
FBI, Pentagon Quiz Microsoft on XP
dailynews.yahoo.com ^

Posted on 12/23/2001 6:55:43 AM PST by TaRaRaBoomDeAyGoreLostToday!


WASHINGTON (AP) - The FBI's top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.

The FBI's National Infrastructure Protection Center said that, in addition to installing a free software fix offered by Microsoft on the company's Web site, consumers and corporations using Windows XP should disable the product's "universal plug and play" features affected by the glitches.

The FBI did not provide detailed instructions on how to do this. Microsoft considers disabling the "plug and play" features unnecessary.

The company acknowledged this week that Windows XP suffers from serious problems that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The glitches were unusually serious because they allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.

Outside experts cautioned that disabling the affected Windows XP features threatens to render unusable an entire category of high-tech devices about to go on the market, such as a new class of computer printers that are easier to set up. But they also acknowledged that disabling it could afford some protection against similar flaws discovered in the future.

The FBI, in a bulletin released at 8 p.m. at the start of a long holiday weekend, also warned professional computer administrators to actively monitor for specific types of Internet traffic that might indicate an attack was in progress.

A top Microsoft security official, Steve Lipner, sought to reassure consumers and companies that installing the free fix was the best course of action to protect their systems.

Friday's warning from the FBI's cyber-protection unit came after FBI and Defense Department officials and some top industry experts sought reassurance from Microsoft that the free software fix it offered effectively stops hackers from attacking the Windows XP flaws.

The government's rare interest in the problems with Windows XP software, which is expected to be widely adopted by consumers, illustrates U.S. concerns about risks to the Internet. Friday's discussions came during a private conference call organized by the National Infrastructure Protection Center.

During the call, Microsoft's experts acknowledged the threats posed by the Windows XP problems, but they assured federal officials and industry experts that its fix - if installed by consumers - resolves the issues.

Microsoft declined to tell U.S. officials how many consumers downloaded and installed its fix during the first 24 hours it was available. Experts from Internet providers, including AT&T Corp., argued that information was vital to determine the scope of the threat.

Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.

Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.

"The patch is effective," said Lipner, Microsoft's director of security assurance, in an interview with The Associated Press.

Officials expressed fears to Microsoft about possible electronic attacks targeting Web sites and federal agencies during next week's Christmas holidays from computers running still-vulnerable versions of Windows, participants said.

Several experts said they had already managed to duplicate within their research labs so-called "denial of service" attacks made possible by the Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use by legitimate visitors.

Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.

The FBI's cyber-security unit has been concerned about the threat and warned again Thursday that the potential of "denial of service" attacks is high. The agency said people unhappy with U.S. policy have indicated they plan to target the Defense Department's Web sites, as well as other organizations that support the nation's most important networks.

-

On the Net:

NIPC.gov

Microsoft Security


TOPICS: Front Page News; News/Current Events
KEYWORDS: techindex
To: toddhisattva
A bug is not a defect.

A software 'bug' absolutely *is* a product defect. That is the very definition of a software 'defect'.

And more importantly, legally a 'defect' is anything about a product that would affect the decision to buy.

Yes, it's hard to hold a conversation with people who refuse to use language properly. Like re-defining the meaning of 'is', or claiming that software bugs aren't product defects . . .

241 posted on 12/24/2001 7:00:47 AM PST by Dominic Harr

To: TaRaRaBoomDeAyGoreLostToday!
Two words for Microsoft about this: Pentium and Tylenol.

When the first Pentiums came out, there was a bug in the floating-point unit. Intel's position was that they would fix the bug in the next rev. They saw no reason to recall the chips already in the field, since the bug would only turn up in an improbable sequence of operations involving floating-point division. The line making the rounds on the then-nascent Internet was...

In this case it was IBM who stepped up to the plate. They had spent twenty years convincing people that while computers might crash, they did not make arithmetical mistakes. They were not going to allow Intel to put that in jeopardy. They issued a press release stating that they would ship no more Pentium computers until Intel revised its policy, issued a recall, and replaced every single defective chip out there as a warranty repair. Within days a couple more followed suit (as I recall Compaq was one) and before the week was out, Intel caved. This cost Intel tens of millions of dollars, but in the long run, it probably did them good. This is how Intel got to be an adult company, instead of the same kind of brash "we own you punks" outfit that Microsoft still is.

This might not be a bad time for Microsoft to become an adult company.

The second word of the day is Tylenol. Having the FBI declare your product a national security threat, and your proposed method of correcting it as insufficient and irresponsible, is not a marketing coup, OK? Does everyone understand that? Good. We here on FR can joke about the FBI not knowing a terrorist from an anthrax spore, but on questions of national security the public is going to listen to the FBI. Getting into a public pissing contest with the FBI over national security -- especially right now -- is really dumb corporate strategy. The sooner Microsoft recognizes that, the better.

The Tylenol poisoning episode is still taught in PR classes as the definitive "right way" to handle this kind of public relations disaster. The right way is to immediately step up, own the problem, and tell people how you're going to fix it. Don't say it wasn't you, don't tell people it was an isolated incident, don't deny there's a problem. Own it and fix it. Do it fast and be up-front about it. Be seen taking action, as a custodian of the public's trust, to make your product safe from would-be tamperers.

I don't see either one of these things happening here. Today it would take a joint press release from IBM, Dell, Hewlett-Packard, and Compaq to do what IBM could do alone in 1991. Having AOL, AT&T, and Earthlink on board wouldn't hurt either. Perhaps such companies are hammering out the language now; I hope so.

