Anybody noticed that BBay was cracked? Humm... I wonder if the same could happen with Renderosity and something bad happened to our VISA numbers! Luis

There is a "worm" on the Intenet now which attack Microsoft IIS Webserver software called the .ida Code Red Worm. It attacks just the webpges, makes copies of itself and find other websites to go to. This worm attacked Lycos recently. I am not sure but I do not think it will will attack the credit card information which if proper procedures were followed should be on another seperate machine. But I guess we will have to wait for a report from the folks at BBay as to what the damage was.

Unfortunately, this does reveal a problem at BBay. Microsoft did release a patch that sealed the security hole that this worm exploits. Apparently, BBay did not apply that patch. The patch does prevent this worm from being successful. It works ... but only if applied. While this particular worm does not appear designed to send information such as credit card numbers back to a source, what about the next worm that is designed for that purpose? Will we get burned because BBay did not apply a released security patch? Disappointment does not even begin to describe my feelings right now. But, then, BBay was not the only one. As of this morning, there are reports that anywhere from 20,000 to 100,000 systems have been compromised (A lot of lazy managers. Install the **** patch people!). The worm may be sending a list of compromised systems back to a source for future attacks, use, etc. It appears designed mainly to launch DoS attacks against a target -- in this case it appears the target is www.whitehouse.gov -- by having the infected systems flood the target with data requests. Security experts do believe the worm originates from China and many believe the attacks are implicitly approved by the Beijing government as part of a previously and publicly announced "cyber-war." (The people who brought us Tiananmen Square and were rewarded for the slaughter and their loving attitude toward dissidents by the international community with the 2008 Olympics. I guess this is their thanks). These same experts had been warning for months that such attacks on a smaller scale had been detected from China using various methods. Warnings had been issued that larger attacks were most likely being planned. Apparently, a combination of laziness and security ineptitude has prevailed. Maybe they learned this time, but I doubt it. I wonder if this is the "positive engagement" with the Chinese (The government, not the people) all the politicians keep telling us about.

Oh, and your Internet surfing may be a bit slower today as this worm makes it way across the Net. I am sure it has thousands and thousands of unpatched, vulnerable systems to exploit yet.

We store no CC numbers on the server, so nothing was compromised. -Trav

Just heard this morning that the White House had to change their internet or e-mail address or something to keep it out. Melanie

In addition to MIIS 4.0 and 5.0, I was just shown a news report that the "Red Alert" worm also infects PCs with Windows NT4.0 and Windows 2000. Those on DSL or cable modems will be especially vulnerable. On a related note, the "W32.Sircam" virus is making the rounds via email attachments. It is reported to be spreading extremely rapidly. I personally received two emails on two different accounts within the past hour with the infected attachments. The email itself may be in English or Spanish. Both of the emails I received were in Spanish. MAKE SURE YOUR VIRUS SCANNERS ARE UP-TO-DATE! DO NOT OPEN ANY EMAIL ATTACHMENTS UNTIL YOU HAVE VERIFIED THAT THE EMAIL WAS SENT FROM THE ADDRESS! This virus will present itself as an email from an address you may or may not recognize. One of the emails I got was from an address I did not recognize. The other was from a client's email address. I am sure he did not send it. Be careful out there folks.

Windows XP Beta also has the problem. FYI, Clint

That's why you don't open email attachments and you run a *ix server instead of a windows one. Of course, that implies you're able to seal all of the security holes on a *ix machine and Apache. Things are starting to get interesting, eh?

Hi Folks! With the introduction of OS X we Mac users may find that we should not be too smug about our relative freedom from system crackers, especially those with UNIX skills. But Microsoft's record of security leaks with regard to its operating system software is at best reprehensible. If this is what we can expect from a world run on .NET, I'll stick to my Mac (running OS 8.6), thank you. This isn't intended to be flame bait. But all this has to make anyone with concerns about online privacy very afraid. Peter (Dr Zik)

Ughhh more worms... Dam I got one of those e-mails in spainsh to. I just deleted it. I dont even open up e-mails with attachments anymore. We had a worm that messed up crap on my mother in laws computer. Finally had to reformat. I run so much security is isnt even funny, and I bet money I will still get a virus one day. Sad. Wish people were more constuctive with there time. Instead of makeing harmfull virus's and worms they could be helping the planet or something. That was such a hippe thing to say Huh? LOL. No offense to hippys. :)

Considering that the Wall Street Journal's servers were affected... and they reported the news about the flaws and the patches, I doubt if we can single out BBay or any other smaller company for not being quite timely in erecting defenses against a moving target. Considering Microsoft's weaknesses, it is truely amazing that people would willingly give their personal data to a Passport or Microsoft's .net or XP setup. Yikes! What do they think we are? Stupid?!? Yes. Carolly

Considering that the Wall Street Journal's servers were affected... and they reported the news about the flaws and the patches, I doubt if we can single out BBay or any other smaller company for not being quite timely in erecting defenses against a moving target.<<< No one was trying to "single out" BBay. It was clearly stated -- "But, then, BBay was not the only one. As of this morning, there are reports that anywhere from 20,000 to 100,000 systems have been compromised (A lot of lazy managers. Install the **** patch people!)." I enjoy BBay. I think very highly of the people behind BBay, have purchased many items from them, and will in the future. But BBay, like tens of thousands of others, got their shorts pulled over their heads when the resources were available that could have prevented it. It was an avoidable security breach. Companies must be accountable when security patches are available and, for one reason or the other, they fail to install them in a timely manner. It is like a surfer on the Net not using a virus scanner or deploying a firewall. An avoidable disaster is just waiting to happen. And the next disaster could be much worse than Communist computer drones playing cyber-vandals on websites and trying to tie up Dubyas house computers. Responsibility for security is a two-way street. Microsoft should be much more concerned with security issues than they are. That is not going to change. I think it is a cultural thing with them. So if one chooses to use their software you had better be prepared to make use of whatever tools are out there including the immediate installation of patches. I realize it is much easier and much more fashionable to simply slam Microsoft for having the security awareness of a farmer using a fox as a guard dog around the hen house. However, if you choose to use MIIS, you had better be checking for patches very, very often. And if Microsoft releases a patch, I would think there must be a reason. Wouldn't you? And if I were running their software that the patch is meant for, I would consider it prudent to install that patch. Wouldnt you? According to the latest bulletin from CERT, at least 250,000 hosts have been compromised by the Code Red worm. Now, thats a lot of cyber-wedgies. So, as stated before, BBay was not alone. There are quite a few people walking around with their shorts over their head. BBay just happens to be the closest to our hearts. Take care and Godspeed.

