====================================

Why we don't use Windows:

In an article dated April 14, 2004, Microsoft acknowledged 14 vulnerabilities in the Windows operating system, the most serious of which can be exploited by malicious people to compromise a vulnerable system.

Since that time Microsoft has issued patches upon patches, but as of this writing (after the release of Microsoft's Service Pack 2, which is 270 Megabytes!) there are still Windows security problems. In addition, many of the patches have caused some software to fail.


Here is another reason why we neither use nor promote Windows:

A former Microsoft employee says addiction to Windows revenue, mediocre products and missed opportunities could doom Seattle's most successful company, according to an article written by Jeff Reifman.

Here are a few quotes from the article:

"Why are Microsoft products so endlessly frustrating to use? Even techno-geeks like me get annoyed by Windows. I'm tired of spending the first 10 minutes of my day rebooting just so I can get to work. MS Outlook 2003, the latest version of the company's e-mail and calendar software, hangs for me about once a day, requiring me to restart my PC. I also have a problem with Word 2003. Whenever I bullet a line of text, every line in the document gets a bullet. Asking Windows to shut down is more of a request than a command - it might, it might not. And recently, Internet Explorer stopped opening for me.

. . . I began using Microsoft products 23 years ago, at age 11, and worked for Microsoft from 1991 to 1999 as a technology manager. For many years, I was a Microsoft loyalist. While aware of Microsoft's shortcomings, I always believed that the Soft did its best to improve product over time . . .But recently, I've had a crisis of faith. Perhaps I've rebooted Windows one too many times.

. . . Last month . . . I bought a Macintosh G5 . . . It has been a breath of badly needed fresh air after Windows. . . Until recently, I dismissed those who did (use Macs) as impractical, elitist hipsters. . . But in the first five minutes on my new Mac, I was surfing the Internet, sending e-mail, and ripping a CD. This made me wonder about Microsoft's willingness to innovate and compete. Why are Microsoft products still so difficult to use and so unreliable? . . . Competitors such as Linux and Google are gaining, and Microsoft seems unprepared for the road ahead.

. . . Microsoft's attempts to diversify into consumer businesses have yet to pay off: 68 percent of its revenue still comes from Windows and Office sales - more than 80 percent if you include the Windows server software used by so many businesses. The company must protect these core products. 'The prime directive at Microsoft is to protect Windows and get customers to buy Windows and upgrade to Windows,' says Matt Rosoff, lead analyst at Directions on Microsoft. . . Windows, Office, and IE all have greater than 90 percent share of their respective markets. To protect the cash cows, Microsoft must do things that no other software company would be doing. . . Microsoft hasn't solved many of the software problems described . . . because of lack of competition. 'One of the most frustrating things about Windows is how it steals time from us,' says Andrews . . . In most ways, OS X is superior to Windows XP. . .

Microsoft is resisting the trend to open-source software development, in part because its entire Windows revenue stream could dwindle to a trickle if it did so. . . Recently, though, Microsoft announced that its next major Windows release, code-named "Longhorn," might be delayed beyond 2006 unless it is significantly pared down. It's already been three years since the release of Windows XP and customers still have quality and security problems with it. . . It is beyond comprehension how the company could let five years lapse between major upgrades of its flagship product. Microsoft's missteps have opened a gaping window of opportunity for competitors.

To remain attractive to investors, Microsoft must demonstrate that it can replace lost revenue by diversifying into new businesses. . . Microsoft admits that one of its biggest challenges is getting users of its products to upgrade to new releases. Fewer than 3 percent of Microsoft Office users have upgraded to the latest version. Microsoft says that it is its own biggest competitor, but in the absence of significant innovation, the real threat is customers defecting to less expensive alternatives . . .

University of Baltimore law professor Robert Lande says: 'Microsoft, like almost all monopolies, has become fat and lazy. Monopolies do not engage in innovation with the same urgency because they don't have to innovate to stay in business.'

Meanwhile, Microsoft continues to promise solutions for tomorrow that customers need today. . . Microsoft . . . products don't excite me anymore. I remember eagerly looking forward . . . only to be disappointed by complex, buggy, and unimproved . . . There's kind of an angst. . . In its search for market share, dominance, and profits, Microsoft lost the ultimate battle. . ."


Read on . . . is this the kind of company you want to do business with?

Microsoft goes after Australian charity

MS chases Windows licence fee from kids charity


By Kieren McCarthy
Posted: 13/07/2001 at 14:50 GMT

Reports are coming in from our cousins in Australia that Microsoft has extended its software licence crusade to include kids' charities.

South Australian charity PCs for Kids - which hands out second-hand PCs to poor and disadvantaged people - has apparently been receiving calls from MS' lawyers insisting that they cough up the Au$200 Microsoft per-PC tax aka software licence.

PCs for Kids is the smallest of a number of charities in Australia that hand out old computers to those that can't afford them in the hope of bridging a poverty and skills divide. However while most of the charities use open-source software like Linux to avoid the licence agreements, PCs for Kids has been providing PCs with Windows.

Which of course means that it is fair game and should be hounded for every penny that these evil subversive elements owe.

In fact, the Australians - ever the pragmatic race - have been turning away from Microsoft because of its controlling efforts and without making much of a fuss. Universities have started loading up Apache, Linux, Samba etc and even government departments have started to think twice about the easy but expensive option.

Just this week, top IT news site down under It.mycareer reported that the Labor government in opposition promised it would encourage the use of open-source software if it came into power because it increases innovation and cuts costs.

Needless to say, the World's Greatest Luddite Senator ™ Richard Alston - the man behind a tranche of unbelievable Internet legislation in the last few months - has condemned the idea. Apparently it would leave a government open to litigation because the government has signed "binding legal contracts" with software suppliers.

====================================

There is a rather interesting article written by Charlie Demerjian entitled "The IT Industry is Shifting Away from Microsoft." This article is dated Sunday 28 December 2003.

Here are some choice lines from Mr. Demerjian's article:

"We are experiencing a major IT industry shift right now . . . Until very recently, Microsoft owned everything in the personal computer business, both low and high on the food chain. . . The problem is that Microsoft just isn't trusted . . . That knowledge is spreading up the executive ranks. Microsoft has a habit of promising users things, but not delivering. . . The fact remains that Microsoft's entire infrastructure is based on fundamentally flawed designs, not buggy code. These designs can't be changed. . . And if Microsoft does change its ways, what incentive will you have to stick with Microsoft? If you have to start over from scratch to build your app in a new, secure Microsoft environment, will you pay the hundreds or thousands of dollars to go the Microsoft route . . . Starting over from scratch nullifies the one advantage that Microsoft has. . . In light of the won't do and can't do, Microsoft sits there, and watches its market share begin to erode. That's happening . . . the snowball is rolling. A few people are starting to look up the hill and notice this big thing barreling down at them, and some are bright enough to step out of the way. . . The big industry change is happening, and we are at the inflection point. Watch closely people, and carefully read each and every press release."

====================================

-------------------- Microsoft Monopoly Threatens U.S. Security --------------------

By Winn Schwartau

Winn Schwartau, president of Interpact, Inc., a Florida-based security awareness firm, and founder of InfowarCon, is author of several books, including "Cybershock" and "Time Based Security." February 11, 2003

The great late comedienne Gilda Radner's renowned "Saturday Night Live" character Roseanne Rosanna-Danna ended each of her weekly editorial rants with, "Y'know, Jane, it's always something."

And so it is in cyber space. It's always something, and "It" is not going to go away anytime soon. In fact, things are going to get thunderously worse.

The "slammer" worm that crippled the World Wide Web earlier this month in a virus-like attack on corporate and government servers is the most recent in a long series of increasingly creative and disruptive assaults against the Microsoft hegemony, e-commerce and the Internet as a whole.

We do know that much of the heart of cyber-security failings is caused by Microsoft, as "Slammer" has shown. This is not a repeat indictment of Bill Gates' much ballyhooed yet failed efforts at making Microsoft products secure for business and home. Rather, it is the global techno-cultural failure of buying everything Microsoft because it's the easy, rather than secure, thing to do.

There is a simple analogy: If every lock to every door in the world were made by the same company, and each of the companies' locks used the same kinds of interchangeable tumblers and mechanical assemblies, what would the result be? Sadly, it would make the criminal's job far easier because he would only have to learn how to pick or bypass a limited set of locks.

Now for Microsoft. It owns 95 percent of the Internet browser market (which includes e-mail software) and more than 90 percent of the operating system and office suite market. Also, 28 percent of Web servers on the Internet are run by Microsoft software. See the problem?

The hackers (criminal, miscreant, recreational or security mavens) go after Microsoft products for a simple reason: The world is arrogantly dominated by the most insecure software.

We used to live in a heterogeneous world where different computers used different operating systems. That meant incompatible software, but it was also an electronic world that was very difficult for the bad guys to break into. We have evolved into a homogenous world, with Microsoft Milk in the Middle, where all of the parts are interchangeable and any program can talk to any other program. "Cut and Paste" is the mantra of globalization.

This approach solved previously incompatible operational nightmares, but what has it wrought? Now nearly all the world's locks to the repositories of the Information Age are made by the same company. Isn't that the height of criminal stupidity? Every time a weakness or vulnerability in a Microsoft product is discovered, the details are instantly broadcast around the globe, surely to be exploited by the nethermongers of the 'Net.

The world's economic engines run on Microsoft products waiting for the next "It's Always Something" to strike. The foundation of American defense is Microsoft. Its products, which are used throughout the federal government, including the Department of Defense, similarly await the next debilitating cyberattack. Our national critical infrastructures, including transportation, power, communication and first-response emergency services, also sit in dire need of a workable balance between security, privacy and efficiency. Whether it's harmless joyriding hackers gung-ho to help their country or terrorists targeting an electronic Pearl Harbor, the results are the same.

Suddenly the concept of cyber-monopoly, an efficient homogenous amalgam of mouse-clicks and windows, has national security implications. I have never been an advocate of Congress legislating against bad engineering, but perhaps we have turned a historical corner that demands a revisit.

We need to broaden our view of the impact when three fundamental concepts are uttered in the same breath: economic health, critical infrastructure protection and Microsoft monopoly. Anti-monopolistic laws were originally created to encourage capitalistic competition. From a security standpoint, one technical monopoly today has the most significant national security implications in this country's history. Repairing that will take vision and courage.

Because we never know how we are going to get slammed the next time, maybe our political foolhardiness is letting us slam ourselves.

Copyright (c) 2003, Newsday, Inc.

