Slashdot Mirror
Microsoft, zlib, and Security Flaws
nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
Where do ya think their tcp/ip stack came from...might be BSD...hmmm
Slashdot, the site where everything's made up and the points don't matter
Any bets on how long before Microsoft issues a press release noting that this is yet another risk of using evil open source and open standards?
I do not deploy Linux. Ever.
the real implications behind. I'll proabbly be flamed for just looking for info, but how does this change anything that we have known about MS software being insecure?
Darn, and I thought they were caught with their pants down.
But to me it still is interesting that a company that is trying to stomp every competitor, and is spreading so much FUD about any sort of free or open software is using it themselves. (We all knew that, I just thought I'd emphasize it again.)
what?
Whoops, considering they advise not even reading open source for risk of integration of the code into their codebase and risking breach of the license.
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
No way. M$'s doesn't perform well enough to have come from BSD.
It seems to be not the cae since Windows 2000 - did not they redo the stack for it? Am I right?
<^>_<(ô ô)>_<^>
Wrong. They advise not reading GPL code, not open source code.
That is quite a big difference.
How do we know they never used GPL'ed code anywhere?
since zlib is not GPL'd they are under no obligation to release the source code to any of their products.
Gee, well duh.
'Since Bill Gates office is not within the boundaries of the Cleveland zoo, he doesn't have to pay admission each day to go to work.'
I mean, what does 'obligation to release the source code' have to do with anything? Is this going to be one of those 'flog any non GPL license' discussion threads?
I wonder if anyone is keeping a running tally since the security initiative started???
Here is another bug with the MicroSoft SQL server. They've got overflows in their stored procedures. No fix, but you can delete the files if you can live without them....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
I thought the bug was caused by glibc, which made the bug worthless on non-glibc systems.
So in other words, Microsoft software sucks because of Open Source. Did anyone NOT see this coming?
Of course, having everything derive code from the same source is a risk; isn't this part of the reason the ping of death was so much of an issue?
You'd be right :), starting with Win2k, and in WinXP, they're using basically Unix TCP/IP sockets. Must admit that it does work much better than Win9x for network connectivity.
...if the government hadn't worked so hard to limit Microsoft's ability to innovate.
InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
that they should post this infoworld article this morning. and I quote
Just for some balance, Linux also has its problems. If you actually compare them, the amount of vulnerabilities found in Windows and all Linux flavors combined are almost the same on a yearly basis. So just choose the best OS platform for the application and PRACTICE SECURE COMPUTING.
Oh the irony.
I don't have any idea why MS chose to use the zlib library but it wasn't for "buglessness". MS creates enough of their own bugs they don't need to go borrow someone elses. Of course they didn't know about the bugs at the time, but still, methinks they used the code for less altruistic purposes.
Here's what I want to know: the zlib maintainers know that their code is heavily used in open source product, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.
It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?
The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.
Your right to not believe: Americans United for Separation of Church and
No... Microsoft will, of course, apply the open source patch to it's zlib package and recompile, thus demonstrating the viability of the open source approach to security (keep the system open, so anyone can patch the security holes, instead of keeping it closed, hoping that nobody will discover the security holes that are inevitably there).
And Open Source scores one point.
Comment removed based on user account deletion
Either way, browsing other competitor products code whether its free, open GPL or whatever is gonna be risky for a business in legal terms.
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
Microsoft is still trying to determine which apps incorporated zlib code? My Linux box already has all its apps fixed. How long until M$ gets patches out? Weeks? Months?
How am I supposed to fit a pithy, relevant quote into 120 characters?
And yet again, it is being reported that this zlib issue is leaving a "hefty" portion of systems vulnerable to attack. Forgive my ignorance, but how? In the previous discussion on the topic, I read some posts that sort of explained a possible risk that might occur if there's a full moon and the lighting is just right.
So I ask you: what? From what I've heard the worst that could happen is your system could crash. I hardly see that as any sort of real issue, since programs like to do that all the time.
Of course, having everything derive code from the same source is a risk
Depends on how you look at it. If there were N completely independent TCP/IP implementations out there, wouldn't there be N times as many bugs (each one affecting 1/N as many systems, on average). Homogeneity means only one codebase to debug and fix. But of course when a bug is found, it affects everyone.
Is this another example of why MS needs to be free of regulation in order to Innovat...ively copy other peoples work?
Shame.
Stop Continental Drift! Reunite Gondwanaland!
Naive question probably, but if zlib isn't GPL then does Debian use a different library and if so, is it affected by this issue?
Richard Stallman? Dick, is that you?
Slashdot, the site where everything's made up and the points don't matter
is if when they released the patch for the security flaw they made the patch GPL... just imagine Microsoft having to recode all that stuff for themselves :)
' Ore stabit fortis a fine placet ore stat '
- found on a park bench
"The zlib library has been a fundamental open-source software component for almost a decade and can be found in almost every Linux and Unix system. That means the so-called "double free" flaw in the library may leave a hefty portion of Linux and Unix systems open to attack. Because it adopted some of the code, Microsoft apparently has made itself vulnerable to the flaw as well. "
Disclaimer: I am not a security weenie, so I don't know this for fact......*deep breath*....
If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?
*bash MS* bash bash bash....it's popular right?
Sent from your iPad.
Development Team,
Thank you! I have been saying for years that Open Source is EVIL! Now we have even more proof. With this latest failure of open source code we can push even more people into using our products. We can even say that we "tried" to use open source, and look what it brought us. Once again, Thanks! Marketing and I appriciate it.
-Bill
And Windriver or whoever controlled BSDI at the time made some serious cash in that deal. They got paid to make the tcp/ip stack work well in 2000/XP and they've done a good job of it.
I just wonder if Microsoft was able to taint some of the BSD coders by allowing them to view their code. I'm sure integrating something like a TCP/IP stack required access to some 2000/XP src code. Anyone know?
Can I get an eye poke?
Dog House Forum
http://www.gzip.org/zlib/apps.html
At least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.
"Borrowed"? Whats the license for zlib?
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
Heh yah I've noticed that. It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.
"Derp de derp."
The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.
:P
the colors were just screaming security flaw already weren't they?
Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products.
And now they are forced to admit what we already knew, they haven't written anything original since...well...ever!
The zlib compression library doesn't use the GPL, however.
and the war between MS and GPL coninues, maybe the linux community could use Anime-based uniforms to storm microsoft and take the code back.
"The secret of success is to know something nobody else knows." -Aristotle Onassis
I've seen this so often that it's worth a comment.
The TCP/IP code in Windows NT is streams based - it was written originally by Spider Software in Edinburgh. It's a clean room implementation that does not have any BSD code in it (I know the original architect of it). And it isn't derived from the original Unix streams code - even the underlying streams layer was written from scratch. The same code is in use by many OEM's in embedded devices etc.
But perhaps that is why microsoft is so afraid to let the states in the antitrust case look at their code. If some one were to discovered they actually a lot of open source code, that would be a huge embarrasement.
Microsoft is an old hand at using public domain stuff! They don't dislike it... like all companies they grew used to swallowing it up! It's even cheaper than buying QDOS was.
No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.
-pyrrho
This is particularly critical with something like the TCP/IP stack. Everybody using a stack derived from a common code base means both sides of the interface on many connections, even on different platforms, are based on the same data structures, etc. This is a good thing, no matter how the Linux folk (Linus arbitrarily decided at one point 'he didn't like the Berkeley stack' so they used some other code instead) try to spin it.
You sound authoritive. Any links for proof?
--Giving to trolls for the benefit of us all
1. It was already written and IMHO they are too cheap to write thier own software 2. read #1 over and over ALSO they used it extensivly so if they patch.... look for TONS of new "feature/bug/phone home style apps to be inserted"
""[...]but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products.""
"Darn, and I thought they were caught with their pants down."
Hey, that's a great idea. Find a way to sneak GPL'd code into, say, MFC, without Microsoft knowing it, then go to court to make them release all their software as Open Source.
Microsoft will, of course, apply all the delaying tactics they can... which gives us time to patch and rerelease Windows NT, IE and SQL server while the legal grinds are churning.
It just might work!
Why? Unless you incorporate it wholesale or re-use a patented algorithm, you do have Fair Use rights under existing copyright law.
I do not have a signature
Why?
Unless it's GPL infected it's not illegal to incorporate it.
Plus, once the copyright-abolish fanatics have had their way, all the GPL licensed code (which is all protected by legal structures based on copyright law) will fall into Public Domain anyway.
Yeah, I've got plenty of karma to burn as well, so those mods who feel it's appropriate to mod me down because I don't march to the drums can kiss my ass.
BTW, I use XP on my desktop and I love it. I use Debian on my servers and I love that too. Windows does not fit well on a server just as Linux does not fit well on the Desktop, why can't people understand that?
Hammer of Truth
How is reading, even verbatim copying, of BSD-licensed code risky in legal terms. The license explicitly allows incorporation into any type of software (commercial, open, or free). Microsoft could put out their own version of one of the *BSDs, with the only difference from it's base BSD being having the Windows GUI grafted on top of it and no source included.