"If this is what we can expect from a world run on .NET, I'll stick to my Mac (running OS 8.6), thank you." Same here!!!! I received a strange email today that had an attachment and what appeared to be programming language in the body of the message i trashed it and emptied the trash right away. the War is on... Wolf359

Even some of Microsoft servers were hit with it. Heh... zone was down for over an hour at least yesterday and CNN reported that they (Microsoft) were also infected.

"Lazy Managers"??? I have put in over 60 hours this week, and have two more days of work left. The patch for the current vulnerability was released by MS on the 18th. The MS and CERT Security bulletins hit my mailbox late yesterday afternoon. Today is the 20th. We scheduled the downtime for tonight and one of our sites got hit with an as-yet unreported variant of this vulnerability this afternoon. How is that lazy or untimely? The users I support--not dissimilar from any user anywhere--pitch a screaming meemee when we tell them they can't work between 8pm and 11pm on a Friday night. "How can you shut down the systems that support a world-wide organization because you just got an email?" I've got software providers that will nullify the very costly support we pay if I install patches that are not approved by the vendor. I id'ed the new version of the worm for one of them. How is that lazy? Having to patch before a patch is released isn't lazy--it's a sign that there are way too many people with way too much time to screw around abusing those of us who have real jobs and people to support. Those people still getting hit with PoBox or the Melissa or Love Bug viruses are lazy--or just underinformed. The IIS (or any other) vulnerabilities aren't preventable by even the best IT managers before they're discovered by some freak in his basement that finds it funny or empowering to attack faceless, nameless people who would never do the same, even if given the opportunity. BTW, the "PoBox" hack, the last major round of hacks, was hacked UNIX boxes randomly looking for IIS boxes to infect. Who blames MS for the UNIX crack? Also--IIS 4.0 is an add-in for NT Server, and IIS 5.0 is an installable component of 2000--those on cable/DSL modems will only be affected if they installed it. If you did and aren't running web services (either for a site or Front Page functionality), you don't need it. Disable/uninstall it or at least lock down all permissions. And finally--per Global Crossing and Verizon, some of internet bottlenecking is due to the trunks that are melting in Baltimore. Guess I'm reading this after a very long day...or we all need to go back to smoke signals, at least in the Chesapeake Bay area. GrayMare

Recommendation: Microsoft strongly urges all web server administrators to apply the patch immediately." If I had read that bulletin when I was systems manager and two days later the patch was still not installed as thousands and thousands of systems were falling, I would have been fired. When I was DOps, if one of my managers had still not installed the patch two days after an urgent bulletin from Microsoft, I would have fired him. That is how important security was. That is how seriously security was taken. Today, you never wait for information to come to you. Go after it. One of the first things done when coming on duty should be check email for alerts, bulletins, etc. Then, you go to the sources and check their online information databases, message forums, etc. No time? Make time. The first reports that I saw publicly warning that the vulnerability existed and offering counter-measures were issued in MID-JUNE. The first patches I saw were offered by MS in MID-JUNE. That is a full month before warnings of anything threatening hit my email box. Now, how many managers undertook the recommended counter-measures then? How many installed the patch then? How many even knew about it then? Apparently, not enough. But then, if they didnt know about it because they waited for the information to come to them, they couldnt perform the job that needed performed. 60 hours on the clock means nothing if the job wasnt done. And there are several hundred thousand dead systems tonight that prove that a lot of jobs were not done. There will be thousands more tomorrow. I will let that fact speak for itself. Little else needs to said. I guess there is just a different discipline today. Take care and Godspeed. Also, good luck and I do mean that.

There is of course a simple answer to this, stop using IIS, but the logic of such a move would of course be gainsaid by the beancounters of this world, and those that want ease of use at almost any cost. Is Apache really that difficult to use, or is it simply that people don't realise you can get frontpage extensions for that too. I know the Documentation team had fits about us taking out thier IIS server, as they suddenly though they would have to forgoe the easy life that is web creation with frontpage, (even if it does make the pages almost unreadable to ordinary mortals :) Though if it's rock solid reliability and security you're after then use Apache on MacTen UNIX (for Apple hardware) from www.tenon.com, the US army switched to that once they too had thier IIs server defaced a few years ago, chiefly becuase of the results of the anual "hack a mac" contest :) later jb

As for the patch, (he says having read the full thread backwards :) who has time to test every patch, (alone and in conjuction with others, etc.) when you have a live production environment to maintain. Who to say that the patch won't introduce even more problems, look at the debacle that was the NT service pack 5 and then tell me you'd trust Microsoft with your livelyhood... One of the "rules" of being a decent sysadmin, is not installing every patch that comes down the pipe, just because it's there. I'll agree with you that security patches are of special concern, but you need the resources to test that when you apply the patch, and roll it out onto your production system, that it is going to behave itself. Especially if you're web site is the way in which you make most of your money. Unfortunately most small businesses don't have this luxury, and also lack the hardware and manpower to put it into place. Though if you are keeping card numbers on the server then you deserve to be shot! I've told my bank that under no circumstances do I want my account available by any means except over the phone (in person) or at a branch. I work with this technology day in, day out, and I know how flaky it is, and how shoddily implemented it is, even in the places you'd think would have more sense... So yes, installing the patch is a great idea in principle, but in practice it's often tantamount to a self inflicted injury. Unfortunately for those people doing this for real, in many cases "this is rocket science!" later jb

Even Microsoft servers go hit?! Again??!! It's getting worse.

