Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

zlib

how does this compare with Apple's use of GPL code in Darwin? i mean, is zlib used at a low-level, or is it part of MFC?

Re:zlib

[real_b0fh]

who cares.

all that matters is that there are big service packs comin. haha

BSD is dying

[Pi3.142]

* Important Stuff: Please try to keep posts on topic. * Try to reply to other people comments instead of starting new threads. * Read other people's messages before posting your own to avoid simply duplicating what has already been said. * Use a clear subject that describes what your message is about. * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated.

Re:BSD is dying

[toby+w]

what?

whoah!

big HP advert in a box! it's happened!

Seriously? Microsoft use open source code?

[bytes256]

Where do ya think their tcp/ip stack came from...might be BSD...hmmm

Just waiting for the press release...

[Nonesuch]

Any bets on how long before Microsoft issues a press release noting that this is yet another risk of using evil open source and open standards?

Re:Just waiting for the press release...

[Mr+Windows]

ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that it).

Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all it's "added extras").

Re:Just waiting for the press release...

[edrugtrader]

actually i'm waiting for all the open source hypocrits to issue a press release noting that this is yet another risk of using microsoft products

Re:Just waiting for the press release...

[Mr+Windows]

There is the extra risk of using a proprietry product which incorporates OS products. I've fixed (nearly...) all the software on my machine that uses zlib, because it's OS, and I can do it/use someone else's patch and check that it's been done.

How long will we have to wait for a "patch" from MS, and how will we know that it does exactly what it says on the tin? ISTR that the DCMA (if that's the correct acronym) would prevent people in the US reverse engineering any patch to verify that it works, so it's down to testing (insert comment about testing not showing the absence of bugs).

Re:Just waiting for the press release...

[gr3g]

Well then what are we are waiting for? GPL zlib 1.4.4 (is that the right number?) and then if M$ wants to upgrade we will have them! of course this won't work, oh well.

Re:Just waiting for the press release...

It's very interesting...I was talking with the CTO of a company that is partnered with MS and he said in their agreement it says they can't use any OpenSource code in their products. Strange that MS doesn't practice the same.

Oh well .NET is looking quite cool...sad to say it but Linux is dying largely because Java is taking a backseat to this .NET stuff.

Re:Just waiting for the press release...

[jmu1]

I'll bite, but only for a nibble.

The way I see it, Microsoft can't complain b/c zlib will have a fix LONG before they have even thought about patching. They won't have to do near as much work to find the fix... they'll just rebuild.

Re:Just waiting for the press release...

[graystar]

Except they used it. So if they use evil and risky open source software why did they do it?

Re:Just waiting for the press release...

[Ooblek]

Oh please, so its an OS originated bug and now people are already criticizing Microsoft about it. What do you think they are going to do? Release a patch that does nothing just for the fun of it?

I don't think Microsoft could ever look good, not matter if the bug is theirs or not. Hell, the next bug found in any OS software should be blamed on Microsoft. Just because they're there.

Re:Just waiting for the press release...

[wickedhobo]

That's like shooting yourself in the foot and then touting why guns are bad and should be banned.

Re:Just waiting for the press release...

Such a press release would in my opinion be justified. The open source movement certainly feels that it has every right to publicly call attention to security flaws in Microsoft software, even to the extent of saying that such flaws are the result of its closed-source approach to software development. Microsoft has every right to counter this with its own propaganda.

Re:Just waiting for the press release...

[jedidiah]

This bug doesn't alter anything really. This situation is more a success of the Bazaar development model rather than one of it's failure. Due to wide availability of sourcecode, a VAR descovered an esoteric bug while providing tech support for another program.

Microsoft can hurl propaganda any day it likes.

I don't think this situation really gives them a "leg up" in that sort of endeavor.

Re:Just waiting for the press release...

LOL. You made me shoot coke out of my nose.

Re:Just waiting for the press release...

[grub]

actually i'm waiting for all the open source hypocrits to issue a press release noting that this is yet another risk of using microsoft products

The patches for many of the open source products are already out with more to come. Where are Microsoft's? There is a risk.

Re:Just waiting for the press release...

[angel'o'sphere]

again I risk a flaimbater rating :-)
Well, he got a +5 Interesting rating for a realy silly comment. I'm even more wondering that no one is answering to it.


ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that it).

Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + e of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all it's "added extras").


Can you explain what the difference is between open source and GPL in relation to fixing a bug in an open source library?

I would asume you are able to just download zlib and fix it and write a nice email to MS about that fact.

Frankly: the benefit of GPL and Open Source is definitly not that everyone can go and fix a bug.

The benefit is that everyone has the POTENTIAL to do that.

I for my self have not the ability to go and fix THAT bug in ZLIB. I never looked at ZLIB. It will take weeks for me to find the place where the bug is.