The relevant passage in the BSD license (from http://www.freebsd.org/copyright/license.html ):
There are licenses that are the BSD license, less the advertising clause (it is the advertising clause that prevents BSD from being a free license according to the FSF), such as the MIT license. These licenses are the freest of all the licenses (short of public domain).
A guy with the email address 'fake@nospam.org' is challanging someone else's credentials??
heh
> have never spent time with Windows 2000.
I'm sure this is a typo. You must have meant "did time".
-pyrrho
As long as MS makes heavier use of OSS, they will be less prone to attacks.
They currently use the TCP Stack from BSD, they redesigned SMB services based on Samba (they had to cold room it due to GPL). This helps explain how MS is getting faster and less cracks.
Of course, this also explains why they oppose GPL.
I use Win2k on a daily basis and I hate it. But I take comfort in that my main workstation is a linux box, and the win2k box is there just because I'm porting code at the moment. But yes, I have spent much time with win2k. Much like a venereal disease, intimite knowledge of the subject doesn't make me want to bash it -less-.
The enemies of Democracy are
...that Microsoft uses free software, I invite you to take a look at this.
In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)
Now type "help". Check out this line at the bottom of the output:
view FILE - sort an 'ls' output file and view it with pg
Uh, yeah. Oops.
Simpli - Your source for San Jose dedicated servers and colocation!
Heh yah I've noticed that. It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.
I'll be more than glad to cheer when MS does something good. Wake me up if it happens.
ZZzz..
Well, I spend time with 2000, and its almost as good as kde and gnome.
And i've only got to crashes, which cause the machine to auto-reboot.
To have a really crappy product(s) then releasing something thats better doesn't mean the new thing is good, just not as crappy.
So what, exactly, has MS done thats good?
The Kruger Dunning explains most post on
if the BSA comes knocking?
Now I'd really like to see the sources to all the MS OSes.
Well it's easy to show that they use
code, at least. This is Cygwin / bash on NT4:
andrew@INEGO(22:18:47)
[path...]
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Stop it!
The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.
Am I right in assuming this won't effect NT4 and is a direct outcome of putting the GDI back in the kernel unlike in the true microkernel architecture like HURD?
heuristic algorithm seeks stochastic relationship
"I bet that most ppl who bash MS have never spent time with Windows 2000."
I must admit I'm feeling guilty.
I switched to XP after a few months.
:-)
"if" M$ does use GPLed source, somewhere down the line it will come out.
Case in point. A GPLed piece of software has bug X, and strangly enough, a M$ product has the same bug.
It maybe worth the time to test major bugs in GPLed software against M$ programs if such simularities do exist.
Just a thought.
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
First off, its nice to know you'll stand up for what you think only if you have karma to burn. i.e. nothing to lose.
I won't use XP, because I don't trust it, at all. I'd like to see MS put together a nice OS thats trustworthy to me, not to the varies media orginiations, not to MS, to me.
The Kruger Dunning explains most post on
Microsoft is like a prison cell with a bad lock, just when you think all is safe and bend over to tie your shoes you get screwed!
Just when I start thinking that ms is top of the line above all they come out with some security flaw out there, of course tomorrow we'll be able to dload some new service pack, but I hope they start being a little bit more proactive than reactive.
. . . and to all a good night!
Microsoft did something good a long time ago. The PC-speaker sound driver for Windows 3.1. That... kicked... ass.
Yeah, nothing like finding a bug in one piece of code and having it affect the ENTIRE INTERNET.
Keep your license politics out of technical discussions. And while your at it, try to stick to facts, instead of software development urban legends.
People have a stigma that there should be one solution to every single problem out that. It's like that in the 3D space. There are purists that believe that when you 3D render a scene, the image must be perfect when they go to hit the render button. They don't undrestand that it is okay to divide up your 3D work into layers and tweak each one of those seperately (i.e. color correction or sharpening). I guess they feel that the render program should be a 'perfect simulation of light' and that they shouldn't have to 'fix an image'. They fail to see that the best simulation of light we have (reality) even needs to be touched up from time to time.
I think there are anti-ms people who think that becaues IIS is insecure as a webserver, that MS themselves should die. There are people of the Linux world that wishes everybody would use Linux and forget Microsoft. They fail to realize that the adoption of Linux isn't slow because of MS, it's slow because it's not beating MS at doing what they like to do.
There's room in this world for both. If Linux becomes what Windows is in terms of usability, it will be every bit as bloated as MS. Don't believe me? Look at Redhat. Their default install wants to eat up a gig of space. Granted it comes with lots of apps, but it has its share of bloat too.
In any case, this isn't an anti-Linux/pro-Microsoft rant, this is more of a 'Be happy to have what you've got' rant. If MS disappears, what will fuel the fire to make Linux better?
It's in everybody's best interest if Microsoft does well, believe it or not.
"Derp de derp."
HA HA HA HA FRAT BOY
So we expect more Hotfixes or SPs for these products? When?
This highlights taking a dependancy on externally maintained code is risky. Turn around time in fixes and integration into the codebase, verification of the fixes for those products etc...
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
If you are reading this, you most likely have no social skills.
You are correct sir.
- AIX is dying.
- AmigaOS is dying.
- BSD is dying.
- BeOS is dying.
- CPM is dying.
- DOS is dying.
- FreeBSD is dying.
- GNU Hurd is dying.
- HP-UX is dying.
- IRIX is dying.
- Inferno is dying.
- Linux is dying.
- LynxOS is dying.
- MINIX is dying.
- MacOS is dying.
- Mach is dying.
- MicroC/OS is dying.
- NachOS is dying.
- NeXT is dying.
- Nemesis is dying.
- NetBSD is dying.
- NetWare is dying.
- OS-400 is dying.
- OS-9 is dying.
- OS/2 is dying.
- Oberon is dying.
- OpenBSD is dying.
- Palm OS is dying.
- Plan 9 is dying.
- pSOS is dying.
- QNX is dying.
- RTEMS is dying.
- SCO is dying.
- Solaris is dying.
- SunOS is dying.
- TRON is dying.
- ThreadX is dying.
- TinyOS is dying.
- Unix is dying.
- VMS is dying.
- VxWorks is dying.
- Windows 2000 is dying.
- Windows 3.11 is dying.
- Windows 95 is dying.
- Windows 98 is dying.
- Windows CE is dying.
- Windows ME is dying.
- Windows NT is dying.
- Windows XP is dying.
The Free On-Line Dictionary of Computing defines an operating system as: "The low-level software which handles the interface to peripheral hardware, schedules tasks, allocates storage, and presents a default interface to the user when no application program is running. The OS may be split into a kernel which is always present and various system programs which use facilities provided by the kernel to perform higher-level house-keeping tasks, often acting as servers in a client-server relationship. Some would include a graphical user interface and window system as part of the OS, others would not.The operating system loader, BIOS, or other firmware required at boot time or when installing the operating system would generally not be considered part of the operating system, though this distinction is unclear in the case of a rommable operating system such as RISC OS. The facilities an operating system provides and its general design philosophy exert an extremely strong influence on programming style and on the technical cultures that grow up around the machines on which it runs.
The comp.os.research FAQ makes the following distinction between micro- and macrokernels:
"A recurrent topic of discussion in this newsgroup has been the comparison between microkernel (for example Mach and QNX) and `macrokernel' (traditional Unix) operating systems. The basic notion of a microkernel consists of devolving as much functionality as possible into processes rather than the kernel itself; different systems take different approaches to implementing this.
For example, some systems (such as Mach) leave device drivers in the kernel, and place higher-level services (such as file systems) outside; others (such as QNX) move device drivers outside of the kernel.
However, anecdotal evidence [93-03-03-07-56.52] suggests that the distinction between microkernel and monolithic architectures is becoming more blurred as time goes on, as the two advance. For example, most modern monolithic kernels now implement multiple threads of execution and fine-grained parallelism. Architecturally, this approach begins to appear similar to a microkernel with several kernel-space processes working from shared memory.
As an aside, people often complain that the Mach system can't be a `real' microkernel, because it is so large (at least, this is the argument most frequently cited). However, I have been told that automatically-generated code stubs contribute very significantly to the size of the kernel, and that some size reduction would be likely if MIG (the stub generator) produced better code. [Can someone from CMU comment on this?] As mentioned above, the leaving of device drivers in the kernel also contributes to Mach's size.
Debating microkernels versus monolithic kernels on the basis of kernel size misses the central, architectural point. In the same way as the point of a RISC processor is not to minimise the instruction count, but rather to make a different tradeoff between what is implemented in the processor instruction set and what is implemented in other ways, the microkernel architectural issue is to determine which services are implemented in the microkernel, and which services are implemented external to that microkernel. By making appropriate choices here, the goal is to enhance various OS attributes in a manner that might not be addressable with a monolithic kernel OS. System attributes such as performance, flexibility, realtime, etc. are all variables which are taken into account.
MS want to bve able to change there EULA after you've bought the product, I'd love to see the zlib people GPL theres, then sue MS when they don't comply.
