Trustworthy Computing !?!

So what exactly is it? Well to understand that you have to understand something else. It goes a little like this. Microsoft liked to throw temper tantrums anytime a person, group, organization or even one of its corporate clients found problems with MS software. It was later agreed in order for Microsoft to save face (having built quite a rep as a big whining baby) that anyone finding a bug/hole/exploit in MS software, having notified MS must give the software giant 2 weeks.

These 2 weeks are supposed to give the the software giant time to assess the problem and to issue or at least begin developing a patch. After 2 weeks whoever made the discovery can talk about it all they want. Sometimes though MS still likes to whine if it has yet to solve the problem. This was the case when eEye Digital Security decided to go public regarding the problems with UPnP. Microsoft claimed that the company failed to give them enough time. Numerous news article flooded the web. Here's a snipet from one such article.

In none of the interviews regarding the UPnP situation has Culp admitted that Eeye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.' According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While Eeye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community. -- The Register, "Who Needs Hackers When We've Got MS?"

So what does this have to do with the Trustworthy Computing initiative? What is it exactly? Let me explain. Trustworthy Computing is supposed to be a way for Microsoft to win some brownie points by cleaning up its software and making sure it's the most secure and stable thing out there. No longer would software ship with every feature enabled by default. What it turns out to be is nothing more than Bill Gates (who supposedly coined the phrase according to Bill himself) blowing smoke up our asses.

Trustworthy computing turns out to be nothing more than than a PR campaign from Bill and Company. It makes Microsoft look as though they are really concerned about security when they're really not. A recent article from The Register talks about the newest round of security holes in IIS.

If you're wondering why you haven't heard about them before, chalk it up to Trustworthy Computing, a Redmond policy which leaves everyone exposed to attack until MS is satisfied with its patches and spills the beans. We prefer to know these things as soon as possible so we can look into temporary workarounds and shutter the window of opportunity straight away, but MS is clearly opposed to that approach. (One workaround we rather like is called Apache, but we digress....)

While the last incident involving the Microsoft/Unisys Anti-Unix campaign was rather funny and irritated many (and the numerous articles which followed, and even a really good parody), this one takes the cake. If really shows that Microsoft products are nothing but flash.

If you can't make it good, at least make it look good. -- Bill Gates

	Wow (none / 0) (#1)
	by DG on Wed Apr 10th, 2002 at 09:18:05 PM PST

	I didn't know it took them 2 months.. thats a painful long time to leave a window open for someone to come rape your servers.. they should take a bit of wisdom from oss.. patch fast patch often.. i know some one will bust my balls about how oss wouldn't need to if they would make decent software. blah blah whine whine.. what about microsoft? if they allowed other companys to audit their software you wouldn't find a gaping hole like upnp which is worse than any oss holes in a while. If you ask me 2 weeks is too slow.. you should start on a patch asap so none of your customer lose business from servers being down.. it's just poor business sense © 2002, DG. You may not reproduce this material, in whole or in part, without written permission of the owner.

	I agree (none / 0) (#2)
	by detikon on Wed Apr 10th, 2002 at 10:44:42 PM PST

	People are starting to call IIS "A Patchy" Web Server. I would have no problem if Microsoft or any other company released patches or information as often as possible. Microsoft shot itself in the foot with XP's beta testing. It was beta tested by anyone rather than people who knew how to run a system through the gauntlet. If Microsoft were to start patching as often as some would prefer they would seem like even bigger nut jobs than they already are. They should have started much much earlier. As the article notes Trustworthing Computing attempts to hide information until patches are ready. then and only then will Ms announce a bug. That is unless someone else find it first and bothers to report it to MS first. I also agree that 2 weeks is far too long. More people and organizations need to say "hell with the 2 weeks" and announce it as soon as possible. Screw the MS whining. My belief is that MS has the money. when news hits assign as many guys on it as possible. I'm sure The Beast could afford it. One last thing. Do we really need another Windows version every year? How about we take a year or so off. Do what you did with NT (mutlitude of Service Packs) and rework Windows from the ground up. On a side note Palm is also shooting themselves in the foot right now. With so many people and even Microsoft's corporate clients being pissy with Microsoft they should re-release BeOS. It is after all a multimedia OS. With the right marketing they could make a killing in the gaming marketing and with people who just want a computer to surf they web. Oh well, I guess we'll just have to wait for AmigaOS 4 and 5 (coming soon). Go away or I will replace you with a very small shell script.

	thank you (none / 0) (#3)
	by mjl on Wed Apr 10th, 2002 at 10:47:33 PM PST

	i just thought that i'd pre-emptively thank the Adequacy.org editors for deleting this diary.

