30 November: Commentary: Microsoft gets off easy
http://news.cnet.com/news/0-1003-201-8019189-0.html
The technology donation to U.S. schools by which Microsoft could
settle most of its civil antitrust-related lawsuits would hurt Apple
Computer in the education market but leave a "business as usual"
situation for Microsoft customers.
A creative idea, this settlement represents a win for many, including Microsoft and recipient school
systems. The only exceptions will be Apple, whose share of the
education market will likely be negatively affected, and the original
plaintiffs, which will not likely miss the estimated $10 each they may
have received.
The settlement enables Microsoft to get out of more than 100 lawsuits in one fell swoop without any
admission of wrongdoing. In addition, giving schools PCs, software, training and technical support
creates positive public relations for Microsoft, and in so doing, Microsoft gains an even larger
installed base than it has.
28 November: Apple Rips Microsoft Settlement
http://www.wired.com/news/antitrust/0,1551,48660,00.html
Apple Computer has criticized Microsoft's plan to settle its consumer class-action lawsuits by donating refurbished computers, hardware and other resources to the nation's poorest schools.
"We're baffled that a settlement imposed against Microsoft for breaking the law should allow, even encourage, them to unfairly make inroads into education, one of the few markets left where they don't have monopoly power," said Steve Jobs, Apple's chief executive, in a court filing on Tuesday.
28 November: Why can't we stop the worms?
http://www.zdnet.com/zdnn/stories/comment/0,5859,2827352,00.html
Within the last few weeks, several worms have taken advantage of a single vulnerability in Internet Explorer to assault computers worldwide. It's a vulnerability that allows the worm's code to execute automatically on some computers.
Fortunately, Microsoft's MS01-020 patch for the Incorrect MIME vulnerability has been available since March 29, 2001. What? Never heard of it? Well, neither did I, until Nimda came along in September.
Yes, the same patch that prevents Nimda can also prevent these new worms from spreading. So why haven't more people patched their systems?
Simply put, the patch itself is confusing as hell to install. For example, if you are still running Internet Explorer 4 or before, you're fine but missing much of the Internet. If you are using Internet Explorer 5.01, then download the MS01-020 patch.
However, if you already loaded the Service Pack 2 for 5.01, then you don't need to run the MS01-020 patch. If you're running Internet Explorer 5.5, then download the MS01-020 patch.
Now that you have figured out whether you should or should not download the MS01-020 patch, you scroll through the lengthy digressions on the Microsoft site only to discover that MS01-027 has superseded MS01-020. What?
26 November: Is Microsoft playing Santa or Grinch?
http://www.zdnet.com/zdnn/stories/news/0,4586,2827084,00.html
Is Microsoft a do-gooder, or up to no good?
That's the question a federal judge in Baltimore will consider on Tuesday at a hearing on the company's billion-dollar antitrust settlement of private, class-action lawsuits.
U.S. District Judge J. Frederick Motz will have to decide whether the settlement proposed by the company is a creative solution that will put computers in the hands of poor school children or a legal ruse that will further the company's dominant position in the computer business. Gene Crew, an antitrust attorney heading one of the cases against Microsoft on behalf of California consumers argued that the settlement deal is actually a "marketing device" that "allows them to further entrench their monopoly" by spreading free Microsoft software into primary and secondary schools. Microsoft CEO Steve Ballmer has denied the settlement is aimed at boosting the company's market share in American schools. He said money from the settlement can be used to buy software from Microsoft competitors.
26 November: New Worm Replaces Sircam as No. 1
http://www.wired.com/news/technology/0,1282,48613,00.html
Yet another worm that takes advantage of an old and well-known vulnerability in Microsoft software is on the loose.
The worm, dubbed "BadTrans.B" by antiviral application vendors, installs a piece of spy software on infected computers. This program attempts to record and relay private information such as user names and passwords to an e-mail address that is presumably accessible to the worm's author.