This would force MS eithe to pay up, or go to court and fight against the very thing they want.
The Kruger Dunning explains most post on
Please tell me: what does HURD rhyhme with?
Trollnificent!
even if that is true, ftp, telnet, and several other command-line network utilities are obviously of almost pure BSD origin.
Slashdot, the site where everything's made up and the points don't matter
it's a double-free problem. the two are totally different.
read all about it : http://www.gzip.org/zlib/advisory-2002-03-11.txt
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
I can imagine porting code being a pain in the ass. I know MS's API is a little weird, and I can certainly understand you having issues getting down that deep into it.
Where I come from is I use Win2K for doing 3D animation. A lot of people I know doing 3D stuff are running on Win2k. We have to rely on a machine constantly rendering overnight, over weekends etc, and we cannot afford to have it crash. I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.
I've witnessed a number of Win2k machines of a huge variety of hardware (i.e. not custom made all from one provider) render for many many hours at a time and never crash. I have never lost rendering time to a Windows 2000 problem. None of my artist friends have ever complained about that.
Seems to me if a program can use so much Windows resources for so long and still behave properly, Microsoft must have done something right.
"Derp de derp."
Firstly, I have heard this several times before, so I suspect it is true. Secondly, the telnet and ftp *clients* are hardly critical parts of the TCP/IP *stack*.
Windows isn't for everyone. It's built from the bottom up (meaning it's targeted at the lowest common denominator user). For you, I'm sure that a trustworthy OS is one that you can pick apart and see the guts of... AND THAT'S FINE! I'm not saying that Linux is better than Windows or vice versa, I'm simply saying that some people don't care how their OS works and what dependency tree they need to check if they want to install an update for their laptop speakers. It's about ease of use versus lookig under the covers. Some of us don't care how the OS works as long as it does.
Hammer of Truth
I bet some is in there! I just bet! For god's sake, someone less lazy... um I mean less busy, than me, find GPLed code in Microsoft. I want RMS to make us all call XP GNU/XP.
-pyrrho
Well first off I've gotta say:
HA HA!!!!!
Are any of us REALLY surprised at this though? This is Microsoft afterall. Even my chemistry TA was complaining about them today...
Derek Greene
It means nothing. It's just a widespread () but low-intensity) disaster, and MS customers happen to be among the victims.
If there's a lesson about security in all this, it has something to do with static linking. Or maybe something to do with extreme (over??) standardization, where everyone and their dog ended up using the excellent zlib.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
From the advisory
I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.
All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
No. When one types "help", the command listed above "view FILE" is (surprise!) "ls". So it's not a mistake per se (as implied by your 'oops').
Of course, it's still an indication that yes, they probably ported nslookup from elsewhere.
maybe because I use linux on my desktop and love it much more than XP and 2K, which I have also used.
to each their own!
From the ZLib page:
There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.
It would take some pretty slick work to actually get something to execute arbitary code with this particular bug, but, it's possible. So it does raise the risk level back to what you originally stated, Garett.
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
Ah, but what if we made GPL'd code that was so good and so far ahead of everything else, Microsoft didn't have any choice but using it in their products... nah. They wouldn't be able to sell any licenses that way. It would be financial suicide.
'Cept if it's some product they give away for free anyway, like IE.
Actualy I do, at a rate of 2 BSOD's a week.. Of course that's only for unimportant "work related" stuff. My home system runs linux and hasn't been unvoluntairly down for a real long time now.. Neither have the systems which run my websites and databases..
Nobody expects the spanish inquisition!
...since DOS doesn't have a command called "pg".
Simpli - Your source for San Jose dedicated servers and colocation!
"So what, exactly, has MS done thats good?"
What, you mean besides using Windows 95 to make the appeal of computers so broad that nearly everybody has one? Or maybe bringing the internet out of the geek neighborhood and out into the main stream? Or how about making an OS that can install on such a broad range of hardware that you can cheaply put together a system running Windows?
Did MS do this singlehandedly? Nope, I'm not saying that. They were instrumental in it though. Despite how much everybody hates to admit it, Windows 95 had a HUGE part in making computers as broadly supported as they are today. I remember when having a computer meant you were a nerd.
Did MS use illegal tactics? Yep. They've done shitty stuff. They've made shitty products. I'm not disputing that. But they're not entirely bad either. As a matter of fact, it's MS's shortcomings that are making people fight to make Linux as a replacement to MS.
You can hate MS all you want, more power to ya, but if you're successful in the IT industry, MS was probably instrumental in that either directly or indirectly. No Microsoft? Computers = toys for geeks.
"Derp de derp."
"I beg your pardon, this looks like the same level of Inovation microsoft has been doing since Day one.
port basic
buy qdos
borrow from Apple and Xerox
borrow from BSD
borrow from open source.
...."
Ah, much like Red Hat, SuSE and Mandrake then.
Seems like Microsoft got the point of Open Source long before Linus Torvalds started hacking away: it's all about borrowing.
Your information is slightly outdated.
The BSD license no longer contains the advertisement clause, and has not contained it for some time.
If one must troll, one must learn some facts first.
Probably not, does the name Trumpet WinSock ring a bell?
But knowing microsoft, IE is probably inter-mixed with the TCP/IP stack
You should take a look at this.
I guess that explains it all, and if not, you had a good laugh.
And if you didn't laugh, you should learn to relax but
Doesn't this violate the GPL?
As I recall, this was only an issue if you had a double-free because of glibc, and I believe the original article specifically singled out Linux because it was dependant on the specific behavior of glibc.
How is this an issue for Microsoft software?
"Name one DECENT game that was produced with OSS. Yep, thought so."
NETHACK!!!!
OK, I'll be quiet now.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I took the license from the FreeBSD website
Check the url in my post
This just points out the difference between proprietary code and open code. Those using open code incorporating this flaw have had a fix available for days (if they choose to patch and compile the source). Those using proprietary code incorporating this flaw will have to wait for the vendor to release a fix, if ever.
If that's not a good arguement against depending on proprietary code (as for running a business), try this: If the flaw was not in open code incorporated into the proprietary code, but rather existed exclusively in the proprietary code alone (yeah, right -- proprietary code with bugs! LOL :-) then we might never know the flaw existed, let alone get a fix, unless some cracker with ethics told the world when they found the flaw rather than keep the exploit to themselves.
If all this should have a reason, we would be the last to know.
Okay, I'd like to make several points about the comments in response to this topic.
...He wasn't some bumbling code-stealing idiot that you guys would make him out to be.
Where do you guys get the idea that Microsoft is full of inept and lazy programmers? That just doesn't make any sense. I, for one, have talked to several Microsoft employees that have come out to my university (Michigan State) for presentations, and they all say the same thing: People who work there have a genuine passion to make good software. If you don't have the drive and motivation, you won't succeed. I mean honestly, I'm certain there are many great open source programmers, BUT, they've got to earn a living some how. If you are very talented, I'm sure a large corporation like Microsoft would pay you VERY well for your skills. I'm sure they have a lot of applicants, and as a result only hire the best. It would only make sense.
Last year the lead developer of the C++ compiler team made quite the lengthy presentation in a nearby hotel auditorium. I don't know compilers that well (I'm EE, not CS), but I'll tell you this much...that man is a genious. He really knew his stuff, and it was evident by the reactions of the CS professors in attendance. He, as many of the Microsoft employees have stated, seemed to really like his job.
Its more like parole. You aren't completely free, but it a hell of a lot better than being locked up.
Its stupid to bring up the GPL or other open source licenses or argue about whether Microsoft is stealing code. I'm glad they use zlib. I'm glad they used portions of the BSD tcp/ip stack. I'm glad they decided to support (to the best of their ability) standards like C and HTML. I'm glad I don't have to depend on Microsoft anymore. But if they hadn't used open source programs I'd have never been exposed to other options except for the likes of Novell and Sun.
The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.
You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.
The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.
Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.
People have a stigma that there should be one solution to every single problem out that. It's like that in the 3D space. There are purists that believe that when you 3D render a scene, the image must be perfect when they go to hit the render button. They don't undrestand that it is okay to divide up your 3D work into layers and tweak each one of those seperately (i.e. color correction or sharpening). I guess they feel that the render program should be a 'perfect simulation of light' and that they shouldn't have to 'fix an image'. They fail to see that the best simulation of light we have (reality) even needs to be touched up from time to time.
no. This "tewaking" only means that they have -failed- to get the correct result from their scene description in the first place, and that they must resort to manually tweaking the result instead of actually going back and modifying what was wrong in the first place.
You can and should modify your lightsources whenever you render something, because a 3D rendered scene is just that, 3D rendering. NOT a so called "perfect simulation of light" because that is left to the creator of the scene.
it is the scene creator that has to make sure he gets his lighting, world and all other factors correct for the desired result.
Bah. Paintbrush artists.
I didn't do this, now did I?
Actually, it comes from VMS. VMS is so alien to the UNIX way of thinking. So, Windows is basically a hodge-podge of VMS plus some System V additions, and a pretty shell.