Casa-had the patches been applied before approval from our third party vendors or the stated SLA of 48hours notice to our customers, I would have lost my job. The former would have nullified our service contract, and we've found the patch literally kills one of the services on one of our BtoB web servers. There is a point at which a small staff can't "go get" the info. That's why I pay thousands of dollars for subscriptions to virus services and support companies. It's their job to notify me. Praxis--Apache/Unix/whatever is as vulnerable as IIS. The source code is free--how hard is it to figure out how to crack it? You are correct about testing. It is irresponsible to apply brand new patches/service releases on production systems without testing first, whether you do it or pay a vendor. That's why I'm spending my days/nights/weekends in the server rooms right now. The problem here is the accelerated speed this $#@* is hitting us. Maybe I'm wrong. The problem is that people are trying to crack it, pretty much for no real reason. This crack isn't after credit card info, it's total bullpoop. Everybody else--Sorry--this is way OT, I was (and still am, to some extent) very irritated by the suggestion that people outside the individual situations can say that the kind of issues here make the manager/IT personnel "lazy" or any other negative acronym. That's the kind of thing that makes the COO/CEO/CIT give you crap 'cause they don't understand what's actually going on. GrayMare

GrayMare, sounds like you're having fun, just try not to sleep in the office eh? :) I wasn't suggesting the Apache was bulletproof, just that it can be made highly resilient if you're willing to put in the hours, the very fact that source is free is what makes it so, everyone can see how it does what it does, so vulnerabilies are patched on a daily basis, once a sucessfull hack is found, as the "hack a mac" contest proved. The test machine was up for 6 months (I think) but they extended the contest because nobody was able to hack it... My argument was really against sloppy implementation, if you don't actually plan this properly from the start, and test it throroughly before hand, then you're going to get screwed by some script kiddie, or even worse, somebody who actually knows what they're doing. Whereas, it seems to me, that many sites including Microsoft themselves are "installing in haste, and repenting at leisure" once their server gets nuked either by a DDOS attack or by a more targeted weapon like the worm. It's a jungle out there, unfortunately most server vendors seem to asking you to look at thier really cool trees, and ignore the stuff that's lurking behind them. I don't know, I've been here for over 12 hours now, I came in to help out a friend then Tivoli went nuts, if you ever get the chance, avoid it, you'll be glad you did :) Right that's enough OT bitchin' I'll shall wander down to the flicks to watch the equally bitchin' Ms Jolie get on down in "Mortal Sin" :) later jb

GrayMare, allow me to state that perhaps my choice of word was too harsh. I apologize for that. However, I stand by my opinion and statement that there are too many managers and administrators who are not doing their jobs responsibly. And, it appears from your statements, too many "suits" not letting the job be done properly. The size of the "Code Red" infection speaks to this very well. And I still do not understand why the first bulletins, warnings, patches and counter-measures appear to have been such an industry wide secret when they were available nearly a month ago. I saw them and I've been out of the business for several years. Anyway, I apologize again for my selection of descriptive adjectives. And, again, I wish you luck.

Since accuracy is important in these matters... "In addition to MIIS 4.0 and 5.0, I was just shown a news report that the "Red Alert" worm also infects PCs with Windows NT4.0 and Windows 2000. Those on DSL or cable modems will be especially vulnerable." This worm ONLY affects machines running unpatches IIS services. "Considering Microsoft's weaknesses, it is truely amazing that people would willingly give their personal data to a Passport or Microsoft's .net or XP setup. Yikes! What do they think we are? Stupid?!? Yes." Actually, IIS/Windows servers, when maintained correctly are much easier to keep secure than their Linux counterparts. The number of IIS exploits available is small compared to the piles and piles of vulnerabilities on the average Linux server (sendmail, bind anyone?). Both systems CAN be secured, but in Windows I have exactly one vendor to track, a vendor who does a very good job in getting me timely patches... in Linux I have multiple projects/authors to try and track and all the interdependancy issues to deal with. 99.9999999% of the time I can just hit "Windows Update", say yes and I am all set - it can be part of my daily maintenance (and is). "Companies must be accountable when security patches are available and, for one reason or the other, they fail to install them in a timely manner." I agree. ALL software has bugs and security flaws, if your job as an admin isn't to keep your servers secure as it's highest priority then what IS your job? "BTW, the "PoBox" hack, the last major round of hacks, was hacked UNIX boxes randomly looking for IIS boxes to infect. Who blames MS for the UNIX crack?" I agree, the hypocrasy is simply stunning. The screaming about MS's "flaws" will go on for weeks, but no one will make a peep about the latest Linux root exploits. "Is Apache really that difficult to use, or is it simply that people don't realise you can get frontpage extensions for that too." Not at all, I have run many Apache based systems for large customers - and still admin a few who won;t switch. The reality is simply this ... Apache is an inferior product to IIS in every way my clients and I find important. ASP and ASP.NET are good fast development environments... and the support for them on Apache is nil (or almost nil). The administration of IIS is incredibly efficient and it's uptime is every bit as good as Apache. And, again, an IIS/Windows server is much, much easier to keep secure. "One of the "rules" of being a decent sysadmin, is not installing every patch that comes down the pipe, just because it's there." That's an outdated rule, and it was never really a good one to start with... but let's skip that for a moment. Not installing a patch for a KNOWN, high vulnerability and widely publicized exploit is not nearly the same thing as not installing "every patch that comes doen the pipe". it's like not putting on a Kevlar vest before getting shot because you don;t know if it is a carcinogen. Yes, the patch may be a problem, but that chance is worth the risk because you KNOW FOR A FACT that 8 million rabid GNU terrorists are just waiting to slam your MS server to hell and back as soon as someone with talent can write them a shell script. "Casa-had the patches been applied before approval from our third party vendors or the stated SLA of 48hours notice to our customers, I would have lost my job." I appreciate your problem... but you need to try and alter those contracts. There is simply no way to secure your system if you cannot be allowed to apply a critical patch from the OS vendor for a high profile vulnerability on your own authority. "I wasn't suggesting the Apache was bulletproof, just that it can be made highly resilient if you're willing to put in the hours, the very fact that source is free is what makes it so, everyone can see how it does what it does, so vulnerabilies are patched on a daily basis, once a sucessfull hack is found, as the "hack a mac" contest proved." The fact that Apache is "free" doesn't make any difference.. as evidenced by the ease with which cracks are found for many free/open source products. The patches from MS are extremely well done, extremely timely and very often available weeks or months before the exploit is widely known. On average, I devote 30-45 minutes on security issues for all my servers (13+, most Windows) and workstations (20+) and that covers it nicely. If your going to "put in the hours" then your IIS/Windows system is goign to be as if not more secure than your Apache/Linux system. Ah well, it's all OT :)