	double standards (none / 0) (#4)
	by foon on Wed Apr 10th, 2002 at 11:41:26 PM PST

	By any objective standard, windows is more secure than the competition. However, because of Microsoft's combination of security and industry-leading ease of use, they have become a favorite target of socialist hackers who want to force all computer software developers to license their software under the socialist GNU license. They cannot come to terms with the fact that commercial software such as Microsoft Windows produces a better user experience and lower Total Cost of Ownership (TCO) than their unstable, insecure hacker platform. So they deliberately target Microsoft systems, instead of Lunix, which is much easier to hack (just consider the widely publicized recent exploits in "Open" SSH and "z" lib). The truth is that these criminals are very often the same people involved in the development of lunix and other communist software.

	Yes, double standards. (none / 0) (#5)
	by The Mad Scientist on Thu Apr 11th, 2002 at 01:14:46 AM PST

	Couple questions for the bug statistics: The Linux bugs, especially when the whole distros come to question, are sum of all bugs including application software. There are hundreds of packages in one bigger distribution. What I am not sure about is what bugs the NT5 (Windows 2000 is an overhyped misnomer) statistics contains; if they are bugs related only to NT5 itself, or also to all their applications. In the first case the standards are definitely double. I have certain feeling that the Wininformant.com author isn't exactly impartial. -- Microsoft is a brain condition.

	huh? (none / 0) (#8)
	by detikon on Thu Apr 11th, 2002 at 02:49:46 AM PST

	However, because of Microsoft's combination of security and industry-leading ease of use, they have become a favorite target of socialist hackers Microsoft security? I'm sorry but it's difficult to make that argument when Windows and Linux/Unix have a very different security model. I always find it funny how almost user (excludes guest) can open a file from say an email and infect an entire NT based network. Try doing that with Linux. Unless you run everything as root you're likely not going to run into that problem. This is true even if the virus is designed for Unix/Linux. who want to force all computer software developers to license their software under the socialist GNU license. Now why would they want to do that? Apparently you're making an assumption without even bothering to glance at the evidence. I suggest that you read this little article. If you actually read it you'd realize why people think you're silly. They cannot come to terms with the fact that commercial software such as Microsoft Windows produces a better user experience and lower Total Cost of Ownership (TCO) than their unstable, insecure hacker platform. The TCO argument has been beaten to death. Why would I want to pay insane licensing, plus upgrade software and hardware whenever Ms tell me too? The report from Microsoft only somewhat makes sense if you are already totally reliant on MS software. Besides, which would cost you more, paying a Unix specialist $100,000/year or 3-4 MCSE (Must Consult Someone Experienced) $35-55,000/year? Don't forget all the other experts you're going to have to hire. $100,000/year doesn't seem so bad now does it? Microsoft loves to tell people half the story because it's never been able to be a strong contender in the server room. People often think because it's popular on the desktop it's popular everywhere. That's laughable. If you ask me, Microsoft's and Unisys' talk of "expensive experts" does an amazing disservice to the IT industry. It discounts the abilities of those who have invested time and effort to build a career servicing the companies' products. Additionally, it gives these companies' customers a false sense of security by suggesting that they don't need experts to support their IT infrastructure. Sure, Microsoft products tend to be driven by friendly click-boxes and wizards. Basic functions can be pretty easy to figure out, but someone eventually will have to know why to click on one option or another. If such a situation does not arise during initial configuration and design, it is inevitable later on, when or if problems arise. The underlying technology of a Microsoft/Unisys product can be just as cryptic as that of a UNIX (or UNIX-like) system. Sometimes the quickest (if not the only) path to a solution requires decisively non-GUI actions, such as command-line tools and registry edits. -- OSOpinion.com, "Microsoft-Unisys Anti-UNIX Campaign Backfires" than their unstable, insecure hacker platform. So they deliberately target Microsoft systems, instead of Lunix, which is much easier to hack (just consider the widely publicized recent exploits in "Open" SSH and "z" lib). I really like the fact that configuring a server using OSS can be a pain. It means that I am able to check an double check and make sure the entire system offers security. Hey it's much better than the MS "enable everything by default" method. The truth is that these criminals are very often the same people involved in the development of lunix and other communist software. All hail the grand almight Microsoft. The great reprentation of the American way. Lying cheating stealing and treating everyone else like shit, even you clients, in order to make a a few extra dollars. Gee, no wonder the world hates our guts. Go away or I will replace you with a very small shell script.

	Shut up, NAWL. (none / 0) (#14)
	by Anonymous Reader on Thu Apr 11th, 2002 at 04:07:19 AM PST

	Who do you think you're fooling?