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
Microsoft hires a lot of smart programmers and system designers who make intelligent decisions about how to design software and what code to re-use. Microsoft's programmers use open source code because it's good, it's standard, and it's familiar to them.
There are also a lot of competent programmers squashing out the bugs at Microsoft, but a large company has a lot more red tape to go through before anything is released.
The majority of Microsoft's products are good, but not always the best in their field.
Microsoft's flagship product, Windows NT/2K/XP, is an advanced operating system that strikes a good balance between security and backwards compatibility. Except for the tacked-on Internet Explorer interface, it's robust, feature-rich and modern with a very broad hardware support.
Microsoft is also very skilled in both adapting to and manipulating the market, and at using it's dominance in one market to gain dominance in others.
Microsoft knows that putting GPL code in a closed source product would open them up to lawsuits, so they avoid it at all costs. The article even mentions that Microsoft developers are banned from using GPL source code. They have used non-GLP code before, and in every case they have complied with the associated license. I wish we could put these silly accusations to rest. The only supporting evidence anyone has given is "because they're Microsoft".
Yes, I am a somewhat technical person, and that's why I'm asking. I know what buffer overflow is, and the zlib issue is not it. This may be an issue, but surely something that doesn't require this much coverage or worrying.
"...However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable. "
You're telling me their own people don't know what products uses what? Either they want to see if they can deny the use of zlib or they're just clueless. The lather seems more possible.
[alk]
It is NOT a buffer overflow. Every is happy that your karma whoring because you know what a 'buffer overflow' is but your also helping spread this FUD.
The problem in zlib is a double free. It is only, and I repeat, only theoritically possible to exploit this in the same way that it is theoritically possible to exploit any undefined behavior.
Please don't counter with a traceroute exploit being an example of a double free because it wasn't. That was an example of free a garbage random data. There is quite a difference.
At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny because XP's whole TCP/IP had a remote root hole in it and less noise was made here then is being made now over something that is only theoritically possible to exploit and also not yet proven to be reproducable.
Right now, this 'security issue' is entirely theoritical.
int func(int a);
func((b += 3, b));
"no. This "tewaking" only means that they have -failed- to get the correct result from their scene description in the first place, and that they must resort to manually tweaking the result instead of actually going back and modifying what was wrong in the first place."
Err okay. It's not a black and white situation. 3D programs do different things than 2D programs do, and its silly to limit your toolset by expecting it to come out of the renderer perfect.
Getting back on topic, it's like complaining that Windows 2000 is a crappy 3D workstation because it sucks as a webserver . The truth of the matter is that there isn't one grand unified solution that works for every little thing. Me personally, I'd rather use a Macintosh for my mobile needs, Windows 2000 for my 3D Workstation and gaming platform, and Linux running Apache as my web server, and Linux again as a mailserver.
"Derp de derp."
They're not dealing with a fairly small number of reasonably savvy users who go to read slashdot, discover that zlib has a bug and decide to go fix their systems. MS deals with millions upon millions of 'ordinary users' who run dozens of programs that have zlib linked statically (we've just been told) and who have absolutely no idea what zlib is, what their systems use it for or how to patch it (well, they can't, because it's statically linked). So it makes sense for MS to determine first which apps are affected, in what way (is DirectX ever going to run into this problem? if yes, what are the consequences? if no, or if the consequences aren't serious enough, getting millions upon millions of clueless users to download a DirectX patch ASAP isn't worth the trouble). I agree with you that they should have information handy on which of their apps link to zlib, but who's to say they don't and they're just taking this time to conduct a risk inventory (they're a big ass bureaucratic monstrosity after all)?
News and bla for computer musicians: http://lomechanik.net/
you must have pretty crappy hardware. Unless you are using faulty memory, overclocking/overheating your CPU, or very sloppy drivers you should never experience any blue screens in a NT-based kernel OS (NT4/2K/XP). sorry to bust your bubble but linux will also display similar behavior in what's known as a 'panic'.
I'm curious too. Why should we believe a fish tale like that when Win2K still has an /etc/hosts file embedded into it?
A Pirate and a Puritan look the same on a balance sheet.
I have spent alot of quality time with 2000 (migrate from NT4 to Win2000 AD = no fun ). Most people hate it because the have to use it at work, even though there are better alternatives. MS bashing goes on because their products .... WTF why am I explaining this to you, SHUT UP TROLL.
So your W2K box crashes 2 times a week and you haven't fixed it? Have you even tried?
My W2K server has been up 196 days and counting. I've NEVER encountered a BSOD on my XP notebook.
Perhaps you should try upgrading your drivers to MS cerftified ones.
The zlib incident has clearly demonstrated how well the Linux security model works. Within 24 hours after publishing the vulnerability, Linux servers were fixed all over the world, and still nobody seems to know how much Microsoft products are vulnerable.
We will probably see more and more software and code that runs on both open-source platforms and on Windows, which means that we will also see more incidents where Microsoft's security service performance can be measured against the competition.
InstallShield has lost the lead in ease of use to InstallAnywhere. It doesn't use anything from Microsoft, and performs better for the other platforms as well.
I dig it.
http://www.zerog.com
/plug
Your Technology General Contractor http://www.birddogdigital.com
Well no crap...I didn't say they were part of the stack...my point was that Microsoft uses open source code all the time...I just used the example of BSD
Slashdot, the site where everything's made up and the points don't matter
That's the 4.4BSD license, a license that predates FreeBSD (and the other open-source BSDs). It contains the dreaded "advertising clause," which is (IMHO) rightfully viewed as non-free. That's why FreeBSD uses this license which drops the advertising clause and is almost universally viewed as a free license; the other open-source BSDs did the same thing.
I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.
Maybe, just out of curiosity, you should try one of the newer distros - SuSE or Mandrake are laughably easy to setup nowadays. Pop in the cd, tell it what kind of hardware you have, done. Although I must say I agree with you that if you're looking for a platform to do 3D, image processing, video or audio on, Win2K is probably a better choice.
News and bla for computer musicians: http://lomechanik.net/
I hear all these people about a flaw in the MS OS ?
Maybe there, but its fixxed probably, now what i wonder about is when they come with the patch.
But then i also read some thing about the a difrent C version of MS, so maybe they dont need the fix.
Now i wonder why i even wrote this..
Quazion
Can someone please explain why zdnet and news, etc. are all on a non-existent domain?
; > DiG 9.2.0rc3 > news.com.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER
I don't get it. com.com seems to be some kind of travel agency. Any ideas?
(Sorry for the offtopic question)
There's room in this world for both.
It would be nice if that were true, but in Microsoft's world view, there is room for only one operating system. If free software does not vigorously compete with MS, it will be marginalized to the point of uselessness under heaps of proprietary protocols and data formats.
Microsoft is not a good citizen and alternatives will not be safe until MS loses large chunks of their markets. That is just the way it is.
Microsoft's fast responces to security issues is a recent event. They do not have a history of fast responce. But they do have a history of putting out fixes that cause problems. It is common practice to delay rolling out hotfixes and service packs to allow for discovery of these bugs and subsequent fixes.
Yep. That's why CodeRed and Nimda weren't able to do much damage. Oh. Wait.
Nice statistic. Got a valid reference for it? Or is that just a bogus number to make your rant sound nice?
People often confuse Microsoft's marketing savvy with their technical ability. They are a technical company who excels at marketing. You're crowing about their marketing. This is a technical issue (information security is not a marketing issue - despite how many companies, MS included, tend to handle it).
If the BSD license no longer has the dreaded advertising clause, then how does it differ from the MIT license? Why doesn't FreeBSD simply switch to the MIT license? Maybe there is some university rivalry.. or maybe they don't want to rename their project to "FreeMIT". ;-)
cpeterso
Name a better alternative. Windows 2000 is easy to deploy on a variety of harware, easy to use, and has well supported software. The gotcha is that it costs lotsa money to license. Can you honestly tell me there is a better alternative? The only alternative I have as a 3D Artist is Macintosh. And though I'd like to have one, Windows works on the hardware investment I've already made.
Linux is hard to install, requires a more knowledgable support people, and has less driver support. This is why Windows is big in the corporate world. Obviously Microsoft isn't so bad if it's doing what people are paying for it to do.
As for being a troll, a troll rarely makes a good point. Getting back to my original point, this attitude of "It sure is cool to hate Microsoft" is blinding people to alternatives that may very well work for them. Call me a troll for disagreeing with you if you like, but I'm not-anti Linux.
"Derp de derp."
I hope this forces more people to use the GPL and get away from the "steal this software" type of licenses like the BSD. I think M$ owes a lot of open source developers some serious money and has another person pointed out maybe they can change their license to the GPL and sue sue sue!
I just wanted to respond and let you know I appreciate the tone of your answer. I've had a couple of people recommend SuSE, and it's on my list to try.
Again, thank you for being civil.
"Derp de derp."
Give me a Gundam: Mobile Armor suit and I'll make the world a better place!
I think you're right there. I can't help but wonder if the new file system they announced is intended to keep people from dual booting Linux boxes. How much ya wanna bet that Lilo doesn't work with it without some kind of patch?