Hi, Well I was willing to take you seriously untill the "GNU terrorists" remark... Developing free software is not an Anti-American activity, (more's the pity :) I work at a bank, they asked me for my "patch policy" in the third technical interview I had, it was an open question, but there was no doubt as to what the "correct" (meaning, "what they wanted to hear") answer was. That answer being, "no I don't install everything that arrives on the patch CD every month" Though when you've only got 13 servers and 20 workstations you can probably afford the time, when you step up into the big leagues you'll find there are never enough hours in the day. Hell, the production, prelife, and development machines for our monitoring system alone number more than that. Although on a personal note, I would agree with you that Linux isn't enterprise ready yet. I certainly wouldn't roll it out into production any more than I would a Microsoft solution. later jb

"when you step up into the big leagues you'll find there are never enough hours in the day." if there arent enough hours to spend on security in "the big leagues" then hopefully they'll hire more help - because when that system gets cracked with somethign there was a month old patch for hopefully "well, I didn't have time for the patches" isn't a good enough answer :) "GNU terrorists" is a very specific SUBSET of open source developers who have no higher goal than to discredit MS by any means necessary - including building crack scripts.

Hi, Hopefully is about right, but you work with this stuff for a living too right? You know how it goes, one suit promises something to another suit, shit happens, then it rolls down hill... :) As for the "discredit MS by all means necessary" I'm all for it, though what you see as a problem I see as a benefit. Security through ignorance is no way to run a system. If a vulnerability is known about and an exploit created to highlight it, then "the company" (MS or the Linux crowd) have a vested interest in producing a patch, (though for differing reasons admitedly :) quickly. Whereas if a vulnerability is known of, but no exploit exists, then why make work for yourself. I've had this from both small companies and big ones. I once had occasion to shout at the support types for a Macintosh security product, which locked down the desktop so you couldn't alter it, but unfortunately, it also nuked "desktop printing" and the only way to get both to coexist was to switch one off. So what they did while I waited for them to provide me with a patch was to give me an in-house extension that disabled the program itself, and while I appreciated it as it got me out of a bind, it did rather make thier much vaunted security redundant to anyone who posessed the disk... Rest assured that principle of CYA is alive and well in "the big leagues" :) and if we haven't installed something we know we shoud've it's not because we lack the time, and we have corroborating email to assist us in pointing the finger elsewhere :) The good thing about a crack script is that you get hold of it too, and work out what it's doing and how to stop it, you can even get firewalls (open source of course :) that have offensive strike capabilities, they'll nuke your attacker before he even knows what hits him (with appologies to any geek grrrls reading :) What you seem to be advocating is that everyone should just clam up about security and hope the hackers go away, but the fact is that somebody paid to work for 40 hours a week to defend a place is never going to be a match for somebody who's willing to spend 90 hours a week unpaid trying to break in. This is true of physical world just as it is true of the "cyber" world that we inhabit during the working week, (and some of us during the weekends too :) Crack scritps, not unlike guns and bombs are not in and of themsleves bad things, I've worked in places where we ran them against the systems ourselves in order to "harden" them, if you can crack the passwd database for even a small number of users then you need to make sure they change their password, and perhaps implement password aging to prompt them to do so regularly, but not so regularly that they start writting the password on a post-it attached to the screen or hidden inside a drawer... Personally I'm a supporter of "ful disclosure" for better or worse, like I said, it's a jungle out there, but I'd rather know what's out there than not. Ignorance may be bliss, but it's no way to secure a system against even talented amateurs. later jb

"What you seem to be advocating is that everyone should just clam up about security and hope the hackers go away, but the fact is that somebody paid to work for 40 hours a week to defend a place is never going to be a match for somebody who's willing to spend 90 hours a week unpaid trying to break in." Not at all! I am all for disclosure, that was not my point at all. What I AM saying is that there is a group of people who will deliberately (usually through ignorance) attempt to cover up or ignore the flaws in Linux/Unix systems because they have only one goal - the destruction of Microsoft. Personally - I stick WITH MS because: 1) They are the single most motivated company ont he planet to secure their systems ($$$$$) 2) They are the biggest target on the planet (The anti MS crowd) Thus, I have some of the most talented people trying to break the system I run, and the largest single group of talent securing it. Generally, this pushes the evolution cycle of Windows at a fantastic pace. And it shows - it is better and better all the time.

"Hopefully is about right, but you work with this stuff for a living too right? You know how it goes, one suit promises something to another suit, shit happens, then it rolls down hill... :)" Oh yeah... forgot this one :) As long as your ass is covered thats cool - but it is a fact of life that patches will become a very, very common thing as the "hothouse" atmosphere gets hotter - for all OS's. Thus, it is important for the suits to realize that this is NOT the old mainframe days :)

