
MS Asks Google To Delay Fuzzer Tool

CmdrTaco posted more than 3 years ago | from the i-need-somebody dept.


eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."


Microsoft losing their edge? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34744184)

Microsoft is the last among browser makers to react to the vulnerability. Everybody else has released patches to address some, if not all of the holes.

Seems the IE team is so small, all they can do is development on IE9; perhaps there is no other team. Maybe they're all working to make the latest Windows Mobile platform a rousing success.

It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

Re:Microsoft losing their edge? (2, Interesting)

hedwards (940851) | more than 3 years ago | (#34744470)

Probably the only way that this will change is if the laws are changed to make them liable for their own incompetence. As it is software developers can release software without the ability to return it for a refund or any particular guarantee that it does what they claim it to do. Meaning that you could very well end up in the situation where you've paid for software that's badly broken and they're not liable, going to give you a refund or fix it.

Re:Microsoft losing their edge? (5, Insightful)

Ustice (788261) | more than 3 years ago | (#34744634)

Be careful what you wish for. We are more likely to end up with well-meaning legislation that does the opposite, where it punishes those that publish security holes as helping criminals.

Re:Microsoft losing their edge? (4, Insightful)

Anonymous Coward | more than 3 years ago | (#34744700)

They'd only start slapping a Beta tag on everything like Google does. That would buy them a few years of delays. Then they'd lobby to get the law modified so their liability was limited to the price of the software. Then they'd say the kernel is what costs and the rest is free bundled stuff. At every stage they'll lobby and start lawsuits to delay things. Eventually it's 15 years later and you've got some silly obscure law that protects nobody unless they've got the money to fight a massive software company (something the US DoJ doesn't have).

Re:Microsoft losing their edge? (2)

mini me (132455) | more than 3 years ago | (#34744848)

That would only serve to drive the cost of software up. Is it not best to allow the free market to work? Those who want the guarantees can pay for it, while those who are willing to take the risk can use the software for less, perhaps even free.

I am certain that if you passed the appropriate amount of money in Microsoft's direction, they would be more than happy to accept liability for IE. Personally, I do not want to pay for that level of service.

Re:Microsoft losing their edge? (1)

LingNoi (1066278) | more than 3 years ago | (#34744912)

How could anyone whine about the cost of software going up? Right now it's at rock bottom to purchase consumer software; more expensive software across the board would be a good thing, assuming the money goes to the right people (haha).

Re:Microsoft losing their edge? (1)

mini me (132455) | more than 3 years ago | (#34745074)

The added costs would go to people like insurance companies who would assume more risk on behalf of the vendor for errors in the software. A lot of open source software projects would come to an end, because who wants to be liable for errors in the work they provide for free? Let the market decide. If liability is important, people will pay for it.

Um, you're kidding. (1)

dwheeler (321049) | more than 3 years ago | (#34745420)

Um, what? It's hard to estimate profit margins, but Daniel Eran Dilger [roughlydrafted.com] estimates that Microsoft has a 66% profit margin on Office and 81% on Windows. That's far beyond typical profit margins, so such prices are not "rock bottom".

Re:Microsoft losing their edge? (1)

mcgrew (92797) | more than 3 years ago | (#34744972)

Get real, Microsoft's software is WAY overpriced. ALL of it is way overpriced; at least, for an average Joe buying the software outright at a computer store.

I paid over a hundred bucks for XP, upgrading from 98. I really felt ripped off. Not only did a lot of my old software no longer run, Microsoft "disabled" the app that came with my CD burner, saying it was "unstable". I'd had no stability problems with 98. What was worse, every morning when it booted it informed me that it had disabled this software, which it wouldn't let me uninstall. I had to reinstall XP to get rid of the app it had disabled! Shoddy, shoddy software. Consumer protection laws ARE warranted in my view.

If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

Re:Microsoft losing their edge? (1)

mini me (132455) | more than 3 years ago | (#34745086)

Accepting a refund is different than assuming liability for a mistake in the product. I am not against refunds on software. Though I do realize it is a difficult problem to solve in the world of piracy.

Re:Microsoft losing their edge? (2)

John Hasler (414242) | more than 3 years ago | (#34745108)

If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".

Re:Microsoft losing their edge? (2, Interesting)

msauve (701917) | more than 3 years ago | (#34745296)

The market disagrees with you, as customers continue to purchase, and MS continues to profit from, their software offerings. Pricing is only relative to the market. From a purely economic perspective, it might be overpriced if by reducing the price they get greater profits from an increase in sales. But, I suspect that MS is pretty sharp about finding the price points which maximize profit.

"I paid over a hundred bucks for XP"

In fact, you disagree with yourself, unless you're claiming that MS somehow forced you to buy it. You had a choice, you chose to pay. If you would have paid "over a hundred bucks"+1, then it was underpriced for you. Ferraris are overpriced for me, but not for the market, since they're still a profitable business.

Re:Microsoft losing their edge? (0)

Anonymous Coward | more than 3 years ago | (#34745534)

If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

Did you try to get a refund for the CD Burning software? Or try to get a free upgrade to a version that works with the Windows NT based XP? Or did you think that a system utility that was designed for the Win 95 based Windows 98 would just work on a different family of operating system and then blame the operating system vendor for it?

Re:Microsoft losing their edge? (1)

Anonymous Coward | more than 3 years ago | (#34745060)

I agree. It is better for people to educate themselves and make informed decisions (i.e., not using IE) than have Congress make some blanket law that has 1001 unintended consequences because it's 15,000 pages long.

Re:Microsoft losing their edge? (2)

devent (1627873) | more than 3 years ago | (#34745844)

What free market? You mean the market where I can go to Mediamarkt and 99% of the computers and laptops come with Windows 7? Or the free market in Saturn where 99% of the computers and laptops come with Windows 7? Or the free market at Best Buy where 99% of the computers and laptops come with Windows 7? Or maybe the free market with Dell, HP, Samsung, Lenovo?

To what market do I go if I don't wish to buy a computer or laptop with a more secure system?

A free market can only work if there are many vendors, which are competing on fair grounds. But there is only one vendor, Microsoft, which can and will dictate price.

Re:Microsoft losing their edge? (1)

digitig (1056110) | more than 3 years ago | (#34745012)

Yes, and they can afford to pay, whereas most of the FOSS community would have to walk away because they just wouldn't be able to afford the risk. "Refund" is ok, "liable" is a problem.

Re:Microsoft losing their edge? (1)

Sancho (17056) | more than 3 years ago | (#34745580)

How about only having liability on code which cannot be inspected? Though the lobbies would never allow that to pass.

Re:Microsoft losing their edge? (3, Interesting)

_Sprocket_ (42527) | more than 3 years ago | (#34744600)

It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

There was a point in time (not too long ago by normal standards - ancient history in "Internet time") when Microsoft was very slow to respond to any security issue. That was very much in the Bill Gates era. The concept of full disclosure comes from that time. The subject of disclosure has been beaten to death around here more than once, so we'll avoid going down that path. However, some of the intents of the "full disclosure" concept are to shame the vendor and warn the user. Even "responsible disclosure" rules tend to have some breaking point where the bug gets exposed without vendor consent.

This is less of a turning point than a reminder of where we've been before.

Re:Microsoft losing their edge? (5, Insightful)

Low Ranked Craig (1327799) | more than 3 years ago | (#34744898)

Ballmer has a hard-on for Apple and Google. Instead of focusing on their core business, which is providing servers and office automation to businesses, they are chasing Apple and Google with WP7, chasing the iPad, the iPod, Google search, and the Sony PlayStation. Arguably they've been successful at the latter, the others not at all.

Look at WP7 vs Windows Mobile 6.5. WM6x is in dire need of an overhaul. WP7 cannot replace it in a business environment at this point. We use Windows Mobile powered devices for our warehouse management apps. The replacement for ActiveSync, Windows Mobile Device Center, is worse than ActiveSync (if you can believe that) and is more consumer focused than business focused. WP7 is not designed for business apps - there is a huge opportunity for Google to invade the embedded business app space.

Ballmer needs to cease his juvenile, masturbation fantasies of crushing Jobs and Schmidt and get back to focusing on their core business.

Re:Microsoft losing their edge? (3, Insightful)

Gadget_Guy (627405) | more than 3 years ago | (#34744930)

According to the timeline [coredump.cx], Microsoft has also released patches for some but not all of the bugs. This final delay appears to be because they had problems reproducing the crashes, which I think is probably due to the nature of this tool, which makes reproducing the exact circumstances difficult. I can sympathise because I have had to find hard-to-reproduce bugs in the past.

Still, I think it is correct that it should all be made public now, considering that the bad guys have already got the code.

MS's edge has always been cash and inertia (2)

HeckRuler (1369601) | more than 3 years ago | (#34745398)

Microsoft's edge has always been their ability to buy companies' products (and companies themselves) and sell them at a profit, and the locked-in nature of their clients. They are a business company that deals in technology rather than a technology company doing business.
There are exceptions, like their entry into the gaming arena, but don't forget their primary nature.

Can't blame him (0)

mcgrew (92797) | more than 3 years ago | (#34744200)

I wonder if this tool will work on other browsers as well?

Re:Can't blame him (1)

smooth wombat (796938) | more than 3 years ago | (#34744262)

I wonder if this tool will work on other browsers as well?

Had you read this link [blogspot.com] from the posting, you would have seen that it does. In fact, the last entry, for Opera, says the following:

Note that with Opera, the fuzzer needs to be restarted frequently.

Re:Can't blame him (0)

mcgrew (92797) | more than 3 years ago | (#34744330)

Blogspot's firewalled off here. Hitting Google for a link without the word "blog" in it now.

Re:Can't blame him (1)

Anonymous Coward | more than 3 years ago | (#34744924)

A linux user who hasn't bothered to set up a VPN to his house? Come on...

Re:Can't blame him (1)

element-o.p. (939033) | more than 3 years ago | (#34745662)

It happens. For example, I don't currently have a VPN to my home network because my home network is currently off the air while I am migrating from one Internet service to another. That, and the fact that I have worked in IT long enough that after spending 40+ hours a week at work building networks professionally, I don't particularly want to spend much more time twiddling with my home network after hours.

Re:Can't blame him (2)

Dishevel (1105119) | more than 3 years ago | (#34745218)

A /. reader that does not have control over their own computer at work. Lols.

Re:Can't blame him (1)

bigstrat2003 (1058574) | more than 3 years ago | (#34745610)

Having control over one's computer has nothing to do with having control over the company network.

Re:Can't blame him (3, Interesting)

Securityemo (1407943) | more than 3 years ago | (#34744322)

Yes. There's a list right at the bottom of the link of other browsers it managed to break, including Firefox and Opera. It apparently works by stressing the garbage collection mechanisms through creating and destroying DOM objects/references; I don't know what that means really, but he's written a step-by-step of the mechanisms that seems easy enough to follow.

Re:Can't blame him (1)

Cylix (55374) | more than 3 years ago | (#34745100)

Each HTML document loaded into the browser window becomes a document object. Elements such as forms, images, anchors and links are all represented through the DOM model.

While I've rewritten plenty of HTML on the fly using this very model, I've never stopped to see if the newly created points were accessible. I'm sure there are other techniques they are using, or they could simply copy data in and out of an element vigorously.

This isn't too surprising, since I have managed to crash browsers before, and where there is a crash there is a potential hole. Still, hats off for finding an inventive way of getting inside.

Re:Can't blame him (0)

Anonymous Coward | more than 3 years ago | (#34745692)

It means that the browser runs out of memory because of a shitty JavaScript engine? You know, where devs never bothered to check if memory is deallocated properly and it leaks like a sieve. And then it starts to get NULLs from its allocation function and it goes bad from there. Well, at least that's my guess based on what you wrote :P

CAPTCHA: huddling - as in huddling together in fear of what bugs he's about to expose. Slashdot CAPTCHA is fucking scarily on the ball most of the time!

Re:Can't blame him (2)

intellitech (1912116) | more than 3 years ago | (#34744332)

Definitely can't blame him. Considering Microsoft's track record for investigating serious security concerns in its operating system and browser series, and the total number of people using these products across the world, he acted properly.

When (3, Funny)

Anonymous Coward | more than 3 years ago | (#34744202)

When is someone going to DO something about the possibly government sponsored hacking taking place in China? It ought to be brought up at the UN, or trade meetings, or SOMETHING! If the Chinese government won't stop it, we need to cut them off.

Re:When (1)

morgan_greywolf (835522) | more than 3 years ago | (#34744374)

If the Chinese government won't stop it, we need to cut them off.

What, exactly, do you expect? Institute a trade embargo with China? If we did that, the entire economy would grind to a halt. Goods that were once being made in Europe and the U.S. are increasingly being made in China. Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.

Re:When (1, Insightful)

drinkypoo (153816) | more than 3 years ago | (#34744482)

Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.

Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.

Re:When (1)

TheCRAIGGERS (909877) | more than 3 years ago | (#34744604)

Something as serious as a trade embargo or similar would require somebody very powerful to push it, if not more than a few. And normally, powerful people want to keep the status quo. That is, making goods in China for pennies and selling them for a huge profit somewhere else.

No, it will take something so serious that it directly impacts the fatcat's wallets before something like that happens.

Re:When (2, Informative)

piquadratCH (749309) | more than 3 years ago | (#34744676)

Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.

If the US would take such drastic measures, China would probably answer by selling their $2.5 trillion in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.

Let's face it: China got us by the balls, and they are ready to squeeze [telegraph.co.uk] them.

Re:When (3, Informative)

jittles (1613415) | more than 3 years ago | (#34745068)

I think this would hurt China just as much as it would hurt the US or Europe.

which? (2)

HeckRuler (1369601) | more than 3 years ago | (#34745448)

Dumping the currency, or the embargo? Because the answer is still "yes", either way. Globalization means we're all in this together. You can't hurt the other without hurting yourself.
And, consequently, if they fuck up with, say, a huge housing bubble or some such, it'll mean we have to share the pain.

Re:which? (1)

geckipede (1261408) | more than 3 years ago | (#34745728)

On that particular issue, you don't have to worry too much. The Chinese government do pay attention to private investments and have a tendency to mess about with the market to stop them getting out of hand.

When they saw people investing in housing, they reacted with a new build scheme that put up masses of new flats ready for use at almost any price level, which dropped the value of existing housing. It didn't entirely stop a fashion for housing investment, but nobody's fooled into thinking that it's a magic money making machine.

Re:When (1)

geckipede (1261408) | more than 3 years ago | (#34745660)

It would hurt them very badly if they did it unprovoked. The mechanism by which it would hurt them would be undoing their currency manipulation which keeps the yuan weak and their exports subsidised.

If there was an embargo against them, dumping the currency would have no extra effect whatsoever and it would be a very sensible retaliatory move.

Re:When (1)

DigitalSorceress (156609) | more than 3 years ago | (#34745092)

Actually, if they did something that devalued the USD, it would hurt them badly. If the USD goes down, US goods would be cheaper to the rest of the world, so our exports would increase, and it would decrease the buying power of the dollar for imported goods.

If anything, China wants to see the USD stronger... the more the dollar's worth, the cheaper its goods and services are to the US (and world) market by comparison.

Re:When (1)

piquadratCH (749309) | more than 3 years ago | (#34745480)

Actually, if they did something that devalued the USD, it would hurt them badly.

The Telegraph article I linked to named this course of action, rather appropriately, the nuclear option. China won't use this weapon lightly, but if the US would implement such a drastic embargo as proposed by drinkypoo, what other choice do they have?

Essentially, we're living in an economic cold war between China and the West (US, mostly). Both sides have the tools to annihilate the other's economy, but not without destroying or badly hurting its own.

Re:When (1)

kimvette (919543) | more than 3 years ago | (#34745780)

If the USD goes down, US goods would be cheaper to the rest of the world, so our exports would increase, and it would decrease the buying power of the dollar for imported goods.

Except for wheat and soy, what do we make to export?

Re:When (1)

AK Marc (707885) | more than 3 years ago | (#34745876)

If anything, China wants to see the USD stronger... the more the dollar's worth, the cheaper its goods and services are to the US (and world) market by comparison.

Yup. And buying our debt is a means of doing that. If people didn't snatch it up, then we'd have to increase interest to convince people to grab it. That would drain the US dollar. They'll prop it up until they are done with us, then they'll collapse our economy by just not buying anymore. At this point, the US economy would collapse from nothing more than inaction of foreigners, and yet we make that worse by invading Iraq and lying about it, claiming that they are a danger to the US. We'd be safer abolishing the standing army, closing all bases, and recalling and discharging all troops. But for some reason, talk like that is un-American, but adding trillions in debt which directly puts the US at the mercy of foreigners is OK.

Re:When (1)

Frosty Piss (770223) | more than 3 years ago | (#34745128)

If the US would take such drastic measures, China would probably answer by selling their $2.5 trillion in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.

Not a chance. China would NEVER destroy their CASH COW.

Re:When (0)

Anonymous Coward | more than 3 years ago | (#34745164)

There is a saying in finance: if you owe the bank a million dollars, you have a problem. If you owe the bank a billion dollars, the bank has a problem. To whom is China going to sell all that foreign currency? If it floods the market with supply where there is insufficient demand, it will devalue its own assets.

China cannot economically afford to "squeeze" the balls of the West for the same reason you can't mug someone with an RPG. They are trapped within their own blast radius.

Re:When (0)

Anonymous Coward | more than 3 years ago | (#34745404)

I've got a question.
Maybe it's a stupid question, but I might just be a stupid person.

Please explain to me how exactly China selling their x trillion USD worth of reserves would devalue the Euro?

Re:When (1)

interkin3tic (1469267) | more than 3 years ago | (#34745594)

China would probably answer by selling their $2.5 trillion in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude. Let's face it: China got us by the balls, and they are ready to squeeze [telegraph.co.uk] them.

A few things

1. "Nuclear option" as mentioned in that link is more descriptive than you give it credit for. Just as we could not have nuked the Soviet Union without getting destroyed ourselves, so too would China be bringing about mutually assured economic destruction with such a move.

2. How would the Euro be affected?

3. Ready to squeeze? You might use a more recent article than 2007 when making such a claim. I mean, it IS interesting how this will affect Hillary Clinton's chances of getting elected and all...

Your skeery link is from 2007. (0)

Anonymous Coward | more than 3 years ago | (#34745890)

The Chinese have long been dumping their dollars as fast as they feasibly can. Go look at some market graphs for chrissakes, you can see the cycle everywhere as they slowly crash-land the US economy in the wake of the demise of the petro-dollar. Dump, market crash, wait for recovery, repeat.

They aren't doing it slowly because they love us, they are doing it slowly because that's the best strategy for them. They want to get as much iron, copper, and petroleum from their titanic dollar reserve as they can, and if they crashed us fast it's likely they would no longer be able to obtain those commodities with dollars. We have a window of opportunity to get our economy off the petroleum base, but we may miss it since we have a certain major faction [conceptualguerilla.com] that wants massive poverty in order to keep the Mexicans out while keeping labor cheap.

Nuclear option, schmuclear option. Dumping their entire cash reserve at once would be a shoot-yourself-in-the-foot option. Especially since most of it only exists as electronic pulses in banking systems. The Chinese will do almost anything to prevent a US economic doomsday, and they are one of the major forces preventing home-grown cheap labor conservatives from instigating one.

Re:When (1)

RoFLKOPTr (1294290) | more than 3 years ago | (#34744688)

Who cares? The economy doesn't depend on that shit.

You obviously don't understand the basics. Yes, the economy depends on that shit. Any form of trade or investment is a part of the economy. And seeing how we contribute to perhaps a trillion dollars a year (I don't know the numbers, so this is just a wild guess) to China's GDP... all of that money is a part of our economy and that much money is a HUGE part of our economy, and if we were to eliminate it then there goes Wal-Mart. There goes dollar stores. There goes much of our electronics industry. There goes auto parts, furniture, garage door openers, dog beds, alarm clocks, and perhaps every single computer in the country.

A trade embargo with China is not a thought to be taken lightly.

Re:When (1)

drinkypoo (153816) | more than 3 years ago | (#34744738)

Any form of trade or investment is a part of the economy.

When you're shoving the money out of the country as fast as possible, you're doing more harm than good.

A trade embargo with China is not a thought to be taken lightly.

Slavery is not to be taken lightly.

Re:When (3, Informative)

RoFLKOPTr (1294290) | more than 3 years ago | (#34745088)

A trade embargo with China is not a thought to be taken lightly.

Slavery is not to be taken lightly.

That right there invalidates all your arguments, because that says you've been absorbing all the stupid propaganda and sensationalism about Chinese working conditions. Just because they don't make $50k a year doesn't mean they are slaves. Most of them are quite happy with their jobs.

Yeah, 14 Foxconn employees committed suicide in 2010. That's out of 920,000 employees total. So that's about 1.5 suicides out of every 100,000 employees. Wanna guess what the suicide rate in the United States was in 2007? 11.5 out of 100,000. That's EIGHT TIMES the suicide rate at Foxconn. And the suicide rate in all of China was 6.6 in 2008. One could argue that Foxconn, in fact, IMPROVES workers' lives. Of course that's not necessarily true, because correlation does not imply causation, but that data is enough to make a big huge news story worthy of being approved by Slashdot's elite editorial team with which to draw a bunch of sheep to hark the benefits of working for Chinese electronics manufacturers.

Do some of your own research before believing the bullshit and comparing Chinese laborers to slaves.

Re:When (0)

Anonymous Coward | more than 3 years ago | (#34745874)

When you're shoving the money out of the country as fast as possible, you're doing more harm than good.

That depends on what is going into the country in exchange. If it's skilled labourers, then it's a very good investment. Likewise, if you're importing goods or knowledge that improve or maintain the local economy, that's also a good investment.

In the end, every economy is built on production and consumption. Money, knowledge and ethereal data/intelligence are only secondary.

Re:When (1)

morgan_greywolf (835522) | more than 3 years ago | (#34744806)

I was including stuff like toasters, eggbeaters, even so-called "Italian" espresso (Gaggia/Saeco) machines are being made in China now.

Re:When (1)

John Hasler (414242) | more than 3 years ago | (#34744510)

Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.

It's the same stuff, and always has been. The only difference is the label. There is no need for quality in "high-end designer stuff" because it will be out of fashion before the defects become evident.

Re:When (1)

bluefoxlucid (723572) | more than 3 years ago | (#34744834)

It's the same stuff, and always has been. The only difference is the label. There is no need for quality in "high-end designer stuff" because it will be out of fashion before the defects become evident.

Very true. Tommy Hilfiger, Abercrombie, etc etc, "it has a name that makes me street-cool," that crap is all garbage with a huge premium for the name and "current style" to make you cool. Even The Gap does it.

What you want are the mid-range business/casual outfitters. Land's End, Polo, and the like, the people that nobody gives a shit about but that try to win you over with "quality and style." The so-called "style" is "not looking like shit" but it's not going to pretend to net you "street-cred." The price tag isn't $500 either, just a bit more expensive (we're talking $18 wal-mart crap shirts vs $25 Land's End shirts). It's enough for you to risk it casually, but if it turns out to be no better you go with another manufacturer; thus the burden of actually providing quality falls squarely on the manufacturer.

Personally I don't even know what the style is today, besides looking like a moron that can't figure out how to use a belt. I like the lines and simple form Land's End uses, and have a distaste for the visual style Polo and Doc Marten provide; but others may disagree with me and go with those, or others. I'm in no great need of Abercrombie or Old Navy $50 shirts.

One thing I can definitely say about good quality clothes, though: they survive the wash without frilling, fuzzing, or fading for YEARS; but they'll still tear on concrete, wear if you kick your shoes off (grind the hem on your pants away until it frays via the sole of your shoe), and don't believe anyone that tells you this shit won't stain. Land's End has "no-iron" pants that last 30 washes without needing ironing... it doesn't hurt, they do show a little wear after 5-10 washes but they don't really start needing a press until 30 or 40. "Quality" doesn't mean it's indestructible.

Re:When (0)

Anonymous Coward | more than 3 years ago | (#34745186)

Spoken like someone who has never used "high-end designer stuff".

If you ever have a chance, go visit a Louis Vuitton store. Take a look at the handbags and briefcases they make. Pay particular attention to the leather and know that those bags will last for 10+ years with regular every day use. Also pay attention to the zippers. They are smooth and will not scratch your skin. To create a long lasting bag that does not hurt the user does cost money and results in quality.

Just like with computer parts. Quality costs because most of the quality comes from discarding the pieces that are not quality.

Re:When (1)

bluefoxlucid (723572) | more than 3 years ago | (#34744856)

Obama wanted to raise taxes on import goods a la tariff ... Income tax was unconstitutional and we instead had a tariff system for imports. Why, our country threw down a 1% income tax and the government drew in 30 times more in taxes that year than it ever did in history; 1% should have been enough to run this country forever, with constant tax refunds to the people at the end of the year for the money we took but didn't use. How it ever got to the 25%-40% graduated system we have today I'll never know.

Re:When (1)

HeckRuler (1369601) | more than 3 years ago | (#34745482)

It's reassuring to know there's a man out there whose fault everything is.

Re:When (1)

NevarMore (248971) | more than 3 years ago | (#34744528)

Yes, lets have the UN send one of its famous "Stern Letters Of Warning" to China that they've been very naughty and shouldn't do what every other nation or its citizens doesn't already do.

Re:When (0)

Anonymous Coward | more than 3 years ago | (#34744718)

The world can't do anything. Maybe if we were spending money on science, tech, and schools, instead of speculative bubbles, and bailing out heavy campaign contributors, we'd have a chance. Then again, maybe it's inevitable that in our comfort we grow lazy and complacent, and China will be in the same boat as us in 3-4 generations. All I know is I become more jaded every time I read....

Re:When (1)

Omniscientist (806841) | more than 3 years ago | (#34745682)

China has a permanent seat on the UN security council.

That being said, they have the ability to veto any substantive resolution designed to address their intrusion into Google's computer systems.

Security through blissful ignorance... (3, Insightful)

flyingfsck (986395) | more than 3 years ago | (#34744232)

MS believes in security through ignorance, since it makes them money. As long as the common users don't know that their machines are infiltrated, stealing their bank information and sending spam, they are happy, since at worst, they will think their machine is worn out and slow and then go out and buy a new one, chock full of new versions of MS software.

Re:Security through blissful ignorance... (5, Insightful)

mcgrew (92797) | more than 3 years ago | (#34744382)

From the Computerworld link:

"I have a conference call with MSRC [Microsoft Security Response Center]," Zalewski said in the timeline's note for Dec. 28. "The team expresses concern over PR impact, suggests that the changes made to my fuzzer code between July and December might have uncovered additional issues, which would explain why they were unable to reproduce them earlier."

MS, if you want better PR, stop worrying about PR and start worrying about code quality. For what your software costs, its performance is abysmal. You have Yugo software with a Lexus price.

Re:Security through blissful ignorance... (0)

Anonymous Coward | more than 3 years ago | (#34745708)

For what your software costs, its performance is abysmal.

Last I checked, IE was free.

Re:Security through blissful ignorance... (2)

v1 (525388) | more than 3 years ago | (#34745862)

For what your software costs, its performance is abysmal.

Last I checked, IE was free.

and horribly overpriced at that!

Re:Security through blissful ignorance... (2)

v1 (525388) | more than 3 years ago | (#34744422)

I think I'd call it more "security by bliss" (from "ignorance is bliss"). Really they're not so much taking advantage of users' ignorance, but rather that they don't care. As long as their computer is functional, most users don't care if their machine is participating in a botnet and DDoS'ing or spamming.

Re:Security through blissful ignorance... (4, Insightful)

bluefoxlucid (723572) | more than 3 years ago | (#34744716)

Right, which is why most users are overly concerned about "credit card theft" when most infections are about spamming the shit out of people; and a large number of people who succumb to identity theft are actually taken by malware that installs itself as an "anti-virus" program but secretly records your bank transactions.

It's like walking through Baltimore City alone at night. As much as people are terrified by it, not everyone is out to kill you; that said, if you walk through Baltimore City alone at night regularly, you'll meet someone who is out to kill you. Paranoia is when you think they're all out to get you; rational sense is when you realize, no, they're not, but there's a significant risk of encountering someone eventually and it only takes one knife to stop your heart.

Re:Security through blissful ignorance... (1)

icebike (68054) | more than 3 years ago | (#34745824)

That seems a bit over the top, even for the anti microsoft crowd here on Slashdot.

Microsoft doesn't sell computers, and they make very little on OEM versions of Windows installed in the factory.

Article is dupe (1)

Anonymous Coward | more than 3 years ago | (#34744250)

Re:Article is dupe (3, Informative)

Abstrackt (609015) | more than 3 years ago | (#34744436)

It's actually a follow-up. He finally got his response from MS but it was just them asking him to delay releasing the tool indefinitely.

Re:Article is dupe (0)

Anonymous Coward | more than 3 years ago | (#34744536)

Not really, since he had that information up when the previous story was reported.

Browse at your own risk... (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34744272)

Last year I attended a conference where one of the talks was about browser security. The speaker demonstrated how easy it was to gain access to someone's PC when the machine was being specifically targeted. Some of the things he did:

1) Set up a rogue access point with open access and SSID name similar to the venue.

2) Set up a rogue DNS.

3) Set up a redirect page that installed demo software...

One of the things he mentioned was that if you are being targeted specifically, your system will likely be compromised. If you are not targeted specifically, it's trivially easy to find machines that can automatically be compromised.

Adding any apps increases your exposure.

The number of unpatched vulnerabilities is staggering and it's only a numbers game when a slew of machines are needed.
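For the first step the speaker demonstrated (an open access point whose SSID resembles the venue's), here is the defender-side check a practitioner would want: a small triage script run over scanner output. It is an added example, not code from the talk or from anyone in this thread; the venue SSID, the known-good BSSID list and the scan entries are constructed stand-ins for what a venue's network team and a real `iw`/`nmcli` scan would provide.

```python
"""
Triage a Wi-Fi scan for rogue / evil-twin access points.

Added example for this thread, not the speaker's code. The venue SSID,
the known-good BSSIDs and the scan entries are constructed assumptions.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Assumed: what the venue's network team would publish about its own network.
VENUE_SSID = "ConfCenter-WiFi"
VENUE_AUTH = "WPA2"
KNOWN_GOOD_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Verdict codes returned by classify()
EVIL_TWIN = "EVIL_TWIN"            # exact venue SSID from a radio we do not know
AUTH_MISMATCH = "AUTH_MISMATCH"    # known radio address, but wrong security mode
LOOKALIKE_OPEN = "LOOKALIKE_OPEN"  # near-miss SSID with no encryption at all
LOOKALIKE = "LOOKALIKE"            # near-miss SSID, encrypted


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str   # AP MAC address as printed by the scanner
    auth: str    # "OPEN", "WPA2", ...


def normalize(ssid: str) -> str:
    """Strip the decorations lookalike SSIDs usually add, keep the core name."""
    s = ssid.lower()
    # Heuristic: drop separators and the usual "free"/"guest" bait words.
    for junk in ("wi-fi", "wifi", "free", "guest", "-", "_", " "):
        s = s.replace(junk, "")
    return s


def looks_like_venue(ssid: str, threshold: float = 0.8) -> bool:
    """True if the SSID is a near-miss of the venue's name."""
    a, b = normalize(ssid), normalize(VENUE_SSID)
    if not a or not b:
        return False
    return SequenceMatcher(None, a, b).ratio() >= threshold


def classify(entry: ScanEntry) -> Optional[str]:
    """Return a verdict code for a suspicious entry, None if it looks benign."""
    if entry.ssid == VENUE_SSID:
        if entry.bssid not in KNOWN_GOOD_BSSIDS:
            return EVIL_TWIN
        if entry.auth != VENUE_AUTH:
            return AUTH_MISMATCH   # BSSID spoofed, or a misconfigured radio
        return None
    if looks_like_venue(entry.ssid):
        return LOOKALIKE_OPEN if entry.auth == "OPEN" else LOOKALIKE
    return None


def flagged(scan: List[ScanEntry]) -> List[Tuple[ScanEntry, str]]:
    """All suspicious entries with their verdicts, in scan order."""
    out = []
    for e in scan:
        verdict = classify(e)
        if verdict:
            out.append((e, verdict))
    return out


# Constructed scan output (not a real capture).
SAMPLE_SCAN = [
    ScanEntry("ConfCenter-WiFi", "00:11:22:33:44:01", "WPA2"),       # the real thing
    ScanEntry("ConfCenter-WiFi", "de:ad:be:ef:00:01", "WPA2"),       # evil twin
    ScanEntry("ConfCenter WiFi Free", "de:ad:be:ef:00:02", "OPEN"),  # the talk's step 1
    ScanEntry("ConfCenter-WiFi", "00:11:22:33:44:02", "OPEN"),       # real BSSID, wrong auth
    ScanEntry("Starbucks", "aa:bb:cc:dd:ee:ff", "OPEN"),             # unrelated network
]

if __name__ == "__main__":
    for entry, verdict in flagged(SAMPLE_SCAN):
        print(f"{verdict:14} {entry.bssid}  {entry.auth:5} {entry.ssid!r}")
```

The similarity threshold and the bait-word list are tuning knobs, not a standard; the point of the check is that a lookalike with open auth and an exact-name match from an unknown radio are the two shapes the demonstrated attack takes, and both are cheap to spot before anyone associates to them.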

Re:Browse at your own risk... (1)

Securityemo (1407943) | more than 3 years ago | (#34744592)

But that assumes you're being targeted specifically and maliciously by a skilled attacker. Unless you have a high-profile job, that defies common sense. And assuming a skilled attacker, there's really nothing you can do about it except minimizing the attack surface and just plain keeping stuff off your computer. A simple encrypted VPN connection routing all your traffic will effectively stop all local wireless attacks, reducing the attack surface to the wireless drivers, kernel packet processing and the VPN software itself.

Re:Browse at your own risk... (1)

bluefoxlucid (723572) | more than 3 years ago | (#34744680)

Well, if you're in Panera Bread or Barnes & Noble, you're probably being targeted "specifically" ... for some value of "specific" amounting to "the 5 people in that store dumb enough to use Wifi."

Re:Browse at your own risk... (2)

Securityemo (1407943) | more than 3 years ago | (#34744790)

It just makes no sense to me. Sitting with a laptop computer at a public access point and targeting people to spoof/sniff credit card information and credentials seems to have such low throughput to effort when botting at this point in time is almost simpler to execute (like firing an automatic shotgun). The people hanging out at the botting forums I've seen seem like ordinary criminals for the most part, and the barrier to entry nonexistent. Why use a low-risk low-pay method when you could use the no-risk higher-pay method?

Re:Browse at your own risk... (4, Interesting)

bluefoxlucid (723572) | more than 3 years ago | (#34745000)

Sitting in a Starbucks is a low-risk method because it's hard to trace. Hell, you can load automated software onto a hand-held PDA (iPaq? I ran Linux on one...) to do all the raping and infecting. The packets can be tagged with a different MAC address than your real device, making it physically untraceable; it's all in your pocket, and can auto-connect to wifi and do whatever, so picking you out of a crowd is harder than "find the suspicious person" since you just carry it around and don't go out sniping.

This works for MP3s and child porn and whatever the hell else too, btw. Assuming you know where and what to search (I assume torrents for MP3s, who knows for kiddy porn), you could have an automated program do all the relevant searches and store the results. When you get home, pop the device out and browse through the cached results... pick what you want, and next time you're out it'll find those things and download them.

For the obvious flaw, you can ban your own Wifi network and your neighbors', or have the program automatically search for certain networks (yours, your neighbors', etc) and decide you're "too close to home" and shut down. You could even have a separate daemon that handles wifi, and when it sees you're "too close to home" it prevents any wifi connections at all.

There's a lot of "I can have this here with me, but never physically do anything while connected to the network, and never use my own network" that can be done to hide your online presence. The same can be done for chatting on forums, sending e-mail, etc. The only thing you can't hide that way is real-time chat like instant messaging or IRC, because you have to twiddle the device; but for answering a forums post or blogs, you can have a program smart enough to deal with phpBB and V-Bulletin and Wordpress... it could let you record what you want to post, who to reply to, which post ID to reply to, the works... then when you're out somewhere, post.

Basically you're interacting from an alternate reality, one where you're pulled out of the real world; that interaction is transferred into the real world physically somewhere, but you're not present at that point and there's no cable running from there to here to draw a path to you. You'd have to use an innocuous device (a PDA most likely, bought in cash) and download the software from a MAC-shifted device on a public link to have absolutely zero trail (i.e. no evidence that you're even capable of this), but it'd be doable. Completely. It'd make for some interesting shit... maybe I'll write a sci-fi novella about the idea.

Re:Browse at your own risk... (1)

Securityemo (1407943) | more than 3 years ago | (#34745180)

There's the latency, though. I can think of two other "bullet-proof" solutions: no-strings-attached satellite signal (you can only track so far as the uplink satellite's "footprint" as far as I'm aware), and simply tunneling the connection through two different botnet nodes in different jurisdictions, making sure not to transmit personally identifiable data through the endpoint. If you obfuscate the data in time and shape, you could even pass a connection through the same "listening post" twice, allowing you to perform anonymous attacks or communication in your own region even under "perfect" local internet surveillance.

Re:Browse at your own risk... (2)

bluefoxlucid (723572) | more than 3 years ago | (#34745310)

Enough forensics will trace the connection back to where it came from, i.e. starbucks. Satellite... good luck getting free satellite, and they can ID the device somehow if you have a log-on (z3r0c00l did this...). I'm talking about something that traces back to a pinhole in reality and then vanishes. Oh shit, the attack came from nowhere; a wizard did it.

Re:Browse at your own risk... (1)

Securityemo (1407943) | more than 3 years ago | (#34745570)

Actually, post-attack forensics would not be able to get anything useful out of botnet proxies even assuming black helicopters descending on them minutes after the fact. As long as it stays up, a node can be infected and malware injected and updated without ever touching disk, using multi-stage shellcode utilizing DLL injection. The largest threat would be the botnet nodes being compromised during or before the attack. Now, if your criteria is that not only the attacker but also the *method used* being unknown, that puts up a few more barriers. Let's see - compromising routers is considered "voodoo" still, and if you pulled it off right you could use it to erase or falsify the records. You'd have to somehow reset the router to a normal state afterwards though. A router log with a falsified connection record pointing somewhere amusing, on a router thought more or less "unhackable", and assuming that no other forensic information regarding the connection in question exists - that'd be "Whoops, a wizard did it". Regarding the satellite option, a *hacked* satellite could be used in the same manner as a hacked trusted router, but is probably more likely to be treated as "Whoops, a wizard hacked the satellite" than "Whoops, a wizard did it (and we don't know how)" due to the many different and unknowable methods that could have been used in the router method.

Re:Browse at your own risk... (0)

Anonymous Coward | more than 3 years ago | (#34744968)

None of those steps have anything to do with browser security.

Re:Browse at your own risk... (1)

Securityemo (1407943) | more than 3 years ago | (#34745016)

It has nothing to do with application-level code execution exploits, but there's no effective difference to the person and system being attacked. It's just a different means to the same end.

Re:Browse at your own risk... (0)

Anonymous Coward | more than 3 years ago | (#34745298)

I did the exact same thing less than a week ago except that I streamed Never Gonna Give You Up. People were flipping out all over the place!

White hat? (1)

Anonymous Coward | more than 3 years ago | (#34744376)

If it wasn't being exploited by Chinese hackers before it's going to be exploited now!

Re:White hat? (1)

Securityemo (1407943) | more than 3 years ago | (#34744966)

You seem to assume that any eventual spy-hackers couldn't (or haven't) come up with efficient fuzzer tools like this on their own. Assuming knowledge on how to write this class of exploits and domain knowledge of the protocol or file structure being attacked, any programmer here could write a fuzzer like this.

MS denied accusations (3, Funny)

should_be_linear (779431) | more than 3 years ago | (#34744388)

"We consider all of Mr. Zalewski's claims invalid. Obviously he didn't contact Security Experts for IE in reality, just like you cannot contact Santa."

Re:MS denied accusations (0)

Anonymous Coward | more than 3 years ago | (#34744792)

Steve Ballmer throws chairs at the elves in his lair at the North Pole.

On FF block pop up windows (1)

roman_mir (125474) | more than 3 years ago | (#34744440)

Didn't work for me until I turned off the 'block pop-up windows' in Tools-Options-Content.

So I'll keep that window pop-up blocker turned on I guess.

Rather misleading... (2, Informative)

MerelyASetback (1969768) | more than 3 years ago | (#34744462)

The summary made it sound like IE had 100 vulnerabilities, while the article stated that there were 100 vulnerabilities between 5 browsers ...

Dup, and they didn't ask "Google" anything. (2)

lseltzer (311306) | more than 3 years ago | (#34744520)

First, this article is basically a dupe of one from a couple days ago [slashdot.org]. Second, Zalewski was working on his own and MS asked him, in his personal capacity, not to release the tool. I had all this in my PCMag article referenced in the previous /.

Reading difficulties (1)

Anonymous Coward | more than 3 years ago | (#34744566)

The title should be changed to:
Microsoft asked a guy who works at Google to delay publishing work he did on his own time and did not publish through Google or as a representative of Google.

Zalewski? (1)

bluefoxlucid (723572) | more than 3 years ago | (#34744654)

Is that the guy that wrote "Silence on the Wire"? That was a good book of not-likely attacks that are completely and utterly practical, at least in a lab environment consisting of "my living room and $10 of shit I bought off Mouser." Reading the blinking lights off modems, for example.

Why MS don't like to fix a vulnerabilities? (1)

gest.hds (1934474) | more than 3 years ago | (#34745138)

CIA (or maybe China Gov) asks MS to delay fuzzer tool.

kayo (0)

Anonymous Coward | more than 3 years ago | (#34745264)

Yes, "Silence on the Wire" is written by Michał "lcamtuf" Zalewski

Enough with Polish jokes! (1)

Ecuador (740021) | more than 3 years ago | (#34745270)

Polish Google security white hat Michal Zalewski

-What's your name?
-Zalewski
-Zalewski? Is that Polish?
-Yes.
-Are you trying to do some Polish humor?
-That's..
-SHUT UP!
-That's just my name..
-SHUT UP! I don't appreciate racial slurs! I think them dumb Pollacks have been ridiculed enough!

The obvious question is.... (0)

Anonymous Coward | more than 3 years ago | (#34745488)

....Microsoft really has security guys?

Any release over a holiday is a dick move! (0)

Anonymous Coward | more than 3 years ago | (#34745636)

This is like the google dude a while back who said "I gave you 5 days before releasing my hack" where 5 days was thursday night to monday over a US holiday.

According to this dude's timeline [coredump.cx], he contacted them on December 20th and got a real reply the next day. However, things generally move pretty slowly over the last week of the year... They ask him to hold off a bit, and instead he releases his info on New Years Day.

I repeat, if you base your tool release timeline over a major holiday, you are a dick.

Fuzz stuff!! (1)

dwheeler (321049) | more than 3 years ago | (#34745672)

Once again, it's clear that fuzzing is really useful for testing security. Not that it's a be-all/end-all, but people developing secure software should be using fuzzers. It's unfortunate that this fuzzer's "design can make it unexpectedly difficult to get clean, deterministic repro"; without deterministic repros, it's often really hard to find and fix the problem.
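Two comments above make points worth seeing in code: Securityemo's, that any competent programmer can write a mutation fuzzer of this class, and dwheeler's, that a fuzzer is only as useful as its repros are deterministic. The block below is an added example, not cross_fuzz and not any of Zalewski's code. It is the pattern that avoids the repro problem by construction: every test case is derived from exactly two integers (a campaign seed and an iteration number), so a crash report is those two numbers and nothing else. The tag/length/value parser it fuzzes is a constructed toy target with deliberate bugs; the bugs and the corpus are assumptions made so the fuzzer has something to find.

```python
"""
A minimal mutation fuzzer whose every test case is reproducible from two
integers: the campaign seed and the iteration number.

Added example for this thread. It is not cross_fuzz or any of Zalewski's
code; the TLV parser below is a constructed toy target with deliberate
bugs so the fuzzer has something to find.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

Target = Callable[[bytes], object]


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Toy tag/length/value parser (constructed fuzz target, intentionally buggy).

    Records are <tag:1><len:1><value:len>. Tag 0x02 is a 'divisor' record
    whose first value byte is used as a divisor.
    """
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]          # bug: no check that i+1 exists
        value = data[i + 2 : i + 2 + length]        # bug: short read silently accepted
        if tag == 0x02:
            out.append((tag, value[:1]))
            _ = 256 // value[0]                     # IndexError / ZeroDivisionError
        else:
            out.append((tag, value))
        i += 2 + length
    return out


@dataclass(frozen=True)
class Crash:
    seed: int
    iteration: int
    data: bytes
    exc: str          # exception class name, used to bucket duplicates


def mutate(rng: random.Random, data: bytes, max_ops: int = 4) -> bytes:
    """Apply 1..max_ops byte-level mutations drawn only from rng (no other randomness)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(("flip", "insert", "delete", "set"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "set" and buf:
            # boundary values that tend to upset length fields
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    return bytes(buf)


def generate_case(seed: int, iteration: int, corpus: Sequence[bytes]) -> bytes:
    """Derive test case #iteration of campaign `seed` from nothing but those two numbers."""
    rng = random.Random(seed * 1_000_003 + iteration)   # fresh PRNG per case
    return mutate(rng, rng.choice(corpus))


def fuzz(target: Target, corpus: Sequence[bytes], seed: int, iterations: int) -> List[Crash]:
    """Run the campaign; record (seed, iteration) for every crash."""
    crashes = []
    for it in range(iterations):
        case = generate_case(seed, it, corpus)
        try:
            target(case)
        except Exception as exc:          # any uncaught exception is a finding
            crashes.append(Crash(seed, it, case, type(exc).__name__))
    return crashes


def reproduce(target: Target, corpus: Sequence[bytes], crash: Crash) -> bool:
    """Regenerate the case from its two integers and confirm the same failure."""
    case = generate_case(crash.seed, crash.iteration, corpus)
    if case != crash.data:
        return False                      # PRNG or corpus drifted: not a clean repro
    try:
        target(case)
    except Exception as exc:
        return type(exc).__name__ == crash.exc
    return False


def unique_buckets(crashes: List[Crash]) -> List[str]:
    """Crude de-duplication: one bucket per exception type."""
    return sorted({c.exc for c in crashes})


# Constructed seed corpus: one well-formed message.
SEED_CORPUS = [b"\x01\x03abc\x02\x01\x05"]

if __name__ == "__main__":
    found = fuzz(parse_tlv, SEED_CORPUS, seed=1, iterations=2000)
    print(f"{len(found)} crashing cases, buckets: {unique_buckets(found)}")
    for c in found[:3]:
        print(f"repro seed={c.seed} iter={c.iteration} {c.exc} "
              f"ok={reproduce(parse_tlv, SEED_CORPUS, c)} input={c.data.hex()}")
```

The design choice that matters is in `generate_case`: the PRNG is re-seeded per case from (seed, iteration) and the corpus is never mutated in place, so nothing about case N depends on what cases 0..N-1 did. A browser-side DOM fuzzer cannot get this for free, because GC timing, event ordering and the accumulated document state all feed back into what the next mutation touches; that is exactly the difficulty the comment above describes, and the fix there is the same idea applied harder (log the seed and iteration, and rebuild state from scratch rather than carrying it across cases).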
