Windows XP, Anyone?


Vladimir E. Zyubin

Hello Jiri,

Support... The most unpleasant thing we faced is the problem of purchasing legal copies of Windows NT (we use it for a HMI that does not have special security requirements)...

--
Best regards,
Vladimir E. Zyubin mailto:[email protected]
 
> It seems ironic to me that when Microsoft shipped NT with minimum levels
> of security enabled people criticised them for not taking security
> seriously because many users would not think about turning on higher
> levels of security. Now that they do something that enhances the
> security of the average PC in the hands of non technical
> users they get criticised again.
>
You've missed the point of the thread. It is not that MS providing security enhancements is a bad thing, it's the End User License Agreement (EULA) that one is forced to accept to take the fix, which then gives MS the authority to change anything on the system that they want. If people on this list are so blind as to not see this and its implications, it isn't surprising that the US lawmakers and judges are also blind to MS practices. It is a bad harbinger for the future.

Mark Blunier
Any opinions expressed in this message are not necessarily those of the company.
 
Hi Peter

The criticism is not because Microsoft did something to enhance their security. Heaven forbid that we should criticize them for trying to turn the tide around. The criticism is that, what they did is like fixing a leaky boat by drilling holes in the bottom to let the water out. You go from a situation where your box is hacked occasionally to a situation where it is hacked regularly as well. This also has the side effect that no one knows exactly what state the box is in. And if something all of a sudden doesn't work, the likelihood of finding out what did it becomes somewhat remote. Which means the only cost effective solution is to start over, which kinda defeats the purpose. It's great that they are finally turning their attention to security. This is just a very dubious way to achieve that.
Their diddling with the box presents a greater risk than the virus of the week. It can be argued that what is done can be undone, but if you can't find and fix it in an hour, they're gonna bring you the CD's.

Regards

cww
 

Martinicky, Brian

Then unless any attorneys are contributing to this thread, what we really have here is a bunch of engineers spinning their wheels trying to think like lawyers. Never a good thing...

Regards,
Brian
 

Joe Jansen/ENGR/HQ/KEMET/US

Peter,

I think that in the context of the Automation List tho, nobody is arguing the value of XP in general. The over-riding question is: Does XP belong in any sort of IA applications? I would emphatically vote no.

Having decided that, now we need to decide what we are to use in its place. For now, Windows 2000 is filling the spot. However, unless things change, we as a group are going to have to face the facts that 2000 isn't going to be supported forever (or past 2003, from the sounds of it), and we need to get the vendors like WW to port to an alternative platform.

Not that I expect it to happen, mind you, but that is what we need if we are going to keep our systems secure.

--Joe Jansen
 
I agree with most of this and I say that MS is a monopoly and needs to be regulated for the good of the country as well as the world.

I know, I know, there is linux, but I have dealt with unix based systems before and I really do not want to go back there.
 
Hi Tim

List Manager wrote:
> ------------ Forwarded Message ------------
> From: Linnell, Tim
>
> This is turning into a bit of a paranoid feeding frenzy. Can I point out
> that:
>
> 1) No-one is obliged to connect a PC on a production line or in a
> certified environment to the Internet. Indeed, if you do, you probably
> run greater risks than the Microsoft Department of Evil.

We agree on the first point anyway.

> 2) No-one is obliged to use XP. As far as I know Win2000 doesn't require
> the same licensing terms, and is a better choice anyway. XP is supposed
> to be a mass market consumer O/S. As others have pointed out, O/S update
> is a useful feature in such environments, particularly when plugging
> security holes. It is not appropriate in the commercial world, in
> general, and so will not be deployed.

This is simply not true. If the automation vendors choose to release their tools on XP, you are pretty much compelled to use it. If we had a choice of the OS to work with, we wouldn't be having this chat. And the vendors have shown a preference for the "consumer" versions of MS operating systems regardless of how appropriate they are. My choice, of course, would be none of the above, which would eliminate the consumer vs commercial issue altogether, along with most of the other problems being discussed.

> 3) Automation (or indeed general commercial use of PCs where IT depts
> certify OS levels) is a significant market for Microsoft. They will be
> aware of the problems automatic update can cause, and will, I suspect,
> be working to obviate them.

Huh? From what I've seen they are pretty egalitarian in whose problems they ignore.

> 4) Anyone relying on XP, or Win2000 at a single point of failure in
> safety critical situations is wrong to do so. This is not Microsoft
> specific - anyone relying on Linux in safety critical situations is
> wrong too: the plant must have independent watchdog devices to shut down
> if danger is detected (this is the great problem with PC based control
> in general).