Probably you can find the bug. Fine for you.

OTOH there are shareholders, workers and customers who are interested in being able to SELL/BUY the software.

With GPL selling of software is impossibel as long as you are not the OWNER of the software. Like e.g. Sleeping Cat.

Regards,
angel'o'sphere

Re:Just waiting for the press release...

[leonbrooks]

So if they use evil and risky open source software why did they do it?

Oh, it's OK for them to use BSD-ish software, just not for their poor stupid customers who have no brains (else why would they either buy our stuff or trust us?).

Seriously, I'm betting it was desperation. They couldn't get their own stuff to work for love nor money, so they borrowed someone else's brains. It worked pretty well for NT (AKA Digital Equipment Corp's MICA or broken VMS in fancy dress) and for SQL Server. Not so well for Stacker or SpyGlass, but in the end they came out ahead, which is all that really matters to a corporation like that.

Re:Just waiting for the press release...

[Com2Kid]

The idea is that if a product you own uses Zlib and is compleatly opensource, that you can most likely just download the fixed zlib source and the source to the program and compile and have a version of the program that does not have the bug.

Which would mean that you get to avoid any vulnerability periods in your software during which the bug is widely known but there is no security fix for it.

THAT is what open source is all about, if something breaks, even if you cannot fix it, you can download the fixed modual and the original sourcecode and compile it all together with the handy included step by step instructions. :)

Re:Just waiting for the press release...

[Com2Kid]

WindowsNT?

Oh you mean where they actualy PAID some real developers and coders to come in and make a real OS? (as opposed to buying one for pocket change. :D )

Hell, dude, that was a GOOD thing. MS got their heads out of their collective asses for a second and realized that they needed some Real Talent.

Oh and after they ditched the stolen Stacker code the issues with the built in compression on MS systems pretty much went away, LOL!

And hell, at least IE does not use the old Netscape HTML rendering engine, LOL! (would have been nice if in the earlier days IE was a tad wee bit more ... complient though...)

Re:Just waiting for the press release...

Oh and of cource microsoft would not want anyone to develop an exploits for their products, we need to trust them to do their clossed patch right like the have done before....

iis accepts /..
microsoft issues fix
iis accepts hex encoded /..
microsoft issues fix
iis accepts hexencoded hexencoded /.. request
microsoft issus fix and is so pissed of about all the failing http request checking they release a piece of code to accept the incoming conections check the requests and then relay the request to a "real iis webserver"(contradiction in terms) )

The weird thing, there actually are a load of free/open alternative webservers that perform decent on windows especially compared to the amount of mail servers

Re:Just waiting for the press release...

well, MS used the Open SOurce technology, so they only have themselves to blame for not examining it properly! If someone tried to use MS technology they would not have avd the luxory of examining the Source Code.

Re:Just waiting for the press release...

[mpe]

With GPL selling of software is impossibel as long as you are not the OWNER of the software.

Utter rubbish, you can sell GPL software for any price someone is prepared to pay you for it, subject to complying with the terms of the licence. Just that since anyone else can compete with you, trying to make massive profits will typically put you out of business.

Re:Just waiting for the press release...

[ergo98]

Just that since anyone else can compete with you, trying to make massive profits will typically put you out of business.

Uh, trying to make any profit (or trying to even make a remote amount of your costs) will put you out of business. GPL software cannot be commercialized: It doesn't work.

Re:Just waiting for the press release...

[ergo98]

Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks

Utter bullshit. How would it have "avoided the risk"? The problem EXISTED in zLib (while being a open source product, BTW. Yet another example that the claims of open source bulletproofness is nothing more than a myth), and the reality is that about 99.99% of the public ISN'T (EVER) going to download the new zlib source and recompile their binaries.

Now what they could do is use zlib as a linked library (which is allowed because it isn't GPLd: Yet another vote against the GPL as being a great license), in which case the public could install the new zlib library and everything would be great again. This is actually what many users of zlib on the Windows platform do: Encapsulate zlib as a nice handy, self contained little dll.

Re:Just waiting for the press release...

[leonbrooks]

WindowsNT?

Oh you mean where they actualy PAID some real developers and coders to come in and make a real OS? (as opposed to buying one for pocket change. :D )

No, not exactly. Windows NT was at first spelling-error-compatible with MICA - a variant of Digital Equipment Corporation (aka DEC) VMS - which may just have been a coincidence but for the fact that they hired away the head MICA developer from DEC to do this.

Oh and after they ditched the stolen Stacker code the issues with the built in compression on MS systems pretty much went away

I think that's mostly because people stopped using compressed drives.

at least IE does not use the old Netscape HTML rendering engine

Yah. Terrible shame that M$ don't use Gecko instead, though. Since Gecko's modular, they wouldn't even have to worry about that terrifying GPL business.