--------------------

This article originally appeared at: http://www.newsday.com/news/opinion/ny-vpsch113125897feb11,0,322981.story

Visit Newsday online at http://www.newsday.com

====================================

How's this for a quote!

Friday 6 September 2002
Microsoft: "Our products aren't engineered for security"

Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.

"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.

In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.

====================================

From:
PETER COFFEE'S ENTERPRISE IT ADVANTAGE

A weekly newsletter from eWEEK Technology Editor Peter Coffee focused on application development and technologies at the cutting edge of enterprise-class computing

September 16, 2002 // Volume 2, Issue 34

WHAT WILL YOU WANT TO UNDO TOMORROW?


-- By Peter Coffee --

When we used to draw block diagrams of the PC architecture, back in that other century, the operating system would be a horizontal layer immediately above the hardware; the applications would be the next tier up, a row of adjacent blocks on top of the OS layer, having the status of peers with each other and clients of the operating system.

If you updated a piece of the operating system, all of the applications would see that new facility. If interfaces were correctly preserved, the applications might all work better; realistically, some of them would work better while others (the ones that broke the rules, and coded to internals instead of to published APIs) would be broken. But we all knew what the rules were.

Alarmingly, it looks as if it's no longer possible to draw these diagrams as horizontal layers, with the boundaries of those layers clearly defined by published rules. The new diagram looks more like the Towers of Hanoi, the classic game (whose solution first taught me the concept of recursion) that requires things on top to be removed before anything farther down the stack can be changed. This says nothing good about the future of desktop or mobile computing.

(Visit About the Towers of Hanoi:) http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eR4f0DDiOU0E4K0qbs0Ao

I'm talking, specifically, about the new approach to modularity--or rather, lack thereof--that we see in the remarks of Microsoft product manager David Caulton, who explained the absence of an Uninstall procedure for Media Player 9 with the following shocking example: "As with any OS component you might upgrade, everything has to go back sequentially together. If I install Windows Media Player 9 Series beta and Office, and I roll back, that would be to a pre-Office state."

(Read "Windows Media Player 9--no uninstall?":) http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eR4f0DDiOU0E4K0qbt0Ap

Oh.

So, it's now official: Not only is Office an "OS component," not a suite of applications, but the topology of Windows really is one big giant hairball (officially, "a single, integrated product"). If you want to replace the next-from-outermost layer, you have to untangle the outermost layer first. "The more users that can be informed that's the method for going back, the better," emphasized Caulton. He's right, but perhaps not in the way that he intends: Platforms that don't impose this model may be the beneficiaries.

I wonder if Caulton realizes how completely unacceptable this attitude will be to enterprise IT. It comes from the same company whose Undo facilities in applications can only undo actions in sequence: If you think about it, when I change a word and then change the style of a paragraph, for example, I should be able to pull down a list of past actions and undo the typing without affecting the subsequent formatting action.

But it's no doubt easier to implement as a simple stack--and within the context of editing a single document, we can probably live with that. If we're supposed to take seriously the ideas of Web services, however, with their potential combinatorial explosion of interactions between cooperating (or, perhaps, competing) distributed agents and processes, then it's clear that we need to be able to change modules in a mix-and-match manner--not be forced to undo an arbitrarily long list of configuration changes to get at one that's several steps in the past, only to rebuild the stack after making the only change that we really wanted to make.

It's a matter of discipline. Buyers must demand it, or expect that vendors will continue to be guided by their own convenience.

====================================

Subject: Byte Article Sept, 2002

By Bill Nicholls
September 3, 2002

With all the publicity that Windows and Linux get, you may be forgiven for not being aware of a number of other operating systems. Yet there are many other choices that I find interesting and useful as alternatives.

Five Desktop Alternatives:

OS/2 Convenience Pack from IBM
eCS, OS/2 plus enhancements from Serenity Systems
OpenBeOS, an open source version of the OS developed by Be
BeOS 5 Personal
Amiga, the phoenix of operating systems

Three Emulator/Virtual Machine Systems:
VMWare
Virtual PC
Bochs

The last three OSes on the list are qualitatively different from the rest: they are designed as emulators or virtual machines that can run more than one OS at a time, sharing one set of hardware. Like the story about the dancing bear, what is remarkable given the ancient x86 design is not how well they work, but that they work at all.

Be aware that this short list is by no means exhaustive. There are several more commercial or open OSes that are mature and in use, but even this list will be enough to digest at one time.

In the interest of full disclosure, I have used Microsoft Windows from 1.01 in 1985 to Windows 3.1, and subsequently Windows 95/98 and NT. In the '87-'89 timeframe, I ran DesQview and Windows together. From the 1991 beta of OS/2 2.0 up to today's eCS 1.0, and including all versions between, OS/2 has been my primary desktop. In addition, I currently run NT, FreeBSD, and OpenBSD as well as the occasional Linux.

The Development of OS/2

People new to computers in the '90s probably don't know this background, and some may have forgotten. Microsoft was OS/2's chief competitor in the '90s, but it didn't start that way. Way back in the '86-'87 timeframe, OS/2 was a cooperative effort between Microsoft and IBM. Yep, the two goliaths were cooperating, in principle at least.

OS/2 became an IBM-only project in 1989. Microsoft chose to develop Windows further in competition with OS/2. The cause of this battle is debatable, but it ultimately evolved into ownership of the desktop OS. The original Windows 4.0 was predicted for delivery in 1993, then 1994. It then became Windows 95 and was finally delivered in August 1995 to the accompaniment of extraordinary hype.

OS/2 began as an enhanced OS to run protected mode programs, and multitask in the protected mode of the Intel 286 chip. The choice of the barely adequate 286 chip for this task caused significant development delays, so by the time it was available as OS/2 1.1, the 386 chip was already popular.

OS/2 2.0 became a 386-only version at IBM. It went beta in 1991, and shipped GA in 1992, just around the time Windows 3.1 was delivered. From early 1992 until August of 1995, Microsoft had no OS that could really compete, in terms of multitasking and reliability. Despite this three year lead in technology, IBM was unable to build a coordinated effort to sell OS/2, and one result is that Microsoft has had an OS monopoly on the desktop for almost a decade.

The full story of this battle is much more complex and full of unusual events. For a variety of reasons, IBM had, in theory, the better team, more experience, better technical capabilities, a much larger sales force, and entry into the most businesses. So much for theory.

The OS/2 Contenders

The situation has changed a lot since IBM's announcement, in 2000, that OS/2 was end-of-life and would be supported with limited enhancements and drivers through 2006. Due to demand from a vocal business user base, IBM has increased its support to deliver upgraded Convenience Packs (CP) each year, reducing testing and upgrade support costs for the business community.

However, the strategy announcement for OS/2 in 2002 contains some significant changes to the previous environment. Specifically:

IBM does not intend to provide additional Convenience Packages in the future. For more information about Convenience Packages see announcement letter 200-082 at http://www.ibmlink.ibm.com/.

There's more bad news: OS/2 Defect Support: Limited warranty defect support will expire for Warp Server for e-business on 31 May 2002 and for IBM WorkSpace On-Demand 2.0 on 31 December 2002. IBM plans to provide Program defect support for OS/2 Warp 4 Convenience Packages and for Warp Server for e-business Convenience Packages for customers with software subscriptions through 31 December 2004. [DO NOT STOP READING HERE!!]

It looks like end-of-life has been accelerated. But the good news is next.

As vocal as the OS/2 business users, but less financially convincing, were the individual users such as myself. Until 2001, it looked like CPs were our only option. Then something unusual happened. IBM licensed OS/2 for resale to Serenity Systems, with the aim of supporting individuals and small businesses.

Serenity Systems enhanced their offering by improving the installation process, adding a large selection (35 items) of independently developed software and the Lotus Smart Suite from IBM as part of eComStation (eCS), their version of OS/2. They also included SMP as an option for the workstation version.

eCS 1.0 shipped on April 2001 and has continued development since then. Serenity Systems has indicated that eCS 1.1 is expected in the fourth quarter of 2002, after some selected user testing. The list of enhancements planned is significant and includes a new installer, even better than the original eCS 1.0 installer, which was a big jump over IBM's version.

eCS' site contains a lot of information: patches, new uploads, news, applications, and links to other supporting sites. The support and FAQ section is particularly useful, and it looks like Serenity Systems will be our future support for OS/2. Their performance in a tough business environment gives me confidence for the future of OS/2 in its eCS incarnation.

. . . This was not the end of the article; if you wish to read the entire article or other articles by the author, please visit the
Utility Infielder Index, or for updates between columns, visit his web site: http://www.billswrite.com.

====================================

Ummm, now Microsoft has taken to false advertising . . .

http://news.bbc.co.uk/2/hi/technology/2329519.stm

Tuesday, 15 October, 2002, 11:10 GMT 12:10 UK

Web users turn tables on Microsoft

Microsoft has been caught using a fake advert that claimed people were switching from Macs to Windows PCs.

The advert debuted on Microsoft's website and supposedly recounted the story of a former Apple Mac user who had converted to using Windows. But investigative work by net users revealed that the supposed 'switcher' actually worked for a marketing company employed by Microsoft.

The Microsoft advert was a response to the high-profile campaign run by Apple which showcased people who have moved from Windows to a Mac.

Stock taking

The page documenting the switch was entitled 'Confessions of a Mac to PC Convert' and debuted on the Windows XP Insider section of Microsoft's site. It supposedly told the story of a "freelance writer" who had used a Mac for eight years but who had now switched to using Windows. In it the switcher declared: "Windows XP gives me more choices and flexibility and better compatibility with the rest of the computing world."

Originally news of the article's existence was posted to the popular Slashdot website as a joke, but eagle-eyed users of the site found grounds to suspect the story behind it. They noticed that the picture of the woman used to illustrate the story was a stock image from the Getty Library and unlikely to be a genuine customer.

Investigative work by a reporter from the Associated Press tracked down the person behind the story who turned out to be an employee of the Wes Rataushk & Associates ad agency. This was the company that was employed by Microsoft to draw up the adverts about switchers.

Microsoft has now pulled the page from its website and said it 'regretted' its action. But in its defence it said that the employee had definitely switched from using a Mac to Windows.

====================================

Is your software secure?

Although the United States spends nearly $1 billion every year to help Russia protect its vast storehouse of nuclear weapons materials from theft or sale on the black market, few Americans know how this aid helps strengthen America's own nuclear safeguards.

Russian experts at the Kurchatov Institute, the renowned nuclear research center in Moscow, recently found what appears to be a critical deficiency in the internal U.S. system for keeping track of all bomb-grade nuclear materials held by the Energy Department - enough material for tens of thousands of nuclear bombs.

