




Microsoft Drops Next-Generation Security Project [updated]
grooveFX points to this CRN article which starts "After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said..." grooveFX writes "Glad to see they actually listen to the gripes from the media and users."
Update: 05/05 19:13 GMT by T: phil reed writes "Oops. According to this article on Microsoft Watch, Microsoft really isn't giving up on NGSCB (aka 'Palladium') after all. Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology."
Next goal for Microsoft (Score:5, Funny)
What? (Score:4, Funny)
Re:What? (Score:3, Insightful)
[-1, Pedantic]
Re:Next goal for Microsoft (Score:3, Funny)
How would anyone notice?
NGSCB NOT a security project. (Score:5, Informative)
Please stop making the mistake of thinking that NGSCB was ever a security project. It is simply the newer name for "Palladium", Microsoft's total lockdown and DRM system to create a "trusted" (by the music industry, not by you) computer.
Microsoft dropping this is good in every way, except that its ghost will return in other forms for sure...
Re:NGSCB NOT a security project. (Score:5, Insightful)
People always forget that this is just a tool. It can be used for good or ill. Hospitals could've used it to secure your medical records. You could have used it to secure and authenticate your tax returns before you sent it to the IRS. People who use the GPL could've used it to enforce the GPL! No more guessing if someone has stolen your GPL'd code - you'd know. NGSCB is just a tool. Both NGSCB and Palladium are security projects, it's just that the DRM/RIAA/MPAA use of the tool is objectionable. It does not mean that the technology is worthless or "evil".
--
Cain.
Enforce GPL? (Score:4, Insightful)
*How* can NGSCB and Palladium be used to enforce the GPL?
Oh, by tying the source code to a key, which makes it impossible to change the source code and use the same key... but the verification is against the key. By tying the binary to a key, and making it impossible to modify the binary? So, rebuild the binary, and key use is lost.
In other words, these measures *can't* be used to enforce GPL. So much for this tool.
Now, is Palladium a security project? Well, yes, but not for the end user. Indeed, the end user can run the same old trojans, etc. as before. Palladium *will* prevent the trojan from accessing data that has been "protected", by kicking out the unsuitable software.
It was NEVER meant to secure YOUR stuff -- if you want that, go use GPG, etc. I assume that even MS Outlook must have some integration with GPG! (all of my emails are digitally signed).
Ratboy.
Re:Enforce GPL? (Score:3, Insightful)
Hmmm. To be honest, I hadn't thought through the entire chain of events. The idea from a high level though is this: imagine the worst possible nightmare scenario for music distribution. Now music is just data and source code is just
Re:NGSCB NOT a security project. (Score:4, Insightful)
Yeah, but when someone is designing and building a tool it is appropriate to look at the intentions of the builder and the design goal.
The central design goal of the system is that it be secure against the owner. Specifically, the owner is forbidden to know his own key or to have full control of his own key. If you read the engineering specs of the Trusted Platform Module (also known as TPM or TCPA chip or Fritz chip) it extensively and repeatedly states that it must be secure against the owner. Entire sections are devoted to what the owner is to be forbidden to be able to do. It explicitly states that if the chip dies then it MUST be impossible for the owner to be able to recover his data.
The system was designed with malicious intent, therefore the system itself is malicious (or evil).
You claim this is a tool that can be used "for good or ill". In fact there do not exist ANY ways this could benefit an owner that you can't accomplish just as well with a nearly identical and non-malicious system.
All you need to do is give the owner a printed copy of his key. Such a system could have identical hardware. And with identical hardware your computer has precisely the same capabilities to protect you. There is no possible way that merely knowing your key can reduce your computer's ability to protect or help you.
The only difference is that if you know your own key then you have actual control over your own computer. You can unlock anything on your computer if you choose to do so. That means it is impossible for someone to hijack your computer against you to lock you into something. It means it is impossible for someone to hijack your computer against you to lock you out of your own files. Your computer can no longer enforce DRM against you and against perfectly legal and legitimate uses.
With one trivial change the owner can get EVERY claimed benefit of trusted Computing and you can eliminate EVERY possible abuse of the system.
They refuse to sell beneficial systems such as I described because their motivation is precisely to impose abuses against owners. To impose lock in and lock out and to deny owners control of their own property. If you know your key then your computer is no longer "Trusted" to act against you.
Hospitals could've used it to secure your medical records.
They could do that with the alternate system I described. Hospitals (or any company for that matter) could get just as much security from computers that came with copies of their keys. They could lock those keys in a safety deposit box, or they could simply burn the keys without even looking at them.
You could have used it to secure and authenticate your tax returns before you sent it to the IRS.
Identical hardware where you know your key is just as secure against viruses and trojans and hackers.
I have no idea what it means to "authenticate" a tax form you just filled out before sending it in to the IRS, but I guarantee that you don't need a Trusted Computer to do it.
People who use the GPL could've used it to enforce the GPL!
That is impossible, as others have already posted. Trusted Computing is inherently incompatible with the GPL. Hell, Trusted Computing (and any DRM system) is inherently incompatible with copyright itself. Using DRM means abandoning any reference to what is legal and what is not legal and simply substituting the DRM capabilities/restrictions in place of the law.
Not only is Trusted Computing malicious, it is also worthless. Your computer is your property, the Trust chip inside is your property, your key hidden inside your chip in your computer is your property. You have every right to rip open your computer and read your key out with a microscope. They can make it a pain in the ass to do, but they can never prevent you from doing so. The moment you read out your key
Re:NGSCB NOT a security project. (Score:5, Informative)
Except it's NOT being dropped according to a WinHEC talk.
Microsoft-Watch [microsoft-watch.com] has details,
Who to believe?
Re:NGSCB NOT a security project. (Score:5, Funny)
Re:anyone can cut and paste, troll! (Score:3, Insightful)
Yea, it's a cut and paste of the "troll" parent. The point, which you managed to stumble blindly through with the grace and elegance of a wino smashing a liquor store window, is that just because you don't agree with it, that doesn't mean it's a troll or it's not true. Why did you zone in on the Linux parts? The whole thing isn't about Linux, but a lot of the criticisms, while short on explanation and curt, are true to some extent or another. They're good starting points for getting you actually THINKING a
no, MS security plans have now leaked (Score:5, Funny)
Re:Next goal for Microsoft (Score:5, Funny)
Re:Next goal for Microsoft (Score:3, Interesting)
When a linux only third party piece of software comes up with a vulnerability, it is grouped with "Linux" and raises the total "Linux" vulnerabilities.
That's a fair assessment if you're paid well enough.
psst, your bias is showing
4 linux kernel vulnerabilities (this includes all kernel vulnerabilities and distro specific stuff)
3
Re:Next goal for Microsoft (Score:3, Insightful)
...no most slashdotters dislike M$ because their products fucking suck and their mercenary business tactics drive decent companies out of business.
Just and unjust security criticism of Linux (Score:5, Insightful)
a) Despite the increased amount of bundling Microsoft's done over the years, a "Linux distribution flaw" is still awfully different from a "Windows security flaw". A Linux distribution is composed of many, many more lines of code and pieces of software than Windows. If you want to include security problems with Open Office, it's only reasonable to include security problems with MS Office.
b) Local exploits attract attention on Linux. A lot of "exploits" in Linux are local attacks. Local security on a Windows box is pretty much a lost cause.
c) When Microsoft discovers a security problem and fixes it internally, they don't say "fixes a security hole in...". They just bundle it with some other set of fixes and stay quiet. You won't hear about it.
d) MS has a PR department that spins bugs as "issues" and tries to dampen criticism of security. In the open source world, people generally call "bugs" "bugs" (and frequently wishlist items "bugs", which would drive companies with marketers bananas).
e) Many previous Microsoft security holes just wouldn't happen in the *IX world because of the more security-oriented culture (note that I suspect that Microsoft is improving here). MSIE and Outlook grant a lot of power to remote websites to cause execution, to modify bookmark lists, and the like. Windows NT infamously shipped with a blank Administrator password (and no prompt to set one during the install process), all drives shared by default *invisibly* (they were administrative shares, and the only security in place was the fact that Microsoft clients didn't display administrative shares remotely), and automatically reshared drives upon reboot if sharing was turned off on a drive.
f) Microsoft has been known to blame sysadmins for security problems ("Well, yeah, your network was compromised and your data destroyed by the latest virus, but you didn't firewall our systems, and we released a patch a week ago which you should have deployed.") *IX boxes were designed to sit on a network and be fully accessible, and "firewalling to fix implementation flaws" is not an interesting approach to most *IX admins. Plus, most open source contributors *are* sysadmins to some extent.
Want to do some *real* security criticisms of Linux? How about the following:
* Red Hat was trying to set a new golden security standard for Linux by adding SELinux *by default* starting in Fedora Core 2. This would have allowed giving limited access to things to processes (a sore Linux lack), helped make software SELinux-compatible, and paved the road for other distro vendors. Red Hat, after two test releases, finally just backed down on including SELinux enabled by default in FC2, saying that it just caused too many problems at the moment. This represents a loss of a year at least in moving to a much more powerful and secure security system.
* Stack overflow protection mechanisms are still not standard in the Linux world. The only distro vendor that I know of that definitely includes such a patch enabled by default currently is Red Hat with exec-shield. In contrast, *Microsoft* just added stack execution blocking to Windows.
* Filesystem ACL support in Linux today sucks. A lot. A software author cannot rely on filesystem ACLs being present (since they are not by default on most Linux boxes) -- just old-style *IX permissions. One can improvise to get *some* of the ACL functionality by cleverly nesting directories and adding users to extra groups for each directory in question, but most Linux boxes *still* have a 32 group-per-user limit. The *IX permission scheme is simple, fast, and easy-to-audit. However, it is lacking for many users -- there are a lot of sysadmins out there who'd like to be able to say "Anyone in Development can read or write this directory, Mary and all of the Marketing gro
Ahead of its time (Score:4, Interesting)
Re:Ahead of its time (Score:2)
I still run Linux.
Re:Ahead of its time (Score:3, Informative)
Re:Ahead of its time (Score:3, Interesting)
Security != Trusted Computing? (Score:3, Interesting)
Definition of trusted computing (Score:5, Funny)
Trusted computing, therefore, facilitates reduction of competition.
Re:Definition of trusted computing (Score:2, Insightful)
Informative? Funny maybe, but informative? Is it informative if I paste one definition of open as in open source?
"Not yet decided; subject to further thought: an open question."
There's a few people out there that'd see that as an accurate / informative definition.
Re:Security != Trusted Computing? (Score:2, Funny)
Re:Security != Trusted Computing? (Score:2, Insightful)
This would have been useful for Voting systems (Score:4, Insightful)
It also would have opened up new markets. It's interesting to note that all of the great innovative periods in human history have been carried on the backs of breakthroughs in travel, commerce and communications. Even the lowly canoe can be credited for the rapid westward push in Canada and the US. (Shame about the beaver however). The invention of "coin of the realm" and accounting practices allowed goods to be passed over huge distances; even the Marco Polo trail carried "mail-order" goods.
At present we don't have ways in place for people to watch digital movies and other protected content in ways that the owners are willing to produce or share their content for. Let's not get into an RIAA riff here. The point is that lots of people do want to "rent" content and watch it and without a secure communication channel they can't.
Likewise things like internet voting and commerce transactions are held back by the lack of ubiquitous secure channels.
Thus while I disliked the implications of NGSCB for having control over my machine I would have liked to have had one in my house. I'd have two computers. One for my own uses and one for the cases where security outweighed the other issues.
Palladium (Score:5, Interesting)
Surely this is pretty good news and indicates that MS might not be so able to force these kind of security measures on their customers.
Although I imagine knowing Microsoft, the problems were at least as much technical as political, and they just gave up considering it to be "too hard and we can't be arsed", just like WinFS.
Re:Palladium (Score:4, Interesting)
Yes it was. Bye bye Palladium! Can we all say thanks to Microsoft for getting rid of (or at least delaying and renaming) this crazy project? This could be the start of "Say something nice about Microsoft day!"
Re:Palladium (Score:3, Informative)
Now now, I wouldn't go quite that far.
How about: "Breathe a huge sigh of relief day"?
Re:Palladium (Score:5, Insightful)
So yes, bye-bye Palladium is good news. It will come back, in some form or another, anyway (look at the recent IBM announcements about their trusted computing research)
Re:Palladium (Score:5, Funny)
That kind of talk will get you banned from Slashdot
So what about the palladium bios? (Score:3, Interesting)
So what happens to the palladium bioses that the bios companies were building? Are they also going to be shelved?
YES (Score:5, Insightful)
Can we please get this modded past all the responses that seem to think that NGSCB has something to do with security. NGSCB aka Palladium is/was Microsoft's locked down "trusted" computer project, meant to facilitate DRM. It never had anything to do with security save for in name and spin.
This is a good thing of course, but I seriously doubt it means that Microsoft won't find other ways of sneaking locked down computers on us in the future...
Re:YES (Score:4, Informative)
Capabilities are great, and I hope we see them in normal operating systems (not just the likes of EROS) some time. User hostile hardware chips meant to prove to record companies that the DRM software on the machine is not circumvented I hope we never see.
Re:YES (Score:4, Insightful)
To my knowledge no TCPA proponent has even responded to the EFF - proving their true intentions.
Uh...just like WinFS? (Score:3, Informative)
This is why people complain about Slashdot's misreporting and falsehoods.
They never "gave up" on WinFS. WinFS is alive and well. All the MS blogs were making fun of the reporting on this--all that changed with WinFS was that some network things were taken out of it, extraneous features not required for it to work
A few suggestions (Score:4, Insightful)
I've got three suggestions for Microsoft on the issue of security:
Like the airlines think Safety, Safety, Safety - Microsoft need to adopt the slogan.. Security Security Security
Simon
Re:A few suggestions (Score:5, Funny)
And some sort of chant -- maybe a dance
Re:A few suggestions (Score:5, Funny)
Let's hope they get past "developers developers developers"...
Soko
Re:A few suggestions (Score:5, Funny)
Re:A few suggestions (Score:5, Insightful)
Re:A few suggestions (Score:5, Interesting)
Problem is, people (particularly Windows users) buy features before they buy security. Sad, but true. I've made a nice little freelance business out of it. Funny thing is, though, I haven't had to do a whole lotta worm fixing for them. If they're keeping up with their machine, then the value of being 'worm proof' goes down even further, thus making Microsoft sting from the lack of features driving their sales.
Does it suck? Sure. Real life is funny like that.
It's because they gave up. (Score:4, Funny)
IMHO that's because Windows users have given up on getting security. B-)
With a choice of an insecure platform with fewer features or an insecure platform with more, of course they'll pick the one with more. Just think: They might actually be able to get something done between crashes, infections, and reinstalls.
Re:A few suggestions (Score:5, Interesting)
Re:A few suggestions (Score:4, Informative)
Re:A few suggestions (Score:5, Informative)
Re:Except...it didn't happen that way (Score:3, Insightful)
Re:A few suggestions (Score:5, Interesting)
1. Dumping Features would break lots of stuff. I suggest that they don't ADD any more and fix what they got!
2. Um, gcc prevents this?? There's no language that prevents these types of things. Even if you write with a language that supposedly does not have Buffer Overflows, you still rely on other modules that were written in a language that does allow them to happen.
3. UNIX and Linux both have 20 ways to do things as well. It's called choice. You choose the best for your situation. I think what you mean is that ActiveX components used on the web should never be allowed to stray out of the web sandbox nor should they be allowed to execute code. And another thing...the mail client should NEVER be allowed to execute code without asking the user forty times!
Re:A few suggestions (Score:5, Insightful)
And another thing...the mail client should NEVER be allowed to execute code without asking the user forty times!
And I bet you'd still have users that would click the "Yes, I'm an idiot" button forty times just so they could see the pretty new screen saver their friend so thoughtfully sent them!
Re:A few suggestions (Score:3, Funny)
I thought Microsoft's slogan was
"Developers developers developers" ?
http://www.ntk.net/media/developers.mpg
It's time to tighten up C++ (Score:5, Interesting)
Yes. I've been trying to get the C++ committee to tighten up that language for years, with little success. It's time to get more serious about this, and apply pressure via ANSI (which is supposed to insure that standards are safe) and the Department of Homeland Security's National Cyber Security Division. Like it or not, we need to go to full subscript checking for anything that could possibly be exploited. The resulting 10-20% performance hit is minor compared to the costs of dealing with these attacks.
I've sent this to the C++ committee:
The Sasser worm exploits a buffer overflow in Microsoft's LSASS service, which is, apparently, written in C++.
Perhaps more weight should be given by the Standards Committee to tightening up C++ and making it a safer language. The Committee has consistently rejected most suggestions which tighten up the language, usually on the grounds that they would impact existing code or prevent some dangerous but valid code from being used.
It is now appropriate to ask ANSI, and the Department of Homeland Security's National Cyber Security Division, to reevaluate the C++ committee's priorities in the light of the documented and substantial damage caused by weak safety features of the language. Whether the committee should be permitted to promulgate unsafe technologies with ANSI approval must be seriously questioned at this point.
That will probably be ineffective. The appropriate forum will probably be Congressional hearings on computer security, which were threatened last year after the SOBIG virus, and are likely to happen this year.
Re:It's time to tighten up C++ (Score:3, Insightful)
Re:A few suggestions (Score:4, Interesting)
XP SP2 is being compiled using a new C compiler which automatically generates code resistant to buffer overruns. It's not perfect, but it is a start.
Combined with the new firewall and NX protection (on AMD64 systems), XP SP2 should be far more secure than its predecessor.
Cancelling security? What next? (Score:2, Funny)
Re:Cancelling security? What next? (Score:3, Funny)
Can you imagine the prospect of SCO receiving $699 for each installation of Windows???
Next Gen? (Score:5, Funny)
And it's already rumored... (Score:5, Funny)
RTFA (Score:5, Interesting)
Re:RTFA (Score:5, Informative)
So here you have it - customers and partners didn't like it.
Re:RTFA (Score:5, Funny)
Re:In other words (Score:3)
Leaving out the judgements of good or evil the only way one could argue that Microsoft doesn't force things on people is to ignore the entire company's history. It has been proven time and time again and finally through the court system that Microsoft has imposed its will on OEMs and consumers for years now. Every single time we have gotten even the slightest glimpse into Microsoft's way
In conjunction (Score:5, Funny)
Would the new Longhorn security system... (Score:3, Insightful)
Re:Would the new Longhorn security system... (Score:2)
Re:Would the new Longhorn security system... (Score:2)
I trust my own damn computer. If I want to store hundreds of illegal documents on an encrypted disk image, I'm confident it won't send the password to Apple or the government. I know it won't be hacked into because it uses RSA's proven encryption. It's MY computer, and if I want to use it to do things that industry X
Uh? Listening? (Score:5, Insightful)
The ol' "keep renaming the thing so people don't have a steady label for what they are fighting". The British sellafield->windscale->thorp nuclear shenanigans, the last Palladium->NGSCB namechange, TIA->something-or-other. All the same propaganda trick.
The solution for opponents is to either keep using the old name so that the public latches onto it (everyone still calls it "Sellafield" and, to an extent, "TIA"), or invent your own name and get it to penetrate the public consciousness (much harder, only example I can think of is "Infidel")
The security feature we need is... (Score:5, Funny)
What we need is "No Executive" security technology. Even the greatest security tools can be hogswaddled by the pointy hair types.
[/obligatory upper-management jab]
Wrong deduction (Score:3, Insightful)
Microsoft doesn't listen to the media and the users, they listen to their shareholders and their finance guys. And they are saying that Windows looks like crap when it comes to security, undermining the credibility of the product, in turn threatening the sales and therefore their dividends.
Microsoft listen to users? bah... If they did, they'd have jumped on the internet bandwagon much earlier. They're going about the whole security thing just like they dealt with TCP/IP and the web: they're thrashing to catch up. And the sad thing is, they probably will sooner than you think...
Microsoft does what it does best (Score:3, Insightful)
What they are doing, as they have done in the past with such flops as Bob, is slowly merge the improvements and features that they planned on delivering in a single project into their whole lineup across the board. As the article says, Longhorn is planned to incorporate this security technology.
While this is by no means a cure-all for the problems that Windows faces, it is a step forward in computing. Whereas legacy systems such as Unix are finding it harder to support newer hardware features such as the NX codes in the latest AMD and Intel chips, the deep corporate partnerships that Microsoft has with these companies allows them to bring such technologies to the public at a faster rate than otherwise possible.
That said, Windows sucks, has sucked, and will continue to suck. Linux shows it up every single time. Not to mention that Linux's security structure is already designed to thwart the exact problems that Microsoft is attempting to stop.
Re:Microsoft does what it does best (Score:5, Informative)
Uh, what?
As far as I know, the so-called "NX codes" are just the ability for the MMU to mark a page of memory as non-executable.
Real architectures, such as SPARC, Alpha, and PA-RISC, have had this feature for a long time. It's used in Solaris for the non-executable stack feature, and it's the basis for OpenBSD's W^X feature [openbsd.org].
So Intel, AMD, and Microsoft are just catching up to features which platforms you dismiss as "legacy systems" have had for years.
Re:Microsoft does what it does best (Score:3, Informative)
Anyway, I know Microsoft has never taken advantage of this feature. I'm surprised *BSD (particularly FreeBSD) hasn't.
There it goes, again. (Score:4, Insightful)
Actually, it's good for the Linux Community that Microsoft keeps making the same mistakes again and again. Ahh..old faithful!
Maybe Miguel will now rethink his very stupid "I'm scared, I'm very scared" quote he made a few days ago...
Um, no. (Score:4, Interesting)
- Microsoft hasn't announced hardware specs. What you're referring to is what a bunch of watchdog folks are GUESSING will be the hardware specs.
- WinXP is much more stable than 2k. If you consider stability a "boring" enhancement, well, I bet you're in the minority.
EVERYBODY LISTEN UP--WinFS was not "cancelled" (Score:3, Insightful)
WinFS was NOT cancelled. It wasn't even scaled back. They just removed some extraneous network features not required (which will probably be free downloadable updates anyway). But, all the sites like Slashdot completely SPUN it and misreported it. Slashdot is owned by VA Linux, so the agenda is obvious.
Re:EVERYBODY LISTEN UP--WinFS was not "cancelled" (Score:5, Insightful)
Possibly already too late (Score:5, Interesting)
Re:Possibly already too late (Score:4, Interesting)
Re:Possibly already too late (Score:2)
I Dreamed This! (Score:5, Funny)
Gates then proceeded to use a Windows XP CDRom as a prism to magnify his own inner evil until it was focused enough to melt a cute puppy, drawing appreciative applause from the crowd of evildoers. The crowd then had a huge WindowsXP InstallFest and cut off their own testicles in preparation for the comet Zurg's arrival to take them away.
MS throws out way too many OS's.. (Score:2, Interesting)
Can we be serious for a second (Score:2, Funny)
They'll just insert a coupon with Longhorn saying that users will get the Free Security upgrade when Half Life 2 ships, or when someone believes the "free beer - tomorrow" sign, whichever comes first
Like they ever had a security project in the first place
Dropped, indeed. (Score:2, Insightful)
Right... The new plan is this... (Score:2, Funny)
PHG (pointy hair guy): Right. We killed the old plan.
MSGurus: Hooray!
PHG: Everyone gets a bonus.
MSGurus: Hooray!
PHG: We have a better plan.
MSGurus: Hooray... we think.
PHG: Because we spent so much time and money on the old plan...
MSGurus: Booooo!
PHG: We have to implement the new time in a fraction of the time. Bill thinks six weeks is plenty. Meeting adjourned.
No, Palladium is still very much alive (Score:5, Informative)
Slashdot getting something wrong? No way, dude (Score:3, Troll)
WinFS was "cancelled?"
The iPod Mini is a complete and utter failure?
Microsoft violates human rights in China?
Longhorn apparently already has hardware requirements, even though they were merely predictions by watchdogs who attended the WinHEC?
Nobody likes Windows XP, and everybody is hearing about Linux, even though Google Zeitgeist shows Linux at 1% usage?
The Lone Gunmen die? Oh, wait...
Yes, kids, you need to try getting your news outside of Slashdot once in a while--you'll see
Probably going to show up under another name (Score:5, Insightful)
Would never work anyway (Score:5, Insightful)
Not strange at all. (Score:5, Insightful)
Come to think about it, harder and more vigilant enforcement on commercial software is only going to drive these people to open source no matter how they do it. Enforce and people migrate, don't and people don't pay. They are in a tough spot, BSA and ppl.
Re:Not strange at all. (Score:3, Insightful)
Spoken too soon? (Score:4, Informative)
http://www.eweek.com/article2/0,1759,1585363,00
says MS is denying this is true.
Why do we fear such incompetence?! (Score:4, Insightful)
Heck, Microsoft cannot even secure its own "proprietary" gaming console, why did we ever fear that they'd lock down all of our computers?!
Re:Why do we fear such incompetence?! (Score:3, Insightful)
We only have 2 PC BIOS manufacturers now... Do you think that for a billion dollars they really wouldn't instantly put Microsoft's DRM restrictions in their BIOSes?
I don't advise anyone to be scared, but I certainly advise everyone to pay attention to the progress they are making, and whatever you do, don't dismiss it, or it'll be here before you even realize it.
Secure XP boxes for sale! (Score:3, Funny)
Tigerdirect is selling [tigerdirect.com] what they claim to be "The Next Level of Computer Security for Your Home or Office". I think their definition of computer security may be a bit different than yours or mine however, as one of the major selling points is a "-110 decibel siren to sound alarm and scare off intruders". Imagine that bad boy going off every time the machine is violated by the Windows worm du jour! ;)
Security vs Safety (Score:3, Interesting)
Something is not safe when its maker has made mistakes that allow third parties to use it.
Something is not secure when it is not guarded, i.e. there is no one to watch over it.
Microsoft should increase the safety of its products, i.e. remove all the bugs. They are secure, already. There is no unguarded place in Microsoft Windows NT/2000/XP (unlike its baby O/S).
Palladium has nothing to do with safety or security. It only has to do with copyrights, i.e. to prevent unauthorized access to media.
I am surprised that Microsoft has not made a tool to grep the code for buffer overruns and other potential problems. With all the compiler technology they have, it would be very easy for them.
Apparently... (Score:2)
Sounds well and good, but I can think of at least two questions: has anyone in the linux community looked into making use of this and, if not, why not?
Re:Apparently... (Score:2)
As far as I understand it, it's not that good.
It's possible to get round, and so its only use would be to obscure things.
Re:Apparently... (Score:2, Informative)
Real processors (SPARC, PA-RISC, Alpha) have had this same feature for years, and OpenBSD uses it as the basis for the W^X [openbsd.org] feature, which ensures that no page in a program's memory space will be both writeable and executable.
So if you consider OpenBSD to be part of the "Linux community", then the answer is yes.
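The property described in the two comments on NX pages and W^X (no page both writable and executable, and a non-executable stack) can be checked from a process's memory map. The following is an added example, not part of the original thread: it parses text in Linux `/proc/<pid>/maps` format and counts mappings that violate W^X. The sample map is constructed, and `audit_maps` and `struct wx_report` are hypothetical names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format (not from a real host).
 * Fields: start-end perms offset dev inode [pathname] */
static const char SAMPLE_MAPS[] =
    "00400000-0040c000 r-xp 00000000 08:01 131090 /usr/bin/demo\n"
    "0060b000-0060c000 rw-p 0000b000 08:01 131090 /usr/bin/demo\n"
    "01a2f000-01a50000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0 \n"
    "7ffd4c1e0000-7ffd4c201000 rwxp 00000000 00:00 0 [stack]\n";

struct wx_report {
    int mappings;    /* well-formed lines parsed */
    int wx;          /* mappings that are writable AND executable */
    int exec_stack;  /* 1 if the [stack] mapping is executable */
};

/* Audit maps text for W^X violations and return how many were found.
 * When verbose is non-zero, each offending mapping is printed. */
static int audit_maps(const char *text, struct wx_report *r, int verbose)
{
    const char *p = text;

    memset(r, 0, sizeof *r);
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = full < 511 ? full : 511;   /* over-long lines are cut */
        char line[512], perms[5] = "", path[256] = "";
        unsigned long long start = 0, end = 0;
        int n, w, x;

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (eol ? 1 : 0);

        /* The pathname is optional, so three converted fields are enough. */
        n = sscanf(line, "%llx-%llx %4s %*s %*s %*s %255[^\n]",
                   &start, &end, perms, path);
        if (n < 3 || strlen(perms) != 4)
            continue;                           /* not a maps line */

        r->mappings++;
        w = (perms[1] == 'w');
        x = (perms[2] == 'x');
        if (x && strcmp(path, "[stack]") == 0)
            r->exec_stack = 1;
        if (w && x) {
            r->wx++;
            if (verbose)
                printf("W+X: %llx-%llx %s %s\n", start, end, perms,
                       path[0] ? path : "(anonymous)");
        }
    }
    return r->wx;
}

int main(void)
{
    static char buf[1 << 16];
    const char *text = SAMPLE_MAPS;   /* fallback when /proc is unavailable */
    struct wx_report r;
    FILE *f = fopen("/proc/self/maps", "r");

    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        if (n > 0)
            text = buf;
    }
    audit_maps(text, &r, 1);
    printf("%d mappings, %d writable+executable, executable stack: %s\n",
           r.mappings, r.wx, r.exec_stack ? "yes" : "no");
    return r.wx ? 1 : 0;
}
```
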
The witch is dead.... (Score:5, Funny)
What in the holy hell? (Score:4, Insightful)
Ahahahaha...have you not heard of the Common Language Specification, which publicly explains to compilers how to produce the intermediate code? We could have Python.NET if we wanted (and it's being worked on).
This isn't exactly some sort of black secret. They published them as open standards. How do you think Mono exists? Any compiler can look at the specs and produce the code.
Sigh...Slashdot sucks these days. The endless Microsoft articles are boring and uninformed. Remember when it was cool tech news?