What? I think it's pretty clear that anyone using Apache does so at their own peril now. Why is it moronic to assume that administrators interested in their users' security will let go of ideology and begin using IIS?
A year of NSA revelations, 2 major POSIX security flaws and not a peep about CryptoAPI. However it shakes out with IIS, the debate about open vs closed source security is close to being settled for good.
Companies and people hand over evidence all the time without a warrant, so I'm not sure what your point is. A warrant is for an unauthorized search. This search was already authorized.
I really don't understand why this group would rather have cops searching through Hotmail than MS. Seems that every other story about the government searching emails has this site up in arms, but when MS does it you run back to the government. So weird.
Basically, yes, but it's a massive gulf right now. Some organizations can get away with it because of their skillsets, but it's hard to sustain and they have trouble hiring.
The U of A where I worked has a large OSS infrastructure, that I helped manage, and it's hard to hire good people to support it. They manage it, but it would be impossible to scale it out to the desktop for 800 end user IT people, 10 000 staff and 45 000 students in the computer labs. In contrast, the EA agreement is only low 7 figures for all their MS licensing.
It's changing, and it will likely be a completely different ballgame in 10 years, but it's not really a contest at my level.
After attacking Mike over one thing, I have to step in here and defend him. He is a friend of the general public, not Google. It's just that in a lot of ways Google has aligned incentives with the public because their business model is public trust (to a large degree). Microsoft's interests are aligned with their Enterprise customers and OEMs where the bulk of their revenues come from. So it might look like he's a Google supporter, but really issue by issue he agrees with them more often than MS.
This is changing as Google becomes more attracted to Enterprise revenues (very stable), and MS becomes more consumer focused. As their incentives drift towards each other their behavior will become more similar and Mike will hate on them equally (or cash twice the shill checks as you seem to think).
That's a fair point, but I'm not 100% sure it's a better solution. I think they already hand over too much information to law enforcement. Microsoft at least has an incentive to only look at pertinent information and to scrub it when they're done. Law enforcement has no such incentive. I think the obvious solution is a neutral 3rd party or a Cloud Services regulatory board to handle sensitive issues like this.
I think a lot of the outrage towards this is because people don't understand how big a deal this is to Microsoft's biggest customers, both OEMs and EAs. They had to do something, and they did, they just didn't have a good solution on hand and guessed wrong.
This would be true if software licensing was anything but a drop in the bucket for an organization's IT budget. Also, Microsoft at least gives a ton of free consulting hours with large EAs. Every organization has a mix of open and closed source stuff but the licensing costs don't determine what's most expensive, ease of update is. We get dinged by our auditors if our software isn't up to date, and the ease of transition that closed source stuff usually has (except ERP stuff and Oracle) offsets the cost of the license.
It's complicated, but man hours, power, user hardware, user training and consulting make up the bulk of an IT budget. Training 100 000 users on something new costs WAY more than licensing 100 000 Windows workstations at 60 bucks a pop. And don't get me started on migrating from Office.....
To further obfuscate, a better solution might be to go back to the honor-system activation model and then this wouldn't be such a big problem, but that's a completely separate argument that I think you and I would agree on.
I have to disagree, and I'm a lot more qualified to make that argument. If VLM code gets into the wild that has MASSIVE implications for all of their biggest customers. I run a 150k user AD environment right now, and we would have had to make large, high impact changes to our activation model if the activation code was under threat.
It's my job to be VERY aware of what's going on here, and even though I personally hate that they did this, professionally I have to stand with them, and that's why they did it.
This is a VERY long conversation, but a lot of it comes down to 3 things: Manageability, supportability, and cost to confirm (testing).
Manageability: making environment wide changes (and confirming they were successful) is very difficult in an enterprise Linux environment, and prone to failure. Getting better every day, but not there yet and the least of the issues.
Supportability: Not that it's necessarily harder, but it is WAY more expensive to pay a Linux systems analyst to do workstation support than it is to pay a tech support monkey with a HS education. Scale that out to 1000+ IT people, and it's a multi-million dollar problem.
Confirmation/Testing: This is a lot more nuanced, and really only affects the ultra-large enterprises, but having a consistent code base among your 100 000+ computers in a large enterprise has economies of scale when testing new rollouts that are impossible to replicate in a package-based environment. It comes down to man-hours required to test changes under an ITIL/COBIT managed environment. Again, efforts are being made (successfully) to nullify this problem, but it still exists.
That's a BS argument. Exploits come from bugs, having access to source allows you to find bugs. Or workarounds. And yes, we are reliant on Microsoft OS's in the enterprise because there isn't another option. I know you are about to explain to me how Linux can do it, but I'm an Enterprise Architect and you aren't, and you're wrong.
They had no legal options, they did explore them and described them in detail. Because of the CFAA, email on a server belongs to the company that owns the server, not the user or any 3rd party. You cannot legally subpoena property or information that you yourself own.
This is a MAJOR flaw in the US legal system, and Google/Apple/Facebook would be forced to do this the same way in similar circumstances. Except they don't have enterprise customers that they have contracts with to secure their code, so they aren't as worried about this issue and are using it to attack Microsoft.
There is a Techdirt article from years back of Google doing the same thing (to Gchat messages) when one of their engineers was abusing his access to communicate with minors. They had no issue looking through the mis-accessed accounts to confirm that.
Get your reps to change the CFAA and make information you create, stored at a 3rd party your own property. Otherwise, cloud storage providers will ALWAYS be forced to use only internal policies to decide these matters.
Your read on this case, Mike, is a bit off. It had nothing to do with a copy of Windows 8, but source code relating to the Volume Activation mechanics in Windows 8/Server 2012. This is a REALLY BIG DEAL to people like me running open activation systems that would then be exploitable. They made a promise to other customers, paying customers, that they would do everything in their power to keep that code secure.
How they did it is one thing, and you can be against that, but claiming that they did not have a VERY good reason for doing so is intellectually dishonest.
This is actually a problem with the CFAA that makes your email sitting on a server the company's problem. I guarantee they are correct that there is no way to subpoena emails you legally own. Remember, in US cloud services the provider owns that data because of the antiquated law. Fix it! They shouldn't, and MS should require a court order to search it.