The good news is that every time MS closes a freedom with people (like XP requiring registration, or a security flaw in their software), Linux has an opportunity to be more attractive.
"Derp de derp."
I've been NT since '94. It peaked with 3.5.1 and has been downhill from there. I've spent plenty of time with NT5. It is my workday OS. I even had dellusions about improving the computing condition of my family members by subjecting them to it.
It either failed to live up to immediate requirements or failed to live up to the performance of it's DOS based predecessors in daily use.
The problem with Microsoft is that it's main focus is not technology but market domination. Technology is a far distant second (or worse) and merely a means to and end for them.
What makes Bill a better megalomaniac doesn't necesarily make for a better product.
If GNU, software development sloth encarnate, could sneak up behind Microsoft then there are some serious problems out there in Redmond.
A Pirate and a Puritan look the same on a balance sheet.
NOT crashing on a double free might be just as bad (or worse) than crashing on a double free, since it generally means somebody is accessing a free'd pointer for other reasons (prior to the second free). In *this* particular case, allowing a double free might be better than not allowing it, but in general, ANY program that does a double free probably has far more destructive bugs hiding in it.
I bet part of the reason MSFT is so averse to having its precious source code inspected is the possibility it contains GPL'd code that infringes on the license.
Win95? Apple achieved better 11 years earlier.
The whole "random collection of spare parts" thing has still yet to be completely managed by Microsoft. They still screw it up often enough for Linux to be in a position to recover the situation.
Microsoft deserves NO credit for PC hardware compatibility. The hardware usability standards were pioneered by Intel and Apple and only grudgingly adopted by Microsoft.
It's the hardware vendors MANUFACTURERS that make installing new hardware on WinDOS easy.
No, Microsoft wasn't the one that make computers more than "toys for geeks". That credit goes to the developers of the Web and early web browsers. THAT is the killer app that pulls in the sixpack family.
Microsoft was late on that technology too, and had to muscle it's way into marketshare when they finally got off of their posteriors.
A Pirate and a Puritan look the same on a balance sheet.
This is exactly why software is not all GPLed! There are some things that are good for everyone and keeping it all to yourself is just as fucking shithead of you as it is of MS.
doubtful...
http://research.microsoft.com/university/ntsrcli ci nfo.asp
Microsoft® makes source code to Microsoft operating system products like Windows XP, Windows 2000 and Windows CE available to universities and other "not-for-profit" research institutions at no charge. Currently, there are over 100 universities worldwide with our source licenses.
This is again Mundie piping up with that stupid argument, that the GPL is bad because it limits the licensees choices. Now where's my choice when i want to develop using Microsofts sourcecode (if i can get my hands on it, even some governments can't)? Well, i have to accept Microsofts conditions. With the GPL and similar licenses i have to agree to the conditions of the respective authors (which choose the GPL as a license). So where's the difference? I'm sure it's easier to satisfy the GPL than Microsoft anyway. If only someone would ask what Microsofts conditions are for using their sourcecode when Mundie goes on a rampage again, that should shut him up for good.
Meanwhile the TCP/IP stack and now the zlib (and probably some other open source software Microsoft choose to make money off) shows what all that rhetorics of Mundie really is about: They want to take without giving, and they have seen that there's some nice open source software they'd like to get their hands on if only it weren't for that pesky GPL. Apparently that there's some open source software, that's too good to ignore, even for innovative Microsoft. It's really unfair that the GPL is asking Microsoft to share with others if they want to benefit from that software.
--
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
This is a "bug" in the webpage... someone forgot to update it apparently, since the 4.4BSD license has been updated years ago. Check the addendum here:
L ic ense.Change
/usr/src/gnu or make sure he doesn't ship any of them, which for a lot of applications is not necessary anyway.
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.
The removal of the advertising clause retroactively applies to any BSD licensed sources that Berkeley has the copyright of, including 4.4BSDLite which FreeBSD is based on, and since the FreeBSD additions are covered with the FreeBSD license which is the BSD license without the advertising clause and references to the "Berkeley Regents" replaced with "FreeBSD Project", this effectively means that there is absolutely no advertising clause issue.
There are of course some non-free (in the BSD sense, I am not trolling!) sources, most of them GPL, however if one is looking to release modified FreeBSD binaries without providing the source, he can simply rm -rf
I'm glad it demonstrates something. It sure as hell doesn't demonstrate that OSS is more secure because of more eyes!
Installshield that is. MS has the "Windows Installer." Installshield is a separate entity.
How could this affect PHP4's use of zlib? I assume this is used when you use gzip compression on pages using the ob_handler?
When this "security flaw" affects LINUX, you simply title the article "software bug" but when it affects Microsoft straight away its a "security flaw".
TALK ABOUT BIASED!!!
What have they done that's good? Are you flipping insane? One word: DirectX
I will ignore your comment as you have NO idea what you are talking about.
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
When you install either OS, you're also installing a lot of auxillary software. Red Hat gives you a C/C++ compiler for free, while you would have to buy VC++6 from Microsoft. Red Hat includes an IRC client, which is a separate download under Windows. Red Hat gives you more text editors than you can possibly be interested in (joe, several variations of VI, Emacs and XEmacs, gEdit, NEdit, Abiword, Kate). You even have the option of installing StarOffice 5.2, free. With MS, you get Notepad, Wordpad, and EDIT (command-line). And last I heard, Notepad *still* had that 64K limit, which is simply braindead. Red Hat gives you TuxRacer, while you would have to shell out $50 for Microsoft's HALO.
Finally, the docs that ship with Red Hat are probably way more thorough (though less organized) than anything Microsoft gives you.
The point is, if you can see where the bloat is coming from, then it really isn't bloat. Most Linux distros have big installs because they provide a lot of different utilities and a lot of documentation. I'm hard pressed to figure out where the bloat in Windows comes from.
If, by "does well," you mean "continues to exist, continues to improve its software, and continues to provide incentives for competitors to improve theirs" then I fully agree. If you mean, "continues to pursue Complete World Domination(TM), continues to lock customers into proprietary formats and solutions, and continues to force customers along expensive upgrade paths," then you would be wrong. Microsoft has its place in the world, I'll agree. But that place is not the center of the world's information economy.
You want the truthiness? You can't handle the truthiness!
That's true, they never have written an OS from scratch. Windows 9X is DOS-plus-GUI-shell and DOS was derived from QDOS; Windows NT is DEC's MICA, broken and in fancy clothes, and 2k, XP, Longhorn etc are all derived from that. What about CE? Maybe that's why you need an expensive mega-micro-beast to run it on.
If MS truly want OS security, why not just wrap their user interface around OpenBSD? The licence allows it, provided credit is given (and that can be done in very fine print).
Got time? Spend some of it coding or testing
Mandrake, for example. That and any other package for which this was straightforward to do.
Got time? Spend some of it coding or testing
For your compiling pleasure, Mandrake 8.2 includes a tool to do just that. But you will also have to grep the entire source tree to catch self-included static copies of zlib. Just be glad that you can do this. (-:
``Hello, Microsoft Technical Support here. Can I have your money, er, support number please? ... Thanks, OK, now what seems to be the problem? ... Rebuild from source? Sir, don't you mean reboot...?''
Another fine reason to give money to Mandrake instead of Microsoft.
Got time? Spend some of it coding or testing
:%s,rebotted,rebooted,g
The security vulnerability is due to zlib trying to free the same section of memory twice. The glibc memory allocation routines aren't very smart, and will cause heap corruption if you try to do this. This heap corruption can be exploited.
The Microsoft runtime libraries have smarter memory allocation and deallocation - attempting to free the same area of memory twice does not result in heap corruption. Consequently the zlib bug isn't a security vulnerability in Windows.
Gosh, what else do they make besides a second rate search engine? That there is no security on M$ is no secret.
Their response according to the article is:
Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library.
Meanwhile, in a dark Seatle back room someone is running "apt-get update" for a fix! Well, that's what I did. No problems now.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Yeah thats true.. I mean when you have alot more eyes looking at something no matter how long it takes to find it'll eventually be found, one way or another.
When you have a small pool of eyes not even bothering looking you don't find anything.. So obviously it's more secure.
Dumbass.
I don't think we have compatible definitions of the word 'bloat'. When I used it, Red Hat (KDE) had so much going on it was difficult to track down very specific items. It was slow to repond, and flat out frustrating to use. Windows 2000, on the same machine, was much more responsive. That's either bloat or inefficiency. When Windows takes too long to access the registry, that's sometimes considered bloat. Programs take up too much space (70 megs to download Star Office, for example...) is considered bloat. For me, Windows 2000 is the OS of choice on this machine. If I had the "It's cool to hate MS" attitude and went with Red Hat, I woudln't be any better off. I'd be hurting myself, and that was the point I was making.
.DOC format, right? Well that proprietary format keeps other people out, that's true. But it also allows MS to make changes and make the format do more. Look at what a .DOC file can do that a .TXT file can't. You can attach other files inside it, format your text, etc. If MS was adhering to a standard like HTML for example, how would they be able to innovate without bending it towards proprietry at some point?