26 November: Microsoft dispatches phone OEMs to knife Bluetooth
http://www.theregister.co.uk/content/5/23006.html
Microsoft has a long history of trying to derail Bluetooth, either in the SIG's standards committee, or in public. For very good, selfish reasons; as a network of interoperable Bluetooth devices shifts the centre of gravity for electronic transactions away from the cumbersome desktop PC, and into your hand, forever. And if you had a desktop PC monopoly, you'd be doing your best to kill Bluetooth, too.
But this encapsulates quite neatly the problems and opportunities that a Microsoft phone OEM faces. It doesn't really matter how keenly an OEM signs up to the proposition, Microsoft essentially doesn't need to win the smartphone war. It only needs to draw - and to prevent the Nokias of the world from winning.
21 November: Deal may put Microsoft at head of the class
http://news.cnet.com/news/0-1006-200-7936780.html
http://www.thestreet.com/_yahoo/tech/software/10004276.html
http://dailynews.yahoo.com/h/nm/20011120/tc/tech_microsoft_dc_11.html
A proposed settlement agreement in a series of antitrust suits may not only give
Microsoft a fairly inexpensive legal resolution--it may also help the company and its PC allies
further erode Apple Computer's position in education.
Under a settlement proposal in a series of private antitrust lawsuits announced Tuesday, Microsoft
agreed to donate approximately $500 million to help bring technology to some of the nation's most
disadvantaged schools. The deal will also allow these schools to obtain a virtually unlimited supply
of Microsoft software for the next five years.
Those terms could hurt Apple and other software providers, according to analysts and educators.
21 November: Microsoft's fairy-tale punishment
http://www.zdnet.com/zdnn/stories/comment/0,5859,2826633,00.html
The real world isn't a fairy tale. The evil giant isn't always evil, and the plucky villager isn't
always saintly. In this case, the founder of the PCs for Kids charity in Australia is now on the
lam after $60,000 went missing from the accounts, while Bill Gates is trying to inoculate half
the world: clearly, there are better ways to help the poor than to give them software.
Yet I can't be alone in thinking that punishing a company by giving it a huge competitive
advantage in a brand new market, at minimum expense to itself, is one of the queerest
examples of justice outside of the Grimm Brothers. Forget Harry Potter, this is the real
fantasy for our times.
Read the entire commentary by Rupert Goodwins...
20 November: MS issues patch for 'critical' security issue in Windows Media Player
http://www.microsoft.com/technet/security/bulletin/MS01-056.asp
One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF).
A security vulnerability occurs in Windows Media Player because the code that processes ASF files contains
an unchecked buffer.
By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer,
with either of two results: in the simplest case, Windows Media Player would fail; in the more complex case,
code chosen by the attacker could be made to run on the user's computer, with the privileges of the user.
20 November: Microsoft moves on weakened rivals
http://www.msnbc.com/news/660370.asp?0dm=B226B
All over the high-tech industries, a looming recession
and a collapse in stock prices have forced companies to cut
spending, lay off workers and slow product development and
sales efforts. For Microsoft Corp., that means it is time to wrest
important new markets from its weakened rivals. At the top of
its target list: software for hand-held computers, online services
and servers.
19 November: Microsoft apologizes in security flap
http://news.cnet.com/news/0-1003-200-7920273.html?
Microsoft has acknowledged that it knew about an Internet Explorer security hole--and failed to
issue a fix--a full week before it accused a security company of placing IE users at risk by
publicly disclosing details of the flaw.
A Microsoft representative retracted an earlier claim that the company first heard of the flaw on Nov.
8--the date of security company Online Solutions' public disclosure--and said Microsoft was actually
notified by Online a week earlier, on Nov. 1.
16 November: Microsoft to bring Product Activation to the Mac
http://www.heise.de/newsticker/data/se-16.11.01-000/
According to the German computer magazine c't, Microsoft is planning to bring forced product activation to the Mac OS. "If we'd had the time and people, we'd already have product activation implemented in Office v. X," says Kevin Browne, head of the Microsoft Mac division. Thus Office v. X will still ship without product activation, but it is expected that future MS applications for the Mac will. Under product activation, users will have to contact Microsoft for a product key after buying the software, or their copy will cease to function after 30 days.
