microsoft, even at the cost of confusing and hurting users. I have seen so many security vulnerability claims about Windows, but I have never experienced a problem with my PC. I didn’t do anything special.
:However it is much better to be a person who realizes that he/she didn’t know, rather than being a person who doesn’t know that he/she doesn’t know.
Is that bad grammar or just a tongue twister
I don’t disagree that IE6 has better support for all those things. You seem to believe that just because a new web-browser comes out we should all upgrade immediately so that the world will be a beautifully standardised environment.
There are many reasons people don’t upgrade to IE6 I would imagine the worldwide media is one, Cnet a tiny part of that. My father doesn’t upgrade for example because he still has an 850MB hard drive happily running 98/Office 95/Outlook Express/IE5 with just enough room for a swap file and a few minor bits and pieces. He does his banking online, checks the shipping and sea area forecast, communicates with friends world wide and it works just fine. Tell him about “Css, XHTML, XSLT and so on” and then tell him he needs a bigger hard drive, faster processor and more memory. I know what he’ll tell you.
As regards my machine how could you possibly hope to comment there are many Windows 2000 machines in my university running with 64MB RAM and only a few MB free memory, stick on IE6 and say hello to disk thrashing land.
There are also those in administration in my university still running IE4 remember that beast. Now go and tell computer services that those staff need new computers and IE6. I also know what they’ll tell you.
>>>>My father doesn’t upgrade for example because he still has an 850MB hard drive happily running 98/Office 95/Outlook Express/IE5 with just enough room for a swap file and a few minor bits and pieces. He does his banking online, check the shipping and sea area forecast, communicates with friends world wide and it works just fine.
Precisely because your dad does internet banking — from a security point of view, he should have installed IE6SP1.
Secondly, IE6 takes the same amount of hard drive space as IE5. It’s just the installation process that takes a lot of hard drive space, but you can do a minimum upgrade first and then upgrade outlook express later.
It wasn’t the media that decided to pay for millions if not billions of dollar of advertising on how Microsoft is ready for enterprise class applications. It wasn’t the media that decided that Microsoft should consider itself to be providing a total solution for all business.
Microsoft continues to claim they sell enterprise ready software. If they want to state they:
a) offer a very rich office desktop setup which is so-so on security
b) sell a bunch of server products that work really well at the departmental level
c) Have some iffy software that scales pretty large
d) Have a very rich development environment
e) Allow companies to use commodity hardware.
No one would be up in arms about their security flaws. Windows Server isn’t close to offering enterprise class security. Windows doesn’t offer close to the kinds of clustering and DR that systems like iOS, zOS, VMS offer or many Unixes offer. IIS is a major danger to any corporation’s security infrastructure unless it is firewalled off, unlike say VMS web server which has gone 8 years without a security incident. SQL server is a really nice multi-user version of access not a feature competitor to Oracle and DB2.
If Microsoft wants to claim to replace existing enterprise systems it is reasonable to hold them to enterprise standards.
>>>>If Microsoft wants to claim to replace existing enterprise systems it is reasonable to hold them to enterprise standards.
The problem is that the “ENTERPRISE STANDARDS” you are talking about precisely shoots down your argument. If you are a ENTERPRISE player, you want ACCURATE information.
Enterprise locks down their computer servers (armed guards and motion sensors) —- they already know that PHYSICAL access to their computers is bad. So they DON’T need to read about how Windows 2000 recovery disc can by-pass Windows XP security — at least they don’t need to read about it as though it’s “the end of the world” vulnerability.
Same thing like the famous pivx (a security consulting firm) website about the ALLEGED 19 unpatched vulnerabilities in IE6SP1. To a real enterprise player, that website is useless — because only about 4-5 out of the 19 listed vulnerabilities were specifically listing IE6SP1 as vulnerable. So you have to guess whether IE6SP1 is immune to those vulnerabilities in the first place OR IE6SP1 has patched the problem (but pivx forgot to mention it on their website) OR IE6SP1 is still vulnerable (but pivx tested it and vulnerabilities are still there but pivx forgot to mention it on their website) OR pivx never tested those vulnerabilities on IE6SP1.
Microsoft **IS** the bad guy
*ducks*
I don’t care about phantom security holes like the one that was reported here. I am a Linux user yet I enjoy Windows XP, I can’t wait for Windows Server 2003, believe it or not I think MS makes great products, what I hate though is that people seem to pick on Gates more than anyone else. Bill made his money fair and honestly. It’s not like anyone tied you into MS Windows, you people always had a choice, you could have gone OS/2 or BeOS back in the day, even with the Mac, but for some reason you chose Windows. Lotus SmartSuite ran on OS/2 so there goes the excuse of Office Suite, WordPerfect at one time was for OS/2 and OS/2 had a Windows 3.1 emulation layer so you could have run MS Office and if there was enough call for it they probably would have done a win32 emulation layer. We had a chance to get vocal about MS and wanting choice yet the consumer decided to be silent, Bill Gates made his money off of our silence, don’t cry about it now. It’s like wanting a Lexus yet you complain about having a BMW, you hate the BMW, you talk crap about BMW. Well my friend go buy that Lexus, No one held a gun to your head and made you buy the BMW…
The problem is that the “ENTERPRISE STANDARDS” you are talking about precisely shoots down your argument. If you are a ENTERPRISE player, you want ACCURATE information.