Hi, I remember reading "Wired" ages ago where they opined that Microsoft was "post cool" meaning that at one point it was the hippest place to work, but with stock options no longer the draw they once were, etc. and the fact that they'd fallen out of favour with the "bright young things" it was rapidly becoming the place that people went because they knew they'd get in, competition for places ceased to become an issue, the sting in the tail of course was that ultimately this ammouted to a dilution of thier "intellectual" capital, which for a technology company is a fairly serious matter. I'm sure MS are motivated by the $$'s but working in a bank, and following the markets like I do, I can assure you they're far more interested in making deadlines than making sure they ship a bug free product and meet market expectations. This is true of any producer in a comodity market, the bottom line is all that counts, especialy when you have a monopoly in the market, it's all about growing market share, and then expanding the market. Like I said, I am by no means a Linux cheerleader, My chosen OS is Sun's Solaris, which is not as scalable as it should be at present, but it's getting there, they currently have hardware for the telecoms market that promises better than five 9's uptime, and has hot swap everything, even processors and PCI cards! As for the anti MS crowd, I think you mistake what they're after, I was having this argument the other night with a mate after watching "the secret history of hacking" (which was cool becuase you had John Draper, (AKA "Captain Crunch" ) and Steve "WOZ" Wozniak talking about blue boxing and the Berkley homebrew computer club, etc. Amazing stuff!) Anyway, he said he couldn't understand why people hated Bill so much, when all he'd done was create (by initially reverse engineering/stealing) a very successfull product, (albeit because IBM "dropped the ball") and I'm not lieing here, if you check your history you'll find that PCDOS (which later became MSDOS) was built from reverse engineering QDOS (Quick & Dirty OS) which itself was an improved, though again reversed engineeered version of Gary Kildal's CPM, (the people IBM originally went to, only he was out rock climbing and his wife wouldn't sign the NDA :) This and the fact that he then had the gall to accuse the hobbists of the time of stealing "his" software, (the TV program even had the original letter :) is what started the whole thing. Bill pissed off the first geeks, and that antipathy towards both the man personally, and his software in general, has been handed down to each subsequent generation of the disperate tribes, as part of our collective cultural heritage. I'm on record as saying that Word is acually a very good program, I think that after word 2.0 it did everything you'll ever need to do, but it's good. What is not good, is the OS. From a purely technical level it sucks, and I'll tell you why. I have a 386 at home, made by a company now long since dead, it has a 40Mb drive in it, large by the standards of the day. it has 4Mb of main memory, and on this machine is MSDOS 6.22, Windows for workgroups 3.11 and a version of Office Pro, (4.2 I think) this all works beautifully, and all in 4Mb, with a 40Mb disk. Now compare this to the bloated & crufty monstrosity that is, or will soon be XP. The minimum spec of the hardware to run XP (without apps) is something like a 500-700Mhz processor, 64Mb of memory and a 1Gb of storage. If you want to run more than one app at once, then you need twice to four times the memory and much more drive space, not to mention more horsepower under the hood. Then there are the annoyances such as "change the gateway, reboot the system" Why?!? on any other system BeOS, QNX, Linux, Macintosh, you name it, you can just change the gateway and you don't have to reboot, why is this necessary with windows? Why when the default IDE driver screws up does it let you boot the machine but delete the CDROM and refuse to add it back in without a complete re-install of the OS. Where in this modern age is the MS verion of pre-empive multi-taking scheduler with decent memory protection for it's OS? Why is it always necessary to reboot to fix a problem, a reboot should be a tool of last resort in a production environment, but most data centers will reboot at the end of each week just in case, (unless of course you only have a few users, then you can go for up to a month) I could contunue, but I'm sure you take my point. Most of my tribe have very pointed technical reasons why they have low regard from MS's OS, though I sometimes think that the younger generation have confused ideas about why exactly we "hate" Microsoft. :) I'm not so sure about the "target" thing either, I think most people, (most geeks) are more interested in futhering the cause, than causing problems for MS, sure there are some of the crackers out there, (especially thier script kiddie bretheren) that are into that, but by and large Ms is far less of a "target" than you might imagine. Is Windows getting better? Perhaps, perhaps not, it's certainly getting bigger, and developing more features, but when cars start adding cup and plant holders you know that "innovation" has ceased and "fiddling" and "feature creep" rule. Don't get me wrong the equation editor in Word 6.0 is very cool, but I can't imagine may people will use it, given that the bulk of the accademic/mathematic community that I've ever met, (and I worked for both ESO, www.eso.org and ESA www.esa.int :) uses latex or TeX and dvips on some form of UNIX box to process thier papers for publication, conferences, etc. Though if you want to see evolution in action take a look at the kernel developers of the Linux crowd (www.kernel.org) and what they have running in the latest release, some of it is bloody amazing, firewire, USB, highly granular and scalable SMP, military level crypto, hot swap PCI support, etc. all for free, updated constantly and available on 14+ different processor achitectures at once. So, would I like to see the downfall of MS, yes, I would. But I want it to be at the hands of a better, faster more scalable and "free" ("think free speech, not free beer" - RMS :) OS. I want David to fell Goliath, I want to read of it the next day in the newspaper and think, "my side won, and I played a very small part in it" the Linux hackers do what they do to earn the adulation and respect of thier peers, and to ultimately prove that we're better at it than they are, that a bunch of oddball hackers cranking out code in thier bedrooms can equal and better, (in a fair fight) the products of the "best & brightest" that money can buy. This is nothing short of a crusade, a Jihad, it's been a long time coming, (almost 30 years) but we have all the time in the world, and no deadlines to meet. later jb

Oh yeah, "I don't think the suits know were even in the 20th, let alone the 21st century" :) How many executives do you know that can even open thier own email. When I worked at a univeristy, the vice principla sent out a policy document saying that were going to standardise the email system to pegasus mail on everyhing, "what about the UNIx system?" we said, at wich point somebody had to spend the next two weeks explaining to him that were other types of computers in the world other than PC's and they didn't/wouldn't/couldn't run pegasus mail... :) Ah, those were the days... ;) later jb

