104 comments

[ 5.7 ms ] story [ 180 ms ] thread
https://mobile.twitter.com/hashbreaker/status/85322416941220...

The strange "counterargument" I commonly see on HN to any suggestion that Microsoft closed source software could potentially be unsafe for use on an internet-connected computer is that the company has "improved" since some earlier 1990's/2000's time period.

Are these commenters suggesting that other, open source operating system choices have not also improved since that time period? Should one consider how much did each respective system need to improve?

(By "other, open source operating system choices", I mean the ones that were able to connect to the internet for years before Gates decided the www was something his company should be interested in and to copy the TCP/IP stack from an open source kernel into the Windows kernel).

Are there convincing arguments why Microsoft deserves special treatment compared to the open source alternatives, i.e., why their users should not be permitted to freely evaluate the Windows kernel or Office source code via the public web? Are there compelling reasons why MS users should not be allowed i.e. given the option to edit/remove source code they are uncomfortable with and recompile? Consider the effects of limiting the number of people who can find and fix defects in a product.

Does closed source status of Windows make Microsoft's software superior to the longstanding open source operating system alternatives?

Their users don't need to be allowed to freely evaluate the source, period. When you write software, you control its distribution.

What the users are free to do, however, is use an operating system/stack that they CAN evaluate the source of.

If linux or any other open source alternative was a better actual product, it would find its way to the top of the market. In fact, it already has, on the server... by far. But linux wasn't made to be easy to use, to be quick and easy to install, to install other software onto, etc... and that has kept it back, and it kept it back long enough for microsoft to establish a de-facto standard on the home desktop market...

The closed or open source status of a product has no bearing over its superiority at all. Again, in the world of geeks, it may, but in the world at large, it doesn't, and really, it shouldn't.

The sentiment of "the better product will win" is understandable, but wrong as you present it.

Microsoft managed to gain a monopoly (legally or illegally - doesn't matter) and has used it to illegally keep others out, and network effects now (and for the past 20 years) have been that "goodness" measure - technical mediocrity had been sufficient (although recently they have been doing a lot of excellent technical work since the horrible 2000's)

In every single field Microsoft has not been able to leverage their monopoly (e.g. Phones) they are not in a dominant position, even though in some they maintain a competitive one (Xbox one, c#, SQL server)

This is very true, since the idea of meritocracy doesn't do a lot to overcome business inertia of being in a Microsoft Environment.

If there is a Linux solution that in every way exceeds a Microsoft Solution from a technical and price standpoint, you still need to weigh in the transition costs, employee costs, and the long term effect of changing. It's not always as simple as "X is better than Microsoft's Y, people will use it." There are far more things that get considered, and you can get tied down pretty heavily when your entire workflow and operations rely on a single product or vendor.

The longer you've been using a product, the harder it is to get away from it. It's not that Linux isn't good or making a lot of cool progress in all realms, it's that Microsoft does "good enough" and the transition isn't seamless enough for many use cases.

Part of why they succeeded was by being first. Linux was certainly much worse than Windows in the early days when people still used DOS together with Windows. Being first means it was massively better for those people at that time.

Plan9 lost out to Linux, perhaps partly by being too late. Do we blame Linux for being horrible?

As a user of both circa 1994 - no, Linux was definitely not worse. It was about a thousand times more stable, though it lacked e.g. A word processor.

When Microsoft produced win 2 and 3, they unfairly (and likely illegally) used their DOS and then Windows monopoly to stop competitors (DR DOS, BeOS, a few lesser known ones); they later used the Windows monopoly to embed IE and kill Netscape. It didn't matter that IE was, in fact, a better browser - everyone wanted Netscape, and it was only with the IE4 merge into the OS that Microsoft took the internet.

I was involved with one of the smaller and less famous Microsoft victims at the time, and I can assure you that regardless of technical merits, MS made very significant progress by playing dirty.

They paid billions in court for it, but economically it was worth it to them.

> to establish a de-facto standard on the home desktop market...

Doesn't this have a lot more to do with pre-installs, and the marketing power that comes with it?

Dell's XPS Linux line and the Asus EEE PC were/are both pretty popular with the average person, so far as I'm aware.