Enterprise locks down their computer servers (armed guards and motion sensors)
Some do some don’t. In any case I agree with your basic drift just think your specifics are over what tends to be the case.
—- they already know that PHYSICAL access to their computers is bad. So they DON’T need to read about how Windows 2000 recovery disc can by-pass Windows XP security — at least they don’t need to read about it as though it’s “the end of the world” vulnerability.
I never mentioned that physical vulnerability, reread my post. If you have physical access you own the machine. Heck there are dozens of admin exploits for XP/2000/NT all over the web that just require booting the system; Knoppix included them on their CDRom.
My post addressed the more general issue regarding the other bugs that Microsoft products have on every one of their lines.
>>>>My post addressed the more general issue regarding the other bugs that Microsoft products have on everyone of their lines.
It’s all about risk management. Even the old NT is rated C2 for specific configuration. There is nothing wrong with enterprise this and enterprise that.
The main discussion is about how very tiny security problems are posted as “the end of the world” vulnerabilities just because it’s a Microsoft product.
Explain why there are still uncorrected security issues still open in Internet Explorer and have yet to receive any coverage by the media:
http://www.pivx.com/larholm/unpatched/
Sergio, how about shutting your trap, you tried to sound “educated” in the SUN thread and now you’re trying to sound “educated” in the Windows Security thread, how about giving already. Until you have been in the real world and actually worked in the IT for a little longer than a 3-week work experience, may I suggest that you keep quiet, get some knowledge, then come back in 20 years after you have the experience, then, and only then will I listen to you.
How about trolling somewhere else, kiddie. I don’t think anybody takes you seriously, unless they are also trolling here. As I said first prove that there is a vulnerability, then speak up. Posting an uncredible link doesn’t prove anything. I can post as much link as I want which bashes Microsoft. If you want to be taken seriously, first study which companies are good at the security, and then post links from those companies. Otherwise you can also go to Slashdot and you will find lots of Microsoft security related posts. But you can’t find a job in the market if you depend your reasoning on Slashdot or similar web sites.
1st I am not trying to offend you in any way. Microsoft has security issues, just like SUN, Linux and *BSD, and sure, a lot of the times people in the media make it worse than these bugs really are.
I mean, just take the ext3fs bug for example that could cause data corruption, there were so many if’s and circumstances involved that unless all those were in place, only then you would get data corruption.
2nd Na, slashdot is way too pro-Microsoft for my liking, I’ll stick with SUN press releases :)
3rd Most people’s problems are based around the fact that most users are morons. I have worked on a hell desk and no matter how much noise we make to the customers regarding updating their virus checker, installing Microsoft updates and not opening attachments that are from people they don’t know, they still continue to do it. Now, unless there is a way to stop this, regardless of what operating system these idiots use, it will still happen. Oh, btw, I left after a year, it was hell on earth. I swear, it was as though the ISP I worked for was the epicentre for all morons to make contact with each day to complain that their cup holder, accelerator pedal or air conditioner wasn’t working.
// it offers absolutely no perceivable benefit and certainly give a perceivable performance hit on my low end 800MHz machine and every other low end machine I’ve used. //
Hmm.. IE 6 works just zippy on my 900 Mhz machine. Not much faster than yours. Perhaps your system is crap-ola?
//But that is besides the point. //
Then why bring it up?
Microsoft never did anything wrong.
>>>>Explain why there are still uncorrected security issues still open in Internet Explorer and have yet to receive any coverage by the media:
As I told you before, the pivx website is useless. If you read through the whole thing, only 1 out of the 13 unpatched vulnerabilities specifically listed IE6SP1 as vulnerable.
So does it mean that IE6SP1 is not vulnerable at all in the first place to the other 12 out of the 13 unpatched vulnerabilities OR IE6SP1 patched the problems (but pivx forgot to mention it) OR IE6SP1 still have the problems (but pivx forgot to mention it) OR IE6SP1 was never tested at all against those 12 alleged vulnerabilities.
The reporters just don’t know, and they always exaggerate. If you look at the local news, you will be made to think the civilization is ending. If a press release is about boring patches and updates nobody would read. Their only goal, is to make you pay attention for advertisement. It is just a business of making you pay attention. After having said that, Microsoft does rush stuff to market.