	Bleh.. (none / 0) (#11)
	by DG on Thu Apr 11th, 2002 at 03:31:24 AM PST

	go read about what linux is or is not before you, bitch and moan about exploits in zlib or anything like that, it's like saying windows has an exploit becuse you can use holes in outlook to mess someone up, zlib and openssh are programs you can install and run on the os, it doesn't mean its essencal to have them installed, unstable? i've had windows crash more times in the last day than linux has crashed in 7 years, if you crash all the time there is something you messed up not the programmer of the program (talking X not some alpha 0.1 program) damn paranoid mccarthy wannabes.. © 2002, DG. You may not reproduce this material, in whole or in part, without written permission of the owner.

	crash, boom (none / 0) (#21)
	by detikon on Thu Apr 11th, 2002 at 01:38:20 PM PST

	Oh no but you can't dare mention anything to do with Internet Explorer. You have to mention something outside of it. Almost every single exploit can be tied to IE. Why? Because IE is integrated into every damn thing. If you don't know that you really don't know that much about Windows do you? Hell, even the Windows shell is explorer.exe and with only a few extensions you've got IE. Even the start menu couldn't work without IE or at least some worthy replacement shell. Go away or I will replace you with a very small shell script.

	Well.. (none / 0) (#23)
	by DG on Thu Apr 11th, 2002 at 03:18:01 PM PST

	not as much as ms would like to think anyway, after all 98lite works.. but yeah ie is pretty much the os now it's sad really, becuse upgrading ie breaks too much stuff, i always forget about the core being tied to ie now © 2002, DG. You may not reproduce this material, in whole or in part, without written permission of the owner.

	This soft-ware company seems important to you. (5.00 / 1) (#6)
	by elenchos on Thu Apr 11th, 2002 at 01:46:31 AM PST

	Can you help us understand why that is? Yes, yes, I've heard of this Micro-Soft. We all have heard that they are quite well-established in the soft-ware business and have brought some notice upon themselves. However, you must realize that most people are not obsessed with any soft-ware businesses, even one of the larger ones. But to you they are a "giant". This large soft-ware company plays a central role in your life. Have you noticed this unusual trait about yourself? This is of interest to us, I assure you. What is a "giant" to you? Do "giants" play a role in your life? Do you think of your father as one of these "giants"? Do you think the owner of Micro-Soft, this Mr. Gate, is more or less of a "giant" than your father? Are you angry with your father? Now I know that's a lot of questions, but if you can try to answer I think we can make progress in undertanding you obsession with a soft-ware company. And isn't that what you really want? I do, I do, I do --Bikini Kill

	Clearly, this subject agitates you. (none / 0) (#13)
	by elenchos on Thu Apr 11th, 2002 at 03:45:43 AM PST

	For that I am sorry. Honestly, I am hoping to see fewer technology-related articles here in the future, as the issues surrounding the various products that people buy from the computer store seem to be a source of genuine stress for many of our loyal readers. It isn't all that unusual, as neuroses go. There are documented cases of entire villages in the Southern US becoming manic in their fixation on one or another of the major American car manufacturers. Granted, those cases were traced back to the long-term effects of home-distilled grain alcohol, but nonetheless, I don't think we should judge our own crop of soft-ware company fanatics too harshly. As a peace offering, I will share this with you: recently I happened to view an advertisement on televison for one of the products of this Micro-Soft. I don't remember the details, but I must say, I thought the advertisement struck an inappropriate tone. So there, you see? Now please try to breathe slowly, and I will do my best to keep the subjects away from technology as much as I can. No promises, but I want you to know that I care about all of Adequacy.org's readers. I care very, very much. I do, I do, I do --Bikini Kill

	Good to keep away from technology, (none / 0) (#15)
	by because it isnt on Thu Apr 11th, 2002 at 04:30:28 AM PST

	but what's technological about corporate politics and PR spin? adequacy.org -- because it isn't

	Maybe... (none / 0) (#16)
	by The Mad Scientist on Thu Apr 11th, 2002 at 07:03:55 AM PST

	...the fallout? Wherever Microsoft and their products come through, a trail of helpline calls follows. The most recent story was a document suggested to be read-only, that refused to be opened in anything other than read/write mode. Again, an example of a product that somehow works, except when you want some less commonly used features. Blessed be plaintext. Blessed be SGML. Blessed be open formats.

