The Third-Party Patching Conundrum

kdawson posted more than 7 years ago | from the who-do-you-trust? dept.


An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."

63 comments

The important question is: Who is the third party? (4, Insightful)

iMaple (769378) | more than 7 years ago | (#16264735)

Well, third party patches are being used and deployed quite regularly in the FOSS world. In fact, this was one of the points the Mozilla people tried to highlight in their recent trademark dispute with Debian (mainly accusing them of shoddy patches).

It is not really a conundrum, whether you use a third party patch or not, just depends on who the third party is and to what level you trust it. I'll install a security third party patch by the Debian devs but might think twice if it was by someone like Linspire (not because they are necessarily shoddier, just the question of trust).

Re:The important question is: Who is the third par (1)

TubeSteak (669689) | more than 7 years ago | (#16264867)

It is not really a conundrum, whether you use a third party patch or not, just depends on who the third party is and to what level you trust it.
The conundrum is that they're trustworthy... right up until they screw you over.

What everyone is secretly afraid of is that formerly trustworthy people decide: "we're going to trojan our next release, steal a shiatload of money/IDs/information and then flee to a non-extradition country."

Sure, it's the kind of thing you see in the movies, but it could happen and you only have to get burned once for it to be a disaster.

Re:The important question is: Who is the third par (0)

Richard W.M. Jones (591125) | more than 7 years ago | (#16265007)

The conundrum is that [third party open source developers, eg. Debian, are] trustworthy... right up until they screw you over.

Well you don't need to trust them. If you've got the source you can just look at the source and the patch (and even the vulnerability if it was a full-disclosure list) and check it for yourself. Or if you're not a competent programmer, pay a programmer on your behalf to do the check.

In many ways it's funny to see the Windows closed-source-is-best Microsoft-is-always-right "community" acting this way. They can't see that it's obviously better in this case to have source, and third-party patches (with source) are clearly better for everyone.

Rich.

Filters in the tubes (4, Funny)

cerberusss (660701) | more than 7 years ago | (#16264759)

I never understood the need for security analysts, patches and all that. Why can't they just install some sort of filter in the internet tubes and be done with it? Maybe a good time to write Senator Ted Stevens?

Clogged.. (2, Funny)

not-admin (943926) | more than 7 years ago | (#16264855)

If we put filters on the tubes, they'll just clog up faster.
I don't know about you, but my e-mails don't travel that well when they're clogged..

Re:Filters in the tubes (0)

Anonymous Coward | more than 7 years ago | (#16264959)

Can someone point me to a little history about this internettube/filter joke? Been reading these jokes for a while now but I hate missing out on the fun ;)

Re:Filters in the tubes (1)

truedfx (802492) | more than 7 years ago | (#16265021)

I'd say there's no fun you're missing out on -- I honestly have no idea why people still think it's funny -- but anyway, this [slashdot.org] is it.

No M$ bashing here... (1, Interesting)

xTantrum (919048) | more than 7 years ago | (#16264763)

I could see arguments for both sides. Microsoft's own patches can usually be automatically updated without going to another website, but at the same time these third party patches are usually quicker to be released and I have to wonder, is it not like open source in the sense that many people are working on the same problem?

These people obviously know what they're doing and to be quite honest with you, I like to choose whether or not I update my system with the latest patch that may slow down my computer or install sh*t I don't need. However that's for computer savvy individuals like myself. However I don't see this really happening with the mass. People will just turn on automatic updates and click on that irritating flashing icon in the system tray. Who cares what it is, it's obviously from m$ so it must be needed - so the thinking goes.

Re:No M$ bashing here... (1)

Baron_Yam (643147) | more than 7 years ago | (#16264869)

For personal computers, that's the way I roll - I set auto update and walk away. Quite frankly, I'd rather have my computer F@*k up once in a blue moon than spend time doing full regression testing on a test platform I don't even have before moving to my prod system.

I can rebuild my system from scratch if I need to in less time than I'd spend in a year of reviewing patches. When I get home, I want to check my email, Slashdot, Fark, some comics, etc... not be right back at work only without the pay.

Re:No M$ bashing here... (1)

Cylix (55374) | more than 7 years ago | (#16264971)

Indeed...

Until Microsoft unleashes a torrent of pain upon your system...

Ah yes, the unspoken one known only as WGA!

The tormenter of souls has come and he knows no end!

Seriously, that drove me crazy when it was installed and I was so pleased when they finally removed it.

Don't worry... the microsoft gnomes will bring you an even better treat in the future.... I guran'tee it.

Re:No M$ bashing here... (1)

AmberBlackCat (829689) | more than 7 years ago | (#16265013)

I've never heard of them. For all I know, Claria could have changed its name to Zert. If this caught on, I'm sure all the companies that release fake anti-spyware software would get into the business of releasing third-party operating system patches. Maybe GooglePatch could close all the privacy holes and all you have to do is accept the agreement that it collects aggregate data of your operating system use and stores it for all time. And I guess we don't have to worry at all about some other part of the operating system being updated with something that requires certain functions/methods to exist in a dll from an official patch. Just wait for another bootleg patch to fix the compatibility issue. Then wait for a patch to fix that compatibility issue. And wait for a patch to fix the rootkit from GatorVML or whatever you downloaded. I've spent too much time on this message.

Re:No M$ bashing here... (1)

Simon80 (874052) | more than 7 years ago | (#16267483)

This attitude of not trusting these patches cause they might somehow slow down your system suggests that your Windows install likes to slow down on a whim.

FOSS required for homeland security (0, Redundant)

Anne Thwacks (531696) | more than 7 years ago | (#16264799)

As MS have a monopoly, then they should be forced to support the OSes or open-source them (their choice)

Given the fact that huge numbers of Win2k and Win98 systems are, and will remain in use, they must be patched to deliver homeland security.

If MS won't release patches, surely it is incumbent on the US Government to force them to OpenSource them so that others can. The US government IS still supposed to deliver homeland security?

Re:FOSS required for homeland security (1)

Macthorpe (960048) | more than 7 years ago | (#16264847)

I believe the MS official line would be "No patches for old OSes because we have newer ones."

By the way, using 'Homeland Security' as a reason to patch OSes is spurious. The government in the interests of security should always be up to date, so there is no reason for them to still be using Win98/2k. There's probably no reason for them to be using Windows at all. I use MS myself (I'm a gamer and Transgaming is still not an option) but I'd be happier if any government was using a more secure OS, or at least an OS that isn't targeted by every hacker out there.

Re:FOSS required for homeland security (1)

Joe The Dragon (967727) | more than 7 years ago | (#16266039)

There is still some software that may only work under 98 or 2000 and sometimes it may be a custom app that does not work well with newer OS. There are also CNC systems that are still running 98 and they have custom cards in them for the CNC systems.

Re:FOSS required for homeland security (1)

DougInKY (896994) | more than 7 years ago | (#16268703)

"There is still some software that may only work under 98 or 2000 and some times it may be a custom app that does not work well with newer os."

All the more reason to transition to Free Software/Open Source Software. Custom apps written using OSS in Linux/Unix wouldn't have to be rewritten when you upgrade your operating system. There are still apps in use in Linux/Unix that are older than some Slashdot readers. For example VI and Emacs are both old programs that run well on modern operating systems.

Re:FOSS required for homeland security (1)

quiberon2 (986274) | more than 7 years ago | (#16264895)

I don't expect anyone else would bother to maintain Windows09 and Windows2000. Anyone who can patch Win98 can maintain Linux more easily. Even if you had the source, the learning curve would be long and thankless.

Besides, when you bought your Windows98 licence, it said on the packet what the end of service date was. Microsoft did pretty well to get within a month of it before deciding that it was not economically viable to repair.

Better buggy-whips ? (1)

quiberon2 (986274) | more than 7 years ago | (#16264807)

It's getting more like a picture of who can deliver the best buggy-whips by the day. The rest of the world has moved on to cars and aeroplanes.

I 'stabilised' my Microsoft Windows a while ago; I don't actually require any fixes, if it catches a virus and dies then that is just the way of the world. The next investment will be in a Sony Playstation.

Any vendors who don't support it, I'm not buying what they have to sell.

I'll use them (3, Interesting)

ancientt (569920) | more than 7 years ago | (#16264815)

I don't know anything about them, but when I get back to work on Monday I'm going to investigate with the hope I can use them to keep my old Windows installs secure. If they're doing patches for Windows 2000 then I practically have to at least look at the option. If Microsoft were reliable and didn't stop releasing security patches for "old" OSs, then I wouldn't need to.

I hope this really irks the people at Microsoft that make the decisions on when to EOL something.

Simply patching obsolete OS's would be more useful (3, Informative)

King_TJ (85913) | more than 7 years ago | (#16264833)

It seems like lately, every time MS takes "too long" to release a patch, someone rolls out an unofficial one - and then this debate rages on whether or not that's a "good thing".

Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones.

It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarrassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way. (I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company. Despite MS's assertions, it's still not realistic to expect everybody to migrate fully to Windows XP/2003 Server. Even the relatively small (under 100 employees) business I work for is still running an NT 4.0 workstation that drives an old voice mail system for our phones.)

Re:Simply patching obsolete OS's would be more use (1)

penix1 (722987) | more than 7 years ago | (#16265087)

"Rather than wasting all the time and effort on doing this - I think the efforts could be better spent simply doing all the patches for the "unsupported" OS's, and *not* the current ones."

I agree. At least those with unsupported OS's are given one more option than they started out with.

"It would still accomplish the same result that most of these security experts seem to want; making MS look bad for their slow response times. (Imagine the embarrassment if it turns out you're better and more quickly patched against vulnerabilities by running one of Microsoft's "now unsupported" OS's like Windows '98 or ME than by using their current products!) Plus, it provides needed patches for a marketplace that can't get them anymore any other way."

The moment these 3rd party patches start to outdo Windows Update, expect the lawsuits to fly. Microsoft uses Windows Update for more than updates. WGA is one example of using the update mechanism for ulterior motives. Consider also, the whole reason for EOL is to force users to upgrade rather than continue to use their existing OS. Cut off that reason and Microsoft will surely see you as a threat to their business model.

B.

Re:Simply patching obsolete OS's would be more use (1)

CCFreak2K (930973) | more than 7 years ago | (#16270241)

(I think some people might be surprised at how often a business still keeps an old, outdated MS system running for a special task at least someplace in the company.

The teacher for my PC Config and Repair class told us how they (at a place he used to work, I guess) had an NT4 server box running. It kept running the whole time. The only time it had down time was when they yanked and tossed it a few years ago.

Not only that, but places like gas stations and some market places (cash registers mostly) still use DOS front-ends and back ends. Most of those machines are either A) secure because they run behind a firewall using ancient software, or B) aren't connected to the Internet in the first place and aren't very viable targets. In both cases, a software upgrade is hardly necessary.

Microsoft would really hate that. (1)

TheLink (130905) | more than 7 years ago | (#16278989)

The more people running old versions of their O/Ses, the greater the danger that someone else comes up with a really Windows Compatible O/S, and they end up like a BIOS manufacturer.

For example, they are trying to come up with Vista. If it is too incompatible they might end up in the Intel Itanic vs AMD Opteron scenario. Where people look at the Itanic and say, if I want incompatible and fast, I might as well go IBM POWER, if I want compatible and fast, I go AMD.

That is why if lots of people get Dell/HP etc to skip the Vista preload and preload XP instead, Microsoft could have big problems, even if Linux is not being preloaded.

sliding scale (1, Funny)

macadamia_harold (947445) | more than 7 years ago | (#16264849)

This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.

Oh, so it's not a patch created by some guy in his basement. But what about some guy in his parents' basement?

Providing Patches for Microsoft is Wrong (1, Redundant)

Coeurderoy (717228) | more than 7 years ago | (#16264929)

Microsoft makes it purposely hard to work with them.
Their security is bad, and anything that encourages people to use their software is wrong.

It encourages Microsoft to continue to work as they are.

And therefore it actually lowers the global security of the Internet.

Agreed (0)

Anonymous Coward | more than 7 years ago | (#16265029)

Agreed, wish I had my mod points. I don't see why we should encourage Microsoft. Sure, people have bet their businesses on their software as well and may stand to lose a lot if they're not patched, but that's something we shouldn't encourage either. They should use the best software for the job, but they're not because someone else is covering their ass.

Wrong and Unrewarding. (1)

twitter (104583) | more than 7 years ago | (#16267241)

[Patches] encourage Microsoft to continue to work as they are. ... encourage people to use their software ... And therefore it actually lowers the global security of the Internet

That's true, and the reward is a M$ attack. M$ has shown no willingness to change, is hostile alternatives and claims that alternatives are impossible. "Third party patches" are just another competition for them to destroy.

The arrogance is amazing. How can anyone cling to "official" patches for an OS that needs a new one every month? From a user perspective, it's kind of like saying, "I use the worst brand possible and only the worst is good enough for my organization." The defensive position M$ is taking needs no further analysis.

Real alternatives are the answer.

Re:Wrong and Unrewarding. (1)

jb.hl.com (782137) | more than 7 years ago | (#16267877)

You never change, do you twitter?

[Microsoft] is hostile [to] alternatives

Of course they fucking are! It's called "being a competitor"!

"Third party patches" are just another competition for them to destroy.

Yes. Of course, twitter.

By the way, I and a few others were wondering whether you'd mind responding to this [slashdot.org], or maybe this [slashdot.org]. An admission that you were talking bullshit on that last one would be nice.

Re:Wrong and Unrewarding. (1)

twitter (104583) | more than 7 years ago | (#16268923)

fuck off [slashdot.org].

Re:Wrong and Unrewarding. (1)

jb.hl.com (782137) | more than 7 years ago | (#16268997)

no u [slashdot.org]. In that list you deliberately ignored the meaning of many of those posts and included many which weren't insulting or denigrating to you in the slightest in order to paint me as a "troll".

Re:Wrong and Unrewarding. (0)

Anonymous Coward | more than 7 years ago | (#16269473)

twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

  • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
  • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
  • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
  • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
  • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
  • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
  • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
  • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project, MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
  • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
  • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy [ibiblio.org]

And for the new setSlice (2, Informative)

farker haiku (883529) | more than 7 years ago | (#16265027)

In other news, according to SANS, there is publicly available exploit code [milw0rm.com] out there for the new setSlice bug. According to Gadi Evron's post [securityfocus.com], "there's a rootkit, some malware, and haxdor". There's a third party (easily reversible) fix, and a way to test if your browser is vulnerable [sans.org] here [metasploit.com].

So what? (1)

joe_n_bloe (244407) | more than 7 years ago | (#16265049)

As far as I'm concerned, virus checkers, firewalls, all sorts of TSRs -- they're all patches. What's remarkable about a third party "OS patch"?

There are hundreds (or thousands) of applications that might contain critical vulnerabilities.

superpokes: nothing new under the sun. (1)

gd23ka (324741) | more than 7 years ago | (#16265173)

Back in the good old days you would load a game on your Commodore 64 and prior to running it patch it in memory with the POKE command in Basic to get you unlimited lives etc. Some things most obviously never change, nowadays it seems you have to superpoke your windows box to keep it unowned.

Peanuts (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16265203)

From the gallery:

Peanut #1. If you are responsible for a data center or high reliability server or are within the standard support window, I do not recommend using a 3rd party patch. And I would go so far as to say that if MS server administrators were to do so at my company they would be fired. And the reason for this has nothing to do with security or vulnerability; it is because if the server crashes after installing the patch you may need both the hardware and software vendors' support. If you install a 3rd party patch on these servers and run into a problem you will more than likely be S.O.L.

Peanut #2: That said let's look at Microsoft OS's outside of the Microsoft support umbrella. Almost every company has a few legacy machines still floating around filling various niche functions. In this case, 3rd party software patches, isolation from the network, firewalls, and IP Filters are really your only options.

-The gallery

This should be obvious (0, Offtopic)

TheZorch (925979) | more than 7 years ago | (#16265449)

Um, if you use an unsupported OS like Win98 for something see if you can do that same thing with Linux. If that 98 machine is used as a print server Linux can do the same thing, it can serve as a server that handles tape backups of high priority data, as a cheap alternative to MS Exchange server with 3rd party open source software, and even an Intranet server for in-house websites.

Linux can breathe new life and functions into older computers.

How about the source code? (1)

kasperd (592156) | more than 7 years ago | (#16265543)

The correct way to make a patch is: take the source code, fix the bug, compile it, and ship as many of the executable files as necessary. But does this third party have the source code? If they do, they probably have signed an agreement forbidding them to use it in this way. In some countries the law gives you an unwaivable right to fix bugs in software, but I'm not sure you would be allowed to share the fix with everybody in this way.

Here is an idea (1)

Fanro (130986) | more than 7 years ago | (#16266221)

How about this: If Microsoft implemented a module in Windows to block incoming packets based on some scripted rules, and block http connections in Internet Explorer based on similar rules, then everyone could develop instant band-aid patches for newfound exploits just by making and distributing new rulesets.

This could of course only be a workaround until a real patch is developed, but it would be better than nothing and the chance of some new security hole or fatal bug introduced by a new ruleset is slim, so there would be little risk of deploying them instantly.

A similar module in an application such as Word could block exploits for every file format that this application handles.

Comments? Would such a solution be workable? Could open source software use it too?
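
The ruleset idea in the comment above, sketched as an added example; it is not part of the original thread and is not any Microsoft or ZERT mechanism. The JSON layout, field names, rule ids and sample pages are hypothetical and constructed here; the only real-world value is the VML XML namespace URI, matched to block all VML content as a coarse stopgap.

```python
import json
import re

# Hypothetical rule vocabulary: rules are data, never code, and only these
# scopes and actions are accepted, which is what keeps a new ruleset low-risk.
ALLOWED_SCOPES = {"http_response", "inbound_packet"}
ALLOWED_ACTIONS = {"block", "log"}
MAX_PATTERN_LEN = 200  # keep every rule small enough to review by eye


class RulesetError(ValueError):
    """Raised when a ruleset must be rejected as a whole."""


def load_ruleset(text):
    """Parse and validate a ruleset; one malformed rule rejects the whole file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise RulesetError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("rules"), list):
        raise RulesetError("top level must be an object with a 'rules' list")
    rules = []
    for raw in doc["rules"]:
        if not isinstance(raw, dict):
            raise RulesetError("each rule must be an object")
        rule_id, scope = raw.get("id"), raw.get("scope")
        action, pattern = raw.get("action"), raw.get("pattern")
        if not isinstance(rule_id, str) or not rule_id:
            raise RulesetError("rule without an id")
        if not isinstance(scope, str) or scope not in ALLOWED_SCOPES:
            raise RulesetError(f"{rule_id}: unknown scope")
        if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
            raise RulesetError(f"{rule_id}: unknown action")
        if not isinstance(pattern, str) or not 0 < len(pattern) <= MAX_PATTERN_LEN:
            raise RulesetError(f"{rule_id}: missing or oversized pattern")
        try:
            compiled = re.compile(pattern.encode("utf-8"), re.IGNORECASE)
        except re.error as exc:
            raise RulesetError(f"{rule_id}: bad pattern: {exc}") from exc
        rules.append((rule_id, scope, action, compiled))
    return rules


def evaluate(rules, scope, payload):
    """Return (verdict, matched_ids); verdict is 'block' if any block rule matches.

    This only sees the payload bytes it is handed, in the form they arrive in,
    so it is a stopgap until the real patch and not a replacement for it.
    """
    verdict, matched = "allow", []
    for rule_id, rule_scope, action, compiled in rules:
        if rule_scope == scope and compiled.search(payload):
            matched.append(rule_id)
            if action == "block":
                verdict = "block"
    return verdict, matched


# Constructed ruleset: R1 blocks any page that declares the VML namespace,
# R2 only logs elements written with the conventional "v:" prefix.
SAMPLE_RULESET = """
{
  "name": "vml-stopgap (constructed example)",
  "rules": [
    {"id": "R1", "scope": "http_response", "action": "block",
     "pattern": "urn:schemas-microsoft-com:vml"},
    {"id": "R2", "scope": "http_response", "action": "log",
     "pattern": "<v:[a-z]+"}
  ]
}
"""

# Constructed ruleset with an action outside the vocabulary; must be rejected.
BROKEN_RULESET = """
{"rules": [{"id": "X1", "scope": "http_response", "action": "execute",
            "pattern": "anything"}]}
"""

# Constructed, benign sample pages.
VML_PAGE = (b'<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
            b'<v:rect style="width:10px;height:10px"/></body></html>')
PLAIN_PAGE = b"<html><body><p>No vector markup here.</p></body></html>"

if __name__ == "__main__":
    loaded = load_ruleset(SAMPLE_RULESET)
    print(evaluate(loaded, "http_response", VML_PAGE))
    print(evaluate(loaded, "http_response", PLAIN_PAGE))
    try:
        load_ruleset(BROKEN_RULESET)
    except RulesetError as err:
        print("rejected:", err)
```
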

(plus o8e InfOrmative) (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16266475)

man walking. It's about a project the resign4tion lead developers

ZERT is why MS released an Out of Band Patch (1)

Stephen Samuel (106962) | more than 7 years ago | (#16266535)

I assert that, if ZERT hadn't shamed Microsoft into action it is very likely that MS would have probably let the exploit float around for a month before they patched for it.

mod 0p (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16266875)

join in especially faster chip networking test. 0utreach are are almost users of BSD/OS. A to decline for about who can rant Practical pur4oses, to you by Penisbird fate. Let's not be ofone single puny numbers. The loss

Why oh why? (1)

Plutonite (999141) | more than 7 years ago | (#16267149)

Why do these third-party groups release patches for proprietary software that they have to reverse engineer to understand? What kick do they get out of it?

I can understand when you devote your time to some OSS effort, but to MS? You can write viruses for their OS, release exploits, send them hatemail..but why help their victims when the only thanks you get are the kind of comments we've seen?

Re:Why oh why? (0)

Anonymous Coward | more than 7 years ago | (#16267677)

Maybe because they:

1) Recognize that they do not have the time or ability to sit down and explain to every Windows user about the alternatives to Windows, why they are better, and then assist them all in transitioning to the new platforms and new applications.
2) Recognize that most Windows users are not interested in changing OSes, for whatever reason, even if someone were to take the time to explain the alternatives to them.
3) Recognize that those Windows users include people who are important to them for some reason or another (relatives, neighbors, financial institutions, government offices)
4) Recognize that the harm being inflicted on these Windows users by Microsoft's irresponsible patching behavior is something they have the power to mitigate.
5) Recognize that mitigating the harm to Windows users will indirectly help them (less spam in their mailbox, fewer zombies filling up their web server logs with IIS attacks)

Getting a personal thank-you note from Microsoft isn't even on the list. Not that it wouldn't be nice, though ;)

Re:Why oh why? (1)

Plutonite (999141) | more than 7 years ago | (#16267859)

But by "helping" these adamant users they are also helping MS stay popular. Why give charity to the world's biggest software corporation?

A lot of people have the power to mitigate MS problems, but that doesn't mean we should spend our free time helping a company that already makes far more money than it deserves, just because it is popular. If the users want to stick with it, let them.

There are some situations where charity doesn't apply.

Re:Why oh why? (0)

Anonymous Coward | more than 7 years ago | (#16268269)

I guess they look at the situation from a completely different perspective than you. They see users in need. You see a horrible company that makes more money than it deserves. Both are correct but limited observations.

Because car metaphors are always popular, here's an example:

Alice and Bob, both expert auto mechanics, are driving down the same highway in their late-model Lexuses. They see Charlie standing on the side of the road next to his broken-down Hyundai with the hood up. Alice thinks: "That poor bastard bought a Hyundai! Well, I guess he won't be doing that again!" and zooms past. Bob thinks: "I'll stop and give the guy some help." So he does.

Alice might be right. If nobody helps Charlie, then Charlie will have a truly miserable time, and may think twice before buying another Hyundai. Then again, he may just think "all cars break down" and keep buying them. But the truth is she'll never know.

Bob might be right. Charlie may think that because he has to rely on the kindness of strangers to keep his car running, maybe he should buy a better car. Then again, maybe he'll just be happy he got a free repair and he'll keep buying Hyundais. But the truth is Bob will never know.

In both scenarios, Charlie may or may not keep buying Hyundais. There's really no way to tell for sure. Also, neither Alice nor Bob honestly think their actions assist the Hyundai Corporation in any material way.

It's a variant on the classic food aid ethical dilemma. If a nation is chronically unable to feed its population, do you give them your extra food or not? Alice would say that they'll never change their agricultural practices if they don't have a good famine to show them something's wrong--and furthermore, dumping a ton of free food into the market will drive any remaining food producers out of business. Bob would think: "We have extra food; they have starving people. It's not that hard to figure out what needs to be done".

I've always sided with Bob in these ethical dilemmas. I recognize Alice has some very good points, but in my opinion you don't want to overthink an action of mercy. You either help people in need or you don't. To me, Alice's arguments are for someone who's decided not to help, and is looking for a logical reason to justify that position.

Re:Why oh why? (0)

Anonymous Coward | more than 7 years ago | (#16268317)

That was a nice analogy and a very good point.

Re:Why oh why? (1)

Plutonite (999141) | more than 7 years ago | (#16269051)

Very well, but in that case why not also highlight the inherent danger of using MS products that are terrible to begin with, and - to top it off - not supported anymore? Like a link to a small paper/article with every patch release?

It's more like stopping to help with a car model that Hyundai doesn't support anymore even though it's in heavy use, so if Bob walks away the poor schmuck will discover why so many people are pissed at the company.

Finally, they may have a point, but life is too short. Too many things to do, programs to write, chocolates to eat, moves to make. You can spend your life writing patches for MS products. It's just wrong in a universal sort of way.

Regards,
-P

Re:Why oh why? (0)

Anonymous Coward | more than 7 years ago | (#16269387)

I agree that providing information about better options is always nice. But it shouldn't be a requirement to read through the options before you get help (that would be like those homeless shelters that won't help you until you accept Jesus Christ as your personal savior). Offering more help than people requested is nice. Forcing people to accept a kind of help they did not request is not nice.

If Bob walks away, it's possible the poor schmuck will discover why so many people are pissed at Hyundai. But I think it's more likely that the poor schmuck will discover why so many people are pissed at Bob. It's really unknowable how he'd react. Flip a coin.

You are most correct that life is too short. You only have so much time in this world, and there is a lot of suffering you can stop. Volunteer at a soup kitchen. Tutor at your local school. Fix your elderly neighbor's broken computer. Do the best with what your competencies allow. Every little bit helps. Not helping people in need is just wrong in a universal sort of way ;)

Re:Why oh why? (1)

Plutonite (999141) | more than 7 years ago | (#16269815)

Well at least we have achieved something today: people with Windows are people in need, in the same league as orphans and elderly neighbors, whereas we FOSS supporters are the real Warren Buffetts of the world (Gates would be too much of a pun).

And with this humbling thought, I go off to bed a happier man than I ever was. :)

Official vs. unofficial (1)

Anonymous Coward | more than 7 years ago | (#16267205)

It's not a question of choosing between an official and an unofficial patch. It's choosing between an unofficial patch and no patch at all.

If the vendor acted more responsibly (i.e. patched vulnerabilities as soon as possible after they were reported, rather than sitting on its patches for up to a month), none of this would be an issue at all. I'm not asking for them to cut back on regression-testing, just make the patch, test the patch and release the patch--no matter what day of the month it is.

The "monthly patch cycle" is only a convenience for virus-writers, not users.

About untrusted binaries... (1)

Kidbro (80868) | more than 7 years ago | (#16269235)

"I will not use the unofficial patch, nor can I think of anyone I would recommend it to," said Jesper Johansson, a former Microsoft security consultant now working at a Seattle-based online retailer. "Personally, I worry about putting unverified and untrusted binaries on my system, and about the likelihood that they are going to be any higher quality than the ones Microsoft releases."

And this, dear Johansson, is exactly why I, and many with me, will never trust either your former employer's or third party patchers' code. "[We] worry about putting unverified and untrusted binaries on [our] system[s]."
Give us the source under a sane license and we'll be able to verify that both Microsoft's and third party patchers' code is trustworthy.

Anti-virus software is just a 3rd party patch (1)

syousef (465911) | more than 7 years ago | (#16269887)

...for security holes in an OS, and plenty of people install antivirus software.

Re:Anti-virus software is just a 3rd party patch (1)

bartman227 (943025) | more than 7 years ago | (#16275615)

When you work in an organization as large as the one I work in (10's of thousands of Windows desktops and something like over 10,000 Windows servers), you need the 'official' fix. Most of our desktops are patched automatically and our servers are patched per schedule. However, we test the patches as they are released from M$.
I have wasted many a Saturday doing MS-Patchathons because of an urgent fix that was rolled out. This is the way of things.
If you are running an unsupported O/S like Win98 then get a clue and upgrade. Yes, Linux is an outstanding alternative since it runs on just about anything, but in my experience, those who are running unsupported O/S's like Windows 98 simply don't have the experience to run something like Linux. There's nothing WRONG with Linux, it's just that getting up to speed on it takes more time than the average casual computer admin has time for. You know the casual admin who does that job because they're the only person who can do it; they actually have another job to do like accountant or maintenance person, etc.
Hey, there's one guy I work with who swears by BSD and runs it on the oldest, most obsolete hardware he can find, and you know what, that's fine. But 99.9999999999% of the general computing population is just not going to want to learn how to fix dependencies in a gcc library to get the 'X' version of tetris to run.
-Bart

Win 98 Security Advice Needed! (-1)

Anonymous Coward | more than 7 years ago | (#16270393)

Hi, I know I will get mostly sarcastic and humorous replies to this question, but I also know that I will probably get a lot of really useful answers, so here goes.
  I still use Win98 and I would like advice on how I can make it as secure as possible. For example, security patches (are there any other groups with reliable security patches for Win98, or do I even need them? Is the group mentioned in this article good enough?)
  I would also like advice on the best firewall and the best antivirus that will still work with Win98.
  I know that it must seem stupid to a lot of you that I am still using Win98, but why should I buy a new computer when this computer (which I bought in 1998) still does EVERYTHING that I need? The only things I use my computer for are surfing the Net, sending and receiving email, playing chess and other games online (none of which require a newer computer), playing CDs and playing my old PC videogames.
  The only thing I am concerned about is security. I need:
1. Security patches for exploits.
2. A newer firewall than the old one that I am currently using.
3. A decent antivirus program that works with Win98.

  I have shut down IE and I use the Opera browser, so at least I can avoid most IE problems.
  I would really appreciate any advice you can give me, as well as any genuinely funny, or at least mildly amusing replies.
  Thanks!