.GIF files, the .PNG standard was developed. .PNG Is a totally kick ass format for us artists who need lossless compression and alpha channel support. This format came around BECAUSE somebody tried to strangle a format they owned.
" If you mean, "continues to pursue Complete World Domination(TM), continues to lock customers into proprietary formats and solutions, and continues to force customers along expensive upgrade paths," then you would be wrong."
I disagree. Let's talk about proprietary formats for a sec, those aren't 100% bad for everybody. Although I realize this can be used to leverage a monopoly, there's a lot to be said for having a format that MS can diddle with. This gives MS some room to innovate. MS invented the
When they do this, they create an opportunity for somebody else to come in and make a better format. When Unisys tried to make people pay for using
Long story short? Every time MS tries to leverage their monopoly, a new opportunity arises. Embrace that philosophy, because that is exactly the type of thing that will make Linux a big player out there.
"Derp de derp."
Well, that could be. I don't have any problems with my M$ software. It sits on floppies and CD's where it can be installed to use some obscure piece of hardware on a second rate computer never attached to the internet. Most of the time, however, it never causes problems.
Bad Microsoft, bad! Quit saying that free software is unusable while using it. Oh yes, good luck hunting thought that vast tree of poorly documented closed source junk you have been purchsing from other companies for the last ten years. Is this what you will build the Digital Rights Management Operating System, TM and patented use of other people's code? Slap! Crack! What a joke of a company. What shall become of all the M$ stock when the world figures out that M$ is the equivalent of an Ice Vendor in Antartica?
They wanted to be the asshole in the middle, stripping ideas and programs from others, to sell as The Sole Operating System. All the people they ruined could be hard at work fixing their codes. Now, those codes will continue to be distributed unmodified. The task is too great for a single company. Like most such ventures, in the end Microsoft can only manage to be assholes.
Friends don't help friends install M$ junk.
Do you think linux does not use zlib ?
Dude, the King of the World doesn't bother challenging. He merely questions with a smile. Surely, I cannot be expected to believe a post without evidence as to do so would pollute the mind.
--Giving to trolls for the benefit of us all
Seriously - they should come up with some small little product that it doesn't matter if they have to release the source code to. They should put some GPL'd code in there - perhaps not even try to hide it too much.
And then they should see what happens. I guess they figure not many in the GNU crowds care much for them anyway, so they won't lose "loyal customers".
However, it'd either do two things:
a) show MS that it doesn't matter cause no one dared to file a suit
b) give the GPL it's day in court and see what happens.
The only downside is that whoever decides to take this to court better be loaded. It could be a long uphill battle.
It would be interesting to see the outcome though...however with MS's legal team, perhaps it may not be a good outcome.
There is another interesting point to make here. The origional poster implys updates will be slow to trickle in to the Linux install base, while Windows Update offers a shortcut to the process. Microsoft's Windows Update service is not unique. Its not even first of its kind. Linux distributers such as Redhat and Mandrake have long offered a simular service. Debian has had such a system in place even earlier.
In short, Windows Update provides neither a panacea nor unique solution to the issue.
I'm afraid you misunderstand the license. What you suggest still involves linking your program to the GPLed code at runtime, which is expressly forbidden by the GPL.
Besides, you have to release the code of the wrapper library under the GPL, which in turn requires you to release the code of your other program under the GPL as well. The chain will continue no matter how many "wrappers" you write.
still nobody seems to know how much Microsoft products are vulnerable.
No Microsoft products are vulnerable, just like no Net/Open/FreeBSD programs are vulnerable. The zlib bug doesn't ripple down into the system and become a security flaw except on the only OS that has embraced glibc, and that is Linux.
Get it through your thick fucking head, dude.
Sorry. There are eye and there are eyes. Clearly this demonstrates that just throwing it out into the world and hoping that eyes at random will find the bug isn't a foolproof strategy.
I am really tired of the 'few eyes/many eyes' meme and how it's turned into a dogma.
Sorry, Eric Raymond didn't reinvent Software Engineering when he wrote his diatribe. There are many other far more experienced people out there doing a better job, some not even based on crappy neo-pagan metaphors and matchbook-cover political economy.
add C:\windows\command\fdisk /mbr to your friend's autoexec.bat file. It prevents certain boot sector viruses.
Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment.
It's been 14 seconds since you hit 'reply'!
If this error seems to be incorrect, please provide the following in your report to SourceForge.net:
Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day
* Please choose 'formkeys' for the category!
Thank you
-------
yeah, fuck off, Rob. I had a constructive comment, but now I'll just leave this shit instead.
"Bug found in open source software"
And so Microsoft gets ranted against?
I know Microsoft has lots of security flaws, but subscribe to bugtraq, debian security etc... and linux has a LOT of bugs too. Seriously people...
BTW, Notepad does not have a 64K limit in Windows NT4/2000/XP..
Um, what the heck are you talking about?
Does anybody know if Trumpet Winsock uses zlib?
We all know Microsoft doesn't use Trumpet Winsock, but this fellow, er, asked first...
Windows 95/98/ME/NT3/NT4 all have a hosts file, too.
It's, umm, a functional method of establishing a static host table. Hell, I use mine to block images.slashdot.org so I don't get any of the spam or pretty BS when I read this site.
Yet again, the slashcode censors my comment.
Slashdot requires you to wait 2 minutes between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 1 minute since you last successfully posted a comment
If this error seems to be incorrect, please provide the following in your report to SourceForge.net:
Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day
* Please choose 'formkeys' for the category!
Thank you
strings will display ASCII strings embedded in a binary.
With the additional '--print-file-name' option for the GNU binutils version, it's even more useful.
From Windows NT 5.0:
[trisk@kainga:/vfat/windows/system32]% strings --print-file-name *.exe | grep 'Berkeley'
nslookup.exe: @(#)nslookup.c 5.39 (Berkeley) 6/24/90
nslookup.exe: @(#)commands.l 5.13 (Berkeley) 7/24/90
nslookup.exe: @(#)debug.c 5.22 (Berkeley) 6/29/90
nslookup.exe: @(#)list.c 5.20 (Berkeley) 6/1/90
nslookup.exe: @(#)subr.c 5.22 (Berkeley) 8/3/90
nslookup.exe: @(#)skip.c 5.9 (Berkeley) 8/3/90
nslookup.exe: @(#)getinfo.c 5.22 (Berkeley) 6/1/90
nslookup.exe: @(#)send.c 5.17 (Berkeley) 6/29/90
[trisk@kainga:/vfat/windows/system32]% strings --print-file-name *.exe | grep 'Regents.*University of California'
finger.exe: @(#) Copyright (c) 1980 The Regents of the University of California.
ftp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
nslookup.exe: @(#) Copyright (c) 1985,1989 Regents of the University of California.
rcp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
rsh.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
The double free bug in zlib doesn't affect MS systems since the msvcrt lib isn't affected by a free of a NULL pointer. This article on CNet shows the need for pageviews.
Never underestimate the relief of true separation of Religion and State.
If I open ftp.exe (for Win95) with Notepad I see the following information:
Copyright (c) 1983 The Regents of the University of California. All rights reserved.
Looks like they do believe in inovation.
P.
And ofcourse they now support raw-sockets in WinXP. For average users by default. Who'll say "I saw that one coming" when a major WinXP based DDoS attack starts to rage the net?
Not Buzzword 2.0 compliant. Please speak english.
Reading up on the zlib licence, which is short and easy to understand, I find this clause:
The way I read this, if software uses zlib code, then the authors of their software must not claim to have written the code. Microsoft are not obliged to acknowledge the zlib authors anywhere, but if they make a copyright statement saying that the code was written by Microsoft, then surely they are claiming that they wrote the zlib code in their product, and are therefor breaking this clause?Does anyone know if Microsofts' copyright statements comply?
I am probably too late for this point to be discussed.
But microsoft tried to remove this protection in one of their Visual Studio services packs - the result - Microsoft's ( and other's ) programs crashing randomly all over the place. They quickly reversed the 'optimization'
More worryingly -that means that alot of programs are actually relient on that thin safety net!
How would any university user know - they would not be GPL coders because of the NDA and fear of contamination. Perhaps Eben Moglen should find someone who can thoroughly examine the MS code who won't be writing anymore GPL code - but I guess MS would find some way of stopping that!
Bloat is not how many Gigs of hard drive you need to install all packages - on this basis Debian would be the most boated release ever. Bloat is requiring ever more RAM and ever faster CPU's to run an OS and a reasonable set of apps. On this basis while Linux does seem to be following the same increasingly bloated path as Windows at least you have an option of running a lean system with a windowmanager or light desktop environment such as Windowmaker or XFce respectively. However I have given into bloat - at home away from this goddam Windows machine I run Gnome.
In your view, the society moves forward as a side affect of individuals pursuing BIG MONEY. I suspect that if you do some reading on just who are the people who create innovative technology you will find that they are people motivated only partly by money but much more for having a burning desire for the subject area they are addressing. BIG MONEY is made by those who can take other people's innovations and market them. Frequently, the winner is as much politically connected as they are financially astute. What motivates open source developers is the burning desire to "make a difference" in some way...in the area they care about - programming and software development. How about this, we won't worry about the "starving programmers" of the world if you stop worring about the "starving Billionaires" of the workd.