This is a topic for another day, but I know which I'd rather have running my Iron Lung.

> 5) It is genuinely scandalous to compare Microsoft commercial practices
> with Osama Bin Laden hacking into a computer. Sorry Curt, but you have
> lost track of reality if you truly believe that.

Both are convicted criminals whose crimes involve damaging people. Since both practices are the focus of federal prosecution, I stand ready to apologize to whoever's conviction is overturned. It is scandalous to keep insisting that Microsoft can be trusted when they have been proven to be abusing a monopoly. That would seem to be a breach of trust. It's like selling Enron stock to folks simply because they haven't been paying attention.

> Like I said a few months ago - proponents of Open Source would be better
> served arguing their case on the relative merits of their products
> rather than indulging in silly FUD and scare tactics and intimations
> that Microsoft is plotting to destroy the world. It isn't.

I agree, they have absolutely no intention of destroying the world. That would be counterproductive. There's far too much money to be made when they control it. And I apologize for the discomfort that discussions of morals and ethics cause some MS business partners. I am glad, at least, that they are still bothered. Why is that?

Regards

cww
 
> From: Blunier, Mark

> Jay Kirsch wrote:
> > If I had to choose between Bill Gates meddling with
> > my computer over the Internet or Osama bin Laden flying a Boeing 747
> > into it, I'd pick the former.
>
> You don't have that choice.

I didn't bring up the comparison, you should have taken that up with ccw.

> > There are some posts back there which had some actual technical
> > information stating that remote updates can be disabled on
> > WinXP. (I'd prefer this were the default setting.) What is this
> > thread really about now ?
>
> It is about MS EULA that says that they can make any changes that
> they want to your computer. Some people here want to
> believe that MS will only do things in the consumers interest, and that
> MS will never create a problem propagating 'updates'. We
> are trying to point out that we don't believe this to be the case. We
> are also trying to point out that if the MS is only going to
> provide these updates when the update feature is selected, the EULA
> should state that the users are only going to give up these
> rights when the update feature is activated.

Updates will cause problems, no doubt about it. If you have a validated production computer and update software on it, it is no longer validated. This goes for any OS. Thanks for the reminder.

I do not follow your second point. What are "these rights"?

jk
 

Vladimir E. Zyubin

Hello List,

The problem is not in evil will of MS.
The global disaster can happen because of a human error, i.e., by unpremeditated way... or because of terrorism... The centralized and user-independent changes ("update", "upgrade") of OS is a point of global instability...

Also need to say that "update" of OS principally differs from an update of an ordinary application... in the case of OS changes, a possible error is not a local thing and is connected with whole system functionality.

So, who will control the point of global instability? Bill Gates?
Usama bin Laden? Uncle Sam?

...and so on, very interesting topic...

--
Best regards,
Vladimir E. Zyubin mailto:[email protected]

Wednesday, September 25, 2002, 2:26:15 AM, Blunier, Mark wrote:

[...]
LM> It is about MS EULA that says that they can make any changes that
LM> they want to your computer. Some people here want to
LM> believe that MS will only do things in the consumers interest, and that
LM> MS will never create a problem propagating 'updates'. We
LM> are trying to point out that we don't believe this to be the case. We
LM> are also trying to point out that if the MS is only going to
LM> provide these updates when the update feature is selected, the EULA
LM> should state that the users are only going to give up these
LM> rights when the update feature is activated.
 

Michael Griffin

On September 23, 2002 03:02 pm, Jeff Dean wrote:
<clip>
> I will not participate in a protracted Digital Rights Management debate.
> Suffice to say, people who don't own the legal right to play music and
> video files or run software should not be able to do so.
<clip>

I have no interest in downloading music, whether hacked or not. My interest was in what the behavioural characteristics revealed about how the software works. This is essentially all we have to go by since there is no detailed technical description of the system from Microsoft.

> I must say, my goal was not to reassure anyone. While I openly use and
> vocally support Microsoft and Microsoft's products, everyone is free to
> judge for themselves. I believe that there is no possibility of
> Microsoft updating software on my computer without my knowledge. I
> firmly believe they are not out to get me.

I did some research on the internet to see if I could find a better explanation of this system. There is nothing which describes the innards, but there were some articles which described the effects on the user in more detail.