Kurchatov scientists discovered a fatal flaw in the Microsoft software donated to them by the Los Alamos National Laboratory. This same software has been the backbone of America's nuclear materials control system for years. The Russians found that over time, as the computer program is used, some files become invisible and inaccessible to the nuclear accountants using the system, even though the data still exist in the netherworld of the database. Any insider who understood the software could exploit this flaw by tracking the "disappeared" files and then physically diverting, for a profit, the materials themselves.

Warning: Go slowly with Web services

By MICHAEL MEEHAN
JUNE 17, 2002

http://www.computerworld.com/news/2002/story/0,11280,72017,00.html

"Web services may be the next big thing, but a group of users, analysts and even Web services vendors acknowledged last week at a roundtable on the issue that significant barriers to using the technology remain.

Security concerns, interoperability, data trapped in legacy systems, inadequate networks, general confusion over how to use XML, the immaturity of current Web services protocols and slashed IT budgets were all cited as hurdles to using Web services. The message from those attending the first Boston Area Web Services Roundtable here: Be careful."

Comment:

We at Aviar believe that the web is fine for e-Mail, on-line purchasing, and general surfing. But we strongly disagree that the web is up to the complex tasks necessary for optimal CMMS performance.

You may be swayed by self-proclaimed Maintenance "Analysts, Experts and Columnists" who advise you that web-based CMMS systems are the "only way to go." In our opinion, they are wrong. Web-based CMMS systems will give you headaches. The above article spells out many of the hurdles you will face with such a system. As it states, "Be careful."

We believe that the needs of Maintenance Management are best served by a small, self-contained network of Personal Computers dedicated to Maintenance and ONLY Maintenance.

====================================

Take a look at:

http://www.bugtoaster.com/dw15/Reports/OperatingSystems.asp

Subject: MS vulnerabilities


This is just a list of Microsoft flaws compiled since April.

====================================

August 29, 2002

Microsoft Says Found Security Flaw in Windows
Thu Aug 29, 7:06 PM ET

"SEATTLE (Reuters) - Microsoft Corp. said on Thursday that a security flaw in all versions of its flagship Windows operating system software released since Windows 98 could allow attackers to delete digital certificates."

====================================

http://story.news.yahoo.com/news?tmpl=story&ncid=582&e=2&cid=582&u=/nm/20020829/wr_nm/tech_microsoft_security_dc_2

August 29, 2002

MS in fresh digital cert flaw
By John Leyden
Posted: 29/08/2002 at 12:42 GMT

http://www.theregister.co.uk/content/55/26859.html

"A flaw in the way Windows handles digital certificates enables sophisticated crackers to get up to all sorts of mischief on unprotected boxes."

====================================

August 25, 2002

Microsoft discloses 'critical' security flaws!!

http://www.cnn.com/2002/TECH/internet/08/23/microsoft.security.reut/index.html

Microsoft discloses 'critical' security flaws: Office, IE lapses put millions in danger of being hacked!

SEATTLE, Washington (Reuters) -- Microsoft Corp. said Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers.

====================================

August 22, 2002

Unsafe Functions in Office Web Components (Q328130)

Originally posted: August 21, 2002

Summary

Who should read this bulletin: All customers using Office Web Components, which is available as a stand-alone download and included as part of the Microsoft® products detailed below.

Impact of vulnerability: Three vulnerabilities, the most serious of which could allow an attacker to run commands on the user's system.

Maximum Severity Rating: Critical

Recommendation: Customers using these products should install the appropriate patches immediately.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-044.asp

====================================

August 20, 2002

http://www.techtv.com/news/security/story/0,24195,3395766,00.html

Attackers could use vulnerability to gain access to buyer information.

By Dan Brekke, Tech Live

A San Francisco programmer has disclosed a potentially severe flaw in how Microsoft's Internet Explorer browser implements a technology meant to assure secure transactions over the Web.

====================================

August 16, 2002

Microsoft: SSL flaw is in operating system, not Web browser

By John Fontana, Network World
AUGUST 15, 2002

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73507,00.html

====================================

August 13, 2002

Microsoft SQL Server Remote Buffer Overflow Vulnerability
BugTraq ID: 5411
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5411
Summary: A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts.

It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server.

This vulnerability reportedly occurs even before authentication can proceed. Reportedly, this is due to a default system configuration.

====================================

August 13, 2002

Microsoft Exchange 2000 Post Authorization License Exhaustion Denial Of Service Vulnerability
BugTraq ID: 5413
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5413
Summary: A vulnerability has been reported for Microsoft Exchange 2000.

Allegedly, Exchange 2000 will experience a denial of service condition when an authenticated user makes many requests. The vulnerability is due to IIS incorrectly allocating licenses to Exchange. Making numerous, rapid requests will exhaust available licenses granted to Exchange by IIS.

====================================

August 13, 2002

Microsoft Internet Explorer Invalid SSL Certificate Chain Vulnerability
BugTraq ID: 5410
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5410
Summary: A flaw has been reported in the handling of SSL certificates by Microsoft's Internet Explorer web browser. It may be possible for a malicious party to create SSL certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser.

====================================

August 13, 2002

Microsoft Windows Window Message Subsystem Design Error Vulnerability
BugTraq ID: 5408
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5408
Summary: A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system.

====================================

August 8, 2002

Passport Brings Microsoft New Headaches

The Federal Trade Commission has settled a case against Microsoft involving its Passport Web service. The FTC says Microsoft's claim that purchases made through Passport were more secure than typical E-commerce transactions was bunk. It also says Microsoft did not employ "reasonable and appropriate measures" to protect consumers' personal data. Commissioners also charged that Microsoft did not fully disclose the extent of personal data it collected on Passport users.

Under the settlement, Microsoft must beef up its Passport security and have it inspected by an independent professional every two years.

http://update.informationweek.com/cgi-bin4/flo?y=eIP40Bce7K0V20Bf2o0AD

====================================

August 8, 2002

Multi-platform flaw affects most operating systems

Security researchers have warned of a flaw in communications software that could allow attackers to take over computers running Windows, Mac OS X and Unix-based operating systems, as well as those with Kerberos authentication systems. The problem is widespread because it affects some implementations of XDR (external data representation) libraries, used by many applications as a way of sending data from one system process to another regardless of the system's architecture. The affected libraries are derived from Sun Microsystems' popular SunRPC remote procedure call technology.

http://www.cert.org/advisories/CA-2002-25.html

NOTE: No mention of OS/2 or eCS vulnerability

====================================

August 2, 2002

MS SQL 2000 resolution service, multiple vulnerabilities

Microsoft released MS02-039 ("MS SQL 2000 resolution service, multiple vulnerabilities"). The resolution service included with MS SQL Server 2000 contains two remotely exploitable buffer overflows that allow an attacker to execute arbitrary code under the privileges of the SQL service account. A remote denial of service vulnerability exists, as well.

FAQ and patch: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

Source: Microsoft (NTBugtraq) http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0028.html

====================================

July 30, 2002

CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL Server

Original release date: July 29, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Overview
The Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts.

====================================

July 19, 2002

Cumulative Patch for SQL Server

Microsoft released MS02-034 ("Cumulative Patch for SQL Server"). MS SQL Server and MSDE installations have three new vulnerabilities: a buffer overflow in the bulk insert procedure; a buffer overflow in the password encryption procedure; and insecure permissions on the SQL service account registry key. The buffer overflows allow attackers capable of running arbitrary SQL statements to elevate their SQL user privileges and potentially execute arbitrary code.

FAQ and patch: http://www.microsoft.com/technet/security/bulletin/MS02-034.asp

Source: Microsoft (NTBugtraq) http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0012.html

====================================

July 16, 2002

MICROSOFT DECLINES TO USE OWN SECURITY PRODUCT

A lab at Microsoft is using a competitor's product to protect against worms and other threats. Microsoft's SQL Labs uses NetScreen Technologies' 500 series security appliance even though the company sells a competing product, Microsoft Internet Security and Acceleration Server.

http://www.computerworld.com/securitytopics/security/story/0,10801,72686,00.html

====================================

July 15, 2002

WEB MORE VULNERABLE NOW THAN EVER

(Source: ITworld.com) With over half of the Internet's Web servers potentially vulnerable, conditions are "ripe for an epidemic of attacks" against sites running Microsoft Corp. Internet Information Server (IIS) or the open-source Apache Web server software, Netcraft of Bath, England, said in its monthly Web Server survey released last week.

http://www.idg.net/go.cgi?id=712359

====================================

July 12, 2002

Security Flaw Found In Outlook Plug-In

Users of Network Associates' PGP Desktop Security 7.0.4, PGP Personal Security 7.0.3, and PGP Freeware 7.0.3 are being warned that the popular encryption software contains a serious security vulnerability that could let attackers take control of their systems, and even compromise secure communications if the attacker installs keystroke-logging software as part of the attack.

The flaw doesn't affect the PGP, or Pretty Good Privacy, encryption software itself but rather the PGP plug-in for Microsoft Outlook E-mail used to encrypt sensitive E-mail messages, according to eEye Digital Security. Outlook users who merely select a malicious E-mail containing carefully crafted code could find their systems hacked, eEye says. PGP Corporate Desktop users aren't affected, according to the advisory. PGP is widely available for download on the Web as freeware and is used by law-enforcement and U.S. intelligence agencies.

Network Associates has made a patch available for download at http://update.informationweek.com/cgi-bin4/flo?y=eHxD0Bce7K0V20BfJx0Af

====================================

July 11, 2002

New bug found in Outlook, IE

By Robert Lemos
Special to ZDNet News
July 11, 2002, 4:15 AM PT

A Danish security researcher warned users of Microsoft's Internet Explorer, Outlook and Outlook Express applications that a recently discovered software flaw could leave their system open to malicious code carried on Web pages or in e-mails.

In an advisory released Wednesday, Thor Larholm, a security researcher and partner at risk-assessment company PivX Solutions, warned that HTML objects embedded in Web pages and e-mails could carry code that allows an attacker to check out victims' cookie files, read their documents, and execute programs on their computer.

The bug, known as a cross-domain scripting flaw, was discovered on June 25, and information about it has been posted on several security lists since then. Larholm also informed Microsoft of the bug the day it was discovered.

====================================

July 8, 2002

http://www.theregister.co.uk/content/56/26079.html

...