Indeed. No one wanted Windows until it came preinstalled.
But linux wasn't made to be easy to use, to be quick and easy to install, to install other software onto, etc

Just for the record in case someone isn't aware: Modern Linuxes are often easier to install and install software onto (as long as that software isn't written specifically for Windows or Mac OS.)

I find they still fail a lot of the time. Some issue's I've come across recently:

* no UI scaling for hi res. Sure you can change it manually, but you have to be able to read the login screen to get that far.

* Can't change login screen resolution (haven't seen a way to do this on any distro I've tried).

* Default is to max resolution available (I'd say 1080p is a more sensible default, especially if there is no automatic scaling).

* Secondary drives require manual mounting (or doing it yourself at the command line).

Pure nonsense. Or did you try a distribution from 2002?
Ubuntu 17.04. Is that recent enough for you?

I've tried antergos, red hat and a couple of others, all with similar issues. Many I didn't get far with because I simply couldn't read the login screen. Antergos doesn't even have user switching working out of the box but it was the only one that supported my graphics card until very recently. I used the gnome variant of each.

Ubuntu 16.04 or Fedora are likely to work better than 17.04. Regardless there is still hardware that does not have the best compatibility. Ubuntu does handle individual high DPI displays well though.
I've got the new line of radeon graphics card. 16.04 only supported some <1080p resolution, 16.10 supported 1080 and 1080p landed in 17.04. Red hat was a similar story. HDMI sound doesn't work with any of them.

It was quite frustrating to read about ATI's new open source drivers, purchase that hardware explicitly because of that and still have it not work, but it's nice that it's improved so much too.

Ahh... yeah it is still easy to fall in the cracks. When you get a good system and everything works it is beautiful, when it doesn't, you will be spending quality time with kernel parameters and resources like the Arch Linux wiki. I had a miserable time troubleshooting i915 on my Dell XPS 13" (latest edition). Very frustrating to have an officially supported Dell laptop with Ubuntu that doesn't even work right out of the box.
This has always been my experience too. I've installed Linux irregularly numerous times over the years and it's never worked 100% properly on any PC I've tried it on. It suffers I guess from having to run on the same wide range of hardware as Windows does, but with a testing and driver development budget of around 50p and some bits of fluff... still, when it doesn't work, it's my time that gets sucked up trying to fix it, and I'm unapologetic about being unhappy about it.

Things are improving compared to the past, though, because my latest install (Ubuntu 16.04 on my desktop PC) required minimal setup effort and only suffers from these problems:

1. volume control keeps popping up for no reason, and the sound stutters each time that happens

2. using 2 x NVidia GPUs disables XRandR, so some things don't work when I've got a 3-monitor setup

3. for reasons unknown, I can't get 2560x1440 on my 27" monitor (yes, I know, you can change the timings using XRandR...)

4. any time I click and drag in Firefox, Firefox crashes instantly

5. something crashes on startup on every boot (and, yes, I dutifully submit the autogenerated bug report)

However LAN+wifi+3D work, and audio has proven sufficient for basic testing. Things could have been a lot worse.

(Somebody on reddit told me "You have broken hardware or you're too incompetent and shouldn't be anywhere near any computer whatsoever". Well, everything runs fine in Windows... so, ouch.)

So if your machine/os/whatever does not run properly you might either fix it yourself or pay somebody else to fix it.

But really, no need to complain about the nice things that you got for free.

>> But linux wasn't made to be easy to use, to be quick and easy to install, to install other software onto, etc

> Just for the record in case someone isn't aware: Modern Linuxes are often easier to install and install software onto ...

I think my "often" accounts for this.

Also you are now discussing something else (hi res) vs general ease of use.

> Also you are now discussing something else (hi res) vs general ease of use.

I'm discussing the challenges I've run into getting to a working installation, which is a lot more time and effort than running the installer, yet still part of the installation process.

I have all of these problems with Windows.

So many apps fail with HiDPi that I just use an external monitor.

Having to compress folders by selecting "send to" and digging around the tray for an eject button, is something I can't figure out how to solve so easily.