I want to be alone with the sandwich
The fact that people spent their own time on zlib is a liability.
/. readers believe it to be.
Spending money is a liability too, because all money is a representation of the amount of work it would take to mine an equal portion of gold. One has to also work to get money.
Their time is gone. They have nothing other than free source code which gains them nothing more than the ability to use that source code. They were not rewarded financially, nor was anyone else able to be rewarded financially for that particular program
Example: A free park would only be useful to society if people are restricted from charging and restricting others from and entering the park. Why then do we have parks? The makers are not rewarded, and no one else is entitled to be rewarded financially.
There are other factors that influence people to do things, e.g. emotional costs. If you see an addressed, stamped envelope on the ground, would you pick it up and mail it? If you answer yes, then, why did you do it? No one is paying you to do it, you did it for emotional reasons. If you answer no, then you are a defector. You better hope that no one knows about it. With anonymity comes increases in defectors, as people realize they don't have to contribute, they can just take. That's why the government makes taxation mandatory and not voluntary.
Humans are very emotional and that's what drives people to cooperate. Without that cooperation, society would never work. Individuals that fail to cooperate are viewed as defectors. People hate defectors and will go out of their way to punish them because they reduce the quality of... life.
(not that is matters too much, since there are many other compression tools).
Then why are you complaining?
Society does not move forward without using other's tools, but society does not move at all without monetary incentive.
Read what I said earlier.
There is a reason for money, and it is not for "evil" purposes despite how bad
No one is saying that money is evil.
Throwing out software because of how it was created is plain ignorance and wasteful.
Who is "Throwing out software?"
There are more useful things to be done than paying someone to rewrite a compression library.
And there are more useful things than rotting in jail, hence why smart people don't break the law, lest they get punished. As for lazy people, the punishment for not doing anything is that you have to write a compression library.
Do you really want "starving programmer" to become an actual phrase, much like "starving artist" or "starving musician?" This is what will happen, if FSF has its way.
You don't know that any of that would happen.
"This software" in the clause you've cited probably refers to the zlib library, not to the complete product it is used in (otherwise the "use this software in a product" wouldn't make any sense). Since Microsoft is not distributing a standalone zlib library, there isn't anything to misrepresent. I'm pretty sure they left the original copyright notice in the library's code.
BTW, I've been told that on the Windows XP installation CD, you'll find a file which contains copyright ackknowledgements for much of the software that they're using in Windows (e.g. the BSD license requires reproduction of the copyright notice "in the documentation and/or other materials provided with the distribution" when distributing binaries, so you'll find the BSD license in that file). I don't have Windows XP, so I can't tell you the file name. On the Windows 2000 CD or in the installed system I haven't found the file, but I guess they put it somewhere (anything else would be pretty dumb, given how simple it is to comply with the licenses we're talking about here).
Sig (appended to the end of comments I post, 54 chars)
Only Slashdot could be so arrogant/ignorant to attempt to present the zlib security issues as if it were an MS problem. Even the sub-title of the News.com article says: "A security flaw in open-source software used by Linux and Unix systems for compression may affect some Microsoft products that also use the code. " Slashdot is starting to make Microsoft look like a reliable sorce for non-biased information.
and going away....
Moments before I made the post I was reading about gzip's current buffer overflow in which you can pass a path on the command line that's more than 1020 characters and you will cause the overflow.
:O)
I confused this with zlib's problem and hence my claiming that zlib had an overflow.
I was wrong and I realized this a few minutes after posting. D'OH!
Anyway I still hope that my post helped someone to understand what buffer overflow's are about, even if it doesn't apply to zlib at present
--
Garett
Actually the stripping of the copyright notice from the bianary was a source of sore contention.
"Some of us don't care how the OS works as long as it does. "
Of course, but the issue only exsists at the point in time where it *doesn't* work, at which point the "welded-shut car hood" system goes to crap.
Also a concern is not just if the OS does what I tell it to, but what else its doing that I can't tell it to stop doing...
rpm-rebuilder
Got time? Spend some of it coding or testing
There are more than 10x as many OSS projects with more than 100k installations in the field than there are M$ products in the same boat. There are more than 100 distinct OSS products (not counting libraries and such, but including games) installed on this Mandrake Linux box which see use at least once a week, and it's doing nothing special. How many copies of Mandrake Linux are there in the field? Now add in packages unique to RedHat, SuSE, Debian...
Got time? Spend some of it coding or testing
If spending money is not a liability, then why are you complaining?
Money doesn't grow on trees, people have to work for that money. Spending money to buy a piece of software is therefor, a liability. Why is it a liability to m$ to have to work or spend money, but not to people? You seem to have this view that anything that stops you from getting money or that makes you have to work is a liability, since all that money comes from some magical pipe dream in the sky, just waiting for you to collect it.
It's an awfully slippery slope from GPL to Apocalypse. Don't be dramatic. All software is NOT open source. You could never have all software open source.. or all software closed source. You would have to make one of them illegal first, and there would still be underground OSS people. The only person trying to outlaw anything is M$ by lobbying lawmakers to stop the GPL, along with their heavy FUD campaign.
There are free parks all over the place. Some are run and owned by the government, others are small and run by their communities respectively. Where I live, we have a free community-run park where people grow plants, vegetables, and flowers. People who use the park have to cooperate and follow the rules, or they can't use the park. Without that punishment cooperation falls apart. It all manages itself with the threat of punishment for defection. The makers of the free park put restrictions on it, after all, free park does not mean "free for all," or free land for the taking, do what you want with it. Another example, the government gave away buildings and land recently via essay contest. They gave the buildings to community organizations, not to McDonalds, Kmart, or M$. If someone comes along and takes the land, puts toll booths in, then no one can use it.
Most people who code OSS have other jobs too. They still have to put restrictions on their code just like any other person. They have a right to license their code, M$ never had a right to their code in the first place, just as we never had a right to M$ code. Since OSS can be used to run a business, it does have economic value, just like "Central Park."
How did we get from one person picking up one envelope to trash-mail picker-upper? People drop their things all the time, some people who find them may choose to ignore or keep them, (Defection,) while some people choose to cooperate. I'm just giving you an example of defection vs cooperation, you changed the example, so now defection would be throwing all your trash all down the sidewalk, the reverse would be if the trash men threw out your trash can with the trash or vandalized your home and dumped the trash all over your lawn. Cooperation would be Not doing those things.
That is only one form of cooperation, (money for product) as I pointed out there are other forms of cooperation. The question is how good are the goods? When consumers buy a product that self-destructs via deactivation; if the computer box is deceptive, or has nothing in it; if the product forces you to pay for all sorts of other tied services, that's viewed as defection.
People make decisions on emotions all the time. When people see a label they feel good about, they may think there is equity in that product because they see it all over the place and are familiar with it. The cheep, no-label brand may be viewed with suspicion even though it may be better and cheaper.
Money is not what makes people cooperative, it's the ability to punish the free-rider, the threat of punishment; and the removal of anonymity, so that everyone knows who the free-rider is. Without these things, cooperation falls apart.
What you fail to understand is that cooperation takes two people; a business can defect too. Enron is a defector, M$ is also a defector. It has nothing to do with how much money bill has, but how he got it, through lies and deception. With the Iterated Prisoner's Dilemma Tit-for-tat is the best strategy. This means consumers need to defect to other platforms or find a way to punish m$ in the courts.
And so would everybody who has to reinvent the wheel every time M$ changes their closed source OS, closed document formats and interfaces, etc, etc.. That was the point of OSS, you don't have to reinvent the wheel. How is m$ any different when they put must-abide-by restrictions and limitations on their code?
I never mentioned M$. You seem to be on the defensive for them so forcefully. Do you work for them? My point is how can you complain about rewriting, e.g., GPLed code when you never wrote the code. That's like complaining because you can't "do nothing," and have a product in the end. People who are constant defectors sometimes end up wasting away in jail, but they can only blamed themselves, not the people they stole from. I should have said: The punishment for never having written a compression library, is "paying someone to" write a compression library.
"Let not him who is houseless pull down the house of another; but let him labor diligently and build one for himself, thus by example assuring that his own shall be safe from violence when built." -- Abraham Lincoln
That's amazing! Where are these numbers? Just Curious.
Software has greater value if it is high quality. The monetary concept can be a distraction where people start to demand money over quality, a model where the bottom line is all that counts, getting that vapor ware out the door, all bugs included. Some companies turn un-ethical when they realize they don't have to do anything at all, they could just gain from the money invested by others, and can take without giving, like Enron and as I said with vapor ware.
Your concept is that monetary value is the only value and it is wrong. An antique may have a higher monetary value because some crazy person collects them, or may have no monetary value whatsoever, yet someone may never part with it.