"Gunsan has spread modestly since its discovery late last month. It deletes files needed by antivirus and firewall products (including all files that contain mcafee, softice, numega, antivirus, anti-virus, win32dasm, sophos, catsclaw, claw95, lockdown, symantec, firewall, virusscan, virus-scan, fprot, f-prot, zone labs, or atguard in their path). Gunsan *only affects Windows PCs* and can cause system instability by deleting important system files. "

NOTE: "only affects Windows PCs"

====================================

July 3, 2002

Microsoft Urges Users To Patch Commerce Server

The software maker issued a security bulletin warning of four vulnerabilities that could enable a malicious hacker to take control of the server.

http://computerworld.com/newsletter/0%2C4902%2C72282%2C0.html?nlid=SEC

====================================

June 28, 2002

MS SQL Server OpenDataSource() overflow

MS SQL Server 2000 has been found to contain a buffer overflow in the handling of the OpenDataSource() SQL function, letting an attacker capable of running SQL queries execute arbitrary code on the SQL server system.

This vulnerability has not been confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0116.html

====================================

June 27, 2002

From The New York Times Direct
Thursday, June 27, 2002

"Companies that sign up for Software Assurance are, in essence, committing in advance to buying every upgrade -- without knowing whether it will be any good, or even whether or not Microsoft will, in fact, release any upgrades at all during the three-year contract."

====================================

June 27, 2002

Yaha-E Worm

The W32/Yaha-E worm is spreading in the wild. It arrives in an attachment; the accompanying e-mail can have a variety of subject lines. The worm attempts to turn off anti-virus and firewall protection.

http://www.mcafee.com/anti-virus/viruses/yaha/
http://www.sophos.com/virusinfo/articles/yahae.html

====================================

June 27, 2002

Despite Microsoft's claims of a renewed focus on security, the vulnerability-beleaguered company has issued 30 advisories for 40 vulnerabilities so far in 2002. While Microsoft's efforts to scour its own code for security problems are commendable, the company is also taking some risks by offering an automated update system and by including new, activated features on update CDs.

http://www.usatoday.com/life/cyber/tech/2002/06/20/microsoft-security.htm

====================================

June 15, 2002

MS distributes Nimda to Korean .NET developers
By Thomas C Greene in Washington
Posted: 14/06/2002 at 17:34 GMT

http://www.theregister.co.uk/content/4/25738.html

Somehow or other the Nimda worm has found its way into a file which Microsoft is distributing to developers in Korea.

====================================

June 14, 2002

http://www.theregister.co.uk/content/4/25716.html

MS security hole extravaganza
By Thomas C Greene in Washington
Posted: 13/06/2002 at 17:58 GMT

"We've got a treat here; it seems MS has been sitting on a number of security holes which it's decided to dump on us all at once. So, what do you want to patch today?"

====================================

June 12, 2002

Malformed mail attribute Exchange 2000 DoS

Microsoft has released MS02-025 ("Malformed mail attribute Exchange 2000 DoS"). A remote attacker can send a malformed mail message to the target Exchange 2000 server, which would result in a temporary CPU usage of 100%. Repeatedly sending malformed messages can result in a denial of service attack.

Source: Microsoft

http://archives.neohapsis.com/archives/vendor/2002-q2/0039.html

====================================

May 23, 2002

Hacker finds fault in .Net security - Tech News - CNET.com

http://news.com.com/2100-1001-898219.html?tag=rn

News: Report: Hole found in Excel

http://zdnet.com.com/2100-1104-923263.html

====================================

May 23, 2002

GARTNER TELLS MICROSOFT CUSTOMERS TO PLAN FOR HIGHER COSTS

(Source: InfoWorld.com) Research company Gartner Group warned Microsoft enterprise customers to review their software licensing contracts or risk paying higher prices down the road as the software maker prepares to make its full switch to a new licensing program.

http://www.idg.net/go.cgi?id=687834

====================================

May 23, 2002

Windows debugger is, er, buggy
By John Leyden
Posted: 23/05/2002 at 09:08 GMT

http://www.theregister.co.uk/content/55/25407.html

Microsoft has admitted that its Windows debugging facility is itself subject to a security bug.

In an advisory issued yesterday, Microsoft admitted the authentication mechanism for the debugging facility is flawed in a way that allows unauthorised programs to gain access to the debugger.

The upshot of this is, providing an attacker can log-in to a target machine - and that's a big if - a cracker can screw your Windows box six ways to Sunday.

====================================

May 22, 2002

Researchers Say Microsoft Patch Doesn't Do Its Job

Research indicates that the patch released for the six holes in Microsoft's IE browsers 5.01, 5.5 and 6.0 only addresses the cross-site scripting vulnerability in one of the browser versions, and leaves another vulnerability unaddressed altogether.

http://www.newsfactor.com/perl/story/17798.html
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71256,00.html
http://www.theregister.co.uk/content/55/25326.html

====================================

May 22, 2002

JS.Fortnight Worm

The JS.Fortnight worm places an HTML file into the default signatures of e-mail sent through Outlook Express; the worm attaches a link to an adult site to all the outgoing Outlook e-mail. It also changes the browser's home page, and adds sites to the favorites list.

The worm affects Windows 95, 98, NT, 2000, ME and XP.

http://www.theregister.co.uk/content/55/25301.html
http://www.newsbytes.com/news/02/176613.html
http://www.vnunet.com/News/1131804

====================================

May 14, 2002

CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Control

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0155

Original release date: May 10, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Microsoft Windows systems with one or more of the following:

Overview

Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messaging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user.

I. Description

A buffer overflow exists in the "ResDLL" parameter of the MSN Chat ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects MSN Messenger and Exchange Instant Messenger users. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. The Microsoft MSN Chat control is also available for direct download from the web.

II. Impact

A remote attacker may be able to execute arbitrary code with the privileges of the current user.

====================================

May 6, 2002

Microsoft's Trojan Horse

Microsoft's digital rights management technology gives the software giant unprecedented control over end user content, argues guest columnist Curtis Karnow.

http://www.computerworld.com/cwi/community/story/0,3201,NAV65-1797_STO70294,00.html

====================================

April 15, 2002

MS02-020: SQL extended procedure overflows

Microsoft released MS02-020 ("SQL extended procedure overflows"). SQL server 7.0 and 2000 contain buffer overflows in various extended procedures, thereby allowing an attacker who can submit queries to the database to execute arbitrary code on the SQL server.

FAQ and patch: http://www.microsoft.com/technet/security/bulletin/MS02-020.asp

Source: Microsoft

====================================

April 29, 2002

John Dvorak: "There is something terribly wrong with this operating system."

http://www.pcmag.com/article/0,2997,s=1500&a=25434,00.asp

====================================

April 30, 2002

Microsoft Internet Explorer Self-Referential Object Denial of Service
Vulnerability
BugTraq ID: 4564
Remote: Yes
Date Published: Apr 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/4564
Summary: Microsoft Internet Explorer 6 (perhaps other versions as well) is vulnerable to a denial of service due to an error in handling certain self-referential definitions in HTML documents. This occurs when an object of type "text/html" is specified, with the DATA field referencing the name of the HTML document in which it is defined. There may be other circumstances in which this sort of self-reference may lead to a browser crash.

====================================

April 30, 2002

Microsoft Outlook Express DOS Device Denial of Service Vulnerability
BugTraq ID: 4584
Remote: Yes
Date Published: Apr 24 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/4584
Summary: A denial of service issue has been reported in Microsoft Outlook Express.

Reportedly, this issue occurs if an HTML email message with a URL pointing to a non-existent DOS-device (CON, AUX, PRN, NUL), is embedded in the BGSOUND or IFRAME tag. Upon the user opening the mail message, Outlook Express will consume 100% CPU usage.

Either the process is ended via the Task Manager or a system restart is required in order to regain normal functionality.

It has also been reported that the offending message cannot be deleted from the user's mailbox. If this is the case, re-installation of Outlook Express may be required.

This issue may be the result of an unchecked buffer. If this is the case, there is a possibility that arbitrary code may be executed on the vulnerable target. However, this has not yet been confirmed.

====================================

May 6, 2002

Microsoft Yanks Office Tools After Security Report
By Brian McWilliams, Newsbytes

Microsoft [NASDAQ:MSFT] has removed a collection of tools for its Office suite following an independent report that the tools may open security vulnerabilities.

http://online.securityfocus.com/news/377
http://www.idg.net/go.cgi?id=677173

====================================

May 6, 2002

http://www.idg.net/go.cgi?id=677173

"Road to freedom"

"Fortunately, for those who want to get off the upgrade merry-go-round, Microsoft is about to produce the kind of incentive that Linux could never provide on its own. Microsoft calls it Licensing 6.0, and the company plans to roll it out in August. It gives Microsoft customers the privilege of paying a yearly fee to use whatever code Microsoft feels like tossing together that year, at no risk to Microsoft."

====================================

By Mark Ward
BBC News Online technology correspondent

http://news.bbc.co.uk/2/hi/technology/2143630.stm

"Unless you take precautions you could find your computer is infected by viruses, have your personal details shared with all and sundry and find your e-mail inbox clogged with adverts you never asked for.

But it is quite easy to make you and your computer much less vulnerable to these dangers.

One of the easiest ways to avoid many common problems is to stop using Microsoft software.

Microsoft has become a target because its software is so ubiquitous. The vast majority of viruses, browser vulnerabilities and exploits are aimed at Microsoft software and if you stop using them you would avoid many of them."

End of Article. Well that says it all. Perhaps that is why a recent survey shows that many companies are very dissatisfied with Microsoft tactics/practices and Microsoft-based products and that "40 per cent" of those surveyed were "actively seeking" alternatives?

Hmm, looks like we're not the only ones issuing warnings, folks. Then there is the following article, which also points out a growing dissatisfaction with Microsoft and its shoddy products.

Report: Windows alternatives sought as confidence drops
by Dennis Sellers, dsellers@maccentral.com
August 6, 2002 10:15 am ET

Now is the time for Apple to go after Windows users full force, it seems. Though Windows desktop operating systems will remain the dominant client desktop standard "for the foreseeable future," you shouldn't count Mac OS X and Linux out, concludes a new report, "The Desktop OS: Are There Real Alternatives to Microsoft?," from the Yankee Group, a company that specializes in technology research and consulting.

The study finds that interest in alternatives to Microsoft's client operating system is at the highest level in over a decade. The Mac "has found a comfortable and committed niche among enterprise customers with sophisticated graphics and production departments" while Linux has gained a groundswell of support in the last three to four years due to its appeal as the "un-Windows" solution, according to Yankee Group senior analyst and Report author Laura DiDio.