The "security" updates which Microsoft is referring to are not connected in any way with "security" which protects your computer from viruses or hackers. Rather, it is "security" for Microsoft's new "Digital Rights" (DR) software. The DR software is a major new product line for Microsoft. They hope to sell it as a service to companies who will distribute entertainment (music, movies, electronic books, etc.) via the internet. One of the things which makes Windows so valuable to Microsoft is that they can use it to entrench their new products like this one.

The "security" features which are concerning so many people here have several objectives. Firstly, it allows someone (theoretically the "content provider") to disable selected DR type data files remotely. That is, the files can be rendered unusable after they are already on your hard drive. Secondly, they are intended to allow Microsoft to patch any holes in their DR software after the software has already been delivered. This is intended to assure the companies which license the DR system from Microsoft that any security holes which are found later in the system can still be plugged.

An important point to note though is that while you may be offered a choice of whether you want an update when they become available, you don't really have a choice. If you say "no", then you may *still* get a software update downloaded into your computer anyway. This means that if the security system in the DR software doesn't work well enough, they can change it later. This is why Microsoft has changed their software license. You "agreed" to let them do this. You also "agreed" that it was OK if any of these patches caused any of your other software to stop working. There are (or at least can be) patches loaded onto your computer whether you want them or not.

The above is a very brief overview of the situation. However, my concern is whether any of this may have undesirable side effects on industrial automation systems, not whether it is desirable in the context of what Microsoft actually designed their operating system for. If any of this causes problems for people who are using Windows XP for purposes which it was not designed for, then there is no reason why Microsoft should feel compelled to do anything about it.

************************
Michael Griffin
London, Ont. Canada
************************
 
> The argument whether or not this setting over-rides the EULA. Far too
> many people suspect it does not, including the `fair and balanced'
> article someone was trying to hit me over the head with.
>
> Jiri

I don't think it helps to "suspect" anything or to read the opinions of others on this matter when you can just read the EULA directly.

Below are the references that I found in the WinXP EULA about the update features. Notice the phrases "If you choose..." and "...,if you elect...". I do not see any statement mandating the use of Internet updates or that you must ever connect your computer up to the Internet at all.

The first paragraph is about games; nothing at all to do with present automation concerns.

The second paragraph says that security updates will be downloaded in conjunction with downloading a license that permits the playing of secure content. This is not about general network security, it is about the security of copy protected works. After downloading such an application, there is no requirement to stay connected to the Internet or to go back on the Internet later for more security updates.

Again, this is not relevant to automation. Why is it there? MS does not want to be sued by content providers for security glitches in MS's DRM software that might allow this content to be illegally duplicated.

Jay Kirsch

"* Internet Gaming/Update Features. If you choose to utilize the Internet gaming or update features within the Product, it is necessary to use certain computer system, hardware, and software information to implement the features. By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for Internet gaming and/or updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you."

and

"* Security Updates. Content providers are using the digital rights management technology ("Microsoft DRM") contained in this Product to protect the integrity of their content ("Secure Content") so that their intellectual property, including copyright, in such content is not misappropriated. Owners of such Secure Content ("Secure Content Owners") may, from time to time, request Microsoft to provide security related updates to the Microsoft DRM components of the Product ("Security Updates") that may affect your ability to copy, display and/or play Secure Content through Microsoft software or third party applications that utilize Microsoft DRM. You therefore agree that, if you elect to download a license from the Internet which enables your use of Secure Content, Microsoft may, in conjunction with such license, also download onto your computer such Security Updates that a Secure Content Owner has requested that Microsoft distribute. Microsoft will not retrieve any personally identifiable information, or any other information, from your computer by downloading such Security Updates."
 
I certainly did not complain about the level of NT security, and you haven't shown that any of the people on this thread griping about XP did either. Granted, Microsoft has to look at the user base as somewhat of a homogenous whole.

I wouldn't say that requiring me to agree that, without any further consent on my part, Bill G's intern can break my existing software without civil or criminal liability is "enhancing security". Rather, the exact opposite. Anyone accesses my computer without my consent, it's a violation of my constitutionally guaranteed property rights, and is all the more egregious if it is someone with whom I have a business relationship.

Peter Whalley wrote:

>It seems ironic to me that when Microsoft shipped NT with minimum levels of security enabled people criticised them for not taking security seriously because many users would not think about turning on higher levels of security. Now that they do something that enhances the security of the average PC in the hands of non technical users they get criticised again.<
 

Joe Jansen/ENGR/HQ/KEMET/US

The quotes on their website seem to contradict what Brian Valentine, Senior VP of Windows Development team states. According to Mr. Valentine, "Our products just aren't engineered for security". In contrast, the website claims that it was built to be secure.... Given the rash of security problems, if Windows makes it through the testing, I would question the veracity of the test.