Note: this article is in German.
15 November: WinXP: log on as admin if you want to play games, MP3s?
http://www.theregister.co.uk/content/4/22863.html
Home users seem to be coming badly unstuck when tangling with the new
security features of Windows XP. Now it's possible for them to set up one
account on their machine with administrator rights, and lesser accounts
for the kids, less significant other, cat and so forth - but setting things so
that the right people get access to the right programs? Moreover, quite a lot of programs (Microsoft's Age of Empires II apparently
being one of them) don't grasp the wonderful new world of multi-layered
security that is XP, so you end up with them demanding administrator
rights from you before they'll let you run them.
14 November: MS 'Security Framework' is another .NET vulnerability settings
http://www.infowarrior.org/articles/2001-11.html
Microsoft's dominance in operating systems represents a new threat to the
national security of our information-based society. The government is
trying hard to contain the expanding power of Microsoft by antitrust
litigation that would prove present harm to consumers. That's insufficient.
The government also should address the risks from information warfare
attacks on a largely homogeneous systems management environment.
Inevitably, infoterrorists and criminals will take advantage of flaws in
the gigantic Microsoft operating systems that are on their way to
becoming the engines for running most of our information
infrastructure.
Given its track record, one has to wonder if the company is genuinely
concerned with addressing software security or simply trying to convince
the world that its products are secure enough for the public to entrust
their private data to Microsoft's .NET system, the software monopoly's new
business model. As it stands now, nobody in their right mind would use
.NET or rely on Microsoft Passport for any significantly-important
services, and that's probably driving their out-of-the-blue emphasis on
security. After all, the company's image as purveyors of secure, reliable
software is lackluster at best, given the almost-comical nature and
frequency of their security bulletins.
Full article by Richard Forno.
14 November: How WinXP can make non-MS files invisible
http://www.theregister.co.uk/content/4/22828.html
Windows XP's search system includes a bizarre feature that appears to
exclude files with non-Microsoft file extensions, under some conditions. It
is however so odd that it's surely got to be a bug, rather than monkey
business. But you could go as far as saying it's one of those MS things that
inconvenience other companies if they don't do things the new way we're
doing them in Redmond.
13 November: Win XP turns off AMD power saver
http://www.zdnet.com/zdnn/stories/news/0,4586,2824243,00.html
Microsoft has quietly fixed a problem with Windows XP that disables the power
management functions of AMD's line of mobile processors. The fix allows users of
laptops based on Athlon 4 and Duron mobile chips to use PowerNow! technology,
which extends battery life by reducing processor power when it isn't needed by
applications. The glitch affects users who upgrade AMD notebooks to Windows XP from an earlier version
of the OS. The version of XP available on retail shelves doesn't include a
driver--amdk7.sys--needed for PowerNow! to function, although the driver is included with new
AMD laptops running Windows XP, according to AMD.
The incompatibility has not been widely publicized, however, and may be a blow for AMD's
hardware platform, which is advertised as delivering "outstanding performance with Windows XP".
9 November: Security leak in IE allows malicious web site to change cookie settings
http://www.microsoft.com/technet/security/bulletin/MS01-055.asp
Web sites use cookies as a way to store information on a user's local system. Most often, this
information is used for customizing and retaining a site's setting for a user across multiple sessions.
By design each site should maintain its own cookies on a user's machine and be able to access only
those cookies.
A vulnerability exists because it is possible to craft a URL that can allow sites to gain unauthorized
access to user's cookies and potentially modify the values contained in them. Because some web sites
store sensitive information in a user's cookies, it is also possible that personal information could be
exposed.
Microsoft is preparing a patch for this issue, but in the meantime customers can protect their systems
by disabling active scripting.
9 November: MS throttles research to conceal SW bugs
http://www.theregister.co.uk/content/4/22740.html
Microsoft Security Manager Scott Culp revealed unilateral steps the
company has taken to throttle the exchange of vulnerability information
relevant to their famously buggy products, clearly in hopes that patches
and fixes can be fed to consumers discreetly, without ever realizing
they've been at risk to attack.