Re:Just waiting for the press release...

[Com2Kid]

Except that when IE first came out Gecko wasn't in its current Kick Ass form.

"Recently in the press, there have been a lot of articles about something Netscape calls "Gecko." This is marketing hoopla around two Mozilla projects: NGLayout (formerly known as Raptor) and XPFE. "

---http://www.mozilla.org/newlayout/gecko.html

"Page reorganization: The layout engine used in Mozilla (which is known by many names) started off as a project to write a new layout engine for Mozilla and became the layout engine of Mozilla and the foundation for a nearly-complete rewrite in late 1998. "
----http://www.mozilla.org/newlayout/

In other words, in 1996 or what was to become the Gecko that we all know and love was still. . . . That ol' Netscape rendering engine. ^_^

I'm not sure I understand...

[YoPt]

the real implications behind. I'll proabbly be flamed for just looking for info, but how does this change anything that we have known about MS software being insecure?

Darn!

[sysrequest]

"[...]but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

Darn, and I thought they were caught with their pants down.

But to me it still is interesting that a company that is trying to stomp every competitor, and is spreading so much FUD about any sort of free or open software is using it themselves. (We all knew that, I just thought I'd emphasize it again.)

Re:Darn!

[October_30th]

That's like saying that Microsoft doesn't hate the free market economy. They just hate a free market economy where they can't abuse their monopoly status.

Re:Darn!

[Sanity]

and is spreading so much FUD about any sort of free or open software is using it themselves

If you look at what they have said, they have no-problem with non-viral Open Source software such as the BSD license and the LGPL, they are only worried about licenses that try to spread themselves to cover other people's code (such as the GPL).

Re:Darn!

[swv3752]

If you look at what they have said, they have no-problem with non-viral Open Source software such as the BSD license and the LGPL, they are only worried about licenses that try to spread themselves to cover other people's code (such as the GPL).

So what is the beef with the GPL? Don't want to give away the source to your programs? Then don't, just don't use GPL code in your programs. If they want to uphold thier draconian activation licences, then they have no ground to complain about the GPL. Microsoft is greedy and wants to extend and embrace everything. The GPL prevents them from doingthis directly. That is why they hate it.

Re:Darn!

[Alsee]

they give away a bunch of source to a bunch of stuff (though nothing really good)

&LT Bash &GT
As opposed to the other stuff which *is* really good?
&LT \Bash &GT

-

Re:Darn!

[kz45]

The GPL prevents them from doingthis directly

No, it prevents the draconian GPL license from embracing and extending their work.

I seriously doubth they would want to use GPL'd source anyway..most of it is attempted replications of proprietary stuff that MS created.

Re:Darn!

[leonbrooks]

I seriously doubth they would want to use GPL'd source anyway..most of it is attempted replications of proprietary stuff that MS created.

Where's `OS Bob' then? (-:

Seriously, most of it is attempting to make stuff work that Microsoft implemented in a broken way. And in general it succeeds rampantly. (-:

Re:Darn!

[kz45]

And in general it succeeds rampantly. (-:

This is more of the exception than the rule.

Re:Darn!

[mpe]

So what is the beef with the GPL?

They only like copyright to work in their favour..

Re:Seriously? Microsoft use open source code?

[ZaneMcAuley]

Whoops, considering they advise not even reading open source for risk of integration of the code into their codebase and risking breach of the license.

Re:Seriously? Microsoft use open source code?

[T5]

No way. M$'s doesn't perform well enough to have come from BSD.

Re:Seriously? Microsoft use open source code?

[Axe]

It seems to be not the cae since Windows 2000 - did not they redo the stack for it? Am I right?

Re:Seriously? Microsoft use open source code?

[1g$man]

Wrong. They advise not reading GPL code, not open source code.

That is quite a big difference.

If we can't see MS's source

[darnellmc]

How do we know they never used GPL'ed code anywhere?

Re:If we can't see MS's source

You don't, and you never will know.

That's one of the neat things about GPL'd code. It can't just be pulled in fullcloth and made something you sell, but you can easily incorporate parts of it, after scrubbing off mention of the GPL, that copying.txt file, and doing some global search-and-replace on some trivial structures. Use a little different calling/passing method for a few of the routines and it's YOURS.

Besides, once the IP radicals have forced copyright to be a short-term thing, say seven years, all the GPL'd code older than seven years will magically become public domain anyway.

Re:If we can't see MS's source

[Stonehand]

Quite a few people can, at universities and other sites. They just need to sign NDAs, that's all. Also, given that they take several hundred interns per year, and they aren't all fanatical Gates fans, there's a fair bit of opportunity for internal leaks as well.