Oh, and for the curious, I got the quote from infoworld, specifically:

http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml

Enjoy!

--Joe Jansen
 

Michael Griffin

Vladimir E. Zyubin wrote:
<clip>
> The following question appears in my head after your words:
>
> What do the XP-users plan to do when MS cancels to support the XP? Who
> will generate the authorization keys? Who will rewrite the
> software in order to port it on new MS OS - devil knows the name... MS
> produces a new OS every 2 years!
<clip>

The DR system can be thought of as a copy protection system for data files. There is a utility which can be used to transfer the various "keys" to a new computer.

I agree though that I wouldn't be willing to use it for any data which I wanted to keep over the long term. I have a book on Russia which was printed 150 years ago, but is still quite readable today. I doubt the Microsoft DR system will prove to be quite that durable.

************************
Michael Griffin
London, Ont. Canada
************************
 
Jiri Baum:
> >>Windows had a certified security rating once, but it was: (a)
> >>different version, no longer supported, (b) with the network not
> >>connected, and (c) only C2 anyway).

Jeff Dean:
> The US Government (who created and certified "C2" security in Windows
> NT 3.5 and 4.0)

Ah, sorry about that, I was not aware of the NT 4.0 certification - NT 4.0 is still supported until mid-2003. Not particularly long as far as automation goes, but my point (a) was incorrect.

> and other governments changed its security rating system in 1998. The
> new system is called the "Common Criteria for Information Technology
> Security Evaluation (CCITSE)."

Yeah, I can never remember the new acronym, and it's a much more complex system. That makes it more flexible, of course, but also harder to remember and keep track of.

> Windows 2000 is currently undergoing the rigorous review to achieve
> certification comparable to C2 as a distributed operating system
> (connected to a network). Windows XP has also started this process.

Right, that will - when finished - deal with point (b). It does nothing for point (c).

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 

Michael Griffin

On September 26, 2002 04:12 pm, Curt Wuollet wrote:
<clip>
> The criticism is not because Microsoft did something to enhance their
> security. Heaven forbid that we should criticize them for trying to
> turn the tide around. The criticism is that, what they did is like
> fixing a leaky boat by drilling holes in the bottom to let the water
> out. You go from a situation where your box is hacked occasionally
> to a situation where it is hacked regularly as well.
<clip>

There are two completely separate and unrelated types of security involved which people are confounding, and which is causing much confusion in this debate. One type of security is provided by the "Windows Update". This provides security to you and your computer against hackers and viruses when these updates fix security holes. This type of security is not new, nor unique to Windows XP.

The other type of security is for the DRM (digital rights management) system which is relatively new, and has been the subject of debate. These updates provide security for *Microsoft*, not security for you. This prevents a user of the computer from taking advantage of bugs or shortcomings in the DRM system to use DRM files in a manner which was not authorised by Microsoft or one of their licensees. These updates are NOT intended to provide security to you against hackers or viruses.
The concern has been that the DRM system may offer a possible back door into a computer which could disable your application software as an unintended side-effect. It is generally believed that regardless of what choices may be offered on your screen, at least some DRM updates are NOT optional. There is also some concern that this back door may now or in the future extend through whatever firewalls or other systems you may have if your entire system comes from Microsoft as an integrated network.

I think the fact that these are two separate systems we are talking about needs to be kept in mind if the technical debate is to be useful.


************************
Michael Griffin
London, Ont. Canada
************************
 

Michael Griffin

On the other hand, if you think you would get a clear and unambiguous answer from a lawyer, then I think you are in for a bit of a shock when you do talk to one. All they could give you is an "opinion" of what a judge might say.

************************
Michael Griffin
London, Ont. Canada
************************
 

Vladimir E. Zyubin

In any case, trying to think is better than not trying to think...
Let's be a bit more constructive and not say rash words...
A list of fears was stated in the thread... I personally see, it is a list of common fears. Great!

And if we dare to click the "Yes, agreed" button without a visitation of legal advice office then we all are slightly lawyers... ;-)

--
Best regards,
Vladimir E. Zyubin mailto:[email protected]
 

George Robertson

Good heavens! Regulated? That would just take it from bad to worse. It just needs COMPETITORS!

If people could make money selling Linux, it might have already become dominant. Capitalism, creativity, and invention are what we need. The government doesn't create or fix anything!

George G. Robertson, P.E.
Manager of Engineering
Saulsbury E & C
[email protected]
(915) 366-4252
 