"Corporate user resentment and dissatisfaction with Microsoft and some of its practices are at an all-time high," DiDio said. "This cumulative dissatisfaction will not necessarily translate into corporate defections to rival operating systems. But it does open the door a crack and raises the possibility that Linux and Macintosh OS X can gain new footholds in an overwhelmingly Windows world."

Then there are issues ranging from Microsoft's "perceived monopolistic practices, hyperbolic marketing, ongoing security woes, and habitually slipping ship dates of major new product releases as well as confusion surrounding the overall .NET strategy," the Yankee Group said. The result has "undermined corporate customer confidence." In fact, a recent joint survey of 1,500 corporations by Sunbelt Software and the Yankee Group found that nearly 40 percent of the respondents were so outraged by Microsoft's new licensing scheme that they are actively seeking alternative products.

End of Article

Will this dissatisfaction result in more people moving to alternative systems? Only time will tell. . . it takes courage to change. Are there enough courageous people to make a difference? Read on . . .

Experiences at a Firm Hostile to Free Software
By Terrell Prudé, Jr., MCSE
Posted: 12/08/2002 at 12:23 GMT

After a two-year stint doing Information Security, I had re-developed the itch to do hands-on systems engineering again. To satisfy that itch, I joined an environmental consulting group called Hagler Bailly, based in the Washington, DC area, in late 2000.

This firm was, for the most part, a "Microsoft shop", in that it ran versions of Microsoft Windows almost exclusively, including on their servers. However, there were at least two Sun Solaris machines, and the primary and secondary DNS servers - hosting domains for which we were globally authoritative - ran GNU/Linux and BIND v8.

Hagler Bailly was in the process of being bought by a British consulting firm called PA Consulting Group. A month or so after I joined, that purchase was complete, and we officially became PA Consulting Group employees.

As with any buyout, there were adjustments. Like Hagler Bailly, PA too was a Microsoft shop, but even more so than Hagler Bailly. Where Hagler Bailly might have considered a non-Microsoft solution, given a sufficient business case, PA had decided that, no matter what, nothing but Microsoft Windows NT (and later Windows 2000) would run at PA. "If it can run on NT, it will run on NT." This corporate attitude, held near and dear by not just management but by the entire network operations section in Britain, would eventually have very interesting consequences.

Shortly after the buyout, PA sent a Compaq server running NT 4.0 and MS SQL Server to its new Stateside headquarters. This machine was to be the major "business process" tracking server for the Americas, doing all financial tracking and timecard processing for the company's Western Hemisphere offices. Staff members in both Britain and the United States had problems accessing it, to the point where applications were breaking and tempers were rising. The problem turned out to be a rather subtle name-resolution issue, which I fixed by making an entry for this server in a GNU/Linux machine's DNS zone files. The irony was not lost on my MIS director. Despite GNU's involvement, he gladly accepted the solution, because it got London off of his back; he chose not to tell London what the solution was. GNU and BIND had saved his hide.

This incident involving free software saving the day would be but a harbinger of things to come. For unrelated reasons, I eventually rebuilt our DNS servers with OpenBSD running BIND v9. OpenBSD proved to be an excellent choice for this task.

Hagler Bailly had an FTP server before the buyout. After the buyout, London ordered us to immediately decommission the FTP server, because "FTP is not allowed at PA." To back this mindset up, PA's standard firewall configuration blocked everything outbound or inbound, except for traffic originating from the Web proxy machines and the SMTP gateway. This wouldn't have been so big an operational problem if PA's SMTP gateway had been able to handle large files, i.e. any attachments over 5MB. Due to the nature of our business, staff routinely exchanged between 10 and 100MB files with our clients. Email was never designed with this in mind; FTP was.

At the request of several managers and a few partners in the USA, we rebuilt our FTP server--in spite of London's order--and reconfigured the firewall to allow FTP inbound and outbound. This FTP server, running GNU/Linux, has never crashed in the year-plus that it's been running. Miraculously, it still exists today (but for how much longer?). After London learned of it, the entire British NetOps team did everything it could to cajole/threaten us in the USA to take it down or migrate it to Windows 2000 Server. British NetOps even enlisted the head of IT at the home office, who was stubbornly on their side; he came just short of ordering that server decommissioned. Because that server solved a business need, and in such fine form, I could not in good conscience take it down.

The biggest contention regarding free software at PA centered on the Web proxy servers. Not only was PA in love with Microsoft's operating systems, it was completely sold on Microsoft's Web proxy server software. PA had installed two in the Americas to do proxy caching and Internet Content Filtering (ICF). Each of these servers required nightly reboots to avoid crashing during business hours. This was due to a known memory leak which brought down Web service, often daily. Users complained constantly about the unreliability and slow performance, repeatedly asking the help desk to do something about it.

I had heard of the Squid cache running on GNU/Linux (hereafter referred to as "GNU") and FreeBSD, and, as an experiment, I decided to give it a try. It should be noted that I had never before deployed any free software that would be taking this kind of load (about 1,000 users). Furthermore, I myself had originally come from the "Microsoft school" and had been running NT boxes since 1995. Even so, I was willing to try. I reasoned that if free software was good enough for Yahoo! and Microsoft's HotMail, it was good enough for us. I piloted Squid on Red Hat's GNU/Linux with Internet Content Filtering, with a test user base of ten people. The pilot was successful. Squid on GNU proved to be easier to set up than I had anticipated (I had downloaded the latest Squid source and compiled it). The pilot users reported speed increases of, on average, 3 times when surfing the Internet, with SSL sites showing the most improvement--15x in some cases.

Knowing full well that London would have a fit if they found out, we kept this just a pilot, until a very major American partner complained to the Executive team about the slow and unreliable "Internet access" in the Americas. Due to this partner's influence, London at last authorized us to "do something to fix this." My MIS director was told about the GNU-based proxy still in pilot. I was given the go-ahead from my boss and the MIS director to deploy this "new" Web proxy for all of our offices in the Americas. This deployment resulted in many calls to my office asking what the heck we did to improve "Internet access", as the users called it. Partners, consultants, and secretaries alike couldn't believe the increase in speed and reliability they were experiencing. They loved it! It should be noted that the GNU-based proxy ran on much smaller hardware than either of the Microsoft-based proxies did. The GNU proxy took everything the users threw at it without even a hiccup for six months, with enough breathing room to handle at least an additional 1,000 users before slowing down. Due to the Internet Content Filtering, it also blocked nearly all pornographic sites, which is standard practice at most firms, and it did this with no perceptible slow-downs.

Unfortunately, the good times were not to last. The UK NetOps team already disliked the American NetOps staff for not toeing its line. Additionally, there were, sadly, nationalistic reasons for their opposition to their US counterparts. After six months of trouble-free performance from the GNU Web proxy, one of the British NetOps team members finally got wind of it. The logs showed that he tried 36 times until he found a porn site that the GNU proxy did not know about (and thus didn't block). He then ran to the head of IT, screaming bloody murder. The head of IT immediately ordered me to take the GNU proxy off line, under threat of termination. The MIS director--who had approved its use--immediately denied any knowledge of the GNU proxy. I did as ordered, and two weeks after I did so, PA came up with an excuse to "eliminate my position."

I still keep in touch with some PA staff and am told that the partners and managing consultants do not at all like the return to "the way it was." That "way", with proprietary, closed software, now once again makes their jobs, and their subordinates' jobs, harder. Web-based research is a non-trivial source of revenue for many consultancies, and my logs showed that my users performed such research in significant quantities. The aforementioned GNU/Linux FTP server still stands only because there is no other feasible way to quickly transfer large files (the MS Exchange SMTP gateway had major problems with large file attachments). Quite a few partners and consultants in the Americas, because of this and several other draconian policies of this firm, have left PA for other opportunities. As for myself, I am now in a position that is much more open to the use of free software, and my new organization has thus benefited from my knowledge.

The conclusion that I came to, throughout this ordeal, was that Richard Stallman, the founder of the Free Software Foundation, and those like him (e.g. the FreeBSD team), were right. Free software "can" be a toy, just like Duke Nuk'em or Quake, but free software can be, and is, also of highly professional and commercial quality, as my experience proves. In fact, it was Dr. Stallman who suggested that I write this article, and I'm glad I had the sense to listen. When you can scare the daylights out of people like my previous employers this badly, simply on the strength of your merits, that's when you know that you've proven your point...and free software did just that at PA Consulting Group. It's a shame that the firm, to this day, doesn't have the good sense to listen. ®

Disclaimer: The views expressed by Terrell Prudé, Jr are his own and do not reflect the opinion of The Register.

End of Article
Isn't this a sad commentary? Does it take a genius to realize that it makes sense to use the best solution available? No wonder Microsoft has such a monopoly . . . and with people in charge willing to sell out their companies and use only Microsoft even when there is something better out there, can we hope for change anytime soon? We've run into companies with this same mindset, and personally, I feel sorry for their employees and stockholders.

====================================

Microsoft, terrorism, and computer security

By Oxblood Ruffin
Posted: 14/12/2001 at 17:22 GMT

Since 11 September the world has changed immeasurably, but some things remain the same. The single greatest threat to Internet security is still Microsoft -- not the soon to be Osama Haz Bin.

Microsoft is not, of course, a terrorist organization. But its ubiquity on the desktop coupled with its poor track record in network security is a tested formula for international disaster.

Security, from the structural perspective, is negative -- it's about denying actions or access or direct contact. Like a prophylactic, it prevents certain bad things from happening while preserving most of the benefits of interaction.

At the heart of the security debate are two competing approaches: 'security through obscurity,' in which it's hoped that concealing an exploitable defect will prevent exploitation, and 'full disclosure,' which works on the premise that forewarned is forearmed, and which most professionals now prefer.

First, let's look at Microsoft's preferred way of dealing with vulnerabilities: security through obscurity.

That was the norm during the early days of networks and computers. As researchers discovered problems they would alert the vendors without fanfare, and in the best of all possible worlds, the vendor would fix them before anyone got hurt. Microsoft became a big fan of this model because it was quiet and discreet and didn't contradict its marketing propaganda. However, there was little incentive for them to actually fix anything so long as it could all be kept quiet. No public pressure, no repercussions. Consequently, many serious vulnerabilities lingered for years.

Increasingly frustrated by Microsoft's complacency, researchers began opting for the public-humiliation approach. As they discovered flaws, they began to make them known. Microsoft's PR department went into full gear, denying that problems existed or suggesting that they were merely hypothetical, but often there was more stalling.

Finally researchers began what is known as full disclosure by publishing exploit code to prove that the vulnerabilities they caught were in fact real. Unable to continue sweeping its mistakes under the carpet, Microsoft initiated PR campaigns against "hackers", which it subtly equated with "criminals".