You don't actually have to eject USB drives. Be default, windows doesn't cache writes to removable media.
> Can't change login screen resolution (haven't seen a way to do this on any distro I've tried).

Really? You mention in another thread, you used Ubuntu. So you apparently didn't notice this [0] or this [1]?

The issue with this and complexity, is that login screen resolution is often handled by GRUB, not Linux.

Edit: In future you can drop into a commandline via Ctrl+Alt+F1

> Secondary drives require manual mounting (or doing it yourself at the command line).

Install usbmount if its connected by usb, and it'll be automatic.

If it's an internal drive, try gnome-volume-manager and it's a tickbox away. (Which is on quite a few distros by default).

[0] https://askubuntu.com/questions/794074/login-screen-resoluti...

[1] https://askubuntu.com/questions/73804/wrong-login-screen-res...

> Really? You mention in another thread, you used Ubuntu. So you apparently didn't notice this [0] or this [1]?

Neither of those solutions are user friendly are they?. You think an average person knows what grub is? I did come across the second one actually, but I have no idea if the solution is still relevant or not. I haven't seen anything to indicate what login manager I'm even running, where is this information displayed?

I'm talking about kdm/gdm or whatever is installed these days.

> If it's an internal drive, try gnome-volume-manager and it's a tickbox away. (Which is on quite a few distros by default).

It's there and configured to mount at startup. I keep most of my steam games on there. But if I log in and start up steam all the games are missing. If I navigate to the drive through the file manager and then start steam then it will find them properly. I have no idea what's going on but it doesn't appear to be mounting the drive at startup.

> Neither of those solutions are user friendly are they?

Neither is Windows. [0]

Changing a login screen is a bit of a technical thing, for technical reasons. Maybe it could be better, but at the moment, everyone sucks equally.

> I haven't seen anything to indicate what login manager I'm even running, where is this information displayed?

Most distros use systemd nowadays, so this is something that is becoming easier:

    cat /etc/systemd/system/display-manager.service | grep '/usr/bin'
Otherwise, it can vary system to system. Because things are very customisable.

> But if I log in and start up steam all the games are missing. If I navigate to the drive through the file manager and then start steam then it will find them properly.

The sure-fire fix for this is fstab, but that is a bit technical, I'll admit. I don't mind it much, because Windows can't mount my Linux drive, and OS X can have mounting issues as well when confronted with partitions it doesn't know.

I'm guessing the partition type is NTFS, so try ntfs-config.

[0] https://social.technet.microsoft.com/Forums/windows/en-US/ff...

Thanks. Systemd is one of those things that's changed since I last ran linux so I've got a bit of learning to do there. Turns out ubuntu gnome is running gdm, which isn't surprising.

> I'm guessing the partition type is NTFS, so try ntfs-config.

Ext4 actually, windows has never touched this machine :) I did the fstab thing (I think) on the last install but this is getting beyond my comfort zone.

> Neither is Windows. [0]

IME windows has always gone the other way, it will default to a lower resolution which is uglier but more usable. And the login menu is at the resolution of the last user. I did have an issue recently where windows 10 was constantly switching resolutions though, it was the first time I've been grateful for the dell/intel crapware that fixed it.

> Systemd is one of those things that's changed since I last ran linux so I've got a bit of learning to do there.

Not kidding. Its one of those things that can run half the system, so its unsurprising to not know much about it. However, at least we have a consistent way of managing things now.

> Ext4 actually, windows has never touched this machine :) I did the fstab thing (I think) on the last install but this is getting beyond my comfort zone.

Yeah, this might be getting difficult.

We used to have pysdm, but that's out of date now, and doesn't even support UUIDs, so it won't help.

I think gnome-disks (which is GUI-based), might have a chance at helping, but we're running into the technical side of Linux that I wish was easier to manage for the average person. (You can install gnome-disks with apt-get install gnome-disk-utility if it isn't already installed).

However, it might just have the same issues as the volume manager.

Wish I could help more, but I don't know enough about what's going wrong for you.

> And the login menu is at the resolution of the last user.

Thankfully, that's an easy thing to do with Linux, thanks to symbolic links. [0]

But I agree, defaulting to a lower res would be so very helpful in situations like this. Hopefully this story gets better soon.