	RSS (none / 0) (#12)
	by Anonymous Reader on Thu Apr 11th, 2002 at 03:42:34 AM PST

	By any objective standard, you have proven, in all your posts, regarding all topics, to be the most reliable, stable and scalable dummy. Stay by the phone, I'll call you soon for Comedy Hour.

	oh man (5.00 / 1) (#7)
	by Anonymous Reader on Thu Apr 11th, 2002 at 02:18:56 AM PST

	Please stop with the pathetic attempt at psychology. It seems that every single article in relation to computing must bring about your only real argument. You consider it a great weapon don't you? People often decline to comment and you feel that you have won. Sorry, it's that it is tired and we've all read the dribble before. It's not about MS being big-daddy. It's the most obviously form of PR spinmasters blowing smoke up everyones ass. People are just too damned ignorant to realize it. Maybe then they also realize they should be using a Mac, a Linux-based OS or even BeOS. Nowadays OSes are a commodity. The average person doesn't use an OS. They use applications. Make them look pretty and they'll use it. Woooooowwwww, lookey shiny sparkly.

	of course, you're right (none / 0) (#20)
	by nathan on Thu Apr 11th, 2002 at 10:53:22 AM PST

	My dad was sceptical at first, but after recompiling his kernel a few times, he started to love Lunix almost as much as you! Not me, though. I'm proud to say that I run BeOS (nothing like multithreading; once you've tried it, you can't go back.) Nathan -- Li'l Sis: Yo, that's a real grey area. Even by my lax standards.

	Ha (none / 0) (#9)
	by DG on Thu Apr 11th, 2002 at 03:20:05 AM PST

	Elenchos, that was the oddest and most lackluster attempt at pseudo psychological babble i've heard in a while, other than to boost your ego at trying to use arm-chair psychology what does his father have to do with anything?, it makes me wonder about your sanity © 2002, DG. You may not reproduce this material, in whole or in part, without written permission of the owner.

	he likes Freud (5.00 / 1) (#22)
	by detikon on Thu Apr 11th, 2002 at 01:40:59 PM PST

	Just like Freud did with all the "tell me about your mother", he wants to know that there's someone out there who feels the same way as he does about his daddy. Go away or I will replace you with a very small shell script.

	He-llo Re-fu-ta-tion (none / 0) (#10)
	by because it isnt on Thu Apr 11th, 2002 at 03:27:34 AM PST

	These hy-phens seem im-por-tant to you. Why do you al-ways use them when men-tion-ing The Mi-cro-soft? Are you be-ing fa-cet-ious? It sounds like it to me. adequacy.org -- because it isn't

	Clearly (5.00 / 1) (#18)
	by jvance on Thu Apr 11th, 2002 at 07:13:46 AM PST

	he's studied under the Master Himself, T. Herman Zweibel. Whatever happened to that loveable old curmudgeon, anyway? -- Adequacy has turned into a cesspool consisting of ... blubbering, superstitious fools arguing with smug, pseudointellectual assholes. -AR

	he was last seen (none / 0) (#19)
	by nathan on Thu Apr 11th, 2002 at 10:41:30 AM PST

	In a spaceship, bound for the unknown. Nathan -- Li'l Sis: Yo, that's a real grey area. Even by my lax standards.

	I thought... (none / 0) (#17)
	by The Mad Scientist on Thu Apr 11th, 2002 at 07:05:27 AM PST

	...Freudian psychology was discredited and abandoned decades ago.

	Freud discredited?! (none / 0) (#24)
	by elenchos on Thu Apr 11th, 2002 at 04:14:36 PM PST

	Maybe in the Communist Bloc, but I can assure you that we in the Civilized World recognize Sigmund Freud as the founder of all modern psychological thought. To discredit Freud would be to discredit the entire science of psychology and return to square one. It would put psychoanalysis back on the same primitive, solipsistic level as astrology or Christianity. You are sadly misinformed, my little Soviet stooge. Without Freud, there is simply no foundation for understanding Thing One about how the brain works. I do, I do, I do --Bikini Kill

	perhaps you should read... (none / 0) (#25)
	by detikon on Thu Apr 11th, 2002 at 04:45:49 PM PST

	...The Interpretation of Dreams by Sigmund Freud in which he credits the earlier works of others. Go away or I will replace you with a very small shell script.

	*Of course* he gives others credit.** (none / 0) (#26)
	by elenchos on Thu Apr 11th, 2002 at 07:31:29 PM PST

	Dr. Freud was an honorable and generous man, whose insights and wisdom were unmatched. These are among the very reasons why he was so correct in his time, and why his ideas remain unchallenged to this day. I would be more concerned if you had dug up some accusation that Freud failed to give credit to his forbearers. I do, I do, I do --Bikini Kill