"How many executives do you know that can even open thier own email." Lot's of them - but then I did contracts at tech Savvy companies like AT&T and Bell Labs. "far more interested in making deadlines than making sure they ship a bug free product and meet market expectations." This is only true as long as those deadlines resutl in a product the market wants. Bill is far to smart a guy to ship something on-time if it will flop int he market. While it occasionally does happen, on the whole MS products are shipped when they are ready. "My chosen OS is Sun's Solaris, which is not as scalable as it should be at present, but it's getting there, they currently have hardware for the telecoms market that promises better than five 9's uptime, and has hot swap everything, even processors and PCI cards!" I wrote code for Solaris a long time ago, it was an OK OS and the hardware was cool - but commodity PC hardware has it matched now - the high end Dell servers are swappable in allt he important ways and it is fairly easy to show on paper that clusters are far more cost effective at maintaining uptime than swappable components anyway. Most of the large comapnies we do consulting for opt for a small failover cluster of 3-5 commodity Pentiums instead of dumping a ton of $$ into exotic hot swapped servers. "I'm not lieing here, if you check your history you'll find that PCDOS (which later became MSDOS) was built from reverse engineering QDOS (Quick & Dirty OS) which itself was an improved, though again reversed engineeered version of Gary Kildal's CPM, (the people IBM originally went to, only he was out rock climbing and his wife wouldn't sign the NDA :)" Actually - this is not quite correct. QDOS was built by Tim Paterson and Microsoft Licensed it. They did not "reverse engineer" it or do anything else nefarious. They offered Tim money, he took it and gave them the code. That's called business :) More tidbits can be found at the Everything2 entry. BTW - there is no area in which QDOS was an "improved" CP/M :) "This and the fact that he then had the gall to accuse the hobbists of the time of stealing "his" software, (the TV program even had the original letter :)" They did. It is a matter of historical fact that paper tapes of the Basic language written by Bill and his asssociates were stolen from the MITS "road show" demonstration trucks by hobbyists who believed they were entitled to anything that they could get their hands on. By any reasonable definition of the term they did steal it. You can read the "Open Letter to Hobbyists" if you would like - the points it makes about ethics and the law are still valuable. Let's be clear. Stealing software is stealing - just like stealing a texture is stealing. There is no defense for piracy. If you were trying to say that there is something odd about Bill complaining about piracy because of something with QDOS, I simply can't agree. Bill paid for QDOS - nice and legal. They STOLE Basic, sad but true. "I have a 386 at home, made by a company now long since dead, it has a 40Mb drive in it, large by the standards of the day. it has 4Mb of main memory, and on this machine is MSDOS 6.22, Windows for workgroups 3.11 and a version of Office Pro, (4.2 I think) this all works beautifully, and all in 4Mb, with a 40Mb disk." OK.... "Now compare this to the bloated & crufty monstrosity that is, or will soon be XP. The minimum spec of the hardware to run XP (without apps) is something like a 500-700Mhz processor, 64Mb of memory and a 1Gb of storage." I couldn't run POSER on the machien you mentioned first - so why should I expect an entire multimedia capable OS to fit in anything like that kind of space? I might add that you couldn't run Linux with anything liek the abilities I have on my XP desktop in those hardware req's either. Computers DO MORe than they used to. That takes more "stuff". "Then there are the annoyances such as "change the gateway, reboot the system" As far as I know, this is not true on Win2K and WinXP, in fact I significantly reconfigure they net connections in my XP box for testing pretty often and never have to restart. "Where in this modern age is the MS verion of pre-empive multi-taking scheduler with decent memory protection for it's OS?" Windows NT, Windows 2K, Windows XP. I think your spending way too much time with WFWG 3.11 :) In fact, until OS X the Mac NEVER had pre-emptive tasking nor memory protection :) "I could contunue, but I'm sure you take my point. Most of my tribe have very pointed technical reasons why they have low regard from MS's OS, though I sometimes think that the younger generation have confused ideas about why exactly we "hate" Microsoft. :)" "Your tribe" has changed, and you didn't notice it. Linux is NOT a tribe of well meaning hacker types - it is now a tribe of 15 year old kids who think that pirating MP3's are a constitutional right and that hating MS is the thing that makes them "cool". Read Slashdot sometime, you will see exactly what I mean :) I think another problem is that, like most groups, you're tribe is jsut not able to adapt their prejudices. The "weekly reboot" was a dead issue by NT 4 SP5 and it wss never a problem in Win2K. If you keep judging MS by only what you see in Win98 then you will be very, very surprised when WinXP shows up in retail stores. "Though if you want to see evolution in action take a look at the kernel developers of the Linux crowd (www.kernel.org) and what they have running in the latest release, some of it is bloody amazing, firewire, USB, highly granular and scalable SMP, military level crypto, hot swap PCI support, etc. all for free, updated constantly and available on 14+ different processor achitectures at once." They do do some nice stuff, and I have been working with the Linux kernal source since the .07ish pre-alpha versions. But the reality is that the Linux kernal is far from innovative. They are simply spending their time implementing the features they see in other systems. It's good work, but let's not hold them up as the pantheon of innovation. Besides, read Kernal Traffic sometime and you'll see how buggy most of it is - hell, the Linux VM system is still blowing chuns they can't even find. Again, Linux is a nice system - and for a few years it had serious advantages - but they couldn't really innovate after that - and Windows2K was good enough to replace it, and WindowsXP will continue the trend. "This is nothing short of a crusade, a Jihad, it's been a long time coming, (almost 30 years) but we have all the time in the world, and no deadlines to meet." That "jihad" has been HAPPENING for 30 years, and they haven't won yet :) The reality is that no free OS will ever be the champion - there isn't enough direction, dedication or support to make it viable. MS will fall someday - but it will be to another large company with a single source OS. Thanks for the discussion, this is fun :)

hi, I have "replied" but I have yet to "indent" and I have to buy a ticket and catch a train befor drinking beer, so it'll have to wait untill tomorrow :) later jb