[0] https://askubuntu.com/a/578153

Ubuntu's support for less-common screen resolutions is atrocious. Aside from its poor support for hi-dpi, if you try to install it when using low-res display hardware (like VirtualBox's emulated GPU) some of the important installer UI extends off the screen and cannot be seen or clicked.
The worst thing is that with Qt or Gtk there is zero excuse for this. Someone went out of there way to created a fixed width window.
"But linux wasn't made to be easy to use, to be quick and easy to install, to install other software onto, etc"

For what it's worth (which may be not a great deal): I have installed a lot of Windows and Linux over the years, but my Windows experience has been lackin further and further behind these last few years. A short while ago, I had to a rare chance of setting up two identical machines side by side, one with Windows 10, one with Manjaro, an Arch Linux derivative. The Linux install finished sooner and with less need of interference than the Windows one. It also didn't require preparatory messing round with weird licensing codes and what have you, and of course it didn't require one tenth the amount of postprocessing to reach the desired level of functionality - compare the twenty second operation of setting up a LaTeX which worked to the corresponding twenty Windows minutes of setting up one which didn't.

Your anecdotal mileage may obviously vary.

You needed twenty minues for

  choco install latexdistofchoice 
?

(Yeah, I know, I'm being a bit facetious. I omitted three additional lines of PS to first install chocolatey...)

I need a lot more than twenty minutes to learn about and ascertain the validity of some third party installation robot, which your choco-thing appears to be.

I then need some minutes to get it started.

And yes, installation proces itself took something on the scale of ten to twenty minutes.

Pacman -Syu (or Pamac if you're in a clicky mood) took care of everything in less time than the BibTeX took to download download.

> I need a lot more than twenty minutes to learn about and ascertain the validity of some third party installation robot, which your choco-thing appears to be.

> Pacman -Syu

So it's basically "I know one system much better than the other". And your ignorance is somehow the fault of the OS now?

If you fail to understand the difference between an integrated package management system overseeing all or most software installation, and a third party bolt-on component like your chocolate robot, we may not really have the basis of a meaningful conversation here.

Anyway, I am not putting anything or anyone at fault. As clearly stated, I was relaying some anecdotal evidence of probably very littly use to the world at large.

A couple of years back, I installed Windows Vista on a Lenovo something (no idea what). Took me three days to find most of the drivers and get it all running, and about an hour to do the actual install. I ran it for a few weeks, then the software I was using had a Linux release, so I threw on Kubuntu (15.04 I think it was). Took me no effort to get drivers, as everything (bar the ancient Geforce 3D drivers) just worked out of the box. The system prompted me to install the 3D drivers, and I was done in under an hour.

Windows Licensing had a funny issue, though - I typed the number in, it rejected it, so I typed it in again, verified every character, it rejected it, typed it in a third time, it accepted it. Installed, booted up, and then it told me that I didn't have a genuine Vista (although the sticker on the system was genuine). I used it for a bit, intending to fix it later, and then one day it popped up telling me I needed to activate the system with a genuine number, which it did without asking for a new one, told me happy things and enjoy my Windows experience.

It's enough to drive you to drink...

>If linux or any other open source alternative was a better actual product, it would find its way to the top of the market.

If only the world worked like this..

You probably won't see it happen today, but in the past, it wasn't uncommon for Microsoft to threaten companies with made-up charges, bribe the police to raid their offices and steal their hardware and data, just because they opted to use a different product.

> But linux wasn't made to be easy to use, to be quick and easy to install, to install other software onto, etc...

You can only say that in comparison to Windows if you haven't tried installing both any time in the past 15 years.

(comment deleted)
I have installed both multiple times recently...

Linus is NOT as easy to install software into, its a different process for different distros... if what you want isnt in the repo of your choice you have to add repos (because politics matter in software apparently)... lets not even talk GPU driver issues...

I work on linux and mac, and I play on windows. Im familiar with all 3 environments (including various distros for linux). I'm not ignorant of any of the processes. And while linus is easier for me for the most part (I find OSX to be the simplest "plug and play" OS out there, honestly) - for the average user, its just not...