Re:If we can't see MS's source

[Mr+Windows]

That's OK in principle, but how can anyone who looks at a piece of code know whether it really was written by MS or was GPLed with the serial number (erm, copyright notice) filed off? MS removed the copyright notice of zlib, according to the article, so it's not beyond them to do that with a piece of GPLed code. Not that I'd ever suggest that they'd do such a thing, but it's obviously very hard to check for plagarism (unless MS put all their code through turnitin!).

Re:If we can't see MS's source

The same way we that we can determine wether a piece of GPL code was original or copied off someone else, perhaps MS. And was it not Redhat who were recently found out to have taken BSD code and filed off the "serial number (erm, copyright notice)"?

Re:If we can't see MS's source

That's it ... fuel the fire with speculation, conjecture, and fiction!!! Always makes for a good argument. You should be a lawyer!

Re:If we can't see MS's source

[Cyno]

Because that would be illegal, to use GPL'ed code for commercial use and not release the source. But I'd love to see Microsoft write their own OS from scratch the way GNU did. ;)

Re:If we can't see MS's source

[telstar]

Here's the quote from the article:

"For the library, the only license requirement is that a copyright notice be included in the program source-code, if released. Microsoft, which rarely releases source code, didn't need to include the string in the company's programs, but zlib creator Gailly wishes the giant gave credit."

Since they didn't release the source code, they didn't violate the license. End of story.

Re:If we can't see MS's source

If I planned the world's greatest party, but no one showed up, does it matter how good my planning was?

Consider that before the next time you compare a hobby OS to an actual industry that puts food on tables.

Re:If we can't see MS's source

Um, not an MS fan boy but...
They did write their own OS. It's called
Windows NT/2000/XP.

Re:If we can't see MS's source

You're missing the point, the original code is not talkin about MS using zlib, but asking how can we know if MS uses GPLed OpenSource in general. R

Re:If we can't see MS's source

[panaceaa]

"Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products."

"Craig Mundie, senior vice president of Microsoft, said last May. '(There) is a real problem in the licensing model that many open-source software products employ: the General Public License.'"

This really makes you wonder if Microsoft's stance against the GPL is really about getting more code from the open source community to use in their own projects. If there was a public backlash against the GPL, the community may feel pressure to change to other license models, and Microsoft could get more of code for their projects written for free.

Re:If we can't see MS's source

[Wolfier]

Does it matter?

If I want to use GPL code in my program without releasing, I can just

1. write a library wrapping up your GPL proggie
2. link to the library dynamically from my proggie

All I have to release is the source code of the wrapper library. Well, at least it is true in GPL V2.

Re:If we can't see MS's source

We don't, but it would be extraordinarilly stupid and extremely unlikely.

Why use GPL code when there is so much BSD code available to "borrow?"

MS =does= hire an IP lawyer or two.

Re:If we can't see MS's source

I understood the point ... but the author of that post contradicts himself. He says:

it's not beyond them to do that with a piece of GPLed code

He implies that Microsoft DOES use GPLed code ... but follows it up with

Not that I'd ever suggest that they'd do such a thing

Yet he just did. I caught the sarcasm ... but Given that Microsoft has a corporate policy forbidding the use of GPLed code, the assumption that they do use GPLed code is equivalent to any other unsubstantiated claim, and has no basis in fact.

Re:If we can't see MS's source

[jedidiah]

The proper term is REACTIONARY, not radical.

Copyright was originally a short-term thing.

Re:If we can't see MS's source

You mean GPLed code like this?
http://www.microsoft.com/Windows2000/interi x/
And yes, Microsoft does give access to the source.
So saying "Microsoft doesn't use GPLed software" is false. Which of course makes Bill Gates and the rest of the PR teams FUD about the GPL all the more ironic.

Re:If we can't see MS's source

[Cyno]

Do you mean no one working for RedHat eats food?

Re:If we can't see MS's source

[dossen]

They release sourcecode (if I remember correctly they have cds of it)

Re:If we can't see MS's source

[Stonehand]

Interesting. ISTR that the LGPL was originally for that purpose -- to allow you to link with GPL'd code without needing to GPL/LGPL your own code.

Re:If we can't see MS's source

[MarkLR]

Won't giving the source code to a university be considered releasing it? It would be fairly easy for someone with access to the code at one of these universities to report if the code contains the zlib copyright.

Re:If we can't see MS's source

[thogard]

I suspect MS used quite a bit of GCC since version 5 of their C compiler had many of the some of the same optimization bugs as GCC. Anyone got access to the source for the old versions of MS C?

Re:If we can't see MS's source

Interix is a software package that was developed and originally distributed by a company called Softway Systems. They received under NDA, the NT kernel source, which allowed then to produce Interix, which is a rather nice Posix subsystem that runs on top of the NT kernel. It runs alongside the Win32 subsystem, the Win16 subsystem, and the OS/2 V.1 subsystems.

