From gegohouse at gmx.at Thu Sep 8 03:31:07 2005
From: gegohouse at gmx.at (Gmx Private 01)
Date: Thu Sep 8 03:32:02 2005
Subject: [widdershins] independent security researchers vs companies ?!
Message-ID: <459060938.20050908093107@gmx.at>

http://news.zdnet.com/2100-1009_22-5846019.html

By Joris Evers, and Marguerite Reardon, CNET News.com
Published on ZDNet News: September 6, 2005

Tom Ferris is walking a fine line. He could be Microsoft's friend or foe.

Ferris, an independent security researcher in Mission Viejo, Calif., found what he calls a serious vulnerability in Microsoft's Internet Explorer Web browser. He reported it to the software giant on Aug. 14 via the "secure@microsoft.com" e-mail address and has since exchanged several e-mail messages with a Microsoft researcher.

Up to that point, Ferris did everything according to Microsoft's "responsible disclosure" guidelines, which call for bug hunters to delay the announcement of security holes until some time after the company has provided a fix. That way, people who use flawed products are protected from attack, the argument goes.

Last weekend, however, Ferris came close to running afoul of those guidelines by posting a brief description of the bug on his Security Protocols Web site and talking to the media about the flaw. So far, the move has done little more than raise some eyebrows at Microsoft.

"I am walking a fine line, but I am doing it very carefully because I am not disclosing actual vulnerability details," Ferris said. "I do this to inform users that flaws still do exist in IE...I don't like it that Microsoft tries to give users a nice warm feeling that they are disclosing everything researchers report to them."

At issue is the push for "responsible disclosure" of software flaws by many industry players, including titans such as Microsoft, Oracle and Cisco Systems.

Microsoft publicly chastises security researchers who don't follow its rules. Also, those researchers won't get credit for their flaw discovery in Microsoft's security bulletin, which is published when the company releases a patch. Because Ferris did not disclose any actual vulnerability details, he's still on Microsoft's good side, a company representative said.

While many software makers promote responsible disclosure, it isn't universally backed by the security community. Critics say it could make security companies lazy in patching. Full disclosure of flaws is better, they say, and turns up the heat on software makers to protect their customers as soon as possible.


How long is too long?

"Microsoft obviously takes way too long to fix flaws," Ferris said. "All researchers should follow responsible disclosure guidelines, but if a vendor like Microsoft takes six months to a year to fix a flaw, a researcher has every right to release the details."

By that time someone else, perhaps a malicious person, may also have found the same flaw and might be using it to attack users, Ferris said.

Often lambasted for bugs in its products, Microsoft is doing its best to win the respect of the security community. The company has "community outreach experts" who travel the world to meet with security researchers, hosts parties at security events and plans to host twice-annual "Blue Hat" events with hackers on its Redmond, Wash., campus. At Blue Hat, hackers are invited to Microsoft's headquarters to demonstrate flaws in Microsoft's product security.

"Security researchers provide a valuable service to our customers in helping us to secure our products," said Stephen Toulouse, a program manager in Microsoft's security group. "We want to get face to face with them to talk about their views on security, our views on security, and see how best we can meet to protect customers."

Many companies are getting better at dealing with security researchers, said Michael Sutton, director of iDefense Labs, which deals with researchers and software makers. "The environment has definitely changed from two or three years ago, though there are vendors who are going in the opposite direction," he said.

While Microsoft sometimes is still referred to as the "evil empire," it appears to be successfully wooing security researchers.

"We are at the point where all the obvious things we tell Microsoft to do, they already do it," Dan Kaminsky, a security researcher who participated in Microsoft's first Blue Hat event last March, has said.


Balancing act

Other technology companies still struggle with hacker community relations. Cisco especially has managed to alienate itself from the hacker community to the extent that T-shirts with anti-Cisco slogans were selling well at this year's Defcon event. Oracle also isn't a favorite, researchers said.

Cisco, along with Internet Security Systems, last month sued security researcher Michael Lynn after he gave a presentation on hacking router software at the Black Hat security conference. The company had previously tried to stop Lynn from giving his talk in the first place.

"It was definitely a surprise to see Cisco's reaction," iDefense's Sutton said. "I don't think that's the best approach. I do feel that it is happening less and that vendors are realizing that we don't want to work against them, but with them."

Cisco contends it doesn't have any beef with Lynn's discoveries, but instead the company is unhappy about the way he went about distributing the information to the public.

"This incident violated aspects of normal protocol for dealing with security flaws," said Bob Gleichauf, CTO for Cisco's Security Technology Group. "And we are real sticklers for protocol."

But it seems that there have been several instances where Cisco has had similar problems in its dealings with researchers.

Early in 2004, Paul Watson discovered a flaw in the TCP/IP protocol that could be exploited on a number of networking products, including Cisco's routers. Watson said he initially e-mailed two of Cisco's engineers, who responded promptly. They were helpful and even contributed some thoughts and ideas to his research, he said.

But once the issue was identified as a serious security risk by the legal team at Cisco, the tone of the communication changed, Watson said. Cisco still wanted information from Watson, but no longer responded to his queries. Watson provided Cisco with several possible methods to correct the problem.

Frustrated by the lack of communication with Cisco, Watson decided to present his research at the CanSecWest Security Conference in April 2004. In a scenario similar to that at Black Hat, Cisco and the U.S. Department of Homeland Security asked the conference organizer to pull the talk. The request was denied.

The impending talk spurred the company into action. Fixes were released a few days before the conference. However, Cisco not only provided patches, it also patented a fix for the flaw. This raised fears that Cisco might charge for the fix, which also affected other vendors, although Cisco did not.

"I was shocked," Watson said in an e-mail. "It really broke my trust in them." Cisco, like other software makers, wants security researchers to report flaws privately and have time to patch before disclosure, but Cisco took advantage of this period to apply for a patent, he said.


Playing it smart

A similar situation played out about a year later. Cisco tried to patent a fix to a flaw in the ICMP protocol that was discovered by Fernando Gont. The researcher outsmarted Cisco by documenting his discovery and the fix, and also by sharing the information privately with the open-source community and the Internet Engineering Task Force, a standards organization.

Mary Ann Davidson, chief security officer at Oracle, sees security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on News.com. "The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so," Davidson said.

Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided.

Oracle chided Kornbrust as irresponsible for disclosing the data.

Although not entirely happy about his dealings with Oracle, Kornbrust said it is not an adversarial relationship. "Hostile is not the right expression. I did get feedback from Oracle," Kornbrust said. But that was only immediately after he reported the bugs. Oracle did not give Kornbrust updates on how it was addressing the problems afterwards.

"Oracle supports guidelines for responsible disclosure. One of those guidelines is that the company should send out updates to the researcher. They don't," said Kornbrust, who runs Germany's Red Database Security.

In the past, many hackers and security researchers outed glitches without giving much thought to the impact the disclosures would have on Internet users. Software makers have been working to provide a channel for disclosure. Several have also established patching schedules. Microsoft releases patches every second Tuesday of the month, and Oracle has a quarterly schedule.

Still, the debate on responsible disclosure rages. Recently the French Security Incident Response Team, or FrSIRT, was the subject of discussion on a popular security mailing list. FrSIRT, formerly known as K-Otic, releases details on vulnerabilities and also publishes exploit code that could help attackers. Sometimes the holes aren't yet patched. Other than FrSIRT selling its service, what good can such publishing do? critics have asked.
"With our dependency on IT systems, responsible disclosure is of paramount importance," said Howard Schmidt, an independent security consultant who has served as cybersecurity adviser to the White House and security executive at Microsoft and eBay.

Technology companies that are not responsive to security researchers do pose a problem, Schmidt said. He suggests that the government, specifically the US Computer Emergency Readiness Team (the Department of Homeland Security's Internet security agency), could act as an intermediary. "And then perhaps the government could put some pressure on (technology companies)," he said.


_________________________________________
Attend ToorCon
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org


From adrian.sanabria at gmail.com Thu Sep 8 21:59:10 2005
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Thu Sep 8 22:00:16 2005
Subject: [widdershins] independent security researchers vs companies ?!
In-Reply-To: <459060938.20050908093107@gmx.at>
References: <459060938.20050908093107@gmx.at>
Message-ID:

While a good article, I think it ignores the largest problem that may develop in the world of disclosure. After what Cisco pulled, researchers in fear of being pursued legally, even if they try to do the right thing, may just release all the details of vulnerabilities anonymously without any warning at all. That's what many people I've talked to are most worried about. No more responsible disclosure - just straight to the public without warning...

--Adrian

On 9/8/05, Gmx Private 01 wrote:
>
> http://news.zdnet.com/2100-1009_22-5846019.html
>
> By Joris Evers, and Marguerite Reardon, CNET News.com
> Published on ZDNet News: September 6, 2005


From stuart at linuxsecurity.co.nz Thu Sep 8 23:13:28 2005
From: stuart at linuxsecurity.co.nz (Stuart MacIntosh)
Date: Thu Sep 8 23:14:03 2005
Subject: [widdershins] independent security researchers vs companies ?!
In-Reply-To:
References: <459060938.20050908093107@gmx.at>
Message-ID: <4320FDD8.5050006@linuxsecurity.co.nz>

'responsible disclosure' is prone to corruption (bribes anyone?) and is not ultimately fair or responsible to the public or private. Security researchers are in a field of their own and have absolutely no obligation to grant 'grace time' to corporations or software developers.

I support full, public disclosure, which is not a problem but the civil response to the greater problem of dodgy security.

-Stuart

Adrian Sanabria wrote:
> While a good article, I think it ignores the largest problem that may
> develop in the world of disclosure. After what Cisco pulled,
> researchers in fear of being pursued legally, even if they try to do
> the right thing, may just release all the details of vulnerabilities
> anonymously without any warning at all.
That's what many people I've > talked to are most worried about. No more responsible disclosure - > just straight to the public without warning... > > --Adrian > > > On 9/8/05, *Gmx Private 01* > wrote: > > http://news.zdnet.com/2100-1009_22-5846019.html > > By Joris Evers, and Marguerite Reardon, CNET News.com > > Published on ZDNet News: September 6, 2005 > > Tom Ferris is walking a fine line. He could be Microsoft's friend or > foe. > > Ferris, an independent security researcher in Mission Viejo, Calif., > found what he calls a serious vulnerability in Microsoft's Internet > Explorer Web browser. He reported it to the software giant on Aug. 14 > via the "secure@microsoft.com " > e-mail address and has since exchanged > several e-mail messages with a Microsoft researcher. > > Up to that point, Ferris did everything according to Microsoft's > "responsible disclosure" guidelines, which call for bug hunters to > delay the announcement of security holes until some time after the > company has provided a fix. That way, people who use flawed products > are protected from attack, the argument goes. > > Last weekend, however, Ferris came close to running afoul of those > guidelines by posting a brief description of the bug on his Security > Protocols Web site and talking to the media about the flaw. So far, > the move has done little more than raise some eyebrows at Microsoft. > > "I am walking a fine line, but I am doing it very carefully because I > am not disclosing actual vulnerability details," Ferris said. "I do > this to inform users that flaws still do exist in IE...I don't like it > that Microsoft tries to give users a nice warm feeling that they are > disclosing everything researchers report to them." > > At issue is the push for "responsible disclosure" of software flaws by > many industry players, including titans such as Microsoft, Oracle and > Cisco Systems. > > Microsoft publicly chastises security researchers who don't follow its > rules. 
Also, those researchers won't get credit for their flaw > discovery in Microsoft's security bulletin, which is published when > the company releases a patch. Because Ferris did not disclose any > actual vulnerability details, he's still on Microsoft's good side, a > company representative said. > > While many software makers promote responsible disclosure, it isn't > universally backed by the security community. Critics say it could > make security companies lazy in patching. Full disclosure of flaws is > better, they say, and turns up the heat on software makers to protect > their customers as soon as possible. > > > How long is too long? > > "Microsoft obviously takes way too long to fix flaws," Ferris said. > "All researchers should follow responsible disclosure guidelines, but > if a vendor like Microsoft takes six months to a year to fix a > flaw, a > researcher has every right to release the details." > > By that time someone else, perhaps a malicious person, may also have > found the same flaw and might be using it to attack users, Ferris > said. > > Often lambasted for bugs in its products, Microsoft is doing its best > to win the respect of the security community. The company has > "community outreach experts" who travel the world to meet with > security researchers, hosts parties at security events and plans to > host twice-annual "Blue Hat" events with hackers on it its Redmond, > Wash., campus. At Blue Hat, hackers are invited to Microsoft's > headquarters to demonstrate flaws in Microsoft's product security. > > "Security researchers provide a valuable service to our customers in > helping us to secure our products," said Stephen Toulouse, a program > manager in Microsoft's security group. "We want to get face to face > with them to talk about their views on security, our views on > security, and see how best we can meet to protect customers." 
> > Many companies are getting better at dealing with security > researchers, said Michael Sutton, director of iDefense Labs, which > deals with researchers and software makers. "The environment has > definitely changed from two or three years ago, though there are > vendors who are going in the opposite direction," he said. > > While Microsoft sometimes is still referred to as the "evil empire," > it appears to be successfully wooing security researchers. > > "We are at the point where all the obvious things we tell Microsoft to > do, they already do it," Dan Kaminsky, a security researcher who > participated in Microsoft's first Blue Hat event last March, has said. > > > Balancing act > > Other technology companies still struggle with hacker community > relations. Cisco especially has managed to alienate itself from the > hacker community to the extent that T-shirts with anti-Cisco slogans > were selling well at this year's Defcon event. Oracle also isn't a > favorite, researchers said. > > Cisco, along with Internet Security Systems, last month sued security > researcher Michael Lynn after he gave a presentation on hacking router > software at the Black Hat security conference. The company had > previously tried to stop Lynn from giving his talk in the first place. > > "It was definitely a surprise to see Cisco's reaction," iDefense's > Sutton said. "I don't think that's the best approach. I do feel that > it is happening less and that vendors are realizing that we don't > want > to work against them, but with them." > > Cisco contends it doesn't have any beef with Lynn's discoveries, but > instead the company is unhappy about the way he went about > distributing the information to the public. > > "This incident violated aspects of normal protocol for dealing with > security flaws," said Bob Gleichauf, CTO for Cisco's Security > Technology Group. "And we are real sticklers for protocol." 
> > But it seems that there have been several instances where Cisco has > had similar problems in its dealings with researchers. > > Early in 2004, Paul Watson discovered a flaw in the TCP/IP protocol > that could be exploited on a number of networking products, including > Cisco's routers. Watson said he initially e-mailed two of Cisco's > engineers, who responded promptly. They were helpful and even > contributed some thoughts and ideas to his research, he said. > > But once the issue was identified as a serious security risk by the > legal team at Cisco, the tone of the communication changed, Watson > said. Cisco still wanted information from Watson, but no longer > responded to his queries. Watson provided Cisco with several possible > methods to correct the problem. > > Frustrated by the lack of communication with Cisco, Watson decided to > present his research at the CanSecWest Security Conference in April > 2004. In a scenario similar to that at Black Hat, Cisco and the U.S. > Department of Homeland Security asked the conference organizer to pull > the talk. The request was denied. > > The impending talk spurred the company into action. Fixes were > released a few days before the conference. However, Cisco not only > provided patches, it also patented a fix for the flaw. This raised > fears that Cisco might charge for the fix, which also affected other > vendors, although Cisco did not. > > "I was shocked," Watson said in an e-mail. "It really broke my trust > in them." Cisco, like other software makers, wants security > researchers to report flaws privately and have time to patch before > disclosure, but Cisco took advantage of this period to apply for a > patent, he said. > > > Playing it smart > > A similar situation played out about a year later. Cisco tried to > patent a fix to a flaw in the ICMP protocol that was discovered by > Fernando Gont. 
The researcher outsmarted Cisco by documenting his > discovery and the fix, and also by sharing the information privately > with the open-source community and the Internet Engineering Task > Force, a standards organization. > > Mary Ann Davidson, chief security officer at Oracle, sees security > researchers who threaten vendors with disclosure of bugs as a problem, > she wrote in a recent perspective piece on News.com > . "The reality is > that most vendors are trying to do better in vulnerability handling. > Most don't need threats to do so," Davidson said. > > Alexander Kornbrust specializes in security of Oracle products. He > went public with details on six security vulnerabilities in Oracle > software in July, about two years after he reported the bugs to the > software maker and fixes still had not been provided. > > Oracle chided Kornbrust as irresponsible for disclosing the data. > > Although not entirely happy about his dealings with Oracle, Kornbrust > said it is not an adversarial relationship. "Hostile is not the right > expression. I did get feedback from Oracle," Kornbrust said. But that > was only immediately after he reported the bugs. Oracle did not give > Kornbrust updates on how it was addressing the problems afterwards. > > "Oracle supports guidelines for responsible disclosure. One of those > guidelines is that the company should send out updates to the > researcher. They don't," said Kornbrust, who runs Germany's Red > Database Security. > > In the past, many hackers and security researchers outed glitches > without giving much thought to the impact the disclosures would have > on Internet users. Software makers have been working to provide a > channel for disclosure. Several have also established patching > schedules. Microsoft releases patches every second Tuesday of the > month, and Oracle has a quarterly schedule. > > Still, the debate on responsible disclosure rages. 
> Recently the French Security Incident Response Team, or FrSIRT, was the subject of discussion on a popular security mailing list. FrSIRT, formerly known as K-Otic, releases details on vulnerabilities and also publishes exploit code that could help attackers. Sometimes the holes aren't yet patched. Other than FrSIRT selling its service, what good can such publishing do? critics have asked.
>
> "With our dependency on IT systems, responsible disclosure is of paramount importance," said Howard Schmidt, an independent security consultant who has served as cybersecurity adviser to the White House and security executive at Microsoft and eBay.
>
> Technology companies that are not responsive to security researchers do pose a problem, Schmidt said. He suggests that the government, specifically the US Computer Emergency Readiness Team (the Department of Homeland Security's Internet security agency), could act as an intermediary. "And then perhaps the government could put some pressure on (technology companies)," he said.
>
>
> _________________________________________
> Attend ToorCon
> Sept 16-18th, 2005
> Convention Center
> San Diego, California
> www.toorcon.org
>
> _______________________________________________
> widdershins mailing list
> widdershins@attrition.org
> http://www.attrition.org/mailman/listinfo/widdershins
>
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >widdershins mailing list
> >widdershins@attrition.org
> >http://www.attrition.org/mailman/listinfo/widdershins
>

From gegohouse at gmx.at Fri Sep 9 05:55:51 2005
From: gegohouse at gmx.at (Gmx Private 01)
Date: Fri Sep 9 05:57:17 2005
Subject: Fwd: Re[2]: [widdershins] independent security researchers vs companies ?!
In-Reply-To: <1753591802.20050909115509@gmx.net>
References: <459060938.20050908093107@gmx.at> <4320FDD8.5050006@linuxsecurity.co.nz> <1753591802.20050909115509@gmx.net>
Message-ID: <1218269754.20050909115551@gmx.at>

I would also agree with Stuart - while responsible disclosure is the best way, the reality of it seems to be that people trying to do the right thing are "punished" for their effort. As it is now, a little pressure could do wonders for a change in attitude.

Full public disclosure seems the only logical response here.

cheers,

gego

From hellnbak at nmrc.org Fri Sep 9 14:08:03 2005
From: hellnbak at nmrc.org (hellNbak)
Date: Fri Sep 9 13:15:54 2005
Subject: [widdershins] independent security researchers vs companies ?!
In-Reply-To:
References: <459060938.20050908093107@gmx.at>
Message-ID:

On Thu, 8 Sep 2005, Adrian Sanabria wrote:

> While a good article, I think it ignores the largest problem that may develop in the world of disclosure. After what Cisco pulled, researchers in fear of being pursued legally, even if they try to do the right thing, may

Why is it "what Cisco pulled" and not "what ISS and Cisco pulled"? ISS clearly had a responsibility to back their researcher. They made the choice not to. If anything, researchers at ISS should be worried about being hung out to dry and the independent guys can still go along business as usual.

From hellnbak at nmrc.org Fri Sep 9 14:22:11 2005
From: hellnbak at nmrc.org (hellNbak)
Date: Fri Sep 9 13:30:05 2005
Subject: [widdershins] independent security researchers vs companies ?!
In-Reply-To: <4320FDD8.5050006@linuxsecurity.co.nz>
References: <459060938.20050908093107@gmx.at> <4320FDD8.5050006@linuxsecurity.co.nz>
Message-ID:

On Fri, 9 Sep 2005, Stuart MacIntosh wrote:

> 'responsible disclosure' is prone to corruption (bribes anyone?) and is not ultimately fair or responsible to the public or private.
> Security researchers are in a field of their own and have absolutely no obligation to grant 'grace time' to corporations or software developers.

You are partially correct. Bribes? Let's hear an example of this. As for providing grace time? How is that not the responsible thing to do for *any* vendor including open source ones? Giving the vendor time before disclosing the issue to the world lets them have an official patch ready so that those that actually care can install the patch and be done with it. Just dropping the issue on the public increases the risk.

> I support full, public disclosure; which is not a problem but, the civil response to the greater problem of dodgy security.

Full, public disclosure, to me anyways, doesn't mean dropping an issue on to the public without notifying the vendor first. Be it that you give the vendor 3 days or 30 or even 60 is up to the researcher involved (or the company paying the researcher) but at least giving them a heads up is the right thing to do.

I am making an assumption, by your domain name, that you support the dropping of a vuln to the public because you can simply write your own patch / modify the source / whatever rather quickly. That is cool, and it does make a good argument but it is an argument that doesn't scale. Open source software is being used in the corporate world -- which means you have a number of boxes that are potential targets with admins running them that do not have the ability to write their own patch, won't trust your patch, and will sit back and wait for their vendor to release an official one. It is all about the risk.

The typical argument to this is usually: "well if xyz researcher/h4x0r found the bug that means others may have or already have". Sure, that is a valid concern... but give me one real world example of this happening? Let's take the last worm in the windows world we saw. It exploited (among others) MS05-039 - the PnP Vulnerability.
If someone malicious, other than ISS, had discovered this bug prior don't you think we would have seen a worm long before the patch? Don't you think we would have seen reports of Windows 2000 boxes being owned and no one knows why? So sure, maybe a few guys found and knew about this bug. But they sure as hell didn't abuse it on a mass scale (corporate espionage perhaps?) which is where the real perceived risk is at this point.

From adrian.sanabria at gmail.com Fri Sep 9 14:44:19 2005
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Fri Sep 9 14:45:10 2005
Subject: [widdershins] independent security researchers vs companies ?!
In-Reply-To: <1218269754.20050909115551@gmx.at>
References: <459060938.20050908093107@gmx.at> <4320FDD8.5050006@linuxsecurity.co.nz> <1753591802.20050909115509@gmx.net> <1218269754.20050909115551@gmx.at>
Message-ID:

Don't get me wrong, I agree with Stuart as well. I was originally replying from the point of view of the article, not my own personally. I believe that, as long as software companies treat security researchers as nuisances (when they opt for responsible disclosure) or threats (when they opt for full public), they're just going to continue making it harder and harder on themselves.

--Adrian

On 9/9/05, Gmx Private 01 wrote:
>
> I would also agree with Stuart - while responsible disclosure is the best way, the reality of it seems to be that people trying to do the right thing are "punished" for their effort. As it is now, a little pressure could do wonders for a change in attitude.
>
> Full public disclosure seems the only logical response here.
>
> cheers,
>
> gego
>
> _______________________________________________
> widdershins mailing list
> widdershins@attrition.org
> http://www.attrition.org/mailman/listinfo/widdershins
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/widdershins/attachments/20050909/c547a5d8/attachment.html

From MShapiro at outcastpr.com Tue Sep 13 14:57:21 2005
From: MShapiro at outcastpr.com (Melissa Shapiro)
Date: Tue Sep 13 14:56:24 2005
Subject: [widdershins] Forbes: Microsoft's Midlife Crisis
Message-ID: <6F807BD3DDD9874A9FDFD568F9EF381D02175752@INDIGO.outcastpr.com>

Anyone else wondering how this statistic could be right? 140% of profits?

The company relies on Windows and a suite of desktop applications--products released a decade ago--for 80% of sales and 140% of profits. Newer products--the Xbox videogame machine, the MSN online service, the wireless and small-business software--collectively have racked up $7 billion in losses in four years.

> Microsoft's Midlife Crisis
> Victoria Murphy, 09.13.05, 6:00 AM ET
> http://www.forbes.com/2005/09/12/microsoft-management-software_cz_vm_0913microsoft.html?partner=daily_newsletter
>
> Steven Ballmer, Microsoft's cheerleader and chief executive, takes the stage at the Georgia Dome in Atlanta to stoke the spirits of 10,000 faithful at the company's annual sales meeting. "Win, drive, innovate, impress!" he shouts, his forehead glistening under hot stage lights as ponds of sweat soak the pale blue shirt on his barrel-chested frame. "But there's a way people keep score. Billions! Billions! Billions! If you wanna grow, things that rhyme with 'billions' are very good," he roars, sprinting up and down the aisles to trade high fives with starstruck salespeople.
>
> The crowd at the Georgia Dome loves it, but even Ballmer's booming voice can't mask the disturbing truth: Microsoft (nasdaq: MSFT - news - people ) is slowing down. It is bigger, more lumbering and less profitable than it was five years ago. Its sales are up 73% in five years, but profits are up only 30%. Payroll has doubled in the last six years.
> In the fiscal year just ended, sales rose only 8%, the first time the company has ever reported less than double-digit growth.
>
> In the dog years of Silicon Valley, Microsoft, at 30, is in advanced middle age. The company relies on Windows and a suite of desktop applications--products released a decade ago--for 80% of sales and 140% of profits. Newer products--the Xbox videogame machine, the MSN online service, the wireless and small-business software--collectively have racked up $7 billion in losses in four years.
>
> In Web-server software, Microsoft has 20% of the fast-growing market, while the free Apache program, a Linux variant, has 70%--worth $6 billion in revenue had Microsoft gotten the sales. In search, Google (nasdaq: GOOG - news - people ) and Yahoo! (nasdaq: YHOO - news - people ) get 70% of queries while MSN gets only 13%. Google now gives away features (desktop search, photo archiving) that Microsoft promises in its next upgrade of Windows--which is running two years late.
>
> What has gone wrong? Microsoft, with $40 billion in sales and 60,000 employees, has grown musclebound and bureaucratic. Some current and former employees describe a stultifying world of 14-hour strategy sessions, endless business reviews and a preoccupation with PowerPoint slides; of laborious job evaluations, hundreds of e-mails a day and infighting among divisions so fierce that it hobbles design and delays product releases. In short, they describe precisely the behavior that humbled another tech giant: IBM (nyse: IBM - news - people ) in the late 1980s. Tellingly, IBM reached a point of crisis just over three decades after it started selling computers to commercial users.
>
> "Microsoft is a vestige of the past," says Marc Benioff, chief of rival Salesforce.com, whose shares, since they were first offered to the public in June of last year, are up 27%; Microsoft's are down 5% in that period.
> Salesforce, which trades at 84 times next year's earnings (versus 20 for Microsoft), rents its software to businesses over the Internet. "Microsoft," Benioff says, "still wishes the Internet hadn't been invented."
>
> "Microsoft has become what it used to mock," says Gabe Newell, a developer on the first three versions of Windows. At late-night rounds of poker with "Bill and Steve" in the mid-1980s, he says, "we laughed at IBM. They had all this process for monitoring productivity, and yet we knew they had spectacularly bad productivity. That's Microsoft now."
>
> Jeff B. Erwin, who quit in December after five years there, adds, "Microsoft has some of the smartest people in the world, but they are just crushing them. You have a largely unhappy population."
>
> Unhappy because they aren't getting rich the way they did in the 1990s. In September 2003 Microsoft ended its stock option program, replacing it with outright grants of shares, which aren't at the moment minting very many millionaires. Since the tech crash in 2000, Microsoft stock has lost half of its value, although it has done better than the next four entries in the March 2000 ranking of Nasdaq stocks by market capitalization: Cisco (nasdaq: CSCO - news - people ), Intel (nasdaq: INTC - news - people ), ITC DeltaCom (nasdaq: ITCD - news - people ) and Oracle (nasdaq: ORCL - news - people ). And now it is being eclipsed, in software cool and stock market excitement, by the upstart Google.
>
> The doubts and the sniping gnaw at Ballmer, 49, who became chief executive six years ago, just as the tech sector was peaking on Wall Street. "The one thing that frustrates me is any sense that the company doesn't have huge, amazing opportunity to change the world and huge, amazing opportunity to grow," he says. "We absolutely do. Will we execute well? That's my job."
>
> In many ways, Microsoft still looks invincible--its stock may even be a bargain.
> Surely it has the wherewithal to buy its way into new fields. Even after paying a $32 billion dividend last year, Microsoft has $40 billion in its pocket. With annual net income of $12 billion-plus, it outearns every other technology company.
>
> Moreover, the next 18 months could be filled with blockbusters. Fifteen product releases are set, including new versions of Windows, Office and the SQL database; the much-hyped Xbox 360 is to debut this holiday season. Microsoft is at its best when a new threat looms--as Netscape did a decade ago--and now it has the next one. Ballmer revs up the troops with a new battle cry: "Goo-GLE! Goo-GLE! Goo-GLE!"
>
> "Tone comes from the top," he says. "People have to be reminded that there's nothing that stands in our way of competing. Our capacity to learn is amazing."
>
> Ballmer is one of the richest men in the world. His 3.78% stake in his employer is worth $11 billion. Bill Gates owns 9.42% and, with other assets, has a net worth of $51 billion. And while Gates sells 20 million shares every quarter to diversify his assets, Ballmer rarely disposes of shares, and even then mainly for charitable purposes. He drives a seven-year-old Ford to the office every day.
>
> Ballmer grew up in the suburbs of Detroit, one of two children; his father was a manager at Ford Motor (nyse: F - news - people ), his mother raised the kids. Steve and Bill bonded at Harvard in their sophomore year. Bill dropped out, while Steve dutifully stayed on. Ballmer graduated in 1977, did a stint at Procter & Gamble (nyse: PG - news - people ) and entered the Stanford Graduate School of Business in 1979. In 1980 Gates persuaded him to ditch the M.B.A. program and join Microsoft as employee No. 30.
>
> For two decades Ballmer was Bill Gates' right hand. He headed sales for Windows 95, then became president in 1998. In January 2000 Gates ceded the chief exec role in order to focus on the big picture.
> They talk or e-mail each other daily, and Ballmer consults with Gates even on small acquisitions.
>
> In Gates' grip the old Microsoft ran like a startup, even though it had long ceased to be one. A decision as small as hiring a product-marketing manager required approval from the very top. "There was no management structure," says Mich Mathews, a 12-year veteran who now heads marketing. "We were very hierarchical. If a guy in France wanted to do something, that had to go through Steve."
>
> Shortly after Ballmer took charge, he began looking at how to build some structure into an unwieldy management process. He interviewed a hundred employees at all levels. What emerged was an attempt to create a system with both accountability and flexibility. He recast the company into seven divisions and ordered each to publicly disclose a quarterly profit-and-loss statement, even though accounting rules don't require such revelations.
>
> "This will be a place with some structure, but structure that aids teamwork, not politics and bureaucracy," Ballmer told employees in a companywide e-mail in June of last year. "Nothing solves 'big company' ills quite like a strong focus on accountability for results with customers and shareholders."
>
> With accountability, though, comes competition for resources. The seven divisions act as rival fiefs, pursuing overlapping technologies and warring over whose code will prevail in the spaces where different divisions' products interact. "Windows and Office would never let MSN have more budget or more control," says Mark Jen, who quit Microsoft eight months ago. "MSN e-mail should talk to Office Calendar contacts and share appointments from Office with friends and family on the Web. But then MSN could cannibalize Office."
>
> The squabbling is delaying the release of the next version of Windows, called Vista.
> In 2001 Microsoft promised that Vista would be ready in 2003; by mid-2003 it said 2005. Now Vista is set for year-end 2006, the company vows; some analysts say early 2007 is more likely.
>
> Some employees complain that they spend hours tracking down collaborators in far-flung groups instead of talking to customers and taking products to market. Working on a huge project requires checking in with management constantly. "Instead of promoting the product to customers, I'd get stuck in the office until midnight preparing slides for my monthly product review," says David Ryan, 33, a marketer for Windows XP. He has just been freed up to pursue an incubation project in the server group, where he is happily exempt from most reviews. At Microsoft a "review" is often a progress report illustrated with 15 PowerPoint slides.
>
> Other staffers say that almost every move requires a lawyer's signature and that even routine approvals can take weeks. Recently one employee waited a month while a $10,000 purchase order for outside development work was held up by legal. By the time the lawyers were done, the budget for the deal had evaporated. Dennis Reno left Microsoft two years ago feeling burned out from bureaucracy. He'd worked 18-hour days but got little done because he was bogged down by paperwork. "The smallest issue would balloon into a nightmare of a thousand e-mails," says Reno, who is now at Plumtree Software (nasdaq: PLUM - news - people ).
>
> Ballmer views product integration as Microsoft's big advantage--how its software will reach from the desktop to servers, databases and the Web and onto phones, handhelds and set-top boxes. But reach means complexity. As it is, the last version of Windows has 50 million lines of code, and Vista will run a lot more.
>
> "Projects were weighed down by integration," says Alexander Hopmann, who quit Microsoft in March to join a home-networking startup, Pure Networks, in Seattle.
> In 2000 he worked on new storage software for Exchange, a server program that works with Microsoft Outlook e-mail, but the Outlook team, without admitting so, didn't want it. "They sent me a 200-page document that said our technology had to be 100% better than the current stuff. Then it failed, of course, so they did it themselves."
>
> More recently, programmers at the MSN online service were ready to release a search tool letting users sift through their own PCs, but the research lab and the Windows division were working on similar efforts. Some argued that any new tool should wait to be bundled into Vista. Yusuf Mehdi, a top MSN executive, had to dicker inside the company for a month before striking a compromise that let MSN's and Vista's search tools both go ahead.
>
> Ballmer has moved to counter the drawbacks of bigness, pushing employees to focus more on customers and less on internal doings. At the sales meeting in July, former sales chief Kevin Johnson encouraged the crowd to "just say no" to internal requests and meetings. He has ordered all internal sales meetings to occur only on Tuesdays, so his reps can pitch to customers the rest of the time.
>
> Some customers say Microsoft is more responsive than it used to be. "The old Microsoft took its customers for granted," says J.E. Henry, tech chief at the Regal Cinema theater chain. "They didn't care what we had to say about total cost of ownership, security, risk. After Steve took over, I saw a complete turnaround."
>
> In its days of complacency, IBM had a no-layoff policy. Ballmer, determined not to let deadwood accumulate in Redmond, Wash., lets go of 6.5% of the workforce every year for inadequate performance. He makes a valiant effort to penetrate the management honeycomb to rally the worker bees. He writes a quarterly overview, e-mailed to all employees, and also does several Webcasts a year.
> He regularly holds what he calls "skip-level one-on-ones" with individuals or groups of employees who are up to ten levels below him. Another method: "wallows" (his word)--impromptu meetings focused on the bigger issues; he recently challenged the Microsoft Business Solutions team to describe how it will target medium-size companies.
>
> Ballmer has put in place half a dozen internal surveys to give employees a sense that their opinions are heard. The Microsoft poll is an anonymous survey with 60 statements that employees are asked to rate, from "strongly disagree" to "strongly agree," on such topics as accountability and performance rewards. Last year Microsoft got 70,000 written responses to various questions.
>
> Customer satisfaction gets measured annually. Employees meet with managers every August to plan up to six "commitments" for the upcoming year. Each job is assigned to one of 15 levels--the system sounds a lot like civil service pay grades--and given a "competency tool kit," a list of the skills an employee of a particular type and level should have. At annual performance reviews, managers are compelled to rank employees on a scale of 1 to 5. Says Hopmann, the escapee now at Pure Networks, "There's a bureaucracy that over time has developed these rules. It has become a huge morale problem."
>
> Morale would no doubt be better if Microsoft were still growing at 50% a year, as it was doing 15 years ago. Not counting one-time gains from option accounting, net in the fiscal year just ended was up only 19%.
>
> The Xbox game console is hot, but its division has lost $4 billion in four years and isn't yet in the black. The mobile-software division, also losing money, has just a sliver of the market for cell phone handsets. Microsoft Business Solutions, after acquiring Great Plains Software for $1.1 billion and Navision for $1.4 billion, is supposed to deliver $10 billion in sales by 2010.
> At its current 6% growth rate, MBS will attain that goal in 43 years.
>
> Give us time, Ballmer says. "You could say 1995 to 2000 was about us winning on the desktop. Then 2000 to 2005 we won and drove the server market. And the next five years is all about driving and winning the Web," he says. Yet it was in 1995 that Gates issued his "tidal wave" memo, a clarion call to the Microsoft hordes: "Like the PC, the Internet is a tidal wave. It will wash over the computer industry and many others, drowning those who don't learn to swim in its waves." A decade later, is Microsoft poised to win the Web? Not by any measure.
>
> Then again, Microsoft is so vehemently competitive that it could yet prevail in videogames, searching and servers. Microsoft is "the world's largest startup," says star programmer Ray Ozzie, who wrote Lotus Notes and joined Microsoft in April when it acquired his startup, Groove. "No one seems to feel comfortable in their own skin here. It's weird. They still need to succeed."
>
> He observes what Ballmer is too proud to say: "The top executives get the potential Microsoft has. But the next tier of employees doesn't because of the stock price."
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/widdershins/attachments/20050913/bedcf96e/attachment-0001.html

From admin at netsyssec.com Wed Sep 14 12:11:18 2005
From: admin at netsyssec.com (N J)
Date: Wed Sep 14 12:12:28 2005
Subject: [widdershins] Forbes: Microsoft's Midlife Crisis
In-Reply-To: <6F807BD3DDD9874A9FDFD568F9EF381D02175752@INDIGO.outcastpr.com>
Message-ID:

Melissa,

I agree this seems odd. I emailed the author and she told me this - 'Microsoft's other divisions are money-losing, so Windows etc account for more than 100%'. This isn't correct, as obviously profits cannot exceed 100%.
I'm not sure what to say to her :O

N J

_____

From: widdershins-bounces@attrition.org [mailto:widdershins-bounces@attrition.org] On Behalf Of Melissa Shapiro
Sent: Tuesday, September 13, 2005 7:57 PM
To: widdershins@attrition.org
Subject: [widdershins] Forbes: Microsoft's Midlife Crisis

Anyone else wondering how this statistic could be right? 140% of profits?

The company relies on Windows and a suite of desktop applications--products released a decade ago--for 80% of sales and 140% of profits. Newer products--the Xbox videogame machine, the MSN online service, the wireless and small-business software--collectively have racked up $7 billion in losses in four years.
More recently, programmers at the MSN online service were ready to release a search tool letting users sift through their own PCs, but the research lab and the Windows division were working on similar efforts. Some argued that any new tool should wait to be bundled into Vista. Yusuf Mehdi, a top MSN executive, had to dicker inside the company for a month before striking a compromise that let MSN's and Vista's search tools both go ahead. Ballmer has moved to counter the drawbacks of bigness, pushing employees to focus more on customers and less on internal doings. At the sales meeting in July, former sales chief Kevin Johnson encouraged the crowd to "just say no" to internal requests and meetings. He has ordered all internal sales meetings to occur only on Tuesdays, so his reps can pitch to customers the rest of the time. Some customers say Microsoft is more responsive than it used to be. "The old Microsoft took its customers for granted," says J.E. Henry, tech chief at the Regal Cinema theater chain. "They didn't care what we had to say about total cost of ownership, security, risk. After Steve took over, I saw a complete turnaround." In its days of complacency, IBM had a no-layoff policy. Ballmer, determined not to let deadwood accumulate in Redmond, Wash., lets go of 6.5% of the workforce every year for inadequate performance. He makes a valiant effort to penetrate the management honeycomb to rally the worker bees. He writes a quarterly overview, e-mailed to all employees, and also does several Webcasts a year. He regularly holds what he calls "skip-level one-on-ones" with individuals or groups of employees who are up to ten levels below him. Another method: "wallows" (his word)--impromptu meetings focused on the bigger issues; he recently challenged the Microsoft Business Solutions team to describe how it will target medium-size companies. Ballmer has put in place half a dozen internal surveys to give employees a sense that their opinions are heard. 
The Microsoft poll is an anonymous survey with 60 statements that employees are asked to rate, from "strongly disagree" to "strongly agree," on such topics as accountability and performance rewards. Last year Microsoft got 70,000 written responses to various questions. Customer satisfaction gets measured annually. Employees meet with managers every August to plan up to six "commitments" for the upcoming year. Each job is assigned to one of 15 levels--the system sounds a lot like civil service pay grades--and given a "competency tool kit," a list of the skills an employee of a particular type and level should have. At annual performance reviews, managers are compelled to rank employees on a scale of 1 to 5. Says Hopmann, the escapee now at Pure Networks, "There's a bureaucracy that over time has developed these rules. It has become a huge morale problem." Morale would no doubt be better if Microsoft were still growing at 50% a year, as it was doing 15 years ago. Not counting one-time gains from option accounting, net in the fiscal year just ended was up only 19%. The Xbox game console is hot, but its division has lost $4 billion in four years and isn't yet in the black. The mobile-software division, also losing money, has just a sliver of the market for cell phone handsets. Microsoft Business Solutions, after acquiring Great Plains Software for $1.1 billion and Navision for $1.4 billion, is supposed to deliver $10 billion in sales by 2010. At its current 6% growth rate, MBS will attain that goal in 43 years. Give us time, Ballmer says. "You could say 1995 to 2000 was about us winning on the desktop. Then 2000 to 2005 we won and drove the server market. And the next five years is all about driving and winning the Web," he says. Yet it was in 1995 that Gates issued his "tidal wave" memo, a clarion call to the Microsoft hordes: "Like the PC, the Internet is a tidal wave. 
It will wash over the computer industry and many others, drowning those who don't learn to swim in its waves." A decade later, is Microsoft poised to win the Web? Not by any measure. Then again, Microsoft is so vehemently competitive that it could yet prevail in videogames, searching and servers.

Microsoft is "the world's largest startup," says star programmer Ray Ozzie, who wrote Lotus Notes and joined Microsoft in April when it acquired his startup, Groove. "No one seems to feel comfortable in their own skin here. It's weird. They still need to succeed." He observes what Ballmer is too proud to say: "The top executives get the potential Microsoft has. But the next tier of employees doesn't because of the stock price."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/widdershins/attachments/20050914/13f3139f/attachment-0001.html

From scott at urajah.net Wed Sep 14 12:15:08 2005
From: scott at urajah.net (Scott Sanders)
Date: Wed Sep 14 12:16:21 2005
Subject: [widdershins] Forbes: Microsoft's Midlife Crisis
Message-ID: <14A601735ABBD34AB0C94064B7EE52231C97@kallisti.urajah.net>

It makes sense if you think of it this way:

1 Billion = total profits = 100%
1.4 Billion = Profit from windows and desktops apps = 140% of total profits

It's still bad grammar and sensationalistic, but correct.

_Scott

________________________________
From: widdershins-bounces@attrition.org [mailto:widdershins-bounces@attrition.org] On Behalf Of N J
Sent: Wednesday, September 14, 2005 9:11 AM
To: widdershins@attrition.org
Subject: RE: [widdershins] Forbes: Microsoft's Midlife Crisis

Melissa,

I agree this seems odd. I emailed the author and she told me this - 'Microsoft's other divisions are money-losing, so Windows etc account for more than 100%'. This isn't correct, as obviously profits cannot exceed 100%.

I'm not sure what to say to her :O

N J

________________________________
From: widdershins-bounces@attrition.org [mailto:widdershins-bounces@attrition.org] On Behalf Of Melissa Shapiro
Sent: Tuesday, September 13, 2005 7:57 PM
To: widdershins@attrition.org
Subject: [widdershins] Forbes: Microsoft's Midlife Crisis

Anyone else wondering how this statistic could be right? 140% of profits?

The company relies on Windows and a suite of desktop applications--products released a decade ago--for 80% of sales and 140% of profits. Newer products--the Xbox videogame machine, the MSN online service, the wireless and small-business software--collectively have racked up $7 billion in losses in four years.

Microsoft's Midlife Crisis
Victoria Murphy, 09.13.05, 6:00 AM ET
http://www.forbes.com/2005/09/12/microsoft-management-software_cz_vm_0913microsoft.html?partner=daily_newsletter

Steven Ballmer, Microsoft's cheerleader and chief executive, takes the stage at the Georgia Dome in Atlanta to stoke the spirits of 10,000 faithful at the company's annual sales meeting. "Win, drive, innovate, impress!" he shouts, his forehead glistening under hot stage lights as ponds of sweat soak the pale blue shirt on his barrel-chested frame. "But there's a way people keep score. Billions! Billions! Billions! If you wanna grow, things that rhyme with 'billions' are very good," he roars, sprinting up and down the aisles to trade high fives with starstruck salespeople.

The crowd at the Georgia Dome loves it, but even Ballmer's booming voice can't mask the disturbing truth: Microsoft (Nasdaq: MSFT) is slowing down. It is bigger, more lumbering and less profitable than it was five years ago. Its sales are up 73% in five years, but profits are up only 30%. Payroll has doubled in the last six years. In the fiscal year just ended, sales rose only 8%, the first time the company has ever reported less than double-digit growth.

In the dog years of Silicon Valley, Microsoft, at 30, is in advanced middle age. The company relies on Windows and a suite of desktop applications--products released a decade ago--for 80% of sales and 140% of profits. Newer products--the Xbox videogame machine, the MSN online service, the wireless and small-business software--collectively have racked up $7 billion in losses in four years.

In Web-server software, Microsoft has 20% of the fast-growing market, while the free Apache program, a Linux variant, has 70%--worth $6 billion in revenue had Microsoft gotten the sales. In search, Google (Nasdaq: GOOG) and Yahoo! (Nasdaq: YHOO) get 70% of queries while MSN gets only 13%. Google now gives away features (desktop search, photo archiving) that Microsoft promises in its next upgrade of Windows--which is running two years late.

What has gone wrong? Microsoft, with $40 billion in sales and 60,000 employees, has grown musclebound and bureaucratic. Some current and former employees describe a stultifying world of 14-hour strategy sessions, endless business reviews and a preoccupation with PowerPoint slides; of laborious job evaluations, hundreds of e-mails a day and infighting among divisions so fierce that it hobbles design and delays product releases. In short, they describe precisely the behavior that humbled another tech giant: IBM (NYSE: IBM) in the late 1980s. Tellingly, IBM reached a point of crisis just over three decades after it started selling computers to commercial users.

"Microsoft is a vestige of the past," says Marc Benioff, chief of rival Salesforce.com, whose shares, since they were first offered to the public in June of last year, are up 27%; Microsoft's are down 5% in that period. Salesforce, which trades at 84 times next year's earnings (versus 20 for Microsoft), rents its software to businesses over the Internet. "Microsoft," Benioff says, "still wishes the Internet hadn't been invented."
"Microsoft has become what it used to mock," says Gabe Newell, a developer on the first three versions of Windows. At late-night rounds of poker with "Bill and Steve" in the mid-1980s, he says, "we laughed at IBM. They had all this process for monitoring productivity, and yet we knew they had spectacularly bad productivity. That's Microsoft now." Jeff B. Erwin, who quit in December after five years there, adds, "Microsoft has some of the smartest people in the world, but they are just crushing them. You have a largely unhappy population." Unhappy because they aren't getting rich the way they did in the 1990s. In September 2003 Microsoft ended its stock option program, replacing it with outright grants of shares, which aren't at the moment minting very many millionaires. Since the tech crash in 2000, Microsoft stock has lost half of its value, although it has done better than the next four entries in the March 2000 ranking of Nasdaq stocks by market capitalization: Cisco (nasdaq: CSCO - news - people ), Intel (nasdaq: INTC - news - people ), ITC DeltaCom (nasdaq: ITCD - news - people ) and Oracle (nasdaq: ORCL - news - people ). And now it is being eclipsed, in software cool and stock market excitement, by the upstart Google. The doubts and the sniping gnaw at Ballmer, 49, who became chief executive six years ago, just as the tech sector was peaking on Wall Street. "The one thing that frustrates me is any sense that the company doesn't have huge, amazing opportunity to change the world and huge, amazing opportunity to grow," he says. "We absolutely do. Will we execute well? That's my job." In many ways, Microsoft still looks invincible--its stock may even be a bargain. Surely it has the wherewithal to buy its way into new fields. Even after paying a $32 billion dividend last year, Microsoft has $40 billion in its pocket. With annual net income of $12 billion-plus, it outearns every other technology company. 
Moreover, the next 18 months could be filled with blockbusters. Fifteen product releases are set, including new versions of Windows, Office and the SQL database; the much-hyped Xbox 360 is to debut this holiday season. Microsoft is at its best when a new threat looms--as Netscape did a decade ago--and now it has the next one. Ballmer revs up the troops with a new battle cry: "Goo-GLE! Goo-GLE! Goo-GLE!" "Tone comes from the top," he says. "People have to be reminded that there's nothing that stands in our way of competing. Our capacity to learn is amazing." Ballmer is one of the richest men in the world. His 3.78% stake in his employer is worth $11 billion. Bill Gates owns 9.42% and, with other assets, has a net worth of $51 billion. And while Gates sells 20 million shares every quarter to diversify his assets, Ballmer rarely disposes of shares, and even then mainly for charitable purposes. He drives a seven-year-old Ford to the office every day. Ballmer grew up in the suburbs of Detroit, one of two children; his father was a manager at Ford Motor (nyse: F - news - people ), his mother raised the kids. Steve and Bill bonded at Harvard in their sophomore year. Bill dropped out, while Steve dutifully stayed on. Ballmer graduated in 1977, did a stint at Procter & Gamble (nyse: PG - news - people )and entered the Stanford Graduate School of Business in 1979. In 1980 Gates persuaded him to ditch the M.B.A. program and join Microsoft as employee No. 30. For two decades Ballmer was Bill Gates' right hand. He headed sales for Windows 95, then became president in 1998. In January 2000 Gates ceded the chief exec role in order to focus on the big picture. They talk or e-mail each other daily, and Ballmer consults with Gates even on small acquisitions. In Gates' grip the old Microsoft ran like a startup, even though it had long ceased to be one. A decision as small as hiring a product-marketing manager required approval from the very top. 
"There was no management structure," says Mich Mathews, a 12-year veteran who now heads marketing. "We were very hierarchical. If a guy in France wanted to do something, that had to go through Steve." Shortly after Ballmer took charge, he began looking at how to build some structure into an unwieldy management process. He interviewed a hundred employees at all levels. What emerged was an attempt to create a system with both accountability and flexibility. He recast the company into seven divisions and ordered each to publicly disclose a quarterly profit-and-loss statement, even though accounting rules don't require such revelations. "This will be a place with some structure, but structure that aids teamwork, not politics and bureaucracy," Ballmer told employees in a companywide e-mail in June of last year. "Nothing solves 'big company' ills quite like a strong focus on accountability for results with customers and shareholders." With accountability, though, comes competition for resources. The seven divisions act as rival fiefs, pursuing overlapping technologies and warring over whose code will prevail in the spaces where different divisions' products interact. "Windows and Office would never let MSN have more budget or more control," says Mark Jen, who quit Microsoft eight months ago. "MSN e-mail should talk to Office Calendar contacts and share appointments from Office with friends and family on the Web. But then MSN could cannibalize Office." The squabbling is delaying the release of the next version of Windows, called Vista. In 2001 Microsoft promised that Vista would be ready in 2003; by mid-2003 it said 2005. Now Vista is set for year-end 2006, the company vows; some analysts say early 2007 is more likely. Some employees complain that they spend hours tracking down collaborators in far-flung groups instead of talking to customers and taking products to market. Working on a huge project requires checking in with management constantly. 
"Instead of promoting the product to customers, I'd get stuck in the office until midnight preparing slides for my monthly product review," says David Ryan, 33, a marketer for Windows XP. He has just been freed up to pursue an incubation project in the server group, where he is happily exempt from most reviews. At Microsoft a "review" is often a progress report illustrated with 15 PowerPoint slides. Other staffers say that almost every move requires a lawyer's signature and that even routine approvals can take weeks. Recently one employee waited a month while a $10,000 purchase order for outside development work was held up by legal. By the time the lawyers were done, the budget for the deal had evaporated. Dennis Reno left Microsoft two years ago feeling burned out from bureaucracy. He'd worked 18-hour days but got little done because he was bogged down by paperwork. "The smallest issue would balloon into a nightmare of a thousand e-mails," says Reno, who is now at Plumtree Software (nasdaq: PLUM - news - people ). Ballmer views product integration as Microsoft's big advantage--how its software will reach from the desktop to servers, databases and the Web and onto phones, handhelds and set-top boxes. But reach means complexity. As it is, the last version of Windows has 50 million lines of code, and Vista will run a lot more. "Projects were weighed down by integration," says Alexander Hopmann, who quit Microsoft in March to join a home-networking startup, Pure Networks, in Seattle. In 2000 he worked on new storage software for Exchange, a server program that works with Microsoft Outlook e-mail, but the Outlook team, without admitting so, didn't want it. "They sent me a 200-page document that said our technology had to be 100% better than the current stuff. Then it failed, of course, so they did it themselves." 
More recently, programmers at the MSN online service were ready to release a search tool letting users sift through their own PCs, but the research lab and the Windows division were working on similar efforts. Some argued that any new tool should wait to be bundled into Vista. Yusuf Mehdi, a top MSN executive, had to dicker inside the company for a month before striking a compromise that let MSN's and Vista's search tools both go ahead. Ballmer has moved to counter the drawbacks of bigness, pushing employees to focus more on customers and less on internal doings. At the sales meeting in July, former sales chief Kevin Johnson encouraged the crowd to "just say no" to internal requests and meetings. He has ordered all internal sales meetings to occur only on Tuesdays, so his reps can pitch to customers the rest of the time. Some customers say Microsoft is more responsive than it used to be. "The old Microsoft took its customers for granted," says J.E. Henry, tech chief at the Regal Cinema theater chain. "They didn't care what we had to say about total cost of ownership, security, risk. After Steve took over, I saw a complete turnaround." In its days of complacency, IBM had a no-layoff policy. Ballmer, determined not to let deadwood accumulate in Redmond, Wash., lets go of 6.5% of the workforce every year for inadequate performance. He makes a valiant effort to penetrate the management honeycomb to rally the worker bees. He writes a quarterly overview, e-mailed to all employees, and also does several Webcasts a year. He regularly holds what he calls "skip-level one-on-ones" with individuals or groups of employees who are up to ten levels below him. Another method: "wallows" (his word)--impromptu meetings focused on the bigger issues; he recently challenged the Microsoft Business Solutions team to describe how it will target medium-size companies. Ballmer has put in place half a dozen internal surveys to give employees a sense that their opinions are heard. 
The Microsoft poll is an anonymous survey with 60 statements that employees are asked to rate, from "strongly disagree" to "strongly agree," on such topics as accountability and performance rewards. Last year Microsoft got 70,000 written responses to various questions. Customer satisfaction gets measured annually. Employees meet with managers every August to plan up to six "commitments" for the upcoming year. Each job is assigned to one of 15 levels--the system sounds a lot like civil service pay grades--and given a "competency tool kit," a list of the skills an employee of a particular type and level should have. At annual performance reviews, managers are compelled to rank employees on a scale of 1 to 5. Says Hopmann, the escapee now at Pure Networks, "There's a bureaucracy that over time has developed these rules. It has become a huge morale problem." Morale would no doubt be better if Microsoft were still growing at 50% a year, as it was doing 15 years ago. Not counting one-time gains from option accounting, net in the fiscal year just ended was up only 19%. The Xbox game console is hot, but its division has lost $4 billion in four years and isn't yet in the black. The mobile-software division, also losing money, has just a sliver of the market for cell phone handsets. Microsoft Business Solutions, after acquiring Great Plains Software for $1.1 billion and Navision for $1.4 billion, is supposed to deliver $10 billion in sales by 2010. At its current 6% growth rate, MBS will attain that goal in 43 years. Give us time, Ballmer says. "You could say 1995 to 2000 was about us winning on the desktop. Then 2000 to 2005 we won and drove the server market. And the next five years is all about driving and winning the Web," he says. Yet it was in 1995 that Gates issued his "tidal wave" memo, a clarion call to the Microsoft hordes: "Like the PC, the Internet is a tidal wave. 
It will wash over the computer industry and many others, drowning those who don't learn to swim in its waves." A decade later, is Microsoft poised to win the Web? Not by any measure. Then again, Microsoft is so vehemently competitive that it could yet prevail in videogames, searching and servers. Microsoft is "the world's largest startup," says star programmer Ray Ozzie, who wrote Lotus Notes and joined Microsoft in April when it acquired his startup, Groove. "No one seems to feel comfortable in their own skin here. It's weird. They still need to succeed." He observes what Ballmer is too proud to say: "The top executives get the potential Microsoft has. But the next tier of employees doesn't because of the stock price." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.attrition.org/pipermail/widdershins/attachments/20050914/f413f28a/attachment-0001.html From samuel at fas.harvard.edu Mon Sep 26 16:44:55 2005 From: samuel at fas.harvard.edu (Juliet Samuel) Date: Mon Sep 26 16:47:16 2005 Subject: [widdershins] Post to list In-Reply-To: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> Message-ID: <43385DC7.30306@fas.harvard.edu> What is this list? Why is my email on it? Can you remove me? Juliet Samuel On 30/08/2005 12:04, Melissa Shapiro wrote: > mshapiro@outcastpr.com > > > Welcome to the widdershins@attrition.org mailing list! > > To post to this list, send your email to: > > widdershins@attrition.org > > >------------------------------------------------------------------------ > >_______________________________________________ >widdershins mailing list >widdershins@attrition.org >http://www.attrition.org/mailman/listinfo/widdershins > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.attrition.org/pipermail/widdershins/attachments/20050926/57f0ecad/attachment.html

From marlowe at antagonism.org Mon Sep 26 16:50:48 2005
From: marlowe at antagonism.org (marlowe)
Date: Mon Sep 26 16:53:49 2005
Subject: [widdershins] Post to list
In-Reply-To: <43385DC7.30306@fas.harvard.edu>
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu>
Message-ID: <43385F28.8080705@antagonism.org>

Juliet Samuel wrote:
> What is this list? Why is my email on it? Can you remove me?
>
> Juliet Samuel
>
> On 30/08/2005 12:04, Melissa Shapiro wrote:
>
>> mshapiro@outcastpr.com
>>
>>
>> Welcome to the widdershins@attrition.org mailing list!
>>
>> To post to this list, send your email to:
>>
>> widdershins@attrition.org
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> widdershins mailing list
>> widdershins@attrition.org
>> http://www.attrition.org/mailman/listinfo/widdershins
>>
>>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> widdershins mailing list
> widdershins@attrition.org
> http://www.attrition.org/mailman/listinfo/widdershins

Juliet,

If you follow the links provided in the footers, you will find the answer to your questions.

Patrick

From hellnbak at nmrc.org Mon Sep 26 20:11:43 2005
From: hellnbak at nmrc.org (hellNbak)
Date: Mon Sep 26 19:21:12 2005
Subject: [widdershins] Post to list
In-Reply-To: <43385F28.8080705@antagonism.org>
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu> <43385F28.8080705@antagonism.org>
Message-ID:

LSD must be gettin stronger these days...

On Mon, 26 Sep 2005, marlowe wrote:

> Juliet Samuel wrote:
>> What is this list? Why is my email on it? Can you remove me?
>>
>> Juliet Samuel
>>
>> On 30/08/2005 12:04, Melissa Shapiro wrote:
>>
>>> mshapiro@outcastpr.com
>>>
>>>
>>> Welcome to the widdershins@attrition.org mailing list!
>>>
>>> To post to this list, send your email to:
>>>
>>> widdershins@attrition.org
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> widdershins mailing list
>>> widdershins@attrition.org
>>> http://www.attrition.org/mailman/listinfo/widdershins
>>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> widdershins mailing list
>> widdershins@attrition.org
>> http://www.attrition.org/mailman/listinfo/widdershins
>
> Juliet,
>
> If you follow the links provided in the footers, you will find the answer to
> your questions.
>
> Patrick
>
> _______________________________________________
> widdershins mailing list
> widdershins@attrition.org
> http://www.attrition.org/mailman/listinfo/widdershins
>

From zen at MIT.EDU Mon Sep 26 19:26:43 2005
From: zen at MIT.EDU (will taggart)
Date: Mon Sep 26 19:29:05 2005
Subject: Dilatory post, Re: [widdershins] Post to list
In-Reply-To:
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu> <43385F28.8080705@antagonism.org>
Message-ID:

Sounds like the Admiral James Stockdale: "Who am I?" "Why am I here?" The first existentialist vice-presidential candidate. Those were the days...

_____________________________________
Will Taggart
Graduate Student
Science, Technology and Society
Massachusetts Institute of Technology
Mail: zen@mit.edu

On Mon, 26 Sep 2005, hellNbak wrote:

> LSD must be gettin stronger these days...
>
> On Mon, 26 Sep 2005, marlowe wrote:
>
> > Juliet Samuel wrote:
> >> What is this list? Why is my email on it? Can you remove me?
> >>
> >> Juliet Samuel
> >>
> >> On 30/08/2005 12:04, Melissa Shapiro wrote:
> >>
> >>> mshapiro@outcastpr.com
> >>>
> >>>
> >>> Welcome to the widdershins@attrition.org mailing list!
> >>>
> >>> To post to this list, send your email to:
> >>>
> >>> widdershins@attrition.org
> >>>
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> widdershins mailing list
> >>> widdershins@attrition.org
> >>> http://www.attrition.org/mailman/listinfo/widdershins
> >>>
> >>
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> widdershins mailing list
> >> widdershins@attrition.org
> >> http://www.attrition.org/mailman/listinfo/widdershins
> >
> > Juliet,
> >
> > If you follow the links provided in the footers, you will find the answer to
> > your questions.
> >
> > Patrick
> >
> > _______________________________________________
> > widdershins mailing list
> > widdershins@attrition.org
> > http://www.attrition.org/mailman/listinfo/widdershins
> >
> _______________________________________________
> widdershins mailing list
> widdershins@attrition.org
> http://www.attrition.org/mailman/listinfo/widdershins
>

From thegnome at nmrc.org Mon Sep 26 21:17:51 2005
From: thegnome at nmrc.org (Simple Nomad)
Date: Mon Sep 26 20:27:20 2005
Subject: [widdershins] Post to list
In-Reply-To: <43385DC7.30306@fas.harvard.edu>
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu>
Message-ID:

On Mon, 26 Sep 2005, Juliet Samuel wrote:

> What is this list? Why is my email on it? Can you remove me?

http://attrition.org/mailman/listinfo/widdershins

See the above link. You can figure out how to unsubscribe from there...
-SN

From madsaxon at direcway.com Mon Sep 26 20:54:43 2005
From: madsaxon at direcway.com (madsaxon)
Date: Mon Sep 26 20:56:44 2005
Subject: [widdershins] Post to list
In-Reply-To:
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu>
Message-ID: <6.0.3.0.2.20050926195312.02b6fec0@pop3.direcway.com>

At 08:17 PM 9/26/2005, Simple Nomad wrote:

>See the above link. You can figure out how to unsubscribe from there...

But how do these people get on lists in the first place?
Either the signup/authentication process is flawed/nonfunctional, or the
chaos butterfly is lurking nearby.

m5x

From jericho at attrition.org Mon Sep 26 20:58:30 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Sep 26 20:58:32 2005
Subject: [widdershins] Post to list
In-Reply-To: <6.0.3.0.2.20050926195312.02b6fec0@pop3.direcway.com>
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu> <6.0.3.0.2.20050926195312.02b6fec0@pop3.direcway.com>
Message-ID:

: > See the above link. You can figure out how to unsubscribe from there...
:
: But how do these people get on lists in the first place?
: Either the signup/authentication process is flawed/nonfunctional,

All lists here require confirmation of subscription, so a single spoofed
mail will not do the trick.

From madsaxon at direcway.com Tue Sep 27 01:00:33 2005
From: madsaxon at direcway.com (madsaxon)
Date: Tue Sep 27 01:02:36 2005
Subject: [widdershins] Post to list
In-Reply-To:
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu> <43385F28.8080705@antagonism.org>
Message-ID: <6.0.3.0.2.20050926235946.02c5aea0@pop3.direcway.com>

At 07:11 PM 9/26/2005, hellNbak wrote:

>LSD must be gettin stronger these days...

Well, they've had a long time to make improvements on the stuff that
Leary left behind.
;-)

From andre.ludwig at gmail.com Tue Sep 27 01:13:17 2005
From: andre.ludwig at gmail.com (Andre Ludwig)
Date: Tue Sep 27 01:15:11 2005
Subject: [widdershins] Post to list
In-Reply-To:
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu> <6.0.3.0.2.20050926195312.02b6fec0@pop3.direcway.com>
Message-ID: <9d03f28f05092622133ec46a52@mail.gmail.com>

On 9/26/05, security curmudgeon wrote:
> All lists here require confirmation of subscription, so a single spoofed
> mail will not do the trick.

I see now...

But what if a single trick was spoofed to the mail as a confirmation
to the subscription list?!!

As always I blame the hurricane machine, baby midget jesus, and the
aliens for the seemingly perfect blend of chaos, delusions, and mild
humor in this message.

So what's everyone think about securing information by encrypting its
display mechanism and controlling its dissemination?

http://optics.org/articles/news/10/4/20/1#securedisplay

and another different technology, with the same results.

http://www.merl.com/projects/privatedisplay/

Dre

From shizitmilitant at gmail.com Tue Sep 27 18:58:30 2005
From: shizitmilitant at gmail.com (Jared Stone)
Date: Tue Sep 27 19:00:43 2005
Subject: [widdershins] Post to list
In-Reply-To: <9d03f28f05092622133ec46a52@mail.gmail.com>
References: <6F807BD3DDD9874A9FDFD568F9EF381D02078268@INDIGO.outcastpr.com> <43385DC7.30306@fas.harvard.edu> <6.0.3.0.2.20050926195312.02b6fec0@pop3.direcway.com> <9d03f28f05092622133ec46a52@mail.gmail.com>
Message-ID:

On 9/27/05, Andre Ludwig wrote:
>
> On 9/26/05, security curmudgeon wrote:
>
> > All lists here require confirmation of subscription, so a single spoofed
> > mail will not do the trick.
> >
>
> I see now...
>
> But what if a single trick was spoofed to the mail as a confirmation
> to the subscription list?!!
>
> As always I blame the hurricane machine, baby midget jesus, and the
> aliens for the seemingly perfect blend of chaos, delusions, and mild
> humor in this message.
>
> So what's everyone think about securing information by encrypting its
> display mechanism and controlling its dissemination?
>
> http://optics.org/articles/news/10/4/20/1#securedisplay
>
> and another different technology, with the same results.
>
> http://www.merl.com/projects/privatedisplay/
>
> Dre
>

It's either the LSD or her hubby was using her email.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/widdershins/attachments/20050927/2429d721/attachment-0001.html
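The point argued in the thread above, that a list requiring "confirmation of subscription" is not fooled by one spoofed subscribe mail, and Andre's follow-up question of what happens if the confirmation is spoofed as well, as an added example. This is illustrative code written for this page; it is not attrition.org's list software and not Mailman's code. It assumes a per-list HMAC secret, a three-day token lifetime and an in-memory outbox standing in for SMTP delivery; the list name, the address juliet@example.org and the scenario are all constructed.

```python
import hashlib
import hmac
import secrets
import time

CONFIRM_TTL = 3 * 24 * 3600  # assumed: a confirmation token lives for three days


class ListServer:
    """Minimal double-opt-in list server (constructed example, not Mailman)."""

    def __init__(self, list_name, secret=None):
        self.list_name = list_name
        # per-list secret; someone who can only spoof mail never learns it
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.members = set()
        self.outbox = []  # (recipient, body) pairs; stands in for SMTP delivery

    def _mac(self, address, expires):
        # bind the token to this list, the claimed address and its expiry
        msg = f"{self.list_name}|{address}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def handle_subscribe_request(self, claimed_from, now=None):
        """A 'subscribe' mail arrives. Its From: is attacker-controlled, so the
        address is NOT added; a token is mailed only to that address."""
        now = int(time.time() if now is None else now)
        address = claimed_from.strip().lower()
        expires = now + CONFIRM_TTL
        token = f"{expires}:{address}:{self._mac(address, expires)}"
        self.outbox.append((address, f"confirm {token}"))
        # nothing goes back to the requester: the token exists only in the
        # mailbox of the claimed address, which a spoofer cannot read

    def handle_confirm(self, token, now=None):
        """A 'confirm <token>' mail arrives. Sender headers are ignored because
        they can be spoofed; only a valid, unexpired token subscribes."""
        now = int(time.time() if now is None else now)
        try:
            expires_s, rest = token.split(":", 1)
            address, mac = rest.rsplit(":", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        # constant-time compare so a forger learns nothing from timing
        if not hmac.compare_digest(mac, self._mac(address, expires)):
            return False
        if now > expires:
            return False
        self.members.add(address)
        return True

    def mailbox(self, address):
        """What the owner of `address` can read (and a spoofer cannot)."""
        return [body for rcpt, body in self.outbox if rcpt == address.lower()]


def spoofed_subscribe_scenario(now=1_000_000):
    """Attacker forges a subscribe request in the victim's name, then tries to
    forge the confirmation too. Returns the outcome of each step."""
    srv = ListServer("widdershins")
    victim = "juliet@example.org"  # constructed address
    srv.handle_subscribe_request(victim, now=now)
    added_by_request_alone = victim in srv.members

    # The attacker knows the token format but not the secret: a guessed MAC fails.
    forged = f"{now + CONFIRM_TTL}:{victim}:{'0' * 64}"
    attacker_confirm = srv.handle_confirm(forged, now=now + 60)

    # The real owner reads the token from her own mailbox and confirms.
    real_token = srv.mailbox(victim)[0].split(" ", 1)[1]
    owner_confirm = srv.handle_confirm(real_token, now=now + 60)

    return {
        "added_by_request_alone": added_by_request_alone,
        "attacker_confirm": attacker_confirm,
        "owner_confirm": owner_confirm,
        "member_now": victim in srv.members,
        # a real token is useless after its TTL and on a list with another secret
        "expired_confirm": srv.handle_confirm(real_token, now=now + CONFIRM_TTL + 1),
        "other_list_confirm": ListServer("other-list").handle_confirm(real_token, now=now + 60),
    }


if __name__ == "__main__":
    for step, outcome in spoofed_subscribe_scenario().items():
        print(f"{step}: {outcome}")
```

The check proves control of the mailbox, nothing more: a spoofed subscribe request creates no membership, and a spoofed confirmation fails because the MAC is over a secret the spoofer never sees. The genuine failure mode is someone who can read the victim's mail, which is why the "her hubby was using her email" guess in the thread is the one explanation the confirmation step cannot rule out. Replaying a token within its TTL only re-adds the same address, so the stateless design needs no store of pending requests.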