Windows : Not Ready For The Desktop

https://andrewhickey.info/2012/04/07/windows-not-ready-for-t...

Most Windows users never install Windows.

No, they chose to buy a computer with windows on it...

And an article starts with complaining that its not free (money) and not open source - it makes it very clear the level of bias right off the bat.

It's a commentary on presumptions. Did you seriously fail to realise this?
Microsoft was really really bad at security. Then the internet became a popular thing. I think an fresh xp install would, on average survive 15 minutes before getting infected by blaster. Microsoft, to their credit, improved dramatically. I don't know if they're extraordinarily good compared to other software producers. Microsoft gets the mention because it was so very bad, back in the day.

It's kind of like when a very lazy person turns into a marathon runner. They made huge changes.

(comment deleted)
There were versions of windows, 2000 if not XP, that could and would get infected in-between the time the network stack initialized and the local software firewall initialized a second or two later. This was actually addressed and fixed, because it was not a unique experience. That's how pervasive and wild the exploit network traffic was before MS got their act together.

Edit: My google-fu is failing me, and I can't find the right keywords to find a reference to this, but I distinctly remember it. Back in the days when firewalls weren't quite as pervasive, and especially not for small colo deployments.

I saw this first-hand when installing Windows 2000 using Parallels circa 2006. I mistakenly believed the configuration I had chosen had the VM behind the Mac's firewall, but it wasn't. The VM was infected before Windows 2000 could install the latest updates... just a matter of minutes.

This is not as extreme as you are describing, but it was also on the corporate network of a large company, not the open internet.

Indeed. But becoming a marathon runner who finishes in 7 hours, after the finish line has closed, and doesn't get a medal because the cut off was 6:30 :)

No, it's a great achievement, but there's still room for improvement.

I don't support anyone hiding source code from users (and have given conference talks about hard-to-detect ways of backdooring binaries), and so I don't mean this to be an excuse for the secrecy of the source code, but every single person I know who's worked in the security industry agrees that Microsoft made a major qualitative improvement in their security at every level, based on spending a lot of money and giving security people power in the development process.

Most people feel Microsoft is managing security better than the main Linux-based operating systems do, in terms of auditing, coding standards, code reviews, and developer security education. (That doesn't mean that they're doing this better than each and every individual open source project.)

Some of the people agitating for giving Microsoft more credit about this have personally seen the results, as in-house or contracted developers or auditors.

It can be hard to make an apples-to-apples comparison about what this means for the security of deployed systems because people are potentially using the systems in different ways with kind of different attack surfaces. (For example, quite a few Windows desktop users may still be downloading unsigned binaries from HTTP sites, which Linux users would be less likely to do because of the prevalence of package managers -- though maybe some of those Linux users will do the curl | sh thing from an HTTP site too.)

I don't think that a typical open source project has improved to the extent that Microsoft has during this timeframe, though, again, it's hard to know exactly what to compare or how to compare it.

That's a really complete argument. But there's still the elephant in the room of the whole operation being closed source, and the inability to do quantitative analysis into the improving security of a closed source system.

People on the inside can say there have been qualitative improvements, but that's not measurable on the outside and so is no better than hearsay and conjecture. Meanwhile in the GNU/Linux world, you can browse the git repositories and see and audit every step in the development process if needed.

Is it possible that typical open source projects didn't NEED to improve their security over the same timeframe, given that the F/OSS world didn't fuck users over for two decades with unfixed 0days?

Meanwhile, the OP here is talking about Word which is likely a world away from the improving security team working on Windows. Hell, I'm surprised they've got more than a skeleton crew working on the desktop version of Word anymore. People in my community 60+ have been using Google Docs for the last five years already.

We will never know the answer to your assertion until more than 1% of the OS market is open source.
And _this_, ladies and gentlemen, is why we have disclosure deadlines for security vulnerabilities. For example, Project Zero expects vendors to fix security vulnerabilities within 90 days of notification.

Looking at this story, it's possible that 90 days is almost too long and should be shortened. As time goes on, it's becoming more and more common for multiple parties to become aware of the same vulnerabilities. Not all of those parties have good intentions, as we see here. Shortening the window of exposure is key.