It comes bundled with a lot of Unix commands and tools, some of which are GPL'd. It even comes with a version of GCC, X11R6, and Motif, ported to run native on NT, W2K, or XP. In fact this means that properly installed and configured, I am able to rsh into my NT box and open an XTerm, and display it on any other X-enabled desktop (including Exceed, if I want to run X apps native on NT).

This is a cool product, and it's still available for about $100 from Microsoft.

As I said, the product was all developed by Softway Systems, and Microsoft bought the company. Microsoft does not use GPL'd software in their main product line. The accurate thing to say is that Microsoft is a reseller of some GPL'd software, and that they include access to all the source code therof.

Interix is a way cool product. It's loads better than Cygwin, which is a kludge .DLL product that runs on top of Win32, not as a separate native subsystem directly on the NT Kernel. Shortly before Microsoft bought Softway Systems, the management of Softway put out a call to the Open Source community asking them if they were interested in Interix being open sourced in some fashion. As far as I know very few people answered his call.

Re:If we can't see MS's source

[pauljlucas]

Actually, MS (or anybody else) can use GPL'd software and not have to disclose source if they get a separate license from the original author who is free to grant licenses at will.

Re:If we can't see MS's source

[turgon]

>Won't giving the source code to a university be considered releasing it?

No. Releasing it means no restrictions, and anyone can download it/look at it. They only leyt some universities/companies see some of the code, and then only after they legally obligate them via NDR.

Well, duh.

since zlib is not GPL'd they are under no obligation to release the source code to any of their products.

Gee, well duh.

'Since Bill Gates office is not within the boundaries of the Cleveland zoo, he doesn't have to pay admission each day to go to work.'

I mean, what does 'obligation to release the source code' have to do with anything? Is this going to be one of those 'flog any non GPL license' discussion threads?

Re:Well, duh.

[Chris+Burke]

Well, I could hope that maybe the reason is that lots of people might be familiar with zlib, but not know that it is under a non-GPL free software license, and they were just trying to stave off "Does Microsoft have to release their code now?!" type crap...

No, I don't think that's true either.

Tally anybody?

[ILikeRed]

I wonder if anyone is keeping a running tally since the security initiative started???

Here is another bug with the MicroSoft SQL server. They've got overflows in their stored procedures. No fix, but you can delete the files if you can live without them....

Re:Tally anybody?

[Mr+Windows]

How long is the security initiative? ISTR "one month with no new development" to concentrate on security. Of course, it's daft to think that you can turn a large organisation which concentrates on adding lots of features into an organisation which concentrates on absolute security in products and processes in a month, the training issues alone prevent that being realistic or effective.

Re:Tally anybody?

[Sam+Jooky]

*BZZZZT*

You used the acronym 'ISTR' twice already. Please stop using it as you confused my little brain which didn't immediately recognize it and then forced me to sit here saying things like:
"I see that really ..."
"I say to Randolph ..."
"I suck toes righteously ..."
...
"I seem to recall!"

:)

sapienza

oh goody

[smack_attack]

Time for today'$ round of +5 Funny Micro$oft ba$hing (I u$e the $ in$tead of a 's' to $ymbolize that they are an axi$ of evil computing, no one has thought of this before me. HAHA!)

Re:oh goody

[NanoGator]

Heh yah I've noticed that. It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.

Re:oh goody

[smack_attack]

Yeah, I've got plenty of karma to burn as well, so those mods who feel it's appropriate to mod me down because I don't march to the drums can kiss my ass.

BTW, I use XP on my desktop and I love it. I use Debian on my servers and I love that too. Windows does not fit well on a server just as Linux does not fit well on the Desktop, why can't people understand that?

Re:oh goody

[pyrrho]

> have never spent time with Windows 2000.

I'm sure this is a typo. You must have meant "did time".

Re:oh goody

[Chris+Burke]

I use Win2k on a daily basis and I hate it. But I take comfort in that my main workstation is a linux box, and the win2k box is there just because I'm porting code at the moment. But yes, I have spent much time with win2k. Much like a venereal disease, intimite knowledge of the subject doesn't make me want to bash it -less-.

Re:oh goody

[Alzheimers]

Heh yah I've noticed that. It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.

I'll be more than glad to cheer when MS does something good. Wake me up if it happens.

ZZzz..

Re:oh goody

[geekoid]

Well, I spend time with 2000, and its almost as good as kde and gnome.
And i've only got to crashes, which cause the machine to auto-reboot.
To have a really crappy product(s) then releasing something thats better doesn't mean the new thing is good, just not as crappy.

So what, exactly, has MS done thats good?

