January 2, 2006
2:14 AM

Can we please get a cleanup of the OS WARZ!!1! type horsehockey in the WMF exploit thread? The noise isn't helping. Also - and I personally really, really hate to say this - but it might be advisable to disable the IMG tag temporarily. I love the IMG tag. Temporarily.
posted by loquacious to etiquette/policy at 2:14 AM (236 comments total) 1 user marked this as a favorite


agreed on the img tag, not so much on the OS WARZ bit. i think it's useful to draw the line between microsoft's development methodology and how it's caused this problem for people. evangelizing, no, but talking about how and why things like this happen is important.

also, i think that switching systems is a valid discussion to be having (maybe in an askme thread?). in terms of pure cost-benefit, this exploit is bad enough that i will be making that recommendation to some of my friends with older computers and those who own businesses.

to me, that's just another option that's available outside of install A, B, C, D and E pieces of software to have a coherent protection suite and then update it here every so often blah blah... some people might want to consider that it's a better option for them to get a mini. just sayin'.
posted by spiderwire at 2:25 AM on January 2, 2006


I really don't want to seem snarky or anything about this. What exactly is the point of that thread then? Great information was given in the post and the early comments. That stuff is taken care of. Now there's discussion of the broader issue.... what's the problem? Just that "OS WARZ" is annoying?
posted by joegester at 2:36 AM on January 2, 2006


Spiderwire: Uhm. You're a moron. Also, please kindly use your fucking shift key before I grab hold of my end of the CAT-5 and start pulling until I find you and garrote you with a gigabit fiber patch.

There's a gazillion reasons why Windows owns the corporate, institutional and home desktop/client world and Linux and OS X don't.

Sure, yeah, in an ideal world Windows wouldn't own everything - users wouldn't be dumbasses, hardware support would be a snap, software would be as free as beer and there would actually be real-world usable software in dumpster quantities that didn't require one to grow a beard, be an SCA member, swap Grateful Dead bootlegs and refrain from showering to use.

I use Linux, BSD, AT&T System V and OS X when I can get it. Hell, I've run CP/M, AIX, and VAX. I've run Netware. There are reasons why Windows has the userbase it does. Users can use it.

Also, KDE fucking sucks.

Anyway, preach away. You're preaching to the converted, mostly. And go put that penguin back. It belongs in the zoo.
posted by loquacious at 2:37 AM on January 2, 2006


joegester: The thread is littered with OS debate stuff and conflicting information. The problem is likely going to develop further.

I'm personally not convinced that that patch worked. The tester says I'm patched - yet I just had a trojan try to execute via the WMF patch.
posted by loquacious at 2:39 AM on January 2, 2006


Well I'll lay off anyhow. No sweat off my back and I can see it's really bugging you.

(KDE does fucking suck.)
posted by joegester at 2:48 AM on January 2, 2006


I agree with loquacious. If and when new developments arise we will have to wade through all of the "change your OS" comments to find relevant information. I propose that this MetaTalk thread is a better place for that discussion.

By the way thanks for the relevant info in the original thread Loquacious and Spiderwire.
posted by sic at 2:53 AM on January 2, 2006


NerdFight!!!
posted by i_cola at 2:57 AM on January 2, 2006


As much as I know OS evangelism is pointless...what's this place for anyway? We're not a security alert site. We're not Slashdot even. We don't exist to alert people to a threat, we exist to (besides posting the Best Of The Web) discuss things, and comment on things. No PublicServiceAnnouncementFilter, please - if someone posts information about an exploit like this, surely they're going to expect discussion about the causes of it, rather than just technical information on how to fix it.

Comments along the lines of "Sucker, I'm using OSX" are bullshit trolls.

Comments along the lines of "Maybe you should consider switching to Linux" probably don't achieve much, no matter how heartfelt they might be.

But we have got to at least expect and tolerate discussion about how this sort of event affects different operating systems, and where the root causes might lie.
posted by Jimbob at 3:01 AM on January 2, 2006


True, Jimbob. But MetaFilter is heavily populated by nerds. It's always been very tech-heavy, and hopefully always will be.

There have been other moments of crisis where MetaFilter has shined for its userbase over many other methods of information dispersal - mainstream news sites or other.

It has and will be a resource.
posted by loquacious at 3:08 AM on January 2, 2006


So, if this exploit is a sign that windows sucks then that thread is a sign that mefites suck. Are you with me gloaters?
posted by skallas at 3:30 AM on January 2, 2006


I too think we should turn off images for a while. Although anyone who posts a dodgy image can be quickly found via username / paypal account. Unless it's a stolen paypal account.

Q. If we turn them off using a CSS (i.e. they aren't shown), do they still get loaded and executed?
Or is Matt going to have to add post-processing code to strip these images out when displaying pages?

I'm assuming that tags get stripped before being posted to the database, and the viewpage procedure doesn't do anything other than push posts and comments from the database straight to the page.
posted by seanyboy at 4:00 AM on January 2, 2006


If we turn them off using a CSS (i.e. they aren't shown), do they still get loaded and executed?

I doubt it - because CSS / DHTML can be used to instantly make images on pages "visible" or "invisible", I'd bet that all images linked to are cached by the browser and examined to determine their content until a command to make them "visible" comes along.

Even if they aren't opened by the browser until needed, as others have pointed out, desktop searches like Google's will probably look at the file if the browser caches it to the hard drive.
posted by Jimbob at 4:11 AM on January 2, 2006


(Oops, by "I doubt it", I really meant "Most probably")
posted by Jimbob at 4:11 AM on January 2, 2006


Great. Now we have TWO threads for the OS Wars to be fought in.
posted by crunchland at 5:02 AM on January 2, 2006


I don't get why it's such a huge offense to point out that there are OS's that aren't vulnerable to this kind of crap. (No, I am not using one of those OS's.) The important information on how to protect yourself was in the FPP. Everything after that is discussion, and a legitimate part of the discussion is that the OS is more vulnerable than others. Sure, the snickering is kind of uncalled for, but Mac users get their share of abuse, too. If I were immune, I'd probably find all the periodic frenzy among Windows users pretty funny too.
posted by Kirth Gerson at 5:14 AM on January 2, 2006


Loquacious says: "it might be advisable to disable the IMG tag temporarily."

To which I say: "They who would give up an essential liberty for temporary security, deserve neither liberty or security." Yes, there's a risk, but not one that justifies removing such a central (though often hotly debated) element of the Metafilter experience, even temporarily.
posted by killdevil at 5:23 AM on January 2, 2006


How melodramatic. If the image tag is an "essential liberty," then wait until someone actually exploits it here on metafilter. $5 through a hacked paypal account is all it will take. And then it's bye-bye pissing elephants.
posted by crunchland at 5:37 AM on January 2, 2006


killdevil : "Yes, there's a risk, but not one that justifies removing such a central (though often hotly debated) element of the Metafilter experience, even temporarily."

Please, killdevil, send me your machine IP, open up any firewall you may have and disable all anti-virus software while I remotely install some software that will restore my essential liberty to run my code in your machine.

Do you really believe that temporarily (as in while an official patch isn't available and being automatically installed in most users' machines) closing a security hole (an exploit inside an image file) hurts anyone's essential liberty? As in the government arresting people without warrants or motive? So "no IMG tag" equals "no freedom of expression"? Care to elaborate, I am really curious about the extent of this political theory.
posted by nkyad at 6:18 AM on January 2, 2006


First, does anyone have an example where this exploit is successful via use of the img tag? Almost everything I've seen is via the iframe tag, which I don't believe MetaFilter allows anyway.

Second...

I'm personally not convinced that that patch worked. The tester says I'm patched - yet I just had a trojan try to execute via the WMF patch.

What do you mean by "try to execute"? Even on OS X the file downloads automatically to the desktop. The patch just blocks calls to the SetAbort function, which won't happen until a) the file is downloaded automatically by your browser, and b) Windows Picture and Fax viewer tries to open it. Having (a) and (b) happen doesn't mean you're vulnerable.

I'd like to know because come Tuesday I'll have to worry about some 150 machines unless MS releases a patch (thank God that it's break and 2/3 of our labs are closed till mid January).
posted by sbutler at 7:00 AM on January 2, 2006


I know it's probably really a big deal and all but for whatever reason this whole thing reminds me of the bird flu that's going to kill us all.
posted by panoptican at 7:10 AM on January 2, 2006


God, what a mess. I wish you mac fanboys were no so fucking annoying.
posted by puke & cry at 7:15 AM on January 2, 2006


were no not
posted by puke & cry at 7:17 AM on January 2, 2006


agreed on the img tag, not so much on the OS WARZ bit. i think it's useful to draw the line between microsoft's development methodology and how it's caused this problem for people. evangelizing, no, but talking about how and why things like this happen is important.

You mean their development methodologies in 1990? Obviously they should not have left that code in there, but their stuff has gotten a lot better over the years. As I said, most of their problems come from 'legitimately' installed applications, because most people are too stupid to manage their machines.

This isn't their fault, Microsoft needs to take that into consideration, and they haven't. Hopefully they will soon (by, for example, locking down all executing code before allowing it to run)

First, does anyone have an example where this exploit is successful via use of the img tag? Almost everything I've seen is via the iframe tag, which I don't believe MetaFilter allows anyway.

It should work if you're running IE, or if you download a file and then view it 'thumbnail' mode in windows explorer (!). Firefox itself can't view wmf files natively, and will prompt you to download the file.
Rothko's "Windows users are ignorant" shtick got tired fast, though. Why do Mac users think that that's any way to convince people to use Macs? All it convinced me was never to touch an Apple product (way back in high school even)
posted by delmoi at 7:21 AM on January 2, 2006


There have been other moments of crisis where MetaFilter has shined for its userbase over many other methods of information dispersal - mainstream news sites or other.

Those are mostly disasters. I think the reason the thread has gone so weird is that what is a disaster for some people -- in this case many Windows users and particularly Windows admins like yourself, loquacious -- are non-problems for others. I get the metaphor that it's like bitching someone out for not building a metal boat when their wooden boat is sinking because it's on fire, but this sort of back and forth is pretty normal on MeFi in political threads and other hot button topics. I'm sorry work is going to suck for you tomorrow, but coming to MeTa to talk about something and then calling people morons who disagree with you isn't really putting your best foot forward.
posted by jessamyn at 7:38 AM on January 2, 2006


It should work if you're running IE...

Perhaps, but before we go calling for a ban on the img tag someone should demonstrate that it's actually an attack vector.

... or if you download a file and then view it 'thumbnail' mode in windows explorer (!).

Yes, well, there is nothing mathowie can do to stop you from downloading the image. What you're suggesting here is that he block the anchor tag too.
posted by sbutler at 7:47 AM on January 2, 2006


I think what sucks the most about the OS Warz isn't the discussion of OS alternatives. Things like this are potent examples of why Windows shouldn't have the domination it is in, for sure. What sucks about the resulting discussion is the actual "You windows users are assholes and now you've got what's coming to you," bullshit that some alternative OS users are doing. As if the legion of Windows users are there in some kind of joint effort to prevent Apple and IBM from getting marketshare. As if Windows users are all perfectly well aware of how crappy their security is and aren't using any other options just to stick it to Linus Torvalds and Steve Jobs.

but someone saying, "people should seriously consider switching because x and y wouldn't happen on os x or linux" is at least worth saying, even on occasions where it isn't true.
posted by shmegegge at 7:55 AM on January 2, 2006


shmegegge : "even on occasions where it isn't true."

If I remember my Algebra (and I do, trust me) and given the differences between the systems, there are no occasions where "x and y wouldn't happen on os x or linux" would be false for some values of x and y.
posted by nkyad at 8:09 AM on January 2, 2006


... such a central (though often hotly debated) element of the Metafilter experience...
"I came for the community, but stayed for the pissing elephant!"
***
Indeed, Delmoi; the shrillness of the Macolytes reminds me of Bill Hicks' comment to non-smokers: "I'd quit if I didn't think I'd turn into one of you."

There is no point to OS evangelism. Sure, you can go tell my solitaire-playing mom that OSX will give her a more secure, stable experience, but first you'll have to explain what the O, the S, and the X stand for. If you tell me to do it, I'll probably kick you in the nuts for being a condescending jerk and then steal your wallet, since I sure as hell can't afford a Mac.

By the time the average user is skilled/confident enough to consider changing their operating system, they're sufficiently informed of what alternatives are out there.
We know our options, we're aware of the alternatives.
Our reasons for using Windows are our own, and should we make the switch, it won't be because of your nattering. Your time to shine is when a user decides to switch; then any advice, recommendations, and boosterism would be more than welcome*.
Until then, don't call us. We'll call you.

*Sadly, the impression I sometimes get from the Mac/Linux/Etc. crowd is that they'd probably scorn such a person as an ignorant n00b wannabe sullier of their precious OSes.
posted by Alvy Ampersand at 8:35 AM on January 2, 2006


If the IMG tag were to be blocked it could not just be at the comment entry level - it would have to be at the page output level, because any previous existing image can easily be changed to an infected one.
posted by Ryvar at 8:53 AM on January 2, 2006
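
The point in the comment above (filtering at page output rather than at comment entry), sketched as an added example that is not part of the original thread or MetaFilter's code. The function names, the placeholder text and the stored comments are constructed for illustration; only the IMG tag is blocked, as the thread proposes.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: only IMG is being disabled, as proposed in the thread.
BLOCKED_TAGS = {"img"}


class OutputFilter(HTMLParser):
    """Re-serialises stored comment HTML at render time, dropping blocked tags.

    Because it runs on every page view, it also covers comments that were
    stored before the block existed and whose remote image may have been
    swapped since. HTML comments and declarations are dropped as a side effect.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # pieces of the filtered HTML
        self.removed = []   # src values of images that were taken out

    def _emit_tag(self, tag, attrs, self_closing=False):
        if tag in BLOCKED_TAGS:
            self.removed.append(dict(attrs).get("src") or "")
            self.out.append("[image removed]")
            return
        rendered = "".join(
            f" {name}" if value is None
            else f' {name}="{escape(value, quote=True)}"'
            for name, value in attrs
        )
        self.out.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag not in BLOCKED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape on output.
        self.out.append(escape(data, quote=False))


def render_comment(stored_html):
    """Return (filtered_html, removed_image_urls) for one stored comment."""
    f = OutputFilter()
    f.feed(stored_html)
    f.close()
    return "".join(f.out), f.removed


def render_page(stored_comments):
    """Filter every stored comment as the page is built."""
    return [render_comment(c)[0] for c in stored_comments]


# Constructed sample rows, standing in for comments already in the database.
STORED_COMMENTS = [
    'Look at this: <img src="http://example.invalid/elephant.gif"> ha',
    '<a href="http://example.invalid/page">link</a> &amp; text',
    '<IMG SRC="http://example.invalid/old.jpg">',
]

if __name__ == "__main__":
    for original in STORED_COMMENTS:
        html, removed = render_comment(original)
        print(html, removed)
```

Anchor links pass through unchanged, which matches the earlier observation in the thread that blocking IMG does nothing about files a reader chooses to download.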


Mac users are the PETA of the computer world.

They may have a point but they're so annoying the message gets lost in the drama.
posted by Dagobert at 8:53 AM on January 2, 2006


Hey! Hello? You guys already have one thread for your pointless flame wars. Go use it.

In the mean time... I'm still waiting for an example that uses the img tag as an infection vector.
posted by sbutler at 8:57 AM on January 2, 2006


Sure, you can go tell my solitaire-playing mom that OSX will give her a more secure, stable experience, but first you'll have to explain what the O, the S, and the X stand for.

See, you're going about it the wrong way. More secure, stable experience? Meh. I'd say, "see all those popups blocking your view, they'll go byebye...see norton begging to be updated? No more."

You know, along those lines. It's been my experience not that nontechy people are so attached to windows, but that they don't even know macs exist. They just go to best buy and pick up a new pc, you know, cause that's where computers live! =)
posted by justgary at 8:57 AM on January 2, 2006


So basically, if you're browsing with Firefox and have HTML turned off in your email client, you should be fine. Just like with 99.9% of all the other "OH NOZ, WINDOZE!" exploits.

Ya-fucking-wn.
posted by Civil_Disobedient at 9:04 AM on January 2, 2006


We know our options, we're aware of the alternatives.
Our reasons for using Windows are our own,


exactly right ... a year doesn't go by when i don't download a linux distribution and research the kind of applications i'm interested in to see if there is anything new that equals what i have on windows or gives me something especially interesting to work with without a godawful lot of hacking and hassling

5 years ago, things were such that i had reasons to dual boot ... win98 was annoyingly unstable and slow ... linux gave me a couple of options in software that i didn't have in windows

now, i'm seeing increased stability in windows xp and can't find anything i want in linux apps that isn't done better in windows ... (if it was just a matter of word processing and casual web cruising, i'd be inclined to run linux)

the equation has changed for me ... i'll continue to look and test, but i have to run what is most useful to me ... i'm not blindly loyal to windows, but application variety and functionality determine what i run

i might be trying the vmware virtual player machines soon and see how those work out for the web
posted by pyramid termite at 9:05 AM on January 2, 2006


The link in this very Meta post could point to this thread now. Recursion! How's that for geeky?
posted by smackfu at 9:21 AM on January 2, 2006


So basically, if you're browsing with Firefox and have HTML turned off in your email client, you should be fine. Just like with 99.9% of all the other "OH NOZ, WINDOZE!" exploits.

Ya-fucking-wn.


No. Any windows application that displays third party images is vulnerable. Period. This includes Firefox. I won't touch OE so I have no idea if you can completely shut off all image display in it, but I'd assume you can thusly make it 'safe.'
posted by Ryvar at 9:24 AM on January 2, 2006


I fully support doing whatever it takes to stamp out "OS Warz!" It's an irritating discussion, and is never interesting. All it represents is a bunch of pointless chest-beating. I don't want to see it anywhere, ever. Especially not in a thread that may have useful/necessary information for myself and potentially millions.

Seriously, I'm reading about something that seriously affects my life and my job, the last thing I need is some wise-ass chiming in with, "Buy a Mac!"

"Buy a clue," I say.
posted by Afroblanco at 9:25 AM on January 2, 2006


You know what, I'm going to go ahead and say it.

The OS Warz are almost always started by Mac and Linux users who want to beat you over the head with their dickOS because they feel insecure about their small market share. They don't really care about you or your computing experience.

There. I said it. I've been wanting to say it for YEARS.
posted by Afroblanco at 9:29 AM on January 2, 2006


I guess a shitty post about propping up a shitty operating system on cinder blocks is 2006's new ISO 9001 standard for the "Best of the Web".
posted by Rothko at 9:37 AM on January 2, 2006


If we're going to have Newsfilter, then we're going to have posts like this.
posted by event at 9:40 AM on January 2, 2006


We don't exist to alert people to a threat,

And yet there it was: a thread that somehow managed to alert many people to a potentially serious threat, offer suggestions about what to do, and discuss the effectiveness of those suggestions. What kind of jerk would jump into *that particular thread* (and that's the key point here) to derail with insults and gleeful cackling? What kind of jerk would want to hurt fellow members like that?

To call it rude is to do it a service. In an emergency, you should just move on if you can't be helpful. Duh.
posted by mediareport at 9:44 AM on January 2, 2006


If we're going to have complaints about Newsfilter from a certain contingent here, then we're going to have to deal with legitimate complaints about pointless Windows posts like this, too.
posted by Rothko at 9:45 AM on January 2, 2006


I fully support doing whatever it takes to stamp out "OS Warz!"

The OS Warz are almost always started by Mac and Linux users who want to beat you over the head with their dickOS

Thanks for your four minutes of restraint.
posted by jessamyn at 9:45 AM on January 2, 2006


But Rothko, this is Newsfilter.
posted by event at 9:48 AM on January 2, 2006


Seriously, I'm reading about something that seriously affects my life and my job...

So why are you relying on a shoddy and inferior OS when it affects your life and job?

Isn't that kind of like driving around in a Pinto with bald tires and no brakes, then bitching when somebody suggests you might want to rethink that?
posted by keswick at 9:49 AM on January 2, 2006


In an emergency, you should just move on if you can't be helpful.

"This pan is hot when you put it out of the oven. In the future, if you don't want to get second-degree burns, use an oven mitt or wait for the pan to cool."

A comment like the above — you know, giving alternatives to grabbing a hot metal object — is considered unhelpful here, apparently. That's probably the intelligence level to be expected, though, given the subject matter.
posted by Rothko at 9:49 AM on January 2, 2006


try something more along these lines to be more accurate:

"this pan is hot when you pull it out of the oven. In the future, cook tv dinners with a microwave and get rid of pans and ovens altogether."
posted by shmegegge at 9:58 AM on January 2, 2006


Speaking as a diehard Macuser:

Now would be an excellent time for an experienced Windows user to make a well linked post about how to secure a PC. Written in plain language, that Joe Schmoe could follow.


As to whether such "OS wars" should be occurring in the thread, it would be better if Mac/Linux users politely point out an alternative as opposed to being dicks.

On the other hand, all the crap about Macs being more expensive and what not seems kinda silly as the Windows Admins in the original thread speak in such fear and dread about the problem. Wouldn't the better solution be to make the OS more secure? Or at least get Microsoft off its butt to release a patch?
posted by Brandon Blatcher at 9:59 AM on January 2, 2006


I don't get why it's such a huge offense to point out that there are OS's that aren't vulnerable to this kind of crap.

Because (and I'm speaking about some hypothetical Mac user, not you specifically), you don't know that. I, as someone who finally broke down and bought the geek-chic Powerbook last year, don't think of the average Mac owner as someone who knows jackshit about buffer overflows. While I appreciate the userbase may have shifted some since Apple moved to FreeBSD, I still doubt the average Mac owner's ability to tell me why their OS is definitely invulnerable. Because, deep down, the only answer most of them would have is their weirdly religious faith in the fact nothing has happened before.

These threads make me want to write the production design folks from Alias and see if I can get some of those phony Dell logos they stuck over the Powerbooks in the show.

In sum: I am with Afroblanco 100% on this. The OS war discussion might be valid if the Apple/ Linux voices in the crowd really gave a shit about Windows user's happiness. Instead they're working out some insecurity.
posted by yerfatma at 10:02 AM on January 2, 2006


Thanks for your four minutes of restraint.

Ok, I'll admit, my comment was over the top.

Still, though, I have never seen a Windows user instigate the OS wars. Why? Because Windows users could care less what OS people use. Windows users have nothing to prove. Why do some evangelistic Mac and Linux users feel the need to propagate the OS Warz conversation when they're obviously never going to convince anyone that way? Seriously. I don't get it. My only guess is that it stems from some sort of insecurity.
posted by Afroblanco at 10:02 AM on January 2, 2006


I guess a shitty post about propping up a shitty operating system on cinder blocks is 2006's new ISO 9001 standard for the "Best of the Web".

No, your incessant and annoying prattling about Macs is the "Beat It" jacket of the aughts. For fuck sakes, please.
posted by KevinSkomsvold at 10:06 AM on January 2, 2006


The OS war discussion might be valid if the Apple/ Linux voices in the crowd really gave a shit about Windows user's happiness. Instead they're working out some insecurity.

I guess I help my folks secure their Windows machine out of feelings of insecurity. You're right, but not in the way you think.

Can you idiots defending Windows get it through your heads? The rest of us are sick about hearing about avoidable problems on this scale. Stop complaining, hush, and use the oven mitt or wait for the pan to cool down.
posted by Rothko at 10:08 AM on January 2, 2006


Still, though, I have never seen a Windows user instigate the OS wars

I guess you haven't seen any of the posts that mention iPods. I can reliably count on one hand the number of comments before a Windows user shows up to say something reliably stupid.
posted by Rothko at 10:11 AM on January 2, 2006


wow...if anyone is shrill in this thread it ain't the mac users.
posted by advil at 10:13 AM on January 2, 2006


Still, though, I have never seen a Windows user instigate the OS wars.

Never? That's odd, 'cause I've seen it many a time. I'd say it's about half and half in my experience.

It's no insecurity. Rather it's noticing a constant problem we don't have and suggesting the same solution we use, with the idea that their problem will then go away and they can get on with their lives as opposed to being hijacked by some snot nosed virus writer.
posted by Brandon Blatcher at 10:14 AM on January 2, 2006


Can you idiots defending Windows get it through your heads? The rest of us are sick about hearing about avoidable problems on this scale. Stop complaining, hush, and use the oven mitt or wait for the pan to cool down.

wow...if anyone is shrill in this thread it ain't the mac users.

heh.
posted by Ryvar at 10:22 AM on January 2, 2006


That's probably the intelligence level to be expected, though, given the subject matter.

Please don't insult my intelligence. Reread the thread and listen to what people are saying, instead of reflexively sneering: there are programs we must use, for professional or personal reasons, that are PC-based. Period. I am comfortable with and genuinely like Macs, but they do not meet my needs at this time.

Mocking people does nothing to enhance your cause -- if you even have one. Should your OS become as popular as Windows, the collective energies of exploiters will be turned on it. Your smugness is misguided.

The rest of us are sick about hearing about avoidable problems on this scale.

Then don't read threads related to them. Problem solved. Oh, wait -- so you need this information to help your parents, who apparently don't listen to you either. So, you're goading people who are trying to help people like your parents, and thus indirectly, you. It looks like we both have shopping to do: me, for my oven mitts, and you, for a prosthetic nose to replace the one you're cutting off to spite your face.
posted by melissa may at 10:22 AM on January 2, 2006


Rothko, I don't understand why you are being so angry and hostile.

One could recast your last comment as something like "Can you idiots talking about AIDS get it through your heads? The rest of us are sick about hearing about avoidable problems on this scale. Stop complaining, hush, and use the condom or just stop fucking," and you would feel that the person saying that was an utter moron.

I don't think you're a moron, but your very rigid, narrow point of view on this is weird.
posted by taz at 10:24 AM on January 2, 2006


so you need this information to help your parents

Not really, dummy, since I read about this everywhere else on the web. Metafilter is not the place for posts about fixing Yet Another Goddamn Windows Problem.
posted by Rothko at 10:28 AM on January 2, 2006


I don't think you're a moron, but your very rigid, narrow point of view on this is weird.

Narrow-and-weird is putting your fingers in your ears and going lalalala when someone says you might have an alternative to getting repeated second-degree burns.

At first I found this masochistic attitude puzzling. Now I find it typical, more and more. Meh. Enjoy your fetish.
posted by Rothko at 10:31 AM on January 2, 2006


*eyeroll*

"since I sure as hell can't afford a Mac."

It's sad that a lot of the people that think Macs are 'too expensive' are the same ones that will go and drop $400 on $sweet_new_video_card.

The Mac Mini is $499. It's even less if you have a student discount. Yes, you need to buy a monitor. Whatever cheap VGA monitor you're using on the e-Machine will work just fine. Heck, if they're USB, the keyboard and mouse will too.

I'm just sayin that the "Macs are too expensive" line is nothing but BS, and I'm really sick of hearing it.

Time for the mandatory "I'm qualified to talk about this because I run $insert_l33t_os_list_here" bit, eh?
posted by drstein at 10:37 AM on January 2, 2006


Meh. Enjoy your fetish.

Funny how he never got around to answering Melissa May's point about "programs we must use, for professional or personal reasons, that are PC-based." But he *did* find a way to pull out another quote from her post and use it as an excuse to call her a dummy.

What a jackass.
posted by mediareport at 10:42 AM on January 2, 2006


So, in conclusion, Windows has more security problems because it's more popular. If Macs were as popular then they'd have just as many problems. I'm sure we can all agree on that.

Oh, and Rothko is a fucker. Spiderwire is a fucker, too.
posted by Elpoca at 10:42 AM on January 2, 2006


The Mac Mini is $499. It's even less if you have a student discount.

Don't bother. According to Ryvar, the act of giving people facts to make informed decisions is "being shrill."
posted by Rothko at 10:44 AM on January 2, 2006


...I have never seen a Windows user instigate the OS wars. Why? Because Windows users could care less what OS people use. Windows users have nothing to prove.

Most Windows users are Windows users by default. Most have never thought out why they use Windows, aside from the fact it came with their computer. That being said, I personally believe all Microsoft products suck, not because of functionality, but because of their insistence on making almost every facet of their applications proprietary (their monopolistic quality at work) which leaves them open to exploits like this and makes it difficult for interoperability between anything that's not MS with something MS.

I like Linux, it works for me, YMMV. I'm a realist however, I would never tell a friend or family member with a novice level of computer knowledge to use Linux, it's not worth the headache to them (or me), I just instruct them on ways to protect themselves and occasionally make the $20 off a friend for an hour or so's worth of work deleting spyware and ridding virii of their computer.
posted by Mijo Bijo at 10:46 AM on January 2, 2006


I heard circumcision was, like, totally awful.
posted by gimonca at 10:47 AM on January 2, 2006



Metafilter is not the place for posts about fixing Yet Another Goddamn Windows Problem...


Tell me Rothko, when you wrote the MeFi Charter, why didn't you clarify this?
I would think that someone who'd presume to dictate what MeFi is and isn't about would be familiar with the concept of "Flag it or move on."
Looks like I thought wrong. I blame it on being a Windows user.

And name calling? Shame on you.
Seriously.
posted by Alvy Ampersand at 10:47 AM on January 2, 2006


Metafilter: Your OS sucks
posted by caddis at 10:49 AM on January 2, 2006


If Macs were as popular then they'd have just as many problems. I'm sure we can all agree on that.

Not likely. They might have more problems than they do now, but the OS is inherently more secure.

And while I'd admit there's people out there who are stuck using software on PCs for professional reasons, I'd really like to know what personal software doesn't have a better Mac alternative. (games lol am i rite?)
posted by keswick at 10:50 AM on January 2, 2006


I'd admit there's people out there who are stuck using software on PCs for professional reasons

How very gracious of you.
posted by mediareport at 10:51 AM on January 2, 2006


Oh, and Rothko is a fucker. Spiderwire is a fucker, too.

In defense of Spiderwire, he did apologize later in the thread (or at least it seemed, unless I missed something).
posted by KevinSkomsvold at 10:52 AM on January 2, 2006


Tell me Rothko, when you wrote the MeFi Charter, why didn't you clarify this?

If this site is a place for posts about fixing Yet Another Goddamn Windows Problem, then there shouldn't be any more bitching about Newsfilter or iPods, etc.
posted by Rothko at 10:53 AM on January 2, 2006


Not likely. They might have more problems than they do now, but the OS is inherently more secure.

No, you're wrong.
posted by Elpoca at 10:53 AM on January 2, 2006


No, you're wrong.

No, you're wrong!
posted by keswick at 10:54 AM on January 2, 2006


Isn't that kind of like driving around in a Pinto with bald tires and no brakes, then bitching when somebody suggests you might want to rethink that?

Actually, I think it's more like driving an SUV. Get a real car, you morons! One that can go round corners and stuff! My Mitsubishi Evo is like totally immune to buffer overflow attacks. What kind of idiot drives a Ford Behemoth and expects not to have rocks thrown at it on the freeway? And I don't want to hear about those OpenPublicTransit users, that's just crazy.
posted by sfenders at 10:58 AM on January 2, 2006


It's sad that a lot of the people that think Macs are 'too expensive' are the same ones that will go and drop $400 on $sweet_new_video_card.

I really don't want to get drawn into this, but there's a fundamental point you're missing here and I feel like maybe I'll clear up a misconception for at least one person by typing this, so here goes:

The reason I assemble PCs for my family members including my grandmother is because they already know Windows from the office and quite frankly don't have the time and aren't interested in learning to do things a new way. Furthermore, every web service, application, etc. takes Windows into account when being written because of the size of the userbase. Finally, when it comes down to price:performance I can assemble something for free out of old gaming machines I have lying around.

As the Linux people are fond of saying: you can't beat free.

Once I've set up their machines properly all the maintenance can be handled with bimonthly visits. None of my family members has gotten a virus on their machines after I've set it up for them. Ever. Eight machines now over five years.

To give you an idea of how bad the current situation is, this is the first time in all those years I've had to call those family members and say "hey, watch out."

The reason *I* use PCs is games. Pure and simple. I *do* have the money for a Mac, but it doesn't play 95% of the games I want - I go through about fifty a year - so it's a brick to me, whereas that $400 video card has value.

My point is that you're conflating two separate markets - there are people using Windows for compatibility/budgetary reasons, and people using Windows for gaming reasons. The former is too cheap or too casual to buy a Mac. The latter has no use for them.
posted by Ryvar at 10:59 AM on January 2, 2006


Elpoca, in the Mac world, you have to authenticate manually to run root-level code and nearly all services are turned off by default. In the Windows world, everything runs with the privileges of whoever is logged in, usually an admin account (the equivalent of "root"), and nearly all services are turned on by default.

By design, the operating systems have very different approaches to security. Or putting it another way you might understand: you are wrong.
posted by Rothko at 11:00 AM on January 2, 2006


In defense of Spiderwire, he did apologize later in the thread.

Ok, if so, then he's merely a nutter. Rothko, however, is still a fucker. And I'm definitely right about that.
posted by Elpoca at 11:00 AM on January 2, 2006


A penguin for you
posted by caddis at 11:03 AM on January 2, 2006


Not likely. They might have more problems than they do now, but the OS is inherently more secure.

No, you're wrong.


Elpoca, if you can't understand why OS X is more secure than Windows then you really shouldn't be arguing in this thread at all. OS X is based off of FreeBSD (open source) which has a long history of security. It's had so many eyes looking at the source code to make it one of the securest OSes on the planet. Windows security is derived from the fact you can't look at the source code, not because it was coded well. Windows is the "see no evil, hear no evil" operating system.
posted by Mijo Bijo at 11:04 AM on January 2, 2006


Mijo, you're a fucker.
posted by Elpoca at 11:06 AM on January 2, 2006


Better than a fucking moron!
posted by Mijo Bijo at 11:10 AM on January 2, 2006


Ah, that felt good. Haven't called somebody a fucking moron in like 12 hours.

Seriously, enough with the name calling and back your shit up.
posted by Mijo Bijo at 11:12 AM on January 2, 2006


A penguin for you
posted by caddis at 11:03 AM PST on January 2 [!]


That was hilarious. Thanks from a Windows user who has never had a security problem.
posted by stirfry at 11:17 AM on January 2, 2006


Q: How do you prove one operating system is more secure than another?

A: You can't.

This discussion is pointless.
posted by event at 11:18 AM on January 2, 2006


Mijo, OS X is a FreeBSD userland with a Mach microkernel and a GUI slapped on top. Significant portions are close-sourced. The 'many eyes' argument is therefore invalid when discussing OS X, as is the BSD heritage.

Furthermore, newer versions of Windows have gone a long way towards rectifying poor design decisions of versions that predated widespread Internet adoption. Windows Server 2003, in particular, ships with much of the OS disabled.

The real problem at fault with the current situation is an unwillingness on Microsoft's part to break compatibility with the past. This is a trait shared by nearly all commercial software vendors because to do otherwise costs them significant amounts of corporate customers. One of the reasons OpenBSD gets so much security praise is because every few versions some major change goes through that breaks a lot of existing software, and the userbase they have is there precisely for that reason - because they want an OS that won't pull any punches in that regard.

The point is - this is not a fundamental Microsoft cultural problem at work here. It is a commercial software cultural problem, and it applies just as much to OS X as it does to Windows. It also happens to apply to Linux, as well, because Linux is very much involved in the userbase war now.
posted by Ryvar at 11:21 AM on January 2, 2006


you idiots defending Windows
Not really, dummy

As a straddler, rather than a switcher, should I start worrying that Mac use is going to infect me with the sanctimony virus?
posted by normy at 11:27 AM on January 2, 2006


I'd really like to know what personal software doesn't have a better Mac alternative
Well, when I moved to Mac, I immediately missed the following.
- Printer drivers for my Panasonic KX-P7105
- Line In plug for my microphone.
- Anything half as good as webdrive for posting images onto my webspace.
- A decent word processor. (Open Office ... sort of works)

I'm also a bit sad that I can't get Google Earth for my Mac.
posted by seanyboy at 11:30 AM on January 2, 2006


Q: How do you prove one operating system is more secure than another?
A: You can't.


This is the same as saying you cannot show a Volvo has a relatively safer-engineered design than a Ford Pinto, and is thus an opinion without any basis of fact.
posted by Rothko at 11:30 AM on January 2, 2006


Ryvar makes the most sense.
posted by dial-tone at 11:31 AM on January 2, 2006


If we're going to have complaints about Newsfilter from a certain contingent here, then we're going to have to deal with legitimate complaints about pointless Windows posts like this, too.
posted by Rothko at 9:45 AM PST on January 2 [!]


First, there are far more Mac/iPod posts in the blue than there are Windows, but I trust you protested them just as much.

Second, it's not pointless to many. Surely you've met other people in your life who have a different set of interests and priorities than your own. Surely?

Third. Flag and MetaTalk are the right way to go or do you like behaving like dios?

Fourth. Don't read it.

I'm just sayin that the "Macs are too expensive" line is nothing but BS, and I'm really sick of hearing it.
posted by drstein at 10:37 AM PST on January 2 [!]


Except for some, they are too expensive. Price and what is affordable and too expensive are of course, entirely relative. That you believe otherwise is complete BS. There's no way I'd pay that much for a machine that performs so poorly for my needs. For others, it's great. In either case, it can be both not too expensive, and too expensive.

I've used Macs in freelance jobs many times. I would never buy one personally but that's just me. Doesn't mean they "suck" or that other alternatives "suck."

Personal preferences and priorities. Look into them sometimes. You'll find they differ from person to person.
posted by juiceCake at 11:33 AM on January 2, 2006


Third. Flag and MetaTalk are the right way to go or do you like behaving like dios?

Troll much? Can you show me where in the original Metafilter thread I'm going after a poster personally?
posted by Rothko at 11:38 AM on January 2, 2006


Rothko: This is the same as saying...

No, in fact, it is very different from saying that.

A new class of exploits specific to Macs could appear at any time. And it is mathematically impossible to prove otherwise.
posted by event at 11:41 AM on January 2, 2006


Troll much? Can you show me where in the original Metafilter thread I'm going after a poster personally?
posted by Rothko at 11:38 AM PST on January 2

Can you show me how "get a Mac" actually helps a person using Windows fix the problem?

Troll much? You're fucking hilarious. Thanks for the laugh.
posted by juiceCake at 11:44 AM on January 2, 2006


juiceCake : "Can you show me how 'get a Mac' actually helps a person using Windows fix the problem?"

While I disagree with Rothko's general attitude here and there and name calling here, that's not quite the point. What he said, correctly, is that he hasn't personally attacked anyone in this specific blue instance. And by the way, following the "Get a Mac" advice indeed solves the problem at hand. A somewhat expensive and cumbersome method, but it certainly works.
posted by nkyad at 11:48 AM on January 2, 2006


What he said, correctly, is that he hasn't personally attacked anyone in this specific blue instance.

But then, juiceCake never accused him of that, so Rothko's bringing that up was a non sequitur.
posted by event at 11:53 AM on January 2, 2006


No, in fact, it is very different from saying that.

Why? Software is just another engineering problem.
posted by Rothko at 11:56 AM on January 2, 2006


While I disagree with Rothko's general attitude here and there and name calling here, that's not quite the point. What he said, correctly, is that he hasn't personally attacked anyone in this specific blue instance. And by the way, following the "Get a Mac" advice indeed solves the problem at hand. A somewhat expensive and cumbersome method, but it certainly works.
posted by nkyad at 11:48 AM PST on January 2 [!]


I never said he did. However he did say this:

And why the hell do people PUT UP WITH IT?

Laziness, stinginess and ignorance.
posted by Rothko at 12:49 AM EST on January 2 [!]


In fact, many people use Windows because they prefer to and it has nothing to do with laziness, stinginess and ignorance.

And

if only to curtail these unnecessary threads that are not worthy of "best of the web", by any stretch.
posted by Rothko at 1:25 AM EST on January 2 [!]


This is very much a dios thing. Do it in the blue, not in the brown.
posted by juiceCake at 11:57 AM on January 2, 2006


But then, juiceCake never accused him of that, so Rothko's bringing that up was a non sequitur.

I was improperly accused of acting like Dios. My response was appropriately germane.
posted by Rothko at 11:59 AM on January 2, 2006


Er, in case it wasn't clear, I did back off from the OS war pretty quick, and if an apology was necessary, it's hereby offered. WTF is with the "fucker" and "moron" stuff? Weren't the Windows users the ones complaining about condescension?

For the record, I wasn't evangelizing for an OS, I was criticizing Microsoft's poor practices. Using Windows isn't de facto bad; the security just sucks, and it sucks for institutional reasons in the company. People should be aware of that. I think that OSX is a great alternative, but that wasn't the issue I was trying to raise. I don't advocate that people not use WinXP and I have nothing personal against Microsoft. But just because it's not evil doesn't mean this sort of thing isn't stupid/dangerous.

But hey, people care about this stuff, they want to yell about it, that's cool...
posted by spiderwire at 12:04 PM on January 2, 2006


Can you show me how "get a Mac" actually helps a person using Windows fix the problem?

Sure: Don't want to get yet another second-degree burn in the future? Give your purchasing decision some more thought, next time around.
posted by Rothko at 12:05 PM on January 2, 2006


Oh, goody. A mac-windows flame war that turns into yet another thread about rothko and dios (in dios' absence, no less). Truly, this is what metafilter is all about.
posted by monju_bosatsu at 12:06 PM on January 2, 2006


Why? Software is just another engineering problem.

But security is not the same as safety. The safety record of a car (for example) can give us a good idea of the future safety performance of the car -- it will generally correlate pretty well. This is because safety operates within the average use case for a car.

But security operates outside the average use case. The security record of an operating system tells us some, but not nearly as much as you seem to think, about the future security of the operating system. We have no way of knowing what new vulnerabilities, what new vectors of attack, etc., will appear in the future. So it is impossible for us to say that Macs will be protected and Windows won't. Because we don't know what they are yet.
posted by event at 12:06 PM on January 2, 2006


Monju, for what it's worth, I didn't bring up his name over here.
posted by Rothko at 12:08 PM on January 2, 2006


Can you show me how "get a Mac" actually helps a person using Windows fix the problem?

Sure: Don't want to get yet another second-degree burn in the future? Give your purchasing decision some more thought, next time around.
posted by Rothko at 12:05 PM PST on January 2 [!]


Obviously, the question had to do with right now, not the future, which none of us knows but you apparently. Surely it was my own fault and that of any others who asked the question, that we assumed we'd get good responses for immediate help.

So, to make it clear, how does it help right now?

I gave my purchasing decision plenty of thought mate. And I decided, and still decide, that I don't want or need a Mac. My Windows box is much better for me and I don't get burned at all.

Imagine that.
posted by juiceCake at 12:10 PM on January 2, 2006


But security is not the same as safety

Yes, it certainly is. A product that anyone can coerce remotely is unsafe, doubly so if you knew it was unsafe to begin with. Windows is a fucking disaster in waiting. You can't say you weren't warned.
posted by Rothko at 12:12 PM on January 2, 2006


Incidentally, I thought that my first post here was pretty tame. What does one have to do to be an 'evangelist'?

One comment, and this isn't directed at one camp or the other: the people in this thread and the other making the argument that there is no distinction between OSes and that infection is related to market share are wrong. Dead fucking wrong. Many security best practices are actually very easy to define (checking bounds to prevent buffer overflows? not running everything as administrator? bueller?) and have been known for a long time, and in those respects OSX, *nix, and, well... everything... is quantifiably superior to Windows.

That's not to say that OSX/*nix don't have vulnerabilities -- but to posit that the two are equivalent is simply ignorant, and demonstrates that you really have no clue what it is that you're talking about.

That's also not a "you must switch" argument. Lots of people get by just fine with those security holes because they're not at risk for various reasons. It really won't matter to most people, and that's fine. But they're not the same.
posted by spiderwire at 12:12 PM on January 2, 2006


Monju, for what it's worth, I didn't bring up his name over here.
posted by Rothko at 12:08 PM PST on January 2 [!]


No I did. But imagine Monju can read. His post clearly displays that capability.

I felt it was a good reference rather than a large explanation. The thread has not become about him either, just a particular brand of behaviour. However, like said poster, it's futile with Rothko as well.
posted by juiceCake at 12:13 PM on January 2, 2006


So, to make it clear, how does it help right now?

It helps you confront the reality of what you are dealing with, and helps you think about a long-term solution to the problem, regardless of what you think personally about the person making that suggestion.
posted by Rothko at 12:14 PM on January 2, 2006


event's post is exactly what I was talking about. Dude, you really have no clue. You don't evaluate the security of an OS like your Hyundai. Stop making yourself look like a twit.
posted by spiderwire at 12:14 PM on January 2, 2006


That's also not a "you must switch" argument. Lots of people get by just fine with those security holes because they're not at risk for various reasons. It really won't matter to most people, and that's fine. But they're not the same.
posted by spiderwire at 12:12 PM PST on January 2 [!]

Absolutely.

However, I think the chief objections were to the not at all helpful suggestions like "Get a Mac already..." and the clear we're laughing at you idiots posts.
posted by juiceCake at 12:15 PM on January 2, 2006


But security is not the same as safety

Yes, it certainly is.

Rothko, did you even read the rest of my comment, wherein I explained the difference?

I guess I should have known better than to get involved in a discussion with you. My apologies to all.
posted by event at 12:15 PM on January 2, 2006


However, like said poster, it's futile with Rothko as well.

Troll.
posted by Rothko at 12:15 PM on January 2, 2006


Rothko, did you even read the rest of my comment, wherein I explained the difference?

Yes, I did. Safety and security are one and the same. You can engineer applications that are less vulnerable from the start. You can engineer layers of security into the kernel that runs said applications and negotiates with hardware. All of this security can be tested with other applications. Simply inventing unknown boogeymen does not absolve you of responsibility, nor does it prevent you from comparing the relative safety of two products (whether cars or paperclips or software). Sorry.
posted by Rothko at 12:19 PM on January 2, 2006


It helps you confront the reality of what you are dealing with, and helps you think about a long-term solution to the problem, regardless of what you think personally about the person making that suggestion.
posted by Rothko at 12:14 PM PST on January 2 [!]


Well thanks. I totally disagree that it helps anyone right now and the reality in many cases is already known, or it wouldn't be discussed. But thanks for trying.

As for what one thinks personally about the person making the suggestion, well of course. That's obvious. Who implied otherwise?
posted by juiceCake at 12:19 PM on January 2, 2006


However, like said poster, it's futile with Rothko as well.

Troll.
posted by Rothko at 12:15 PM PST on January 2 [!]


It happens to be my honest opinion mate.
posted by juiceCake at 12:20 PM on January 2, 2006


Ironically, Rothko isn't the one trolling in this thread.
posted by spiderwire at 12:25 PM on January 2, 2006


Safety and security are one and the same.

I respectfully disagree. They are related, but they are different. Loss of security can lead to loss of safety (as your link showed) but a perfectly secure nuclear reactor can still be unsafe.

You can engineer applications that are less vulnerable from the start.

Prove it. (You can't.) We can engineer applications that we think are less vulnerable, but we can't prove it is so.

You can engineer layers of security into the kernel that runs said applications and negotiates with hardware.

So what? Again, we think this helps, but we can't prove it.

All of this security can be tested with other applications.

Please tell me how. Seriously -- please tell me. All you can do with a security testing application is say, "Well, this application showed me that nobody can come in through this door" but it doesn't tell you whether there are any other doors wide open.
posted by event at 12:31 PM on January 2, 2006


Interesting that windows posts are supposed to be sacrosanct around here. In a post about abortion, for instance, all sides tend to speak up. The Christians and the atheists, the men and the women, the pro-life and the pro-choice. We expect it, we don't (usually) run away and ask for mass deletions of someone else's opinions and contributions, do we?

OMG some mac user or linux guy posted a one liner about not having to worry about this latest security issue, OH NOES! A post about an operating system sprouts a very minor discussion about other operating systems! THE WHOLE THREAD IS USELESS NOW. Public service announcement DESTROYED! Windows users who are apparently trying to SAVE THE WORLD by posting comments on a mefi thread are being THWARTED! WOE! WEEP WEEP! THINK OF THE CHILDREN!

Your attitude is getting in my peanut butter, Rothko, you terrorist! If you're not with us you're against us! Why do you hate America Microsoft? Why do you hate our freedom? DELETE DELETE DELETE
posted by Hildegarde at 12:37 PM on January 2, 2006


Your argument is the equivalent of saying that because I can't "mathematically prove" (whatever that vague term means) that flipping the left-turn signal indicator on my Saab won't cause the car to explode, I shouldn't drive it, let alone go near it.

Now, Saabs can be flaky, and in a crazy world, anything can happen.

But I take it as given that I'm more likely to be in a situation where a drunk driver will slam into me.

So I'm glad that automobile engineers spent time on airbags and crumple zones, rather than on hypothetical explosive dangers of left-turn indicator signals.

Likewise, I'm glad that the professional software engineers at Apple have done a better job at focusing on the usual weak points of an operating system than Microsoft, rather than deliberately engineering weak crumple zones into the product.
posted by Rothko at 12:38 PM on January 2, 2006


Your attitude is getting in my peanut butter, Rothko, you terrorist! If you're not with us you're against us! Why do you hate America Microsoft? Why do you hate our freedom? DELETE DELETE DELETE

Did I harsh your mellow, Hildegarde? ;)
posted by Rothko at 12:39 PM on January 2, 2006


I respectfully disagree.

You are wrong.

Prove it. (You can't.) We can engineer applications that we think are less vulnerable, but we can't prove it is so.

Again, you are wrong. Your car does not have source code. It can't do bounds checks when it gets leveled by an SUV. An OS, on the other hand, is quite capable of limiting its inputs and outputs and thus is at least theoretically capable of being secure and, more importantly of being audited for security.

So what? Again, we think this helps, but we can't prove it.

Again, you are wrong and clearly have no idea what you're talking about. Source code is knowable and readable. Just because you don't understand how this magical piece of machinery works under the hood doesn't mean that it's being run by an elf.

Please tell me how. Seriously -- please tell me.

He just did. Asking for a complete rundown of security best practices when you obviously have no grasp of the subject is like asking a classicist to discuss grammar in the Iliad even though you don't know Latin.

All you can do with a security testing application is say, "Well, this application showed me that nobody can come in through this door" but it doesn't tell you whether there are any other doors wide open.

The fact that you're talking about "security testing applications" proves that you have no idea what's going on here. This is not a discussion of after-the-fact exploits. Rothko is talking about fundamental design issues -- e.g., properly implementing access controls, following comm protocols, condition checking. Things you learn in CS 101.

This is not a subject of mystery. There have been thousands of articles and books written on how to do security and development properly. The best practices are quite well known. OSX and *nix follow many of these best practices. Windows does not. This is not in dispute in any way, shape, or form.

If you really wanted to use your horrid car analogy, then your argument is tantamount to looking at a new Honda Civic and a Pinto and saying "well, until we drive them, we'll never know which one is safer." Wrong. There are fundamental design components in each that can lead you to make an accurate initial estimation about which will be more likely to get you killed. Just because 99% of the population is using the poorly-designed car doesn't mean that cars are inherently unsafe.
posted by spiderwire at 12:43 PM on January 2, 2006


Incidentally, this section of this much longer article gives a few examples of the security problems inherent in Windows and Microsoft's development. event, if you really are looking for substantive answers to your questions, this would be a good place to start.
posted by spiderwire at 12:48 PM on January 2, 2006


Did I harsh your mellow, Hildegarde? ;)

Oh, there is no harshing mellow this deep, my friend. I'm just sitting back, listening to my itunes, loading up my ipod, chatting with some folks on ichat, and generally enjoying my glorious ibook-enabled iexistance, that's all.
posted by Hildegarde at 12:51 PM on January 2, 2006


Rothko (or spiderwire), prove to me that:

#include <stdio.h>

int main(void) {
    printf("hello");
    return 0;
}

Is secure against all attacks.
posted by event at 12:51 PM on January 2, 2006


Still, though, I have never seen a Windows user instigate the OS wars. Why? Because Windows users could care less what OS people use. Windows users have nothing to prove.
posted by Afroblanco


Ahh, haven't been out much, have you? This isn't a one way street by any means. Mac bashers are everywhere. Just yesterday on a digg thread about running mac osx on a pc the first comment was "why do I want to use a fisher price computer?". On metafilter the tide is turned somewhat.
posted by justgary at 12:55 PM on January 2, 2006


Oh Christ. Dude, you're a moron and a troll. Read the article. I'm done.
posted by spiderwire at 12:55 PM on January 2, 2006


(You can tell me that it looks secure to you. You can tell me that it is secure against all attacks known right now. But neither of those statements proves, or is any indication at all, that it is secure against all possible attacks.)
posted by event at 12:55 PM on January 2, 2006


Rothko writes "Sorry."
Apology accepted.
posted by peacay at 12:55 PM on January 2, 2006


[my last comment was referring to event, not justgary, if that wasn't clear]
posted by spiderwire at 12:57 PM on January 2, 2006


Wow. Rothko is an ostentatious, overbearing, whiny, immature, insufferable, irredeemable, condescending prick. Reading your words makes my tear ducts want to bleed. I can't imagine what it would be like being you, but if I ever wanted to I would build myself a tiny wooden box just large enough to fit me, paint the inside with the prettiest scenery I could imagine, and then drill a pin-sized hole from which to observe the rest of the world.
posted by baphomet at 1:05 PM on January 2, 2006


Awesome insult, baphomet. Best of the web. Cheers.
posted by Rothko at 1:07 PM on January 2, 2006


Ah, peacay. I thought you were better than that. :(
posted by Rothko at 1:08 PM on January 2, 2006


(You can tell me that it looks secure to you. You can tell me that it is secure against all attacks known right now. But neither of those statements proves, or is any indication at all, that it is secure against all possible attacks.)

Prove to me my Saab won't blow up when I use the left-turn signal. Prove to yourself how futile it is to look for such a proof when more useful "proofs" can be established about how, say, seatbelts save lives — and therefore cars engineered with seatbelts are safer than cars without seatbelts. Prove to me that I'm not wasting my time on you, event.
posted by Rothko at 1:11 PM on January 2, 2006


Furthermore, newer versions of Windows have gone a long way towards rectifying poor design decisions of versions that predated widespread Internet adoption. Windows Server 2003, in particular, ships with much of the OS disabled.

That's hilarious, right there.

"Hay guyz, Microsoft's OS is so fuckin' awesome and secure, they ship it with large parts of it disabled!!1"

Have you thought about taking a PR job with the Bush Administration?
posted by keswick at 1:17 PM on January 2, 2006


My comment was not intended as a troll, and I hope it is not interpreted by others as a troll. It is a serious question and I gave a legitimate (though very simple) example.

I am using the word "proof" in the formal sense. For example, we can prove that theoretical security protocols are secure (like Pfitzmann did with Needham-Schroeder). But the proof of the security of the protocol does not tell us anything about the security of the implementation of that protocol.

Similarly, without a proof of security like the Needham-Schroeder proof for the underlying hardware, and underlying operating system, we can only make estimates about the security of the printf() example.
posted by event at 1:18 PM on January 2, 2006


Similarly, without even with

Argh!
posted by event at 1:21 PM on January 2, 2006


I noticed the Mefi Blacklist is no longer working for me. I am not happy about that. Is it not working in general or is this a problem specific to my 'puter?
posted by weretable and the undead chairs at 1:22 PM on January 2, 2006


Safety and security are one and the same.
They have those roads that go up mountains in Europe that don't have crash barriers on them. The various traffic scientists have worked out that reducing the security on the road actually causes people to behave more carefully and actually increases safety. This isn't germane to the conversation we're having, but it shows that in an environment where security can be improved in many different areas, decreasing security in one of those areas can improve overall safety.

Hope I haven't misinterpreted your definitions of safety and security here
posted by seanyboy at 1:26 PM on January 2, 2006


"Hay guyz, Microsoft's OS is so fuckin' awesome and secure, they ship it with large parts of it disabled!!1"

Have you thought about taking a PR job with the Bush Administration?


OK, now that's just stupid - the biggest complaint most security professionals have about Windows is that it comes with EVERYTHING enabled by default. The problem with that is that shit that almost nobody needs can create holes for all the people who aren't using it.

Classic example: Windows XP shipped with a massive fucking hole in the UPnP service that allowed remote admin-level code execution on any non-firewalled system, and this was discovered shortly after its release. At that time, UPnP was rarely needed by anyone.

One of the oft-cited strengths of noted secure operating systems like OpenBSD is that they ship with every last thing possible disabled so that a minimum of potential infection paths are exposed to the world.

Less is more.

I apologize because I don't want to join in the nasty tone that has permeated this whole thread, but you should not be correcting others as to what constitutes good security practice. That Windows Server 2003 shipped the way it did was the first real sign that Microsoft was taking its then-new security initiative at all seriously. It was a sign that they were starting to turn over a new leaf, maybe, and it got some further confirmation when they finally started giving a shit about home user security with XP SP2.

The final step of cutting ties with all their previous, shitty design decisions (from a security standpoint, at least) isn't one they're going to take, though, because of the impact it would have with their corporate sales. See also: my comment above about the inherent problems with all commercial operating systems.
posted by Ryvar at 1:30 PM on January 2, 2006


Ironically, Rothko isn't the one trolling in this thread.
posted by spiderwire at 12:25 PM PST on January 2 [!]


Ironically. No one is.
posted by juiceCake at 1:31 PM on January 2, 2006


keswick: Microsoft's OS is so fuckin' awesome and secure, they ship it with large parts of it disabled
I hope you're not being wilfully awkward here. Mac OSX does the same, and it's only the distro nature of linux which stops it happening in Linux too. (e.g. If you need a web server, you'll install a web server)

I noticed today, for example, that the latest ubuntu distro doesn't have a web server, php or mySQL. Also perversely, I couldn't find "make".

This disabling is a step that Microsoft are now serious about software security. They've made the poor marketing decision of ensuring that things do not work out of the box because it ABSOLUTELY improves overall security. This is a decision which (a) has made my life harder, but (b) I absolutely endorse. To me, this is good security done properly.
posted by seanyboy at 1:35 PM on January 2, 2006


Ryvar beat me to it. Darn.
posted by seanyboy at 1:36 PM on January 2, 2006


Thank you, seanyboy.
posted by Ryvar at 1:36 PM on January 2, 2006


Doh. Double-jinx.
posted by Ryvar at 1:36 PM on January 2, 2006


Bruce Scheier makes a much better version of my argument (I bet he didn't get called a moron and a troll, anyway) in the first page or two of this essay [pdf].
posted by event at 1:37 PM on January 2, 2006


event - you might already be aware of this, but if not you may be interested in proof carrying code
posted by andrew cooke at 1:46 PM on January 2, 2006


seanyboy: I'd really like to know what personal software doesn't have a better Mac alternative
Well, when I moved to Mac, I immediately missed the following.
- Printer drivers for my Panasonic KX-P7105
Yeah, that blows. I really wanted to buy a panasonic last year as they are the cheapest laser, but had to go with a more expensive HP for its Mac support.

- Line In plug for my microphone.
This is only a problem with iBooks and Mac Minis. A (reasonably cheap) workaround is a usb mic adaptor

- Anything half as good as webdrive for posting images onto my webspace.
Panic's Transmit ftp client gets tons of praise. For my Movable Type blog, I use an iPhoto plugin. Couldn't be easier.

- A decent word processor. (Open Office ... sort of works)
MS Word for mac is way better than the Windows version, but I do share your frustration. Mellel is by far the nicest word processor I've used, but it doesn't have a neutral file format. If you were to go the Open Office route, NeoOffice is a more native port.

As offensively as it was put, I think Afroblanco was right: we mac users tend to be a little overzealous because we need the marketshare to grow to protect our investment. I apologize on behalf of all the sanctimonious dicks in this thread and the other. That said, do consider a Mac for your next purchase ;)
posted by Popular Ethics at 1:52 PM on January 2, 2006


event : "Prove it. (You can't.) We can engineer applications that we think are less vulnerable, but we can't prove it is so."

event, I understand what you are saying and why you're saying it, but you are completely, irrefutably wrong. This is incidental to this thread, but let me give you some perspective. There are several known methods to prove a program correct, for whatever set of parameters you mean by "correct".

You just do not understand what software really is. A piece of software, regardless of it being readable or not, regardless of the programming language it is written in, regardless of its target machine or operating system, is just a mathematical theorem proposing one or more hypotheses. A program is a way to transform one set of symbols (namely the input) into another set of symbols (namely the output) through a series of definite logical operations. Inside a given set of constraints (allowed symbols, allowed operations) each step can be proved correct and the whole program can be proved correct.

Obviously, the methods available to prove programs are painfully slow, so nothing but the most important/expensive software is developed this way.
posted by nkyad at 1:56 PM on January 2, 2006


event: It's Schneier, and if your argument is really "but no OS can be perfect," then it's a strawman, and the only possible response is: "Duh." Either that comment is moronic, or it's not even remotely germane to the discussion. At any rate, it certainly isn't a useful statement at the level of an operating system.

The argument that I think everyone here was making is not that *nix and/or OSX is "perfect" but that they are better, and that Windows is in many ways uniquely flawed. Your first relevant comment in this thread,
Q: How do you prove one operating system is more secure than another?

A: You can't.

This discussion is pointless.
is, yes, moronic and trollish. The argument that because perfect security is impossible, Windows and *nix are therefore equivalent w/r/t security is simply not true. Windows is both empirically and theoretically a poorly written and insecure OS. The comparison to any flavor of *nix is not even close. This is not a disputed fact, although you seem to think/imply that it is. Your subsequent defense is so completely disconnected from everything else you've said in this thread and the other that it strikes me as wholly disingenuous.

Seriously, if you don't understand how testing airbag safety and writing a secure OS are distinct, you have no business taking part in this discussion.
posted by spiderwire at 2:01 PM on January 2, 2006


Also, I think that the first graf of the article I've linked several times here is particularly on-point. Since no one appears to have read it, I'll take the liberty of posting:
Let's be honest: there's no such thing as bug-free software. Initial versions of programs may occasionally crash, fail to de-allocate memory, or encounter untested conditions. Developers may overlook security holes, users may do things nobody thought of, and not all systems are identical. Software developers are human, and they make mistakes now and then. It happens. But of all major software vendors Microsoft has the worst record by far when it comes to the quality of their products in general.
I strongly encourage event to read the section entitled "Basic insecurity of MS products." It's really quite interesting.
posted by spiderwire at 2:05 PM on January 2, 2006


I apologize on behalf of all the sanctimonious dicks in this thread and the other. That said, do consider a Mac for your next purchase ;)

Thanks for the nice, reasoned tone, PE - that was cool of you. I'm definitely thinking about it for certain family members - mom, grandma, etc. Incidents like this one make it easier for me to not feel bad when it comes to telling my family to shut up and plunk down some cash. But until stuff like Oblivion starts hitting the Mac it's a no-go for me. I'll be first in line if/when the time comes, though.
posted by Ryvar at 2:08 PM on January 2, 2006


The hard part of horsehockey is getting the horses to hold the sticks.
posted by clevershark at 2:11 PM on January 2, 2006


clevershark, that's why you should get donkeys ... horse users are ignorant lazy idiots
posted by pyramid termite at 2:25 PM on January 2, 2006


hahahahaaa. ha! ♥ pyramid termite
posted by taz at 2:31 PM on January 2, 2006


Sure, but then people would call it asshockey, and that's just not right.
posted by clevershark at 2:31 PM on January 2, 2006


Dude. Harsh.
event is only trying to make the point that no modern operating system can be proved to be secure. I think he understands the situation clearly.

You state - in the strongest manner - that Unix Variants are inherently more secure than Windows. In the past, on the server side of things this has proven (by dint of the infection vectors of worms) to be true. However, in the context of the desktop environment, I think you're missing some important issues.

Firstly, Desktop Unix has only really got going in the last 5 or so years. Lessons learnt by Microsoft have been applied to the mass of new development on Desktop Unix. One of the main reasons that browsers like mozilla are so safe is because the development environment (as a whole) has learnt that you don't do things like - allow access to your filesystem via your webbrowser.

Like it or not, these lessons have also been learnt by microsoft. There's no point in comparing the entire history of Microsoft exploits with a newly patched and up-to-date Linux machine.

Secondly, Linux desktop machines are generally owned by Power Users. Like Me. In the 20-some years that I've worked on computers, I've only been affected three times by exploits. The reason I've only been hit three times. Because I know computers. Like 99% of the linux users out there. Comparing attacks on Windows users with attacks on Linux users is like comparing apples to oranges. There are too many factors.

You may like to know that the third exploit I got hit with was a PHP exploit which trashed my linux based website.

Thirdly. If an email based virus was written which attacked my Apple Mac, that email, when propagated would probably only hit one other Mac User. There's a lesson here about biodiversity, and how weeds hidden in heterogeneous crops are less likely to be infected by disease, but it's a long lesson, and I've been going on too much.

Finally. Don't assume that any attack vectors for upcoming Linux exploits will be designed to hit the operating system. They won't. My guess is that any Linux Desktop exploits will be designed to infect via a higher level of program. KDE, open office, Gaim, GTK, etc will offer the attack routes needed for Linux exploits. These are programs which don't have the same level of security applied to them as the core. This is a guess, and it'll require a larger adoption of Linux, but that's what I see happening.
posted by seanyboy at 2:32 PM on January 2, 2006


pyramid termite, you're such a moron. clevershark has a specific horse-related problem, he does not want to know anything about f***ing donkeys nobody else uses anyway. I hate people who try to turn any horse related thread into a traction-animal war.
posted by nkyad at 2:34 PM on January 2, 2006


LOL
posted by clevershark at 2:36 PM on January 2, 2006


event is only trying to make the point that no modern operating system can be proved to be secure. I think he understands the situation clearly.

But that doesn't make the debate "pointless" by any stretch of the imagination. That's why I called it disingenuous, and that's why the criticism was harsh.

You state - in the strongest manner - that Unix Variants are inherently more secure than Windows.

I didn't say that at all. However, most of the main Unix variants are more secure than Windows. There's nothing "inherent" about it.

the development environment (as a whole) has learnt that you don't do things like - allow access to your filesystem via your webbrowser.

If you think that lesson was only learned in the last 5 years, you are wrong. Regardless, Microsoft has had ample opportunity to redevelop in the last 15 years or so, and instead they choose to recycle broken legacy code.


Your points about "power users" and "biodiversity" are relevant as far as explaining why there have been fewer exploits that have widely affected OSX and Linux users, but they don't change the fact that the design of Windows is fundamentally flawed and insecure. OSX doesn't run as root, by default. Windows makes you run everything as administrator. What do you not understand about this? The list of really basic things that Windows screws up is miles long, and it has nothing to do with their level of adoption.

Don't assume that any attack vectors for upcoming Linux exploits will be designed to hit the operating system. They won't.

Right, because it's more secure. Under Windows, a random third-party program can install itself under a standard configuration as a result of something as simple as viewing an image, or Sony can rewrite basic parts of the OS with a rootkit, or the BIOS can get fried, and so on and so forth. Whereas in properly designed operating systems, the kernel and core functions are isolated by simple access controls (which aren't exactly innovative), and the damage is limited.

Seriously, I have no idea how people can continue to make this argument with a straight face. Windows works for some people. That's fine. However, it is irrefutably less secure than most any other OS, and many of its security flaws are the sorts of things that first-year CS students would know to avoid. Period.
posted by spiderwire at 2:47 PM on January 2, 2006


Actually, cars do have source code. All modern cars have at least one computer, some have dozens.
posted by rfs at 2:51 PM on January 2, 2006


Seriously, I have no idea how people can continue to make this argument with a straight face
Because I see no proof that the latest version of windows is less secure than the latest version of any other operating system.

the damage is limited.
There's no difference to the average user between a hosed computer and a hosed user space. The worst thing it can do is propagate to others or delete my data. You can partition the O/S off from the desktop as much as you want, but ultimately, this is what is important to me.

Many of its security flaws are the sorts of things that first-year CS students would know to avoid.
Unfortunately, this is not the case.
posted by seanyboy at 2:59 PM on January 2, 2006


event, I understand what you are saying and why you're saying it, but you are completely, irrefutably wrong. This is incidental to this thread, but let me give you some perspective. There are several known methods to prove a program correct, for whatever set of parameters you mean by "correct".

I choose the set of parameters to be: the Halting problem. Prove my program correct.

Proof of security falls in the same territory.
posted by event at 3:07 PM on January 2, 2006


I would just like to say that that "Why I hate Microsoft" article was amazing. I had made the argument to friends before that "If some other OS were 90% of the market share, hackers would have found just as much to play with in it, because that's what they do." I now understand that the reason these viruses and malware apps don't affect linux/macOS is because when the vulnerabilities were discovered in windows, there was no comparable vulnerability in linux/macOS. that speaks volumes. but hey, I'm not a sysadmin, so it's not