In the meantime, Scott McNealy can do us all a favor by keeping his mouth shut. It's time for the adults to step in, not another brash kid with a big mouth.

Microsoft will win or lose the Tylenol point depending on whether there is in fact a poisoning incident. Tomorrow, literally millions of boxes will be opened across the world that contain new computers, most of them with a pre-installed version of Windows XP that contains the bug. By the end of the week, half of them will be on the Internet. If the Bad Guys are going to strike, that's the time. If it happens, Microsoft will have been on record as taking a passive approach to this problem, stonewalling on how effective their proposed patch distribution scheme is, and asking the rest of us to believe that this is the last such exploit that will be found.

Most of the public will not be paying attention to this, but the I.T. guys will. If there are in fact widespread DDOS attacks in the next several weeks, Microsoft's acceptance as an adult in what must be an adult community will be dealt a serious blow. They'll recover, but there will be plenty of corporate CTOs who will put the "blue X of death" on them as a serious corporate software provider. That 'X' will likely stay there for a long time.

Somebody in Redmond needs to provide some adult leadership here. This is an opportunity to demonstrate responsibility as a corporate entity, and to reveal some sense that the company understands its public trust. The maturity lesson won't cost them a tenth of what it cost Intel. But that's not what they are doing. So far they seem to be putting their chips on the "No DDOS attacks" line. That's the bet of a brash guy with a big mouth. If they win, they'll think they've overturned the Tylenol principle. That's a bad move, because the tamperers will be back.

242 posted on 12/24/2001 8:55:48 AM PST by Nick Danger

To: Nick Danger
I agree a simple (take a Tylenol) patch is not enough. Norton came with the puter package as well but like you say many vulnerable first timers at Christmas. They need to speak up, be responsible, and appease those of us they just got $$$$$$ from and offer Microsoft Office and various other freebies for FREE downloads. Good PR, marketing, but most of all responsibility in being gentlemen and fessing up, or they will lose big bucks in the long run! Bad news spreads fast!
243 posted on 12/24/2001 8:01:31 PM PST by TaRaRaBoomDeAyGoreLostToday!

To: Nick Danger
Two words for Microsoft about this: Pentium and Tylenol.

Wonderful analysis.

But I'd add *one* last little thought -- the real fallout here has already happened, and there is no chance of MS saving that market.

The real 'battle' now in the software world is the battle over the 'next generation' software, 'distributed applications' (kinda like FR here). The real battle is .NET v. Java. That is MS's biggest single obsession, MS's biggest single fear is Java, MS's biggest illegal assaults have been *against* Java. Many think that the 'payoff' to MS from the Bush Justice dept was no punishment or restrictions on their ability to disable Java in the next version of Windows. Odd how one of the key conviction points upheld by everyone was the illegal actions against Java, yet the JD's settlement doesn't even *mention* that little point, isn't it? Only a payoff will get the police to completely ignore a conviction, in my experience.

MS understands that if Java continues to be the dev language of choice for new software dev, then they lose the single biggest 'force' left that is keeping MS in the game -- application availability.

Java (or any cross-platform language, actually) is the key to ending the dominance of Windows. Platform-independent software would create real choice of OS's for the first time ever.

The biggest single concern about .NET has been its reliability. Conventional wisdom in the development world is that it'll take MS 3 to 10 years to put out a stable, bug-free version. The .NET salesmen like Bush2000 have been repeatedly pointing to XP as proof that MS has changed, they have been using XP as proof that MS can make something free of significant bugs.

And I'd guess that's why Bush2000 just completely vanished. Likely he won't be back until Redmond comes up with a 'spin' they think might save .NET. MS must be just absolutely in a panic about how to deal with this. Microsoft has literally banked the entire future of the company on .NET. The MS spin dept must be working overtime, looking for an angle to defuse this.

But it's hopeless.

That's the reason I'm on this, "MS knew about this mission-critical defect 5 weeks ago, but didn't inform its users until *after* the Christmas selling season" line. This point will completely kill any chance of our executives considering a .NET solution.

John Q. Public probably won't ever even hear about this. Anyone who only uses their computer as a toy -- 80% of the PC users -- won't much care.

But professionals . . . it is *not* acceptable for there to be a bug as serious as this in the software to begin with. And then to find out that if/when MS finds out about one of these bugs they'll withhold that info from us for over a *month*? Purely to allow them to keep fraudulently selling a defective product?

They just completely killed .NET's chances. No one in their right mind will consider using .NET now. Sure, there will be 1 in 10 that don't know any better. There are plenty of idiots out there.

But no company that intends to be in business 2 years from now would even consider it, now.

244 posted on 12/26/2001 8:16:51 AM PST by Dominic Harr

To: TaRaRaBoomDeAyGoreLostToday!
DOWNLOAD: WINDOWS XP/ME SECURITY PATCH

Why? Just throw that windows system out and get a real one. It is a big disaster!

245 posted on 12/26/2001 8:19:41 AM PST by A CA Guy

To: Don Joe
PS: you're not my "critic". You're merely a pesky nuisance.

Actually, just a dispassionate reader here sees Harr as bringing valid criticisms (if impassioned) and you saying nothing but "MS is gonna' sue." Look in the mirror for the pesky nuisance.

246 posted on 12/27/2001 8:33:03 AM PST by jammer

To: ALL

WINDOWS XP & ME USERS

SEE POST # 7

247 posted on 01/06/2002 5:35:18 PM PST by TaRaRaBoomDeAyGoreLostToday!