"How many executives do you know that can even open thier own email." > >Lot's of them - but then I did contracts at tech Savvy companies like AT&T and Bell Labs. I was a permanent employee of AT&T labs in the UK, in fact I was the sole admin for labs outside of the USA, B band, my last job in fact, before beggining at the bank :) >>"far more interested in making deadlines than making sure they ship a bug free >>product and meet market expectations." > >This is only true as long as those deadlines result in a product the market wants. Bill is far to >smart a guy to ship something on-time if it will flop in the market. While it occasionally does >happen, on the whole MS products are shipped when they are ready. Which is exactly what I said, he's far more interested in the bottom line than in shipping it on-time, etc. He's selling a product, a comoddity, not providing a service. as such he may delay the rolout if he thinks that the market isn't right for it. Which, i would venture to suggest is a lot different than simply rolling out the next version of the OS because you've writtten a better one... >>"My chosen OS is Sun's Solaris, which is not as scalable as it should be at present, but >>it's getting there, they currently have hardware for the telecoms market that promises >>better than five 9's uptime, and has hot swap everything, even processors and PCI >>cards!" > >I wrote code for Solaris a long time ago, it was an OK OS and the hardware was cool - but >commodity PC hardware has it matched now - the high end Dell servers are swappable in allt >he important ways and it is fairly easy to show on paper that clusters are far more cost >effective at maintaining uptime than swappable components anyway. That's not what I hear. At ESO we had Dell servers, complete with internal RAID 5 and they were balky as hell, the DLT would sometimes simply refuse to backup, as for backing up to a schedule on a network, forget it... Then there are the mail (notes) gateways at ESA, in outlying regions, (like the lauch sites in French Guyana) they have very few users, so they don't need to be rebooted because of that, but there is an ongoing dispute between them, MS & Lotus as to what is causing the memory leak that makes recovering archived notes folders all but impossibly slow after two to three weeks without a reboot... The fact is that NT simply doesn't scale with SMP, 2, 4, 8 = increasing returns, (very slight at 8) up to 16 = diminishing returns to point that the machines are dangerously unstable with 16 processors in one box, "been there, done that" :) Most of the large companies we do consulting for opt for a small failover cluster of 3-5 commodity Pentiums instead of dumping a ton of $$ into exotic hot swapped servers. Yeah I know, depends what they run on them, but teleco's go for the exotic kit, which is far more fun to work with, just depends on how valuable your uptime stats are I guess :) >><"I'm not lieing here, if you check your history you'll find that PCDOS (which later >>became MSDOS) was built from reverse engineering QDOS (Quick & Dirty OS) which >>itself was an improved, though again reversed engineeered version of Gary Kildal's >>CPM, (the people IBM originally went to, only he was out rock climbing and his wife >>wouldn't sign the NDA :)" > >Actually - this is not quite correct. > >QDOS was built by Tim Paterson and Microsoft Licensed it. They did not "reverse engineer" >it or do anything else nefarious. They offered Tim money, he took it and gave them the code. >That's called business :) OK, Kildall wouldn't license his code, so Patterson reverse engineered it so he could sell/steal it. Bill, knowing that Kildall wouldn't sell CP/M to him, and that IBM approached Kildall first, bought QDOS as a way of legally stealing CP/M. Either way, he still made his first million selling a product that wasn't his to sell, just as it wasn't Patterson's to sell either. >BTW - there is no area in which QDOS was an "improved" CP/M :) Subsequent version of "DOS" improved on the clone that Bill bought/stole, so in that way it was an "improved" CP/M (though I'll leave the quotes intact :) >>"This and the fact that he then had the gall to accuse the hobbists of the time of >>stealing "his" software, (the TV program even had the original letter :)" > >They did. It is a matter of historical fact that paper tapes of the Basic language written by Bill >and his asssociates were stolen from the MITS "road show" demonstration trucks by >hobbyists who believed they were entitled to anything that they could get their hands on. Gary Kildall invested a lot of time and money on CP/M, and were it not for his wife, Bill wouldn't have got a sniff at IBM. Two wrongs don't make a right, hobbyists stole BASIC, Bill stole CP/M, but "selling" software was a fairly odd thing at that point. Here's one for you, tell me, what was actually being stolen except the physical tape? (According to the laws of the day :) Everybody steals software, if people hadn't stolen (and used) MS software, he wouldn't have made as much money, or enjoy the monopolist position he does now, I make no moral jugement as to whether it is good or bad. We've all "stolen" software, unknowingly or not. The same goes for the "look and feel" cases, what exactly is being stolen, and are we all collectively guilty of such theft? >By any reasonable definition of the term they did steal it. You can read the "Open Letter to >Hobbyists" if you would like - the points it makes about ethics and the law are still valuable. Just as Bill "stole" CP/M, though I would comment that the question Bill asks: "Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free?" Has been amply answered by the GNU/Linux/Open Source community itself, anyone can "afford" to do it, they just can't make a "profit" from doing it, which is after all the point, Bill was bitching about loss of profit, when he was the only one really trying to sell anything to the hobbyists besides the hardware manufacturers. Because up untill then the software, or the knowledge required to program it, was shared, given away for free. "Information wants to be free" right? >Let's be clear. Stealing software is stealing - just like stealing a texture is stealing. There is no >defense for piracy. Now there are laws as regards "intellectual property" but back then, computer software was ephemeral, do you think that Bill could have got a hearing in a court of law? Do you think he would have prosecuted if he could have? Or was the relationship between the then embryonic MS and the hobbyists to symbiotic? To bring it up to date, why don't Metallica sue the "fans" that "steal" thier music via Napster, they have thier names after all.... The law is the law, fundamental, absolute. If you choose to avoid the verdict of the courts, you choose to forgoe the remedy too, and you accept the consequences. >If you were trying to say that there is something odd about Bill complaining about piracy >because of something with QDOS, I simply can't agree. Bill paid for QDOS - nice and legal. >They STOLE Basic, sad but true. But he was complicit in stealing CP/M, he knew he had nothing to demo, and would lose the opportunity if he had nothing to show, so he chose to turn a blind eye to Patterson's theft and cover himself legally by purchasing QDOS. Thus he gains access to CP/M without paying the owner/writer/creator of CP/M for the right/privilege, also sad but true :) >>"I have a 386 at home, made by a company now long since dead, it has a 40Mb drive >>in it, large by the standards of the day. it has 4Mb of main memory, and on this >>machine is MSDOS 6.22, Windows for workgroups 3.11 and a version of Office Pro, >>(4.2 I think) this all works beautifully, and all in 4Mb, with a 40Mb disk." > >OK.... > >>"Now compare this to the bloated & crufty monstrosity that is, or will soon be XP. >>The minimum spec of the hardware to run XP (without apps) is something like a 500- >>700Mhz processor, 64Mb of memory and a 1Gb of storage." > >I couldn't run POSER on the machine you mentioned first - so why should I expect an entire >multimedia capable OS to fit in anything like that kind of space? Neither could I, but I can run an "entire multimedia capable OS" on it, it's called QNX, and it's base spec is a '386sx16 :) www.qnx.com >I might add that you couldn't run Linux with