Next up on HN: extreme outrage after a botched security update breaks hundreds of millions of machines. Not all bugs can be fixed with a simple one-line fix, and the faster patches need to be cranked out, the lower quality they'll be.
Well yeah, if a patch for a single application broke machines then the outrage would be deserved.
Or maybe people stop shipping dogshit?
There was a simple settings change for a temp fix on this one too. When there is even a remote chance a bug is being exploited in the wild it needs to be disclosed. Corp IT can work around it almost always. Individuals can as well. This argument that "it's complex to patch" is a non-starter at best. We the users deserve the option to decide how to deal with it. Silent exploitation is how we all lose, even the vendor.
In which case the users need to be informed of the security risks they are taking by using that software. Hiding risks is not the answer.
It says it right in the article:

> "We performed an investigation to identify other potentially similar methods and ensure that our fix addresses [sic] more than just the issue reported," Microsoft said through a spokesman, who answered emailed

If MS had immediately patched CVE-2017-0199, only for someone to reverse the patch, discover an identical exploit somewhere else in the code and commence immediate abuse, people would crucify Microsoft.

From the article, it seems clear that Microsoft scheduled a public release of the patch as soon as it became clear it was being publicly exploited.

Vendors, even ones as large as Microsoft, do not have infinite resources available to evaluate vulnerabilities. There are only so many of the issues you can work on at once. They have to evaluate each issue and prioritize the fix. In this case, they merely did not recognize the potential scope of the problem at hand.
That's true, but it doesn't matter. It's still broken.

That's why we have automatic release after a set time. Because it's a problem for the public even if the vendor has zero resources. The ability of the vendor to fix the problem is not related at all to the potential damage the problem can cause.

Worst-case scenario? The software is shutdown and/or withdrawn from the market because the vendor can't fix it. Not that the vulnerability isn't announced.

What we need is a public and open way to do this that doesn't involved walled gardens.

I don't want anyone to be able to shutdown and/or withdraw software that I'm using for any reason. That cure is worse than the disease.
Personally I don't want you to have to. As far as I'm concerned, if you're notified in big, red letters (perhaps every time the software starts)? Works for me. As long as you know -- and are reminded. (That's because different people use the same software. If the notice only appeared once, a new person might start using the software/machine and not be aware of what's going on)

But if you had a piece of software with a terrible vulnerability that was currently being exploited to do some sort of terrible harm? Beats me. Does my right to use the internet without being DDOSed override your right to use unsafe software if you want?

Not sure why you're down voted. I had the same thought as parent, but this seems like the answer.

A standard splash screen on load that pops up for 10 seconds and says "this program has known active vulnerabilities that are unpatched". If people choose to ignore it, that's on them. Cheap and easy, no?

That still requires that a third party is allowed to flash things on my screen without my explicit consent.
Does it?

We already have a solution to this, which I hate: walled gardens. I'm exploring options that preserve the peace while not letting companies effectively own their users.

Maybe there is no answer that makes everybody happy. That's why it's worth asking questions.

Just so I understand this, you're saying that if you have a piece of hardware that's say, taking down the local ISP because you're running compromised software on it, you don't want to even be notified before your box is compromised or that there might be a problem.

Well, dang. Something's going to happen. That much is sure. What's the first notification you'd like that you're destroying the internet experience for others and perhaps ruining a local business? SWAT team at the door?

I hear your complaint. I'm just not able to figure out how it makes sense.

I don't want other people to be able to change things on my computer. If my setup is causing problems on their end, they have my contact information and can tell me over traditional routes. An ISP can cut off my internet connection if they detect suspicious traffic.
There's also an aspect of "capitalist tough-love".

Sometimes companies do have resources for fixes and for general security-quality, but they don't budget or prioritize because there's no strong economic incentive.

(comment deleted)
Nah, that's more false than it is true. I've seen Microsoft sit on cases simply because they can. I'm sure that they were not resource-bound in this case, they simply didn't make it a top priority. Their self-imposed timeline is 180 days by default.

