Hotmail Flaw Raises Questions Over XP Security

By David Worthington | Published August 21, 2001, 2:53 AM

UPDATED As Microsoft CEO Steve Ballmer touted Windows XP's rapid progression toward manufacturing, news reports began to surface indicating that a proof of concept "hack" had compromised the integrity of the company’s Hotmail e-mail services. Throughout its lifespan, Hotmail has been plagued by outages and occasionally some highly embarrassing security oversights. Now that integral components of Windows are tightly integrated with Microsoft's Passport authentication system and Web based services, even seemingly minor incidents are examined under the lens of a microscope.

Late Sunday night, Root Core, a group of computer security researchers, published details of a vulnerability in Microsoft's popular service. It is not known how many e-mail accounts were accessed, but the steps needed to carry out the exploit limit its potential for widespread abuse. The hack requires knowledge of a target's username as well as a message ID, a string of 10 to 11 digits.

To succeed, an attacker would need to know the exact time a particular message was sent, down to the second. UK-based technology news site The Register reported that a "brute force" application authored by Root Core was itself cumbersome and time consuming, and that it requires a high-bandwidth Internet connection.

In an e-mail statement to BetaNews, MSN Product Manager Mark Wain downplayed the potential for mischief. Wain wrote, "These conditions make it extremely difficult for anyone but the user themselves to exploit this 'proof of concept' code which the poster has given us. A malicious attacker would have to conduct thousands if not tens of thousands of attempts before they could hit on a valid message ID, and even that would only give them a portion of the information they would need to fully exploit this issue."

He went on to criticize Root Core for failing to notify the company of its findings before releasing information that could be detrimental to users. Despite the difficulty of the hack, Wain conceded that even minor security flaws are matters of some importance, saying, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher." On its Web site, Root Core claims to have alerted Microsoft.

Whitehat security expert Jeremiah Grossman, formerly a member of Yahoo's security auditing team, told BetaNews that the scope of the Root Core exploit is greater than most reports have indicated. Where other accounts are configured to e-mail lost or forgotten passwords to a Hotmail address, the attack can be used to retrieve those passwords. The security hole has since been fixed.
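The following is an added illustration, not Hotmail's or Root Core's code. It models a webmail back end whose message lookup serves any ID that exists once the caller is signed in (the authenticated-but-not-authorized gap that commenters on this story describe), beside a fixed lookup that also requires the message to belong to the session user, and runs a Root Core-style enumeration of one second's worth of IDs against each. The ID layout (arrival second followed by a four-digit nonce), the 6,000-value nonce space taken from the Microsoft statement reproduced in the comments, and the sample users and messages are assumptions constructed for the example.

```python
"""Toy model of the Hotmail message-ID flaw: authentication without authorization.

Added illustration, not Hotmail's code. The ID layout, the 6000-value nonce
space and the sample users/messages are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed: number of ID values an attacker who knows the arrival second must try.
NONCE_SPACE = 6000


@dataclass(frozen=True)
class Message:
    msg_id: str
    owner: str
    body: str


def make_msg_id(sent_at: int, nonce: int) -> str:
    """Assumed ID layout: Unix second of arrival followed by a 4-digit nonce."""
    if not 0 <= nonce < NONCE_SPACE:
        raise ValueError("nonce out of range")
    return f"{sent_at}{nonce:04d}"


class Mailbox:
    """In-memory message store shared by all users of the service."""

    def __init__(self) -> None:
        self._store: Dict[str, Message] = {}

    def deliver(self, owner: str, body: str, sent_at: int, nonce: int) -> str:
        msg_id = make_msg_id(sent_at, nonce)
        self._store[msg_id] = Message(msg_id, owner, body)
        return msg_id

    def get_message_vulnerable(self, session_user: Optional[str],
                               msg_id: str) -> Optional[Message]:
        """Checks that the caller is signed in (the Passport step) and that the
        ID exists, but never checks that the message belongs to the caller."""
        if session_user is None:
            return None                    # not signed in
        return self._store.get(msg_id)     # any valid ID is served to anyone

    def get_message_fixed(self, session_user: Optional[str],
                          msg_id: str) -> Optional[Message]:
        """Same lookup with the missing ownership check added."""
        if session_user is None:
            return None
        msg = self._store.get(msg_id)
        if msg is None or msg.owner != session_user:
            return None   # unknown ID and someone else's ID look identical
        return msg


Fetch = Callable[[Optional[str], str], Optional[Message]]


def enumerate_second(mailbox: Mailbox, attacker: str, sent_at: int,
                     fetch: Fetch) -> List[Message]:
    """Brute-force every nonce for one known arrival second as the attacker,
    collecting any message that is not the attacker's own."""
    leaked: List[Message] = []
    for nonce in range(NONCE_SPACE):
        msg = fetch(attacker, make_msg_id(sent_at, nonce))
        if msg is not None and msg.owner != attacker:
            leaked.append(msg)
    return leaked


def demo() -> tuple:
    """Returns (messages leaked before the fix, messages leaked after)."""
    box = Mailbox()
    arrival = 998400000   # constructed arrival second
    box.deliver("victim", "password reminder for another site", arrival, 4321)
    box.deliver("attacker", "the attacker's own mail", arrival, 17)
    before = enumerate_second(box, "attacker", arrival, box.get_message_vulnerable)
    after = enumerate_second(box, "attacker", arrival, box.get_message_fixed)
    return len(before), len(after)


if __name__ == "__main__":
    print(demo())
```

`demo()` enumerates the 6,000 candidate IDs for one second: against the vulnerable lookup the victim's message comes back, against the fixed one nothing does. Two design points carry over to real services: the fixed lookup returns the same `None` for an unknown ID and for another user's ID, so the endpoint never confirms which guesses hit, and it is the ownership check, not the size of the ID space, that closes the hole; replacing the guessable timestamp-plus-nonce layout with a random token would only raise the cost of enumeration.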

A Troubled Past

Hotmail has suffered outages that interrupted the service for as long as several days. Several highly publicized security breaches have also led experts to recommend that users not assume e-mail services hosted on public Web servers are secure. To counter those claims, Microsoft has continually attempted to improve security, on one occasion asking independent experts to audit Hotmail.

Passport, the service's sign-in system, will be protected by VeriSign technology in cases where additional security measures are required. However, security experts still have Passport in their sights. eWEEK reports that a flaw in the technology can place personal information in the hands of malicious individuals who need only obtain a cookie from a target system to gain access.

As first reported by BetaNews, AOL is also in the process of phasing in its own authentication system dubbed Magic Carpet. The use of Web-based services is set to become more commonplace as companies roll out their answers to .NET enabled applications. Redmond competitor Sun Microsystems has spent several years perfecting Jini, its answer to Microsoft's .NET solution.

Russian Roulette or The Next Logical Step

Microsoft has deployed .NET-based technology into Windows XP, merging its desktop software with its own online services. This has proven to be a point of contention with competitors and US Government antitrust officials alike. New York Senator Charles Schumer has recently asked that Windows XP be reviewed, and has threatened to block its release.

Microsoft maintains that .NET is the future of software development, and insists that Windows must evolve alongside cutting-edge Internet technologies such as XML. It also maintains that it must build features into Windows that meet the demands of its customers.

According to Microsoft Chief Software Architect Bill Gates, "The transition to .NET is as dramatic a transition as the move from MS-DOS to Windows."

Despite concerns over the inherent risks involved with trusting sensitive information to shared servers, the incorporation of the .NET framework into Microsoft products continues to move ahead as planned.

Comments


http://www.microsoft.com...g01/08-24WinXPRTMPR.asp

Press Release for Windows XP. It's final.

Score: 0

|

I really don't understand why everyone is getting crazy when they find a bug in a 40-million-lines-of-code OS like Windows XP or a service like Hotmail, serving 110 million people. You don't have to cry that they could read your mail; it's a well known fact that Hotmail or any other Web-based mail can't be 100% secure. So don't use it for that information, or YOU are the idiot over here.
In my opinion security at home, if you have the knowledge, just comes down to one thing: how much money do you want to spend on it. It's indeed the same as your own house. Is it useful to build a wall around it without the possibility of leaving? Once you make it useful, someone will always find a way to get in. Doesn't matter if you're running Windows, Linux, BeOS, OpenBSD or any other piece of code.
Not one OS is 100% foolproof and safe, so you always have to find other solutions or combine various technologies. Every OS has its good and bad points. I'm running Windows XP now, knowing for sure that there could be one or more big security flaws in it, same with my Hotmail account. But that is my responsibility, isn't it? It's my decision that I'm running and using it now. And in fact, in my opinion this XP is the best I could bet for. Best OS for the normal PC user that has ever been made.
And please, no Linux junkies telling me that their Linux is the most stable piece of code, because Windows XP on my computer crashes only when it's totally my fault and I f*cked it up. Linux still isn't usable for a normal home user and his knowledge about PCs.
What a pity that they can't write a patch for the bug between chair and keyboard.. ;)

Greetz
Robbeke

Score: 0

|

Has anyone here heard anything about homestead.com?
I have been wondering, since it is a large service and appears to be offline. In short, I am missing them : ) No homepage in about 48 hours now. If anyone can fill me in I would appreciate it. Thanks
Issac

Score: 0

|

Last time I checked, the hotmail servers have BSD running on them. I believe a beta news article stated this a while back.

Score: 0

|

Here is the link to the article that states Microsoft uses FreeBSD for its Hotmail servers, not Win2k like many think.
http://www.betanews.com/article.php3?sid=992921150

Score: 0

|

Microsoft announced yesterday that the company has plugged a minor
security hole in its Web-based Hotmail email service, a hole that could
have potentially revealed users' email messages to other Hotmail
customers. Microsoft says it fixed the problem less than 12 hours after
a hacker Web site advertised it. The company also noted that the hole
didn't actually affect any of its 110 million customers; a hacker would
have required a bizarre and exacting sequence of events to use the
glitch.

"[Malicious hackers] would have to conduct thousands, if not tens of
thousands, of attempts before they could hit on a valid message ID, and
even that would only give them a portion of the information they would
need to fully exploit this issue," Microsoft said in a statement.

A Microsoft spokesperson said that hackers who wanted to take advantage
of the bug would have had to know the target users' email address, the
exact time a particular message arrived, and a random number. Even
hackers who knew the exact moment a message arrived would have had to
try 6000 numerical combinations. Scanning all the messages that arrived
in a given hour would require 360,000 combinations. "It's a
computational infeasibility," the spokesperson said, noting that the
service would have thwarted an automated attack anyway.

Score: 0

|

For me, the only advantage to open source is that bugs are found and fixed quickly and reliably. With everyone targeting MS, that advantage is gone. Everyone wants to find something wrong with an MS product/service, and once they do, MS fixes it if it's serious enough. Anyway, just a thought.

Score: 0

|

If you read on some OTHER news sites... the hotmail flaw was FIXED

Score: 0

|

Once again BetaNews is taking down Windows and saying nothing about the flaws in Linux.. we all know there are flaws in any code... we're only human... and this really doesn't have much to do with XP.. since currently Hotmail is run on W2K servers..

Score: 0

|

Where are all those Linux freaks? Linux freaks, come out wherever you are. Defend yourselves against the flaws that have allowed the Melissa virus, the I Love You virus and the Code Red worm. If only Linux programmers would start to understand that security really DOES play an important role when coding. We wouldn't have to be plagued by these stupid viruses if only Linux programmers would do their well earned job right.. just for once.

Score: 0

|

Two words for you: BIND, SENDMAIL.

Score: 0

|

The point is that companies spend billions on software each year that is advertised as secure, MS products (and others) fall pitifully short of this advertisement.

The resources MS has at its disposal exceed any other company many many orders of magnitude, yet they are no further ahead in producing a secure OS.

Most products I buy today adhere to some sort of advertising standard. Standards that don't seem to apply to software houses - that's what bugs me.

Score: 0

|

If you know how to use the OS, then you won't have a problem with security.... you just have to keep in mind that having more services running means you are opening yourself up more.

Score: 0

|

Everywhere I go I hear that an OS has no real viruses or threats....
Take Linux for instance... they are immune to many viruses that become very widespread and they don't worry about them. This is because Linux is not one of the major targets of the virus generator.
If Linux held 75% of all the OS market... viruses would pop up left and right for the OS because more damage would be done.

Score: 0

|

True - but what use is an OS without it running services?
We chose to run IIS - its shortfall from its advertised security at launch has proved to be laughable.

I KNOW I can patch it up every week or so - but that increases Total Cost Of Ownership and incurs downtime. Erm - isn't this just what MS would like us to believe they are reducing?

Score: 0

|

No, you simply turn off the services in IIS that you don't need (which I guarantee is probably quite a bit), and if you do need the services that are constantly being affected, well... tough luck.

Score: 0

|

Exactly what I was thinking.

Score: 0

|

Tough Luck?
Um, thanks for the advice.

Score: 0

|

I'm having a little problem with one of the machines in our training room: the Start menu does not pop up anymore. Does anyone know the cause of this? Other than re-templating the workstation, that is; I would like to know how to fix this problem in case it happens in the future.

Thanks,

SysAdmin2k

Score: 0

|

What OS? 2000? All icons gone or just start menu? Have you checked to see if the start menu taskbar has just gotten extremely small (check to see if you can get the up and down arrow looking mouse pointer, when you put it at the very bottom) Do you have a windows key on your keyboard? Can you get a keyboard with the windows key and punch it to see if it will actually pull it up? Give some more details, please.

Score: 0

|

If you are running 2000, perhaps Server, though I am not sure why it would be in a training room, but just in case you are, check to make sure you do not have Code Red II. I was surprised this weekend to find one of our computers here that wasn't supposed to have any Internet services running did, and was very angry at myself for not patching it anyway beforehand, but thinking it was NOT an IIS server I didn't bother with it, just our Web server... anyway, long story short, it gave a very similar problem to the one you are asking about. It's easy enough to get around and fix, but it may be your problem.

Score: 0

|

Ctrl+Esc is one of the key combinations you can use if you don't have a windows key on your keyboard. It will do the same thing, i.e. pop up the Start Menu.

Score: 0

|

Huh? Not using an IIS server, just a Web server? If you are running the MS Web server then IIS is installed and running... the same thing if you are running MS FTP Server...

Score: 0

|

Ok, I should have realized this in my previous post.

The workstation is running NT Workstation 4.0 and has Service Pack 6a applied on it. I've tried everything I know: Ctrl+Esc, the Windows keys, I've checked for registry edits on the Start menu (there are a few, such as to delay it from coming up). The network currently is running with NT, but is moving to 2k in about a month; Head Office is just a little slow for these things :\

And the machine is just a workstation, for training purposes only. I haven't detected any viruses on the PC; ran the scanner a few times to make sure.

Thanks again,

SysAdmin2k

Score: 0

|

Sorry Squall, my message was seriously messed up; there are so many more details, I was just trying to say I had a similar problem this weekend. I have 2 2k servers in our network, 1 is an IIS server, the other I was told wasn't running IIS, so I didn't check it. (My fault, I'm stupid.) It turns out the 1 I didn't check was running IIS and did get it, but the one that was supposed to be running IIS, which I did patch, did not get it. Now I am going back to see what really is installed and what isn't. I am sorry for that stupid message.

Score: 0

|

Errgh, I haven't found any viruses, the system is clean.

Score: 0

|

This has nothing to do with XP. All of Hotmail's messages contained a unique timestamp and ID. Hotmail made sure that the user was a valid Hotmail (Passport) user and that the message ID was valid, but its flaw was that it never checked that the message belonged to the user. The authentication scheme is working fine, just not their authorization scheme. Anyone who's built sites that allow multiple users to access multiple clients/campaigns/or whatever has probably run into this dilemma.

Score: 0

|

If MS isn't responsible for their secret source code, who is? Most of these security problems are only fixed at the code level, so how can you say that MS shouldn't be held accountable? Big businesses pay hundreds of thousands (some pay millions) of dollars a year in rental fees to MS. Shouldn't they expect more from MS than software that costs them hundreds of thousands more (maybe millions) because of flaws in MS's software?

Score: 0

|

read the EULA (end user license agreement)

Score: 0

|

Wasn't Microsoft running Hotmail on BSD servers? This flaw can't possibly be Microsoft's fault. It must be some problem with the BSD operating system.

Score: 0

|

Hotmail was based on FreeBSD, but the latest issues with it are not OS dependent; they're about how this service is deployed on Web servers, like Apache or MS IIS. Luckily this was not IIS; Code Red shows why :) Seriously, if MS gets paid for Windows OSes, it is responsible for issues with them, at least for the non-foolproofness of those OSes. Any answers about the latest Hotmail issue look like attempts at fooling people. As I saw it, this issue is tied to that part of the Hotmail service which is integrated by _default_ with Windows 2000 and Windows XP. The average user these days uses either cable Internet or DSL, so ten thousand attempts is not a serious barrier; it needs... 1-2 seconds and voila, Passport stolen :/

Score: 0

|

Currently Hotmail is based on Win2k and Microsoft-IIS/5.0, so outages with Hotmail were a Microsoft self-deployment issue and nothing more.

Score: 0

|

'viola passport stealed'

Hmm, as pointed out, this isn't an issue with Passport but rather the message ID. Hotmail checks that the user is logged into Passport but does not cross-reference the message ID requested to make sure it belongs to the current user. If anything this is a design flaw, and to fix it (which MS should do) they can simply add a check to make sure the message ID belongs to the currently logged in user. I.e. you cannot 'steal' someone's Passport using this method; you can at best guess someone's e-mail message ID and read that e-mail - which, based on the amount of spam on Hotmail, will probably be an e-mail telling you how you can lose weight, or worse!

Score: 0

|

I think that this is the problem that we have with security today. Not to start a flame war, but the previous two posters have learned from Microsoft that one should have to wait for security to be fixed. Implementation of security should happen at the start. This problem is just one of a thousand. I understand that programming errors occur, and security issues will always exist. But Microsoft has yet to be held accountable and has made the public believe that security is an optional service rather than an obligation by the software peddler. Are we really serious about security? Or is 'security' just a buzzword that people like to throw around at business dinners?

Score: 0

|

You can't blame M$ for these security problems. Look how many lines of code and how much software they put out. It would be impossible for there not to be a lot of holes.

And M$ always releases patches quickly, and most security flaws related to M$ aren't really that bad, unlike Linux where several flaws can get you root access. Granted, Windows and Linux don't work the same way, but no OS is perfect and you can't blame companies for security flaws.

Score: 0

|

How do you figure? If I write the code, I am responsible. Lots of code, lots of programmers. I am sure you would feel differently if it was your credit card that was ripped off from a Web site. And 99% of the Microsoft security issues that receive attention from the mass media are Administrator or Local System compromises (same as root in *NIX). Linux, FreeBSD, OpenBSD (well, OpenBSD hasn't fallen in years), etc... all have issues. But the number of REMOTE root compromises still pales in comparison to Microsoft products.

Score: 0

|

From the way you're posting I'm assuming you could create an operating system with impenetrable security, and one that will require no patches. Maybe you've even already done that? Please...share with us, show microsoft how it's done! An OS that will never need patches and is completely secure, no matter what. Show me the OS you created and then start talking about how much better microsoft should be.

Score: 0

|

Credit card numbers being ripped from Web sites? Is this a pandemic that I am not aware of?

Find me ONE credible source that details credit card numbers being yanked from Web sites. If you are going to say stuff like that, be prepared to back it up with a source or don't even post it.

Blaming the OS maker for security issues is like blaming your home builder for having your home robbed. You have NO responsibility when it comes to ensuring the security of your personal information? Do you leave your doors unlocked?

Perhaps the DOJ should stop pursuing legal action against MS and start pursuing the real criminals... the a******s that try to hack & crack your computer. Of course that won't give liberal politicians headlines like "Senator X protects the little guy from big-bad Microsoft", will it.

Score: 0

|

Actually, in the past year at least 1 credit union and Egghead.com were compromised and thousands of numbers were stolen...

Score: 0

|

Do you know about OpenBSD(http://openbsd.org)?

Four years without a remote hole in the default install.

I wonder how many remote holes have been found in Windows NT/2000 in the last four years... hundreds?

Score: 0

|

Do people HAVE to run your software??? I thought not. People don't HAVE to run M$ (literally, in reality they don't have much of a choice)

Score: 0

|

OpenBSD is a VERY secure and VERY stable OS, absolutely no arguments there. Part of the reason it is so is because everything that comes with it is tested and tested and tested, and the other reason is that by default I believe it doesn't start any services at all - it's up to the admin to individually start whatever service they require. What this means is that you don't have boxes running god knows what services without the admin knowing about it. The downside to this is that the software that comes with OpenBSD isn't the latest - as it has not had time to be thoroughly tested.

As for the amount of holes found in NT/2000, how many have been found in GNU/Linux? Does finding X holes make an OS bad? I wouldn't think so, I'd rather have these holes found and patched so others can learn from them. We can't wait till every application has been completely tested before running it under our OS, we'd never see very many applications!

Back on topic, we found that there was a design flaw in the way Hotmail retrieves emails which luckily can be fixed quite easily (I would imagine). Now anyone else that runs a service similar to Hotmail can also check to make sure their systems are secure.

Score: 0

|

'receive attention from the mass media'

When is the last time that you heard in the mass media about ANYTHING relating to OpenBSD or FreeBSD? Linux might come up a little bit more often, but a little bit more than not-at-all is still pretty much not-at-all. The mass media will report anything that's popular - it's not exactly a good source to use to make a point.

However, you are right in saying that this is Microsoft's problem. Although they did not build Hotmail from scratch, they did implement Passport into it, and therefore this should have been recognised as a security issue. Maybe it even was recognised but someone said that 'no-one is going to randomly pick message IDs', in which case they underestimated the number of people with too much time on their hands =) In any case, this is MS's 'fault' and hence should be resolved.

Score: 0

|

Unless you count a few 'friends-of-friends' (no names will be given, obviously) off IRC who used to hack 'weak' Web sites for the sole purpose of gaining access to their lists of credit card numbers as a credible source, I cannot give you one. However, if you have some connections then you shouldn't have any problems finding credit card numbers and details on IRC, commonly referred to as 'carding'. Why is this done? Well, it has been and probably still is far too easy to order hardware/software/whatever-ware off e-stores on the Web and have it delivered to your area (not your own house, obviously).

So yes, this is something you should be aware of. Nothing that I would go crazy over, but being aware of it doesn't hurt. It was as a result of seeing what these guys do that I'm far more cautious where I use my credit card.

Score: 0

|

How can one honestly doubt an OS which is built on an NT infrastructure from being "safe" by comparison to Hotmail? Hotmail has been "unsafe" for ages and no one I know uses it for mission-critical e-mails... Windows XP will have security flaws, of course. It's an OS like any other. If there's a problem, it WILL be fixed... That's usually how it works.

Score: 0

|

What IS the deal with Hotmail, who the heck is running that show?

A couple of weeks ago they acknowledged that, despite the fact that they tout providing virus scanning of mail passing through their system, they haven't been keeping the virus definitions up to date (good grief!) and were a major source of the spread of the Sircam virus.

Then we find that their admins hadn't applied the necessary patches to guard against the Code Red worm? Doh!

Score: 0

|

Expect this "flaw" to be resolved in the near future. You already see MS working on the Hotmail/MSN e-mail service... this security issue will also be fixed in the move to .NET.

Score: 0

|