Re:oh goody

[geekoid]

First off, its nice to know you'll stand up for what you think only if you have karma to burn. i.e. nothing to lose.

I won't use XP, because I don't trust it, at all. I'd like to see MS put together a nice OS thats trustworthy to me, not to the varies media orginiations, not to MS, to me.

Re:oh goody

Microsoft did something good a long time ago. The PC-speaker sound driver for Windows 3.1. That... kicked... ass.

Re:oh goody

[NanoGator]

People have a stigma that there should be one solution to every single problem out that. It's like that in the 3D space. There are purists that believe that when you 3D render a scene, the image must be perfect when they go to hit the render button. They don't undrestand that it is okay to divide up your 3D work into layers and tweak each one of those seperately (i.e. color correction or sharpening). I guess they feel that the render program should be a 'perfect simulation of light' and that they shouldn't have to 'fix an image'. They fail to see that the best simulation of light we have (reality) even needs to be touched up from time to time.

I think there are anti-ms people who think that becaues IIS is insecure as a webserver, that MS themselves should die. There are people of the Linux world that wishes everybody would use Linux and forget Microsoft. They fail to realize that the adoption of Linux isn't slow because of MS, it's slow because it's not beating MS at doing what they like to do.

There's room in this world for both. If Linux becomes what Windows is in terms of usability, it will be every bit as bloated as MS. Don't believe me? Look at Redhat. Their default install wants to eat up a gig of space. Granted it comes with lots of apps, but it has its share of bloat too.

In any case, this isn't an anti-Linux/pro-Microsoft rant, this is more of a 'Be happy to have what you've got' rant. If MS disappears, what will fuel the fire to make Linux better?

It's in everybody's best interest if Microsoft does well, believe it or not.

Re:oh goody

[NanoGator]

I can imagine porting code being a pain in the ass. I know MS's API is a little weird, and I can certainly understand you having issues getting down that deep into it.

Where I come from is I use Win2K for doing 3D animation. A lot of people I know doing 3D stuff are running on Win2k. We have to rely on a machine constantly rendering overnight, over weekends etc, and we cannot afford to have it crash. I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.

I've witnessed a number of Win2k machines of a huge variety of hardware (i.e. not custom made all from one provider) render for many many hours at a time and never crash. I have never lost rendering time to a Windows 2000 problem. None of my artist friends have ever complained about that.

Seems to me if a program can use so much Windows resources for so long and still behave properly, Microsoft must have done something right.

Re:oh goody

[smack_attack]

Windows isn't for everyone. It's built from the bottom up (meaning it's targeted at the lowest common denominator user). For you, I'm sure that a trustworthy OS is one that you can pick apart and see the guts of... AND THAT'S FINE! I'm not saying that Linux is better than Windows or vice versa, I'm simply saying that some people don't care how their OS works and what dependency tree they need to check if they want to install an update for their laptop speakers. It's about ease of use versus lookig under the covers. Some of us don't care how the OS works as long as it does.

Re:oh goody

[urmensch]

maybe because I use linux on my desktop and love it much more than XP and 2K, which I have also used.

to each their own!

Re:oh goody

[Jondor]

Actualy I do, at a rate of 2 BSOD's a week.. Of course that's only for unimportant "work related" stuff. My home system runs linux and hasn't been unvoluntairly down for a real long time now.. Neither have the systems which run my websites and databases..

Re:oh goody

[NanoGator]

"So what, exactly, has MS done thats good?"

What, you mean besides using Windows 95 to make the appeal of computers so broad that nearly everybody has one? Or maybe bringing the internet out of the geek neighborhood and out into the main stream? Or how about making an OS that can install on such a broad range of hardware that you can cheaply put together a system running Windows?

Did MS do this singlehandedly? Nope, I'm not saying that. They were instrumental in it though. Despite how much everybody hates to admit it, Windows 95 had a HUGE part in making computers as broadly supported as they are today. I remember when having a computer meant you were a nerd.

Did MS use illegal tactics? Yep. They've done shitty stuff. They've made shitty products. I'm not disputing that. But they're not entirely bad either. As a matter of fact, it's MS's shortcomings that are making people fight to make Linux as a replacement to MS.

You can hate MS all you want, more power to ya, but if you're successful in the IT industry, MS was probably instrumental in that either directly or indirectly. No Microsoft? Computers = toys for geeks.

Re:oh goody

Its more like parole. You aren't completely free, but it a hell of a lot better than being locked up.