Today, Microsoft prefers to brand full-disclosure proponents "information anarchists," and has even equated them with terrorists in an attempt to manipulate public anxiety after the 11 September attack.

Microsoft continues to argue that by publishing exploit code the bad guys are given free attack tools. But this assumes that the bad guys didn't already know the exploit. Perhaps they did, perhaps they didn't. But when everyone knows, the playing field is leveled, secure computing best practices are elevated, and patches must be issued quickly.

Quite simply, full disclosure forces vendors to fix their products. It's a pity that they need this sort of prodding; but the historical record illustrates that they do.

Sadly, many average users have suffered. Over the past several years Microsoft's security model has cost governments, the enterprise community, and home users anywhere from five to twenty-five billion dollars depending on whose tally one accepts. The ILOVEYOU virus, Melissa, Code Red, and a host of others have been the agents of this burden. As a result, millions of users have either lost entire hard drives or valued files, or worse, stood by helplessly as account passwords, private information, and personal images have been stolen from their computers and passed around by the Net's bottom feeders for pleasure or profit. If there were such a thing as data rape, this would be it.

Corporations have spent incalculable sums purging their systems of bugs they should never have been susceptible to in the first place, while staff productivity plummets in a connected office whenever the machinery is off line. And downtime is serious money for any company, large or small, that earns its living only while connected to the Net.

So why don't product liability laws apply to the software industry? How is it that one set of rules applies to the auto industry, for instance, but not to the information superhighway's largest purveyor of digital 'lemons'?

Bear in mind that most, if not all, of this virtual mayhem was not the work of elite computer criminals. It was committed by bored teenagers who cobbled together attack scripts that continue to be traded around the Internet like baseball cards. And regardless of the misery they have caused and continue to cause, and despite the profane amounts of money they've cost their victims, Microsoft's spin has always been the same -- a sort of smile and dissimulate medley that exonerates Microsoft, blames 'hackers,' and promises a brighter tomorrow.

But not everyone is disoriented by this smokescreen. In fact, the majority of security professionals are astounded that Microsoft has chosen to sacrifice security concerns to its marketing goals. Taken to a comic extreme, a real-world illustration of the software leviathan's modus operandi would play out thus: the next time a crazed junkie dives through your window looking for money or worse, skip the police and call a help desk staffed with minimum-wage dunderheads. Find that the frustration of this futile exercise overshadows entirely the emotional impact of your original complaint.

If 11 September taught us anything, it's that everything is vulnerable, and often in the most blunt and simplistic ways. The massive Internet disruptions launched via Microsoft bugs over the past few years have been executed primarily by pimply amateurs. Does anyone actually believe there are no computer scientists who wouldn't love to find a place in heaven by exploiting the Great Satan's favorite software company? Microsoft's security through obscurity will only give these guys an exclusive advantage, because they'll find and use the holes that no one is expecting to be found.

====================================

From the Register

by Richard Forno

By now, people know that I'm not the world's greatest Microsoft fan. Truth be told, I'm not completely biased against the company, and will even acknowledge that it has, at various points, produced some decent products. I also don't 'bash' Microsoft because it's the 'in' thing to do these days, but because there are serious problems with the software company's products and services that they continue to ignore. In fact, some would argue, they just don't get it. Such observations, therefore, must be voiced.

The federal government and technology industry want you to believe the threats to our networks are external, not internal, where someone must be held accountable when things go wrong. Thus, we hear the rhetoric about cyber terrorists, hackers, and the so-called 'Digital Pearl Harbor' - things you can't easily point fingers at and hold someone accountable for when bad things happen. The White House would be wise to look at our nation's own self-induced vulnerabilities before rushing to spin up a sinister external threat; absent the rich target of opportunity presented by nearly all Microsoft products, hackers, crackers, and electronic evildoers would have a much harder time causing mainstream mischief every other week.

Windows XP was promoted by Microsoft as perhaps the ultimate and most secured Windows operating system the firm had ever created, and one of its key features was increased security from electronic evildoers like hackers, crackers, and so-called cyber terrorists. In fact, in a recent interview with E-Week, Microsoft Vice President Jim Allchin said that Windows XP is "...dramatically more secure than Windows 2000 or any of the prior systems." Released on October 25, it was to be the default operating system on all new personal computers sold, and its release was timed to coincide with new PC sales for the 2001 holiday season.

Unfortunately, Windows XP doesn't protect you from Microsoft, an entity some argue is more dangerous than any cyber terrorist or hacker gang.

It turns out that the Windows XP ships with a new feature called Universal Plug and Play (UPnP) enabled by default, thus allowing UPnP devices to locate each other on a local network, so that your home computer can talk to your refrigerator can talk to your toaster can talk to your stereo can send messages to your PDA, and so forth. However, as a result of this oversight, someone could remotely use this feature to exploit, control, or disrupt a system from remote locations around the world. As if computer exploits aren't bad enough, you'll soon have to worry about someone turning off your freezer and spoiling your holiday leftovers....

Note this is not to be confused with the Windows Remote Assistance feature -- promoted as one of the major benefits of using Windows XP, yet functioning in essentially the same way as the UPnP exploit. (One wonders how quickly the Remote Assistance feature will be exploited in the future as well.)

Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of Eeye Digital Security, demonstrated the UPnP exploit to a shocked group of reporters yesterday. As a result, media and security experts are calling this "The Mother of All Exploits" for Windows XP, scrambling to inform the public about the importance of downloading and installing the fix for this problem -- a security problem not caused by a hacker or cracker, but developed and implemented exclusively by Microsoft for your computing convenience and to enhance your user experience as a 'feature' of the product.

According to an AP story, Microsoft Security Manager Scott Culp called this latest vulnerability the "the first network-based, remote compromise that I'm aware of for Windows desktop systems" and a "very serious vulnerability."

I guess it's all in how you define "compromise." How very Clintonian.

Although repeatedly interviewed by the media reporting on Microsoft-based security events over the years, Culp apparently doesn't consider any of the following Microsoft-centric security exploits as "network-based, remote compromises" for "Windows desktop systems" either -- the series of Back Orifice programs from the always-amusing Cult of the Dead Cow (cDc) to e-mail worms, Trojans, and viruses (think BadTrans) that can transmit sensitive information from systems they infect.

Did Culp miss a few days of class here and there and forget to read up on SECHOLE.EXE (July 1998), the assorted Internet Explorer cross-frame scripting exploits (September 1998) or the mid-2000 ability to remotely exploit a Windows desktop through a buffer overflow found in the Clip Art feature of Microsoft Office? And what about Windows File and Print Sharing vulnerabilities from back in 1995?

How about the seemingly-endless number of buffer overflow exploits (think CodeRed, Lion, and Nimda) that plague Microsoft Internet Information Server (IIS) -- granted, IIS isn't made for "Windows desktops" but it deserves mention given the nearly-identical software code in Microsoft's desktop and server products.

So how exactly does Microsoft classify these other types of network-centric exploits? As nuisances but the price of doing business in the wired world?

When will it end? And what to do about this latest security problem originating in Redmond?

Microsoft, as the world's largest purveyor of PC software, with an established monopoly status, needs to do the responsible thing. Rather than continue to preach security as a marketing tool for its .NET venture, an avenue for business development with new proprietary 'standards' and fee-based, censored security 'partnerships' or review its reactive measures, it should get back to the basics and look within for the solution to its internal problems that usually evolve into the world's problems.

Simply put, Microsoft needs to review its software code line-by-line and clean it up. Years of service packing, patching, re-patching, updating, critical updating, and hot-fixing Windows products have made them dirty and prone to breaking, as we see every few months. Better yet, Microsoft needs to revisit the basic design of Windows - namely, removing the shared code between applications and the underlying Windows operating system (like the pervasiveness of the Web-enabled Internet Explorer across each Windows application and system.) Like a car, it's time to bring the Windows code into the shop for a major tune-up. Actually, a worldwide recall might be in order.

In addition, Microsoft must not only ensure its products work well together, but also conduct much more aggressive 'abuse testing' of its software (e.g., XP) before it gets released to the Real World. Such testing should be done by independent third parties and conducted in a transparent, public manner to preclude any claims of bias in the results of such testing.

In general, Microsoft should conduct what the rest of the computing community considers a real "beta test" -- namely, making sure that a supposedly finished application works as intended, using experienced users to test the functionality, durability, and security of the product in a real-world, real-use, take-no-prisoners environment....not use its much ballyhooed 'beta test' periods as the opportunity to market advance copies of their products, many of which never seem to get out of the beta stage even when they're officially released for sale!

In none of the interviews regarding the UPnP situation has Culp admitted that Eeye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.' According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While Eeye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community.

Realistically, a vendor should be able to examine and verify a reported exploit -- particularly one as critical as this one -- and release a patch or publish corrective guidance to the public in about two weeks. In this case, Microsoft -- had it decided it was in its interest to do so -- could have easily assigned fourteen thousand programmer man-days (1000 programmers x 14 days) to address the problem within two weeks. Eeye was very generous in giving Microsoft so long to fix the problem, although why it took nearly two months for Microsoft to address the problem raises some disturbing questions.

Perhaps acknowledging this would be contrary to the tone and contents of Culp's October 2001 missive calling for a Microsoft-based Vatican of Vulnerability to quell the public disclosure of security vulnerabilities and implement software security through obscurity and public ignorance. More interestingly, Eeye reported the UPnP exploit to Microsoft back in October (according to sources at Eeye, the day after Windows XP was released).

Was Microsoft's two-month silence on this critical exploit a business decision to avoid public embarrassment on a new product so close to the holiday (e.g., "new PC purchasing") season? We can only wonder.

Microsoft is by far the most notorious in their vulnerability announcements, legalese, and cover-their-tail security alerts, something CDC member Tweety Fish noted in a 1999 interview discussing the growing number of Microsoft-generated security problems back then. He noted that Microsoft "will not consider any given security risk a problem until it becomes a problem in the press." Or, to put it another way, it's not really a problem until Microsoft says so.

Actions speak louder than words. Microsoft pays security plenty of lip service for marketing and public relations spin control, but the firm's history of addressing security problems falls quite short of what security professionals would consider a robust, long-term commitment to dealing effectively with the matter. Thus, it's up to third parties like Eeye and other research firms to continue serving as a "check and balance" against a future of vendor-induced security-through-obscurity and public ignorance.

Thanks to Eeye's responsible disclosure of this catastrophic vulnerability in Windows XP, not only is the Internet a bit safer, but their actions prove once again that voluntary disclosure of vulnerability information is possible without a fee-based vendor-sponsored private club.