>>>>The reporters just don’t know, and they always exaggerate. If you look at the local news, you will be made to think the civilization is ending. If a press release is about boring patches and updates nobody would read. Their only goal, is to make you pay attention for advertisement.
It’s the security consulting firms who want to make a name for themselves that are exaggerating. Most reporters don’t have tech background, so they just repeat what the security consulting firms told them.
Microsoft has security issues, just like SUN, Linux and *BSD, and sure, a lot of the times people in the media make it worse than these bugs really are.
Of course Microsoft has security issues, and what I am pissed off is really not that Microsoft has no problem. I also get mad at Microsoft for various reasons, and I also criticize it for various reasons. However, right now it is out of balance. Right now, it is mostly bullshit. In totally unrelated issues, people bash Microsoft, accuse Microsoft for things that Microsoft didn’t do. I think overall that doesn’t necessarily hurt Microsoft, it also hurts consumers, and also open source. The only people who really profit here is the competitors of Microsoft. Companies like Sun, Apple, Oracle benefit here. Cnet benefit here, because people do read that bullshit. I think we have to make sure that people are reading mostly bullshit about Microsoft, so that we can force media to correct their behavior.
2nd Na, slashdot is way too pro-Microsoft for my liking, I’ll stick with SUN press releases :)
Slashdot is by no means a pro-Microsoft site. There is no way Slashdot can be considered even slightly pro-Microsoft. Sun may be more unreasonable though, because if you look at the claims made in the court, you can see how much Sun hates Microsoft. They even prevent their employees from using Microsoft Office.
3rd Most people’s problems are based around the fact that most users are morons.
I partially agree. Microsoft’s problems may be based on its own faults. Maybe they really didn’t care much about security. The problem is really not whether Microsoft is at fault or not. Microsoft is at fault in some cases, may be at fault in more, but people stretched the logical limits too much. Nowadays, if you see anybody who hates Microsoft, says all sorts of stuff about Microsoft, then I know right away from the start that guy is either too ignorant, or is a complete idiot, moron or the guy works for Sun. It may be that he/she is a moron Sun worker too of course. :) I don’t see too much logic anymore.
I think it is true that people are morons. People really don’t think much. It is an education problem I think, people don’t know how to interpret a piece of information, and they don’t know how to question that piece of information.
There is also the issue of controlling Microsoft of course. The fact that they charge too much for certain products to subsidize its other businesses doesn’t make me happy. However this is done by every company, but Microsoft is different. Microsoft has to understand its responsibility in the industry. It has to know that it is a giant, so it has to move carefully. When Microsoft ties its products, it has to think about its effects. So I understand the heat coming from those reasons, but I don’t see the logic to blame Microsoft for not shipping Service Pack 1 to every XP user in the world in a CD. That’s stupid.
Wait, wait, wait. Firstly, I’m not sure who I side with here, but there are good reasons to the supposed hypocrisy. Any time a hole is found in Windows, especially a major one (I agree that the one that sparked this topic was anything but), it is all over the media. This is a Good Thing(c). If there’s a simple fix that stops remote intrusion, etc. then the public should know about it, and the general Windows-using public does NOT read Slashdot, OSNews, or C|Net. Anytime you need to convey something to the Windows populace, you’re pretty much announcing to the United States. Microsoft still does retain a huge marketshare over personal computers, and the vast majority of these people do not read tech-savvy publications. If there is a valid need for these people to install fixes, then a little media or word of mouth hyperbole is only to be expected. Also, Linux and OS X errors are NOT merely whispers in the wind. On average, you’ll find that most of these people are community-oriented, usually congregating about with other users on one community website or another, and thus it’s easier to broadcast these messages. Also, if we are talking about a serious Windows exploit for say a worm, the base population on which the worm operates is much higher. How many worms are written for Jaguar? Not many, it’s not because they can’t be written, it’s because it’d be a rather limited worm.
>>>>When Microsoft ties its products, it has to think about its effects. So I understand the heat coming from those reasons, but I don’t see the logic to blame Microsoft for not shipping Service Pack 1 to every XP user in the world in a CD. That’s stupid.
That’s especially true when the fact is that it’s the OEM’s themselves who are refusing to pre-install SP1 on their computers.
http://news.com.com/2100-1040-957077.html
>>>>If there is a valid need for these people to install fixes, then a little media or word of mouth hyperbole is only to be expected.
The issue is “the boy who cried wolf” problem. Too much hyperbole and people don’t listen anymore.
“Windows XP Kills Dog, Steals Toaster”
It’s interesting to note, however, that if you accept the EULA you agree not to hold Microsoft responsible when/if this happens. : )