Briefly, the scheme requires vendors to withhold detailed security data
and to suppress the exchange of exploit code, which, unfortunately, is the
only means of verifying that a patch actually works.
Vendors will exercise "best efforts" to avoid disclosing details that can be
used to exploit a vulnerability for a period of thirty days from the initial
discovery.
8 November: New FBI Top 20 list: MS IIS stays on top
http://www.zdnet.com/zdnn/stories/news/0,4586,2823532,00.html
The prestigious SANS Institute in Bethesda, Maryland, working with the FBI, has developed a
top 20 list of common vulnerabilities that leave Internet sites open to attacks. The list includes
descriptions of the vulnerabilities, the recommended means to fix them, and descriptions of
any products that managers can use to help plug the holes or check to confirm that things are
fixed.
What Alan Paller, Director of Research for the SANS Institute, and the FBI found is that some
problems are more widespread than others. "This year it's Microsoft IIS," Paller says, "because
it's so widespread and so easy to break into."
Adding to the problem is that so many installations aren't known to the companies that have them.
Unfortunately for security managers, installations of Windows NT, Windows 2000, and Windows XP can
also include a fully functional Web server that's created at the time the operating system is
installed, depending on the options you select. Because the installation isn't obvious, many
managers don't know it exists. But if they don't explicitly disable it, the hidden version of IIS
can simply run in the background, providing a back door into the computer on which it's installed.
7 November: IE Bug Can Lead to Strange Search
http://www.wired.com/news/infostructure/0,1377,48177,00.html
If a plethora of pornography pop-up ads appear on your screen whenever you try to do a search, if misspelled URLs lead you to strange corners of the Internet -- your computer may have been commandeered by a malicious bit of code planted by a greedy website owner.
Internet Explorer is configured to load Microsoft's own MSN search page whenever users click the browser's search button or enter a wrong URL. But a small program embedded in a website or an e-mail can automatically change the system's default settings to direct users to websites that they may prefer not to see.
7 November: You're free to think
http://davenet.userland.com/2001/11/06/youreFreeToThink
Dave Winer writes: "At a certain level I'm just beginning to understand how powerful Microsoft has become.
They own the chokepoint for most of the electronic communication over email and the Web.
Now, they have to get people to upgrade to Windows XP -- that's the final step, the one that fully turns over the keys to the Internet to them, because after XP they can upgrade at will, routing through Microsoft-owned servers, altering content, and channeling communication through government servers. After XP they fully own electronic communication media, given the consent decree, assuming it's approved by the court.
"Here's how it works. Because their operating system is a monopoly, so is their bundled Web browser. If one day my site were not reachable through MSIE I'd lose most of my readers. They could shut down any site they want to, and with their new partnership with the US government, they could have justification, if not moral, at least legal and pragmatic. The government has law on its side, and the FBI, CIA, NSA, FAA, FDA, the Army, Navy, Marines and Air Force. Nukes and biological weapons. They're a powerful partner, and a now, a Friend of Bill."
7 November: Microsoft, researchers trade security blame
http://www.zdnet.com/zdnn/stories/news/0,4586,2823231,00.html
Computer security researchers on Tuesday accused Microsoft of trying to avoid taking responsibility for fixing holes in its software by making it harder for people who discover them to publicize the security breaches. Researchers said they are worried that Microsoft will use the Microsoft-sponsored conference, "Trusted Computing Forum 2001," in Mountain View, Calif. to push its agenda and create a proposal for practices that favor its own position.
7 November: An Analysis and Opinion of the Microsoft Antitrust Settlement
http://www.wininformant.com/Articles/Index.cfm?ArticleID=23112
The major failing of this settlement is that it doesn't punish Microsoft for breaking the law but instead prevents the company from continuing the behavior that got it into trouble. The list of prohibited conduct spells out, in very general terms, exactly what the company did wrong in the past. But preventing similar crimes in the future isn't "justice." Imagine a court letting a convicted thief keep the items he stole if only he promises never to steal again. That's the "justice" this settlement foists on the people of America and the world. True justice addresses the people the crime hurts--in this case, Microsoft's competitors, partners, and users--and punishes those who commit the crime. This settlement lets Microsoft retain its illegally gained market power, along with most of the advantages that come along with that dominance.