anything liek the abilities I have on my XP desktop >in those hardware req's either. Linux, maybe, it'd run like a dog, but maybe. Though, like I said, www.qnx.com :) I have run it on a '386, just to find out what it's like, (I bought the real thing) and on a '386sx16 it has a guaranteed interupt response time of 27 it's a deterministic real time system, and the only thing the Canadian government will let govern a nuclear reactor :) >Computers DO MORe than they used to. That takes more "stuff". Like I said... ;P Yes they can do more, but that doesn't mean they need more stuff, just that we are encouraged to buy more stuff. There is a difference :) >>"Then there are the annoyances such as "change the gateway, reboot the system" > >As far as I know, this is not true on Win2K and WinXP, in fact I significantly reconfigure they >net connections in my XP box for testing pretty often and never have to restart. I threw Win2K off my laptop, (it came with it) as it wouldn't run half the freeware/shareware I wanted it to, (some of it antique admittedly :) I use Me at the moment, as well as Linux (Mandrake) and BeOS (4.5.2) multiboot. I did have the QNX RTP installed (as my version of QNX 4.2.2 is node locked to my '486) but the new realese doesn't recognise my laptop's keyboard, bugger! :) >>"Where in this modern age is the MS verion of pre-empive multi-taking scheduler with >>decent memory protection for it's OS?" > >Windows NT, Windows 2K, Windows XP. I think your spending way too much time with >WFWG 3.11 :) I wouldn't call that decent, my NT box here, (SP6) decides on a daily basis whether it will let me run Apple's Quicktime movieplayer or Reflections X client/server. Currently QT is working so reflections isn't :) Yesterday IE informed me that I had to turn on javascript to continue to access the hotmail session that had just timed out, the same session I'd had open for days. I had to dump out of IE to get back into hotmail. It's not my account, as I'm a local admin on my PC, it just something you have to live with... >In fact, until OS X the Mac NEVER had pre-emptive tasking nor memory protection :) I never claimed it did have :) >>"I could continue, but I'm sure you take my point. Most of my tribe have very pointed >>technical reasons why they have low regard from MS's OS, though I sometimes think >>that the younger generation have confused ideas about why exactly we "hate" Microsoft. :)" > >"Your tribe" has changed, and you didn't notice it. Linux is NOT a tribe of well meaning >hacker types - it is now a tribe of 15 year old kids who think that pirating MP3's are a >constitutional right and that hating MS is the thing that makes them "cool". You're right, my "tribe" isn't Linux. I herald from a clan of rootless itinerant geeks, (after Neal Stephenson :) my tribe are those that still cling to the "old ways" who would no more hack into a system than they would use the term "hacker" to refer to those that do :) The fifteen years old will grow up, eventually, and they too will lead the powers that be a merry chase, just as our elder statesmen did in thier day, you know, "Hans & Gribble", RMS, even Bill himself :) >Read Slashdot sometime, you will see exactly what I mean :) Every day, come rain or shine :) >I think another problem is that, like most groups, you're tribe is jsut not able to adapt their >prejudices. The "weekly reboot" was a dead issue by NT 4 SP5 and it wss never a problem in >Win2K. Tell me a group that is, (able to adapt) ethocentricity is that which defines us, "the inherant assumption that the way your culture does something is intrinsically the way it should be done." We are no different in that respect to any other ethnic group, regardless of how large or small. >If you keep judging MS by only what you see in Win98 then you will be very, very surprised >when WinXP shows up in retail stores. It didn't impress me, except by the absence of clutter on the desktop :) >>"Though if you want to see evolution in action take a look at the kernel developers of >>the Linux crowd (www.kernel.org) and what they have running in the latest release, >>some of it is bloody amazing, firewire, USB, highly granular and scalable SMP, >>military level crypto, hot swap PCI support, etc. all for free, updated constantly and >>available on 14+ different processor achitectures at once." > >They do do some nice stuff, and I have been working with the Linux kernal source since the >.07ish pre-alpha versions. But the reality is that the Linux kernal is far from innovative. They >are simply spending their time implementing the features they see in other systems. It's a "work in progress" :) >It's good work, but let's not hold them up as the pantheon of innovation. Besides, read Kernal >Traffic sometime and you'll see how buggy most of it is - hell, the Linux VM system is still >blowing chuns they can't even find. I never said they were, I'll even agree with Bill that it's far easier to code an aspiration such as "to recreate UNIX" that it is to "build the best operating system available" but then I would also contend that MS isn't doing the latter, perhaps the only people who could be said to be doing that are the BeOS hackers, who are coding an entire OS from the ground up! >Again, Linux is a nice system - and for a few years it had serious advantages - but they >couldn't really innovate after that - and Windows2K was good enough to replace it, and >WindowsXP will continue the trend. Linux was never a contender for the desktop, but it's share of server market growth continues to outstrip that of any MS product, and since the server market is the only growth market left given the near saturation level of MS's desktop penetration I'd figure that Bill has a fight on his hands, because whether he like it or not, the PC's OS is rapidly becoming a commodity, and as market theory will tell you, you can't make more than a 3-4% profit in a commodity market as the empahis then falls on people who upgrade, thinks tV's and mobile phone's and you get an idea what I'm talking about. >>"This is nothing short of a crusade, a Jihad, it's been a long time coming, (almost 30 >>years) but we have all the time in the world, and no deadlines to meet." That "jihad" has been HAPPENING for 30 years, and they haven't won yet :) The reality is that Like the Muslims, I'm in it for the long haul :) If it happens in my lifetime, I'll rejoice. If not, I shall pass the torch on the best I am able, I can do no more than that. >no free OS will ever be the champion - there isn't enough direction, dedication or support to >make it viable. MS will fall someday - but it will be to another large company with a single >source OS. I don't honestly believe that even the most fervent Linux supporters ever believed that Linux will take over the desktop, and with stuff like the Eazel project falling by the wayside, I doubt it will ever be more than a niche desktop OS at that. A desktop for geeks. But the server market is another matter, I honestly do believe that Linux given time will provide a significant advantage to those that run it, given it's resilence, memory footprint, hardware req's, TCO, etc. Especially given that .net will be pay per play, not per seat as is currently the case with Me, 2K and XP, the manouverings over revoking the "dual use" (home/ofice) seat on Office in a bid to increase revenues was only the first of many such moves I believe you'll see MS implement in a bid to avoid commoditisation. They need people to understand that the OS is a seperate entity, and not something that simply comes with the machine. This was after all one of the key emails that sunk them in the Netscape case. The fear that if they didn't have the dominant browser the OS would simply become a means by which you ran Netscape, instead of a product within it's own right, to paraphrase, (since I can't recall verbatim :) "we need to develop our own browser to avoid commoditisation of the underlying OS. Because if all you need is an OS to load an app, and you have an OS allready, you don't need to upgrade do you? >Thanks for the discussion, this is fun :) Yeah, touche! :) later jb

Bugger! missed out the end quote: "we need to develop our own browser to avoid commoditisation of the underlying OS." That's better :) later jb

http://www.pbs.org/cringely/pulpit/pulpit20010802.html later jb