Re:oh goody

[Spider[DAC]]

People have a stigma that there should be one solution to every single problem out that. It's like that in the 3D space. There are purists that believe that when you 3D render a scene, the image must be perfect when they go to hit the render button. They don't undrestand that it is okay to divide up your 3D work into layers and tweak each one of those seperately (i.e. color correction or sharpening). I guess they feel that the render program should be a 'perfect simulation of light' and that they shouldn't have to 'fix an image'. They fail to see that the best simulation of light we have (reality) even needs to be touched up from time to time.

no. This "tewaking" only means that they have -failed- to get the correct result from their scene description in the first place, and that they must resort to manually tweaking the result instead of actually going back and modifying what was wrong in the first place.
You can and should modify your lightsources whenever you render something, because a 3D rendered scene is just that, 3D rendering. NOT a so called "perfect simulation of light" because that is left to the creator of the scene.
it is the scene creator that has to make sure he gets his lighting, world and all other factors correct for the desired result.


Bah. Paintbrush artists.

Re:oh goody

[NanoGator]

"no. This "tewaking" only means that they have -failed- to get the correct result from their scene description in the first place, and that they must resort to manually tweaking the result instead of actually going back and modifying what was wrong in the first place."

Err okay. It's not a black and white situation. 3D programs do different things than 2D programs do, and its silly to limit your toolset by expecting it to come out of the renderer perfect.

Getting back on topic, it's like complaining that Windows 2000 is a crappy 3D workstation because it sucks as a webserver . The truth of the matter is that there isn't one grand unified solution that works for every little thing. Me personally, I'd rather use a Macintosh for my mobile needs, Windows 2000 for my 3D Workstation and gaming platform, and Linux running Apache as my web server, and Linux again as a mailserver.

Re:oh goody

you must have pretty crappy hardware. Unless you are using faulty memory, overclocking/overheating your CPU, or very sloppy drivers you should never experience any blue screens in a NT-based kernel OS (NT4/2K/XP). sorry to bust your bubble but linux will also display similar behavior in what's known as a 'panic'.

Re:oh goody

[TummyX]

So your W2K box crashes 2 times a week and you haven't fixed it? Have you even tried?

My W2K server has been up 196 days and counting. I've NEVER encountered a BSOD on my XP notebook.

Perhaps you should try upgrading your drivers to MS cerftified ones.

Re:oh goody

[uebernewby]

I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.

Maybe, just out of curiosity, you should try one of the newer distros - SuSE or Mandrake are laughably easy to setup nowadays. Pop in the cd, tell it what kind of hardware you have, done. Although I must say I agree with you that if you're looking for a platform to do 3D, image processing, video or audio on, Win2K is probably a better choice.

Re:oh goody

There's room in this world for both.

It would be nice if that were true, but in Microsoft's world view, there is room for only one operating system. If free software does not vigorously compete with MS, it will be marginalized to the point of uselessness under heaps of proprietary protocols and data formats.

Microsoft is not a good citizen and alternatives will not be safe until MS loses large chunks of their markets. That is just the way it is.

Re:oh goody

[NanoGator]

I just wanted to respond and let you know I appreciate the tone of your answer. I've had a couple of people recommend SuSE, and it's on my list to try.

Again, thank you for being civil.

Re:oh goody

[NanoGator]

I think you're right there. I can't help but wonder if the new file system they announced is intended to keep people from dual booting Linux boxes. How much ya wanna bet that Lilo doesn't work with it without some kind of patch?

The good news is that every time MS closes a freedom with people (like XP requiring registration, or a security flaw in their software), Linux has an opportunity to be more attractive.

Re:oh goody

[jedidiah]

I've been NT since '94. It peaked with 3.5.1 and has been downhill from there. I've spent plenty of time with NT5. It is my workday OS. I even had dellusions about improving the computing condition of my family members by subjecting them to it.

It either failed to live up to immediate requirements or failed to live up to the performance of it's DOS based predecessors in daily use.

The problem with Microsoft is that it's main focus is not technology but market domination. Technology is a far distant second (or worse) and merely a means to and end for them.

What makes Bill a better megalomaniac doesn't necesarily make for a better product.

If GNU, software development sloth encarnate, could sneak up behind Microsoft then there are some serious problems out there in Redmond.

Re:oh goody

[jedidiah]

Win95? Apple achieved better 11 years earlier.

The whole "random collection of spare parts" thing has still yet to be completely managed by Microsoft. They still screw it up often enough for Linux to be in a position to recover the situation.

Microsoft deserves NO credit for PC hardware compatibility. The hardware usability standards were pioneered by Intel and Apple and only grudgingly adopted by Microsoft.

It's the hardware vendors MANUFACTURERS that make installing new hardware on WinDOS easy.

No, Microsoft wasn't the one that make computers more than "toys for geeks". That credit goes to the developers of the Web and early web browsers. THAT is the killer app that pulls in the sixpack family.

Microsoft was late on that technology too, and had to muscle it's way into marketshare when they finally got off of their posteriors.

