Hurlman.Tech

/* Blogging when the NDA allows */

From CNet:

Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch. [...] Microsoft acknowledged the latest issue and said more fixes would be forthcoming.

I've had it.  I really have.  I'm normally one to defend Microsoft to the bitter end, if for no other reason than having a good argument, but I give up.  The problem is, I can't find a better browser to use.

STOP.  Stop right there.  I've been using MyIE2 for quite some time, complete with tabbed browsing, mouse gestures, ad blocker, etc, etc.  Don't you say FireFox... I've tried it, more than once - I tried to force myself to use it earlier this month after the last security hole was found... but I can't.

There aren't any major functionality problems; it's the little things.  Tiny pieces that aren't quite right, mostly having to do with not enough options being exposed in the UI.  No, about:config doesn't count... that's horribly lame... entirely too much hunting for an option that may or may not be on that giant list.

Sooooo, what are the alternatives?  Opera?  Netscape?  Jimmy's Neat-o Browser 5000?  I don't want to run a beta; I don't want to have to spend longer than 30 seconds to find an option and change it, and I can't at this point give up the tabbed browsing and gestures.  Am I asking too much?

Sigh.

- G



Creative Commons License This work is licensed under a Creative Commons License.

Microsoft Security Summit a bust

I don't know if Microsoft didn't give the session presenters any of the session materials ahead of time, or if the presenters just didn't bother to run through the demos, but the sessions in both the IT 300 and Developer tracks were just awful - I can't speak to the IT 200 track; neither I nor my compatriots attended any of those sessions.

First of all, even in the IT 300 track - the supposed advanced track - very little information beyond a basic walkthrough of anything was given.  Second, even though it seemed like we were watching someone walk through a hands-on lab for the first time (constantly referring back to their steps), things still went wrong.  When something happened that wasn't specifically spelled out in the steps that were provided, the presenters were lost.

If you're new to the field and want to get a decent look at the minimum you need to know security-wise these days, I'm sure you'll get good use out of the day's events.  If you've been in the field for a while, and you're looking for in-depth insight into how Microsoft does security, you'll probably want to save yourself the time, and pop for some other training at a later date.

Just my 2 cents - I would've posted this last week, but I've been constantly on the move since Thursday morning... I'll be back on the ball this week; promise!

- G


This from the GNOME sysadmin team via Slashdot:

We've discovered evidence of an intrusion on the server hosting www.gnome.org and other gnome.org websites. At the present time, we think that the released gnome sources and the gnome source code repository are unaffected.

Wow.  In the last six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME... say what you will about the state of things with Windows servers - goodness knows it's not perfect.  Just how hard is it to harden a Linux server on the net, when the sysadmins of these übervisible websites can't get it right?

I first had my eyes opened wide to the threat of widespread security problems while I was working for MS PSS, on the IIS team, during that wonderful summer of Code Red, Code Blue, Code Red II, Nimda... there was more, but I've lost count.  Staying up until all hours of the night helping the world's sysadmins that had been caught with their pants around their ankles (so to speak) led me to make a promise to myself - that I was never going to work for a company that allowed security and patch management to be so slack.

When I joined my current company, in my first week I decided to get an idea of what the security situation was - it took me two days to get all the data, format it, and determine a good course of action.  As fate would have it, a new critical patch was released during those two days, rendering my work obsolete... that pissed me off like I'm sure all too many of you would understand.

In the ensuing 6 months, I took HFNetChk's XML output, built an app that would scan Active Directory for servers, use HFNetChk to scan them, wrap the XML up, ship it to a central webservice, and used ASP.Net to put together a decent looking (I'm no designer, but I thought it looked good) reporting website.  Now, we've got all 26 sites polling and submitting data for over 2000 servers worldwide, and we know exactly which servers need what as soon as Microsoft releases a patch.  SMS 2003 and Group Policy handle the workstations - not my jurisdiction.  It's special, and I'm damn proud of it, but I'm sure a good percentage of the people reading this could do the same - but have you?  Have you decided to pick up NetIQ's Security Analyzer, or some other tool to do your patch management?  What's your story?
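As an added illustration (not the author's code, and not HFNetChk's real output format), here is a small Python sketch of the central aggregation step the post describes: parse the per-server XML each site posts, drop malformed uploads so one bad upload can't poison the report, and answer the release-day question of which servers still need a given patch. The XML layout, host names, site names, patch IDs and timestamps are all constructed placeholders. It also flags hosts whose last scan is stale, since a server that has stopped reporting otherwise looks "fully patched" in a naive report.

```python
"""Aggregate per-server patch-scan XML into a 'which servers need what' view.

Added illustration only. The <scan>/<patch> layout below is a constructed
stand-in for the scanner XML the post describes; it is not HFNetChk's schema.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample uploads, as if three sites had each posted one scan.
# Host names, sites, patch ids and timestamps are placeholders.
SAMPLE_REPORTS = [
    """<scan host="web01.example.test" site="Raleigh" scanned="2024-01-10T08:00:00+00:00">
         <patch id="KB-EXAMPLE-1" status="missing"/>
         <patch id="KB-EXAMPLE-2" status="installed"/>
       </scan>""",
    """<scan host="sql01.example.test" site="Raleigh" scanned="2024-01-10T08:05:00+00:00">
         <patch id="KB-EXAMPLE-1" status="missing"/>
         <patch id="KB-EXAMPLE-2" status="missing"/>
       </scan>""",
    """<scan host="file01.example.test" site="Charlotte" scanned="2023-12-01T08:00:00+00:00">
         <patch id="KB-EXAMPLE-1" status="installed"/>
         <patch id="KB-EXAMPLE-2" status="installed"/>
       </scan>""",
    '<scan host="broken01.example.test"',  # truncated upload; must be rejected
]

# Constructed "current time" used for the staleness check.
SAMPLE_NOW = datetime(2024, 1, 11, tzinfo=timezone.utc)


def parse_report(xml_text):
    """Parse one scan upload; return None if the XML is unusable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "scan" or not root.get("host"):
        return None
    missing = sorted(p.get("id") for p in root.findall("patch")
                     if p.get("status") == "missing" and p.get("id"))
    scanned = root.get("scanned")
    return {
        "host": root.get("host"),
        "site": root.get("site", "unknown"),
        "scanned": datetime.fromisoformat(scanned) if scanned else None,
        "missing": missing,
    }


def load_reports(xml_texts):
    """Parse every upload, silently dropping the ones that fail validation."""
    parsed = (parse_report(t) for t in xml_texts)
    return [r for r in parsed if r is not None]


def hosts_missing(reports, patch_id):
    """Hosts that still need a given patch: the question asked on release day."""
    return sorted(r["host"] for r in reports if patch_id in r["missing"])


def by_patch(reports):
    """Map each patch id to the sorted list of hosts missing it."""
    out = defaultdict(list)
    for r in reports:
        for pid in r["missing"]:
            out[pid].append(r["host"])
    return {pid: sorted(hosts) for pid, hosts in out.items()}


def stale_hosts(reports, now, max_age=timedelta(days=7)):
    """Hosts whose last scan is older than max_age, or carries no timestamp.

    A host that stopped reporting would otherwise show no missing patches,
    which is the wrong conclusion, so it is surfaced separately.
    """
    return sorted(r["host"] for r in reports
                  if r["scanned"] is None or now - r["scanned"] > max_age)


def site_summary(reports):
    """Per site: (hosts reporting, hosts missing at least one patch)."""
    totals = defaultdict(lambda: [0, 0])
    for r in reports:
        totals[r["site"]][0] += 1
        if r["missing"]:
            totals[r["site"]][1] += 1
    return {site: tuple(v) for site, v in totals.items()}


if __name__ == "__main__":
    reports = load_reports(SAMPLE_REPORTS)
    print("need KB-EXAMPLE-1:", hosts_missing(reports, "KB-EXAMPLE-1"))
    print("by patch:", by_patch(reports))
    print("stale:", stale_hosts(reports, SAMPLE_NOW))
    print("per site:", site_summary(reports))
```

The staleness check is the part worth copying into any such reporting site: counting a silent host as compliant is the same mistake as having no scan at all.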

Microsoft's Security Summit is coming up, and there's actually a breakout session scheduled for Patch Management - I'll be there... in Raleigh, not the previously reported Charlotte - longish, boring story.  Are you planning on going?  Why?  Why not?  It is, after all, free.

- G


Browsing through the Microsoft Partners site as I am wont to do at times, I found a link to their Security Summit, coming here to North Carolina next month, and then on to 18 cities in other states into the summer.  If you thought DevDays was a great value for what they gave you (I didn't go - wasn't worth the 3 hour drive to get what seemed to me to be a mini-PDC overview), then absolutely consider heading out for this.

It's not just development this time; in fact, there's only one development track through the day.  The other two tracks are for IT Professionals - an intermediate and advanced track it would seem.  I'll most likely mix and match between the advanced IT sessions and the dev sessions through the day - after all, I bounce back and forth in a normal workday, so why not do it for the training too.

For all of you wondering if you can convince your boss to let you out for another day after DevDays - be sure to include in your pitch that the Security Summit is 100% free.  That's right, for the low, low price of $0.00 you can attend - but only if you register before your city's space fills up.

I'll be in Raleigh on April 8th, still unsure if I'll don my PDC blogger t-shirt for the event... have any of you dared wear that shirt outside of the LA Convention Center?  Anyway, if you're going to be there too, drop me a line - maybe we can swing a blogger meetup.

- G