Unless it comes from Google of course, because they know Google take the 90 day deadline seriously (or 7 days for active attacks such as this).

That alone speaks volumes, and pretty much validates the necessity of Google's forced disclosure policy.

Not everything is a trivial webservice with zero users, that can be patched overnight with no impact.
I'm not sure how that's relevant.
That's relevant to the time it takes to fix a vulnerability and deploy the patch.
I thought that it is the norm for M$ to hand out the zero-days to the 3-letter-agencies for "a while" and patches them ONLY when someone else gets hold and starts using the same vuln.. so it makes PERFECT sense that they would do something like that.

Also who in their right mind allow Word/Excel/Powerpoint to access the internet? (oh yes it's called "365" and it makes software, that is completely unfit for the task, to access the internet)

Not sure why you're being downvoted. This is literally the company that built in "_NSAKEY" into the kernel, which is still present (just called "_KEY2" now.
Putting some sort of security backdoor or snooping feature into your software (likely by government order) is pretty different from 'M$ gives 0days to spy agencies and delays fixing them'. _NSAKEY, whatever it is, doesn't resemble the situation the original article is describing.
If "_key2" is an public key embedded within Windows, then presumably there exists one or more holders of the private key somewhere - what exactly are they able to do with this key?

I've seen a lot of concern about "_key2" and "_NSAKEY" being expressed over the years, but scant technical detail.

We need civil penalties for failing to patch any serious vulnerability (that can be defined as RCE, priv. escalation, etc) within 30 days of disclosure.

If you can't patch it, you must issue a patch that announces the vuln and disables the minimal set of functionality that enables it. Even if that's the whole program.

So, turn a nontrivial set of vulns into successful DoS attacks?
Yes. That, in turn, will give the economic incentive to not have the vulnerabilities in the first place.
Or for software not to get written in the first place.
>Or for [buggy] software not to get written in the first place.

FTFY

We place too much trust and rely too much on computer systems these days to have the luxury to write software like we used to.

No don't twist my words. I meant I'm sure as hell not inventing something new if it sets me up for civil liabilities. It would kill innovation.
> meant I'm sure as hell not inventing something new if it sets me up for civil liabilities.

And I'm arguing that not doing so might be a good thing. I shudder to think how we'd be off if other infrastructure disciplines took the same approach we take to develop software.

If you build something that people use in important infrastructure, prepare to be on the hook if it fails.

So if you write some toy PID controller for your kids LEGO project and post it to stack overflow, should you be held liable for all the places it is used?
I don't think a person should be held liable in this case because the solution was clearly labeled as a toy, and not as a serious solution.

If this person presented it as a real solution, however, then yes I believe he should be held liable, as much as a lawyer would be for recklessly giving out legal advice.

In either case, The developer who built upon the solution without validating it or verifying its correctness should bear most of the blame, regardless of how the answer was given.

If the security externalities impose on the society a burden that is bigger than the benefit provided by the software not writing it in the first place seems like a good idea.
(comment deleted)
I don't the think we need this. It follows the strategy of "just create one rule and penalty for everything bad that can be done." The result is more regulations than can ever be learned, except by total specialists that devote their entire career to compliance in one particular area, huge enforcement costs, and typical government incompetence (we have clean water regulations, doesn't stop them from being broken constantly).

IMHO, a better solution is to create legislation that forces software to be sold and distributed under a set of public, common terms.

If the rest of the market worked the way software does, everytime you went into a restaurant, bought a book, or used a photocopier you first would sign a long contract freeing that business of any liability whatsoever.

If I go to a restaurant and the Food poisoning kills my family, I can sue them. If I buy a book at the store, the store cannot mandate that I not read the book on Sunday. If you buy the book on Amazon Kindle, they are free to stipulate pretty much anything.

If software and digital products were sold with universal, reasonable terms, companies and individuals that were damaged by grossly negligent behavior could sue and have those damages repaid to them. This incentivizes companies to behave better. It is also more general purpose. We don't have to add one new regulation for every way a company can possibly be grossly negligent.

"A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in."

In their monthly update, couldn't Microsoft have released a patch to have this setting to the correct configuration? Of course this would only be the short term solution, rather than waiting for 9 months for the permanent solution.