© 2001 InfoWarrior.org, all rights reserved.

Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.

====================================

Survey: Microsoft Facing Major Backlash To Licensing 6.0 As Deadline Approaches

http://www.crn.com/Sections/BreakingNews/dailyarchives.asp?ArticleID=34562

In case you don't have time to read the entire article or can't find it, here are a few quotes:

Quotes:

"Some 80 percent still have a negative view of the annuity-based licensing plan, and 90 percent believe it will increase their licensing costs."

"Meanwhile, about 36 percent of 1,400 businesses polled said they will not upgrade to the Licensing 6.0 plan and another 38 percent are seeking alternatives to Microsoft products, according to the survey. "

"In a small percentage of cases, some reluctant customers have been threatened with software audits by overly aggressive Microsoft sales reps, DiDio said"

====================================

http://newsforge.com/article.pl?sid=02/05/07/2234251&mode=thread&tid=3

Did you know Microsoft was convicted of software piracy last year by a French court? Not many people do. The Commercial Court of Nanterre fined Microsoft 3 million francs because it illegally included another company's proprietary source code in SoftImage 3D, a top-of-the-line animation package.

====================================

From the Financial Times

http://news.ft.com

Europe plans tougher line than US on Microsoft
By Francesco Guerrera and Birgit Jennen in Brussels
Published: May 9 2002 21:20

Microsoft faces having to make radical changes to meet European regulatory concerns that go well beyond what is being demanded of it in the US.

After a three-year investigation, European antitrust regulators are studying wide-ranging measures to prevent Microsoft from using its strong position in the software market to injure competitors, according to people familiar with the case. They are said to be minded to take a tough line against the company, though final decisions have not been taken.

The measures under consideration would force Microsoft to change the way it produces and sells its Windows operating system and Media Player software, and to provide a large amount of technical information to competitors.

They would go well beyond the terms of last year's settlement between Microsoft and the US government, which also investigated the company's alleged anti-competitive practices, and could further sour relations between the two antitrust authorities following last year's high-profile spat over General Electric's 43bn takeover of Honeywell.

William Kolasky, who heads the US antitrust division's international affairs, this week said monopoly leverage cases remained an area where European Union policy had been "unduly protective of competitors", a thinly veiled reference to the Microsoft case.

People familiar with the matter said Mario Monti, European competition commissioner, and his officials had still not decided what measures to impose on Microsoft. They warned that discussions were still at an early stage and any decision on possible fines, which could total up to 10 per cent of Microsoft's turnover, was months away. Microsoft and the commission declined to comment.

However, it is understood that the authorities are considering asking Microsoft to separate its media software Media Player from Windows.

Microsoft's rivals, led by AOL Time Warner, have alleged that incorporating Media Player as a standard feature of Windows gave the software an unfair advantage over rival programs, such as Real Networks' Real Player. Microsoft rejects the allegations.

One solution being studied in Brussels would be to allow computer makers to choose between a Windows with Media Player and one without it.

Such a move, which would force Microsoft to produce a slimmed-down version of Windows, is much more radical than that favoured by the US company. Microsoft is understood to be willing to negotiate a solution similar to that agreed with the US government and some states, which allows computer makers to hide the Media Player icon from desktops but not to remove the entire program.

The commission is also considering asking the company to provide a host of technical information to rival makers of servers - large computers that are the gateway to the internet and e-commerce.

====================================

A campaign against UNIX, launched by Microsoft, that runs on a UNIX server.

http://www.computerworld.com/storyba/0,4125,NAV47_STO69761,00.html

When it was discovered, Microsoft switched to a Windows server, which immediately crashed... the server hasn't been online since the switch to Windows.

But still, Corporate America insists on Windows...go figure. Are we living in Bizarro or a bad nightmare?

====================================

Aviar asks:

Do you want to entrust your mission-critical CMMS to an operating system imposed on you by THREATS?

Why was Microsoft so frightened of OS/2 that they had to resort to threats?

Simple. OS/2 is better than Windows and Bill Gates knows it!

That's why we developed Oz for OS/2. It's a better platform, period!

WHEN WILL PEOPLE WAKE UP?

Appropriate Notable Quote:

All that's necessary for the forces of evil to win in the world is for enough good men to do nothing.

- Edmund Burke

Remember when Microsoft told you that Windows 95 was the greatest software product ever?

Remember when they said the same thing about Windows 98?

NOW Microsoft is telling you to dump those products and buy their new stuff!

". . .If someone is on Windows 95 or 98, they need to get off of it," Microsoft Group Vice President Jim Allchin told analysts on a conference call on Wednesday morning . . ."

Analysis: Will Win XP be more than an upgrade?

Mary Jo Foley

Ziff Davis Internet

Microsoft Corp. has taken a stand: The company is going to launch Windows XP on October 25 of this year, come hell or high water.

Further upping the ante, Microsoft officials have declared the company plans to spend, over the course of four months, double the amount of money to market Windows XP that it did to launch Windows 95. For those who remember Windows 95's full-page ads, the midnight-madness promotions at computer-retail stores across the country, the lighting of the Empire State Building in the colors of the Windows flag and the August 25, 1995, launch-day carnival (complete with a ferris wheel on the heart of the Redmond, Wash., campus), you ain't seen nothing yet.

The strangest aspect of the Windows XP launch -- at least so far -- is Microsoft's behind-the-scenes claims that XP is not an upgrade product. While the company will offer upgrade versions of Windows XP at retail, Microsoft is planning to push both the Home Edition and the Professional Edition of Windows XP as preload products, first and foremost.

As Microsoft has made plain on its earnings calls in recent months, the company is counting on its two biggest products for this year, Office XP and Windows XP, to help bolster not only Microsoft's cash coffers, but those of its hardware and software partners.

Because Microsoft's last consumer operating system, Windows Millennium Edition, was found by many consumers to be unstable and buggy, it would seem natural for Microsoft to pitch Windows XP as an upgrade to Windows ME. But that seemingly is not the plan. Instead, by upping substantially the RAM requirements for Windows XP, Microsoft basically is guaranteeing that Windows XP won't work on many older PCs. Thus, those consumers who want the new operating system will need to buy a new computer preloaded with the latest and greatest Microsoft operating system.

"If someone is on Windows 95 or 98, they need to get off of it," Microsoft Group Vice President Jim Allchin told analysts on a conference call on Wednesday morning.

Allchin reiterated during the call that Microsoft's goal is to get Windows 95, Windows 98 and Windows ME users off those operating systems and onto new PCs preloaded with Windows XP.

"If you purchased your machine during (the) holiday '99 or later season, Windows XP should work pretty well in that environment," he said. The message was clear: For those with older hardware, bite the bullet and buy a new Windows XP-ready machine.

(Allchin also noted that the amount spent on the XP launch will be in the "hundreds of millions" of dollars category.)

Microsoft's decision against positioning XP Professional as an upgrade to Windows 2000 Professional is more understandable. Laptop and business-computer users running Windows 2000 Professional have registered few public complaints about stability or bugs. For those business users who have installed Windows 2000, Microsoft tacitly is encouraging them to stay with Windows 2000.

Schedule nitty-gritty

Microsoft is marching steadily toward launch date, testers said. Two weeks ago, the company released a post-Beta 2 interim release, build number 2465. According to an alleged copy of the most recently published internal beta schedule, Microsoft developers are aiming to complete Release Candidate 1 by June 6, Release Candidate 2 by July 2 and release the gold code to manufacturing by July 25.

The July 25 RTM date gives Microsoft a bit of leeway. If the company misses that target by a month or two, it still could get Windows XP code to PC makers in time for them to preload it on holiday machines. And Microsoft would still have at least a month to produce CDs and related packaging needed to supply retail stores with boxed copies.

"It would have been nice to make back-to-school," Allchin conceded, but he re-emphasized Microsoft's oft-repeated adage that quality, not marketing, determines ship dates for Windows.

Allchin said Microsoft was not anticipating any possible confusion or overlap between Windows XP and its Xbox gaming console -- both of which are now due in the latter part of this year.

"X marks the spot this holiday season," he quipped. "Whether you're into the game market or XP."

May 9, 2001 11:40 AM ET Ziff Davis Article

====================================

Why does your company keep believing people who have lied to them again and again?

Using Microsoft products is going to cost your company more . . . and more . . . and more

====================================

Users Pay More Under Microsoft Licensing Changes

With its Software Assurance Program, Microsoft Corp. intends to replace its present upgrade policies on Oct. 1. For the majority of business users, this will lead to a substantial increase in licensing costs. The Dutch Network Users Association (NGN), which unites some 4,000 network professionals, estimates that price increases for organizations that don't currently have Enterprise license agreements will range from 100% to 225% for the use of Microsoft Office between 2002 and 2005. (For details see the NGN analysis at the bottom of this story).

In adopting the new policy, Microsoft abandons the principle that the corporate holder of a software product has a right to an upgrade at a reduced rate.

NGN calculated the increase in costs under this new program for a company that uses Microsoft Office for a period of four years (2002-05), according to assumptions we have made based on a report from Gartner Inc. in Stamford, Conn., discussions with the staff of Microsoft Corp. and information on the Internet.

If user organizations are to have the use of Office XP for a reasonable price, under the new agreement, they must pay for an upgrade to their present version of Microsoft Office 95, 98 or 2000 to Office XP - whether they want it right now or not - to qualify under this program for the next version in 2002 or 2003.

If they do not purchase the upgrade before Oct. 1, the charges for the use of Office XP will increase over the next four years. NGN estimates that 86.5% of its members will have to deal with the new license model at higher prices, contrary to Microsoft's claim that 80% of its customers will be paying the same or less and that only 20% of its customers will pay more.

The holders of an Office license will be forced by the altered license and upgrade policy to purchase the new version of Office XP before Oct. 1, when the rights to an upgrade lapse. The fact that Microsoft has altered its upgrade policy in such a way that a user who doesn't hold an Office license after Oct. 1 loses the right to an upgrade is unconventional and unreasonable. In addition, we see no justification for such a high increase in the upgrade price.

Being forced to invest in this upgrade before Oct. 1 is tantamount to having a knife at your throat. However, most firms will simply be unable or refuse to implement such an upgrade before this date.

Should Microsoft implement this license policy as it is, the NGN will consider advising all members who are holders of Microsoft Office to reconsider their investments in every business license. In view of the fact that there aren't many alternatives to Microsoft, this advice will involve a great many problems, and there is no free option.

Microsoft first announced its new license policy for Office. In a discussion with the NGN, Microsoft has also disclosed that the same arrangement will also apply to all other Microsoft software, such as Windows.