PS - M$ is saying OSS is bad, and BSD is the only good OSS, yet they're not even licensing their code under BSD, instead, they came up with this Shared Source that is afflicted with most of the same things they are complaining about under OSS. If BSD is so good, then why don't they use it? The message is: "BSD is good for our competitors." Anyone who takes advice from M$ on what to do with their code is naive. And lets see the taxes billy g has paid?! He doesn't, he just gets tax free stock options. Lastly, Scarcity and Artificial Scarcity are not the same thing.
http://www.newscientist.com/news/news.jsp?id=ns
http://www.nature.com/nsu/020107/020107-6.html
http://www.thegamesjournal.com/articles/Aggress
See also: The Voter's Paradox, The Volunteer's Paradox, The Prisoner's Dilemma, and The Tragedy of the Commons.
It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.
Are those our only options?? We have to like all the bad things that M$ does and focus on only the good, or we can't ever complain or have any opinion at all? Is there ever any time that we can in fact, complain? If they do 3 bad things and 3 good things do we have to just let them do whatever they want?
"M$ destroyed the econemy, the software market, netscape, Java, etc... But they did that ONE good thing. Come on! That one good thing??? Huh?? One good thing?? We simply Have To let them go."
No, [M$] is using legally licensed code in their operating system, which happens to be BSD licensed. They are on an anti-GPL crusade, which is largely different. Get your facts straight.
M$ is against "OSS because it's viral" because they can't take without giving. They say "The least viral is BSD" because they CAN take without giving. Then they come out with Shared Source. Show me that M$ license that you can take without giving? Shared Source is not it. There is no relevant difference between Shared Source and GPL.
Microsoft is saying: "Don't use GPL, it's communism. Use BSD instead."
How is GPL communism and BSD not?! Is M$ opposed to communism in favor of socialism?!
It's like saying: "Killing is wrong because: Thou shalt not kill... But if you do, let me be the one who does the Killing. Other wise, it's wrong."
It's one thing to use BSD code, that's fine. But it's another to say "No one should put restrictions on their code except for me, because that's, like, communism." M$ is rationalizing again, and poorly.
So, Get YOUR facts straight.
A liability is something that drains your money. An asset is something that brings in money. Money is used to trade goods. In the old days people would make things and trade them. If I make a chair and you make a log of cheese, I can trade my chair for your cheese. Today we use money for trading of services. I work at the chair factory and you work at the cheese factory but we trade money. When one buys a product, they want to get it for the least amount they can get it, and conversely, the seller wants to sell it for the most amount of money they can get, because you are trading labor for labor. It goes both ways -- people value their labor. Spending it IS a liability.
Well, we could certainly give value to air and make people pay air tax, this would produce jobs, and money will magically materialize, since, as you said, society having to spend money is not a liability.
I hope that example shows you that you're wrong. When society needlessly has to spend money it is a liability. Things have value if people (in the market place) find them valuable. If people aren't willing to pay for your product you can leave the market place. The market has spoken and it said, "You lose." Simple, easy, Market driven. Ever notice how the free market is great until m$ starts losing their monopoly, and then they start crying about wanting to change the rules?
The Federal Reserve controls the value of money. One ounce of gold has use value equal to other commodities on the market that take approximately the same labor expenditure. When they raise the value of gold, the value of money goes down. In a free market, products are supposed to compete via improvements. The better product is rewarded. As products get better, the older products depreciate in value. Good or bad, that's a fact of reality. If you can't make better products, then the value of your software doesn't deserve value. That's what we call market driven. M$ doesn't want to play by the rules, they want to be the Federal Reserve of software. They want to raise or lower the value of software whenever they want to kill the competition, corner the market, or rob consumers. Increasing the value of software means that it will cost more for people to buy it.
You might call it "dramatic," but I call it the future. Read what I wrote to the other guy in the posts above. It's not the end of the world, but it may very well be the end of the consumer computer as we know it. Apple computer is in a very good position right now, as they own the hardware and the software. Once the anarchy takes its toll upon Microsoft's architecture everyone will move to bashing Apple. Why? Because Apple provides a single solution for consumer problems. They will then inherit all Microsoft customers. Forget choice of hardware. That will be long gone. Keep in mind, though, that this is if FSF philosophy becomes the norm. When "average" people start demanding free (no-cost) software. It's a stretch, yes. I do believe it is plausible, though. There is much value in coherent architecture, which I find very lacking in open source land (infact, it's the one thing I hate most about using Linux).
I call it dramatic bullshit fiction.
1. People bash M$ because they are chronic defectors.
2. Apple is not a propagandizing fascist monopoly at this time, M$ is.
3. More free software on the x86 platform would not make x86 platform obsolete, but have the opposite effect. That's one reason why m$-anticompetitive actions had little effect on people switching to Apple.
4. Apple is so isolated because they would be crazy to go up against m$ or suffer the same fate as OS2. I think Apple currently runs *nix software and would obviously choose to run x86 ware, if not for that obstacle.
5. How will FSF philosophy become the norm over night. I never saw any philosophy become the norm ever. It sounds like one argument against gays: "If people are gay then no one will make babies, all humans will die, blah blah." You don't like OSS, You're part of everyone.
6. Then, what are you getting so worked up about? Did you take your medication today?
Yes, it does. But, at what cost to programmers? If a business finds value in a open source program, then they will not pay programmers to build them one. Then programmer jobs will be lost, I'm sure. Should the business be entitled to a free ride? Someone had to spent time and money building the program they are now using. Which leads to the next quote.
Oh, my heart bleeds for the victims of a free market! You're going to have a heart attack when I tell you how the scribes lost their job when someone invented the printing press, Luddite. If programmers think they can make one piece of software and rake in the money for eternity then they won't have a job for long anyway. That's competition for you. Even m$ has to compete with themselves. How many new features can M$ add to a word processor? If people already have office97 they don't need officeXP. One of their bad solutions: software as a service, and Software Activation to help force people to upgrade when their software expires. There's that defection again. People already traded their service to you in the form of $$ for your software and they get a self-destructing product. Nothing! M$ is out of control. Consumers are angry.
You're going to shit yourself when I tell you m$ destroyed the browser market through anticompetitive actions. Netscape is a cottage industry. Please explain to me how it is ok for m$ to destroy the browser market but it's not ok for someone to make a better product? I guess they only like the rules when they work to their advantage. With its open nature, OSS can't be anticompetitive, unless you think that making the superior product is anticompetitive. But then you'd be misunderstanding capitalism or free market.
M$ is again defecting. Instead of playing by the rules and improving their products, they spend all their effort destroying competition any way they can, so they don't have to do anything. It costs less to attack and eliminate software advancement, or launch a propaganda campaign than to actually do work As long as they are a monopoly, they can sit back and still get paid.
Everyone should be able to get a good word processor without spending an arm and a leg, like AbiWord. Why should a business have to spend thousands of dollars on a word processor only to send out letters?! Does M$ want to reinvent the word processor for the next century? Why not just get that out of the way and move on to bigger challenges than office vapor ware. Nothing about OSS is forcing anyone to use it. Everyone in the world is not going to work for free just because one person can.
Downloading OSS software is not defection, it's already free. Taking source code, stamping your name on it, and never contributing back is defection. 'A' is not selling software, they are running a web based store. If they wanted to sell software they wouldn't make it free. 'A' has every right to license their code however they want. The rest of your argument is invalid.
I doubt that. Quality plays a part, but consumers today want features and coherency. Which is why many people will accept a Windows crash every once in awhile. They want to be able to print from any application and use the network from any application. They don't want to mess with configuration and installation details.
People don't accept a windows crash. Given the option, they would choose no crashing. I want to be able to configure whatever I want to, and even if I didn't, I know not a computer that never needs configuration. Windows needs more installation configuration than say, mandrake Linux, as it stands. People have this narrow minded idea that windows is so easy, only because they're familiar with it. Many foreigners will tell you how hard English is, but that's just because they don't know it. A good example of this is Opera. When I first used it I thought it was fast but weird and hard to use. Now I find it the most innovative browser around and can safely say with certainty, Opera has a better interface than IE. It has configurations out the wazoo, and I'm always learning new tricks with it. If you are a power user you need these things. People should not be reduced to the lowest common idiot. The fact that people use such products is not proof they choose crashes, and less features available to them.
In this sense, open source software based on the GPL mirrors the
That's just a slippery slope comparison to frighten people. A mighty claim even for a hypocrite. M$ "puts at risk the continued vitality of the independent software sector," in and of themselves, outside of M$, when they break the law. Why should they get upset if these companies are not going to make any money, ever. Isn't that what M$ wants? Should we punish people who offer free content? Where would the Internet be today? What about public TV or regular TV and radio, with commercials. They work by the same principal of Free content? Public parks, charity, free museums, mp3 musicians etc.
And, M$ said OSS is viral because one can't take without being tainted, yet shared source is viral in that same way. Microsoft gives away its browser and Internet mail client and free e-mail accounts. It must be m$ to which you're referring? M$
Ximian can do whatever they need to. No one is forcing you to use GPLed code. No one ever said that OSS was a get rich quick scheme. If you seek money, use another license. If you can't handle that, you have serious problems.