I guess the reason is that by studying the patch, even a short term workaround such as this, you can deduce what the vulnerability is and quickly knock out a working exploit. I'm not suggesting that security-through-obscurity was the correct choice by MS, or the time taken to build a comprehensive fix was acceptable, but from the article it seems that this has been a bit of a gnarly issue to solve properly and even a cursory fix might reveal deeper seated issues.

I'm not defending MS here, but I imagine that Word's codebase is a helluva pile of cards to work on. Especially given that it can still open document formats such as WordPerfect 5 which date back to 1988. Add in all the legacy OLE automation stuff, a VBA environment and all those shims and backwards compatibility things that MS are known for (see Old New Thing blog) that translates as "One Does Not Simply Patch Word".

This is why what McAfee did is ok. It was already being exploited. This got it patched and let Corp IT roll out a settings change to fix it immediately. Google's 90 day policy from its team is also sane. Letting bad bugs live on in the dark after submitting to a vendor is clearly more dangerous for everyone.
Not really, according to the article the sequence of events went

* Microsoft warned in March of active attacks

* Microsoft schedules patch for April 11th

* McAfee sees attacks on April 6th

* McAfee publicly explains how to use the exploit on April 7th

* April 9th attack-kits are publicly for sale

* April 11th Microsoft releases public patch as scheduled

McAfee fucked up here.

Microsoft was formally notified of the vulnerability in October 2016. Why leave this out of the timeline?

The researcher that found the vulnerability first noticed it in July 2016. Between July and October he had gathered even more information about the vulnerability, presumably in his interest to demonstrate how serious the matter is, as well as a likely attempt to procure as large a bug bounty as possible.

If Microsoft was presented with such a serious vulnerability and didn't address it properly for over half a year, I would say that they are the owners of the lion's share of the responsibility here.

I don't see why. The whole thing seems wrong. Having privacy and keeping secrets seems to only encourage the bad security practices. If instead every vulnerability discovered was immediately shared, our society as a whole, and especially the IT sub culture, would work quite differently. We would value security far more. Right now, it is easier to justify having less focus on security because when someone does find an exploit they'll help you patch it up before it is out of control.

On a very fundamental level, someone engaging in the free exchange of information, and this information being useful to people wanting to know what is or is not secure, cannot be a fuck up.

Microsoft had a security flaw. That's a fuck up.

People used that flaw for immoral actions. That's a double fuck up.

McAfee shared information letting people know about active security threats. That isn't a fuck up.

FWIW, I'll note that Google has a 7 day policy for issues that are believed to be under active exploitation.
Thanks, I didn't know that. I really appreciate the work you and others do/did at project zero, btw. It is hard to understate the impact it has had on changing people's minds about disclosure (anecdotally of course).
What's more interesting than vulnerabilities being found is vulnerabilities being created. I used to think they were progressively eliminated so older software is safer. But is that true? Is MS accidentally creating new ones faster than they're patching old ones? Same goes for any software.
I'd imagine the rate is more or less constant, with the exception of very new software.
The answer is yes:

> Despite being Microsoft’s newest and ‘most secure’ operating system, Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each).

https://www.avecto.com/news-and-events/news/94-of-critical-m...

And if you've used Windows 10, you'd already know that. Windows 10 has added a ton of new features/crap. The Q&A has suffered, too, and Windows 10 has been quite buggy so far, ruining some people's computers, etc.

And since we were talking about Word, here's another tidbit from the same source:

> Microsoft Office products were the subject of 79 vulnerabilities, up from 62 last year. This represents a 295% increase in Office vulnerabilities since 2014.

The amount of bugs likely increases in general, too, because more code = more complexity = more bugs and bigger attack surface, especially if we're talking about "improving" or adding on top of an old codebase, as is the case with Windows and Office, as opposed to writing something from scratch (which may benefit from safer languages sometimes, newer safer architectures, etc).

Even though there is a lot of work in computer security, those stories really scare me and I wonder if I would dare working in this field. I wonder if hackers already lost their life due to their work in computer security, and I would not like to fall in the crosshair of russia right now.