6 November: Microsoft: No relief from security attacks
http://www.zdnet.com/zdnn/stories/news/0,4586,5099246,00.html
Microsoft's security response center must be feeling a little punch-drunk these days.
After the one-two combination of the Code Red and Nimda worms that targeted the company's
server and PC software this past summer, the titan announced an initiative in early October to
promote security-savvy administration among its partners.
However, almost every week since it announced its Strategic Technology Protection Program,
a new security flaw has cropped up. In the past few weeks, holes have been found in Excel
and PowerPoint and a new system for protecting music content. A major security patch was
issued for Windows XP, and the company had to shut down part of its Passport service to fix
a set of flaws in the technology that Microsoft hopes will become the foundation of its .Net
initiative.
The company will have to do some fancy footwork to quell concerns of its .Net partners and
current customers, said John Pescatore, an analyst with research firm Gartner.
5 November: The Long Shadow of XP
http://www.fortune.com/indexw.jhtml?channel=artcol.jhtml&doc_id=204823
For years critics wailed that Microsoft was an unrepentant
monopolist. Now they're resigned to living with that. To Microsoft's enemies, the launch of XP symbolizes something else
entirely--the extent to which Microsoft remains an unrepentant monopolist, whose
business model is based on using Windows to muscle into markets it covets.
That, for them, is a very depressing thought. Many have spent years fighting
Microsoft in one way or another. The
central belief today of those who fought the company in the 1990s is that, despite
everything that has happened, nothing has changed. Microsoft is more powerful
than ever. To them that is the real meaning of the XP launch--and it's what each of
them is having to come to terms with, each in his own way.
5 November: Oops! MS.de 'pirates' its own WinXPs
http://www.theregister.co.uk/content/4/22651.html
Microsoft Deutschland seems to have accidentally pirated itself by
shipping the same copy of Windows XP over and over again. Sort of, anyway.
German sites 3Dwin.de and Heise Online report that numerous copies of XP
with the same product key have been turning up, and naturally these won't
activate, because they've been activated already.
The copies appear to be genuine, and Microsoft Deutschland is currently
trying to figure out what happened.
2 November: Stealing MS Passport's Wallet
http://www.wired.com/news/technology/0,1282,48105,00.html
To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.
The bugs in Passport, a sign-on service used by more than 165 million people, were discovered this week by Marc Slemko, a software developer. By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers -- and all, simply by getting the victim to open a Hotmail message.
The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative.
2 November: MS to force IT-security censorship
http://www.theregister.co.uk/content/4/22614.html
We all know how Microsoft likes to bully its many 'partners', so it comes as no surprise that the Beast has decided to apply its partnership muscle to silence the software and network security research community.
The company is currently shopping a 'security partnership agreement', which would open up reams of MS vulnerability data to those firms which capitulate to its censorship demands while leaving all others out in the cold, The Register has learned.
2 November: Microsoft, please fix your software!
http://www.zdnet.com/zdnn/stories/comment/0,5859,2822066,00.html
You'd think that after the FBI first warned the public about a computer virus, Microsoft would announce a comprehensive plan to fix what's broken regarding security flaws in Windows--and especially in Outlook Express. The company can start by wresting control of the browser architecture from the Web Consortium and other committees and immediately ceasing to allow fancy functionality that nobody except a few maniacs actually uses. Everywhere you look, there are problems, one after another. Microsoft's first point-to-point tunneling protocol was flawed. More recently, the newest version of Windows Media Player can somehow execute code and create all sorts of damage.
Microsoft apologists will tell you that Unix has many flaws, too. It's riddled with all sorts of holes. I'm not going to argue that point, but Unix is a legacy OS, not unlike DOS in its ancient heritage. And no Unix vendor has the resources of Microsoft. Microsoft is the world's biggest software company, period. It should act the part.