We continue to believe that Microsoft will pursue a reasonable balance between product and price and hope that it will reconsider its license policy in order to meet these objections.


NGN's Cost Calculations Under Microsoft's New License Agreement

The following possibilities and their financial consequences were calculated by the Dutch Network Users Association (NGN) and cover a period of four years:

Option A: Upgrade to Microsoft Office XP before Oct. 1

An upgrade currently costs 50% of the new price of the software. Bear in mind that after Oct. 1, this version upgrade of Office will no longer be available. A company can use Office XP until 2005 but will not have the use of the latest versions that are released in the meantime.

Option B: Participate in the Software Assurance Program, which grants an unlimited right to all upgrades that appear in the period 2002-05

The Software Assurance contract costs 29% of the end-user price per year. Microsoft sets the condition that the user must have the current version of the product. Only Office XP will be the current version on Oct. 1, but most NGN members use Office 95 or 97. Even Office 2000 will no longer be considered current. That means the user is obliged to upgrade. The total cost for four years: The upgrade equals 50% of the full purchase price, plus four years of Software Assurance: four years multiplied by 29% of the purchase price equals 166% of the end-user price.

Note: A user will have the latest version of Office for the period of four years. This is more than three times as expensive as Option A.

Option C: Do not participate in the Software Assurance Program after Oct. 1

Because upgrades will no longer be available after Oct. 1, it will be possible only to purchase an entirely new license. Cost: 100% of the end-user price.

Note: The user will then be obliged to use Office XP for the next four years. This is the same situation as Option A but exactly twice as expensive!

Option D: Upgrade after Oct. 1 through the retail channel

Cost: 50% of the end-user price. But the retail version differs functionally from the version under corporate licenses; there is a registration module limitation (a maximum of two installations per individual CD) that makes application in a business environment of more than 20 PCs impossible.

Vincent Everts is chairman of the Dutch Network Users Association in the Netherlands.

http://www.computerworld.com/cwi/community/story/0,3201,NAV65-1797_STO61240,00.html

====================================

Pleasantness from Redmond.

http://dailynews.yahoo.com/h/zd/20010622/tc/microsoft_audit_or_else_there_s_trouble_1.html

Note the one VP quoted in the article who, adding that his company has spent about $200,000 on Microsoft products over the past several years, said: "For your business partner to be that bad, if there was a competitor some day, I'd switch."

====================================

30 March 2001 Updated: 15:36 GMT

http://www.theregister.co.uk/content/4/18002.html

All your data (and biz plans) belong to Microsoft
By: Andrew Orlowski in San Francisco Posted: 30/03/2001 at 15:07 GMT

With Microsoft's HailStorm .NET initiative hinging on the company's very own PassPort service, you'd think Redmond would be bending over backwards to stress the confidentiality of user information.

Well, if that's the case, it hasn't started yet.

The current Passport Terms of Use agreement not only fails to guarantee confidentiality, but actually gives Microsoft and its business partners the right to own your information, and do pretty much what they want with it. That encompasses all your Hotmail and MSN Messenger communications today.

As the Terms state:

"By posting messages, uploading files, inputting data, submitting any feedback or suggestions, or engaging in any other form of communication with or through the Passport Web Site ... you are granting Microsoft and its affiliated companies permission to:

1. Use, modify, copy, distribute, transmit, publicly display, publicly perform, reproduce, publish, sublicense, create derivative works from, transfer, or sell any such communication.

2. Sublicense to third parties the unrestricted right to exercise any of the foregoing rights granted with respect to the communication.

3. Publish your name in connection with any such communication."

And it doesn't stop there. Are you emailing a contact about a hot idea or business plan of your own? Hand that over, too:

"The foregoing grants shall include the right to exploit any proprietary rights in such communication, including but not limited to rights under copyright, trademark, service mark or patent laws under any relevant jurisdiction. No compensation will be paid with respect to Microsoft's use of the materials contained within such communication."

After the eFront debacle, we're baffled why anyone would want to trust confidential communications to any of the big IM services, let alone MSN Messenger.

====================================

Fred A. Miller, Systems Administrator, Cornell Univ. Press Services, wrote:

Microsoft: Audit, or else there's trouble

"In its continuing jihad against software piracy, Microsoft's legal department has sent letters to corporate customers demanding they conduct internal audits of their software licenses and submit their findings within 30 days to the software giant.

The letter, using language no less intimidating than the Internal Revenue Service might use, also includes a form that spells out the audit process. Customers must report the number of installs, documented licenses, license upgrades and unlicensed software. Covered in the process are operating systems, Office suites, individual applications, BackOffice products and the Visio product line.

The audits are not only costing IT shops time and money (some well into five figures), but several customers contacted this week who received the letters without warning said they bordered on harassment."

http://www.zdnet.com/zdnn/stories/news/0,4586,2779270,00.html

====================================

Following is an article printed in the Pittsburgh Tribune Review Friday, March 16, 2001:

Virus damage $2.6B

The "I love you" computer virus that paralyzed networks around the world last year caused losses of about $2.6 billion, making it one of the most costly man-made disasters of the last three decades, a study by Swiss Re, the world's second-biggest reinsurer, found. The bug attacked about 45 million computer users worldwide, from Ford Motor Co. to the British Parliament, by making copies of itself and using stored electronic-mail addresses to spread. The virus was one of the 10 most expensive events caused by people since 1970, the study found.

We ask: do you really want Microsoft to have all of your personal data? Do you really believe that Microsoft can keep that data safe from hackers? Read on . . .

From CBS.MarketWatch.com, online

Microsoft to unveil linchpin software

By Mike Tarsala, CBS.MarketWatch.com

2:35 PM ET Mar 19, 2001

REDMOND, Wash. (CBS.MW) - Bill Gates on Monday will try to convince anyone who's ever filled out a form on the Internet to trust him with their lives - and pay his company for it.

Microsoft plans to unveil Internet-based software that lets people store and manage their personal records. The new service makes the world's largest software company a central repository for storing credit card numbers, birth data and other types of personal information. The company will charge a to-be-determined monthly fee for the service.

The software, code-named Hailstorm, is getting a warm reception from some analysts. It lets people enter and change their information, store it via the Internet with Microsoft [MSFT], then selectively give the information away when buying goods or subscribing to services online.

The software's goal is to let people give out just the amount of personal information they want to share - all at a mouse click. It keeps people from having to root through file cabinets any time they want to make a big-ticket purchase, file a medical claim or apply for a loan.

"It's 180 degrees from what we've seen before: Instead of it being a service that's paid for by online vendors, it's paid for by you," said Rob Enderle, analyst with Giga Information Group. "You own the information."

But Microsoft keeps it. Considering the number of times that Microsoft's sites have come under attack from computer hackers in recent months, Gates and company may have to make their case Monday for why the software is safe.

"A lot of people don't trust Microsoft, and the company's own security exposures exacerbate that problem," Enderle said.

Microsoft executives will also have to convince consumers how the software is a big step up from the company's current personal information service, called Passport, which is free.

Hailstorm is expected to be a critical part of Microsoft's future .NET strategy, a bet-the-business plan to offer software as a service, according to Merrill Lynch. The software's release could act as a near-term catalyst for Microsoft's stock, according to the investment bank.

The software won't have any financial impact on Microsoft for at least 12 months, however. Microsoft's .NET is a three-year plan the company first unveiled last year.

Hailstorm will incorporate new versions of Microsoft's Hotmail e-mail, MSN Messenger software, as well as new services. Analysts say the company will spend tens of millions in advertising Hailstorm, stressing the product's security.

Key to Hailstorm is Internet security software that makes it difficult for hackers to gain access to personal information. Storing information in Microsoft's data repository is supposed to be safer than storing it on a home computer.

But the question is, does Hailstorm make Microsoft an even bigger target for hackers than the company already is? The world's largest software maker regularly comes under attack from computer hackers as it is.

Shares of Microsoft lost $1.13 to $53.56 in Monday trading.

====================================

What do the Germans know that we don't know?

German armed forces ban MS software, citing NSA snooping
By: John Lettice
Posted: 17/03/2001 at 18:59 GMT

The German foreign office and Bundeswehr are pulling the plugs on Microsoft software, citing security concerns, according to the German news magazine Der Spiegel. Spiegel claims that German security authorities suspect that the US National Security Agency (NSA) has 'back door' access to Microsoft source code, and can therefore easily read the Federal Republic's deepest secrets.

The Bundeswehr will no longer use American software (we surmise this includes Larry and Scott as well) on computers used in sensitive areas. The German foreign office has meanwhile put plans for videoconferencing with its overseas embassies on hold, for similar reasons. Under secretary of state Gunter Pleuger is said by Spiegel to have discovered that "for technical reasons" the satellite service that was to be used was routed via Denver, Colorado.

According to a colleague of Pleuger's this meant that the German foreign services "might as well hold our conferences directly in Langley." We're not entirely sure whose interesting video conferencing via satellite service has a vital groundstation in Denver, but we note that Pleuger seems to have gleaned this information from a presentation held earlier this month in Berlin by, er, Deutsche Telekom.

Which just happens, along with Siemens, to have picked up the gig. The two companies have supplanted Microsoft (and anything else American) and will be producing a secure, home-grown system that the German military can be confident in.

====================================

Microsoft admits Windows(tm) is unreliable!

To read the full article, see:

MS using the old Blue Screen to sell Win2k

By: Thomas C Greene in Washington(tm)

We've been telling you this for years!

Mean Time To Failure (MTTF):

Windows 9x: 216 hours
Windows NT: 919 hours

Now Microsoft wants you to dump everything you have and buy their latest systems which have been reported to contain 63,000 known bugs!

Your CMMS data is too valuable to trust to unreliable systems like Windows with abysmal MTTF records like this! You wouldn't buy bearings or pumps or belts which failed like this. Why do you accept unstable, unreliable computer software?

Is it because your "Corporate IT Gurus" won't let you have our product Oz because it is not Windows-based?

They are wrong and they are doing you a grave disservice. They are costing you lost time and lost data.

FACT: If you had installed Oz with OS/2 years ago, you would still be running it, with no downtime due to Operating System or program failures. Your system would still work and your CMMS data would be intact.

It's time to tell your "Corporate IT Gurus" that it's your budget. Tell them you want a reliable CMMS. Tell them you are sick of crashes, blue screens of death, lost time and lost data. Tell them you want Oz!

As an alternative, you can let the "gurus" dictate to you what you must use. You can let them dictate yet another Windows system which will give you even more grief and cost you more time, money and lost data