Re:oh goody

What have they done that's good? Are you flipping insane? One word: DirectX

Re:oh goody

[An+Onerous+Coward]

"If Linux becomes what Windows is in terms of usability, it will be every bit as bloated as MS. Don't believe me? Look at Redhat. Their default install wants to eat up a gig of space. Granted it comes with lots of apps, but it has its share of bloat too."

You can't compare the bloatiness of XP and Red Hat 7.2 by simply comparing how many megabytes each chews up. You have to find some sort of bloat/functionality metric. In such a comparison, I think that any Linux distro would win handily.

When you install either OS, you're also installing a lot of auxillary software. Red Hat gives you a C/C++ compiler for free, while you would have to buy VC++6 from Microsoft. Red Hat includes an IRC client, which is a separate download under Windows. Red Hat gives you more text editors than you can possibly be interested in (joe, several variations of VI, Emacs and XEmacs, gEdit, NEdit, Abiword, Kate). You even have the option of installing StarOffice 5.2, free. With MS, you get Notepad, Wordpad, and EDIT (command-line). And last I heard, Notepad *still* had that 64K limit, which is simply braindead. Red Hat gives you TuxRacer, while you would have to shell out $50 for Microsoft's HALO. :)

Finally, the docs that ship with Red Hat are probably way more thorough (though less organized) than anything Microsoft gives you.

The point is, if you can see where the bloat is coming from, then it really isn't bloat. Most Linux distros have big installs because they provide a lot of different utilities and a lot of documentation. I'm hard pressed to figure out where the bloat in Windows comes from.

"It's in everybody's best interest if Microsoft does well, believe it or not."

If, by "does well," you mean "continues to exist, continues to improve its software, and continues to provide incentives for competitors to improve theirs" then I fully agree. If you mean, "continues to pursue Complete World Domination(TM), continues to lock customers into proprietary formats and solutions, and continues to force customers along expensive upgrade paths," then you would be wrong. Microsoft has its place in the world, I'll agree. But that place is not the center of the world's information economy.

Re:oh goody

[NanoGator]

I don't think we have compatible definitions of the word 'bloat'. When I used it, Red Hat (KDE) had so much going on it was difficult to track down very specific items. It was slow to repond, and flat out frustrating to use. Windows 2000, on the same machine, was much more responsive. That's either bloat or inefficiency. When Windows takes too long to access the registry, that's sometimes considered bloat. Programs take up too much space (70 megs to download Star Office, for example...) is considered bloat. For me, Windows 2000 is the OS of choice on this machine. If I had the "It's cool to hate MS" attitude and went with Red Hat, I woudln't be any better off. I'd be hurting myself, and that was the point I was making.

" If you mean, "continues to pursue Complete World Domination(TM), continues to lock customers into proprietary formats and solutions, and continues to force customers along expensive upgrade paths," then you would be wrong."

I disagree. Let's talk about proprietary formats for a sec, those aren't 100% bad for everybody. Although I realize this can be used to leverage a monopoly, there's a lot to be said for having a format that MS can diddle with. This gives MS some room to innovate. MS invented the .DOC format, right? Well that proprietary format keeps other people out, that's true. But it also allows MS to make changes and make the format do more. Look at what a .DOC file can do that a .TXT file can't. You can attach other files inside it, format your text, etc. If MS was adhering to a standard like HTML for example, how would they be able to innovate without bending it towards proprietry at some point?

When they do this, they create an opportunity for somebody else to come in and make a better format. When Unisys tried to make people pay for using .GIF files, the .PNG standard was developed. .PNG Is a totally kick ass format for us artists who need lossless compression and alpha channel support. This format came around BECAUSE somebody tried to strangle a format they owned.

Long story short? Every time MS tries to leverage their monopoly, a new opportunity arises. Embrace that philosophy, because that is exactly the type of thing that will make Linux a big player out there.

Re:oh goody

[robhancock]

BTW, Notepad does not have a 64K limit in Windows NT4/2000/XP..

Re:oh goody

[Chemicalscum]

Bloat is not how many Gigs of hard drive you need to install all packages - on this basis Debian would be the most boated release ever. Bloat is requiring ever more RAM and ever faster CPU's to run an OS and a reasonable set of apps. On this basis while Linux does seem to be following the same increasingly bloated path as Windows at least you have an option of running a lean system with a windowmanager or light desktop environment such as Windowmaker or XFce respectively. However I have given into bloat - at home away from this goddam Windows machine I run Gnome.

Re:oh goody

[civilizedINTENSITY]

"Some of us don't care how the OS works as long as it does. "

Of course, but the issue only exsists at the point in time where it *doesn't* work, at which point the "welded-shut car hood" system goes to crap.
Also a concern is not just if the OS does what I tell it to, but what else its doing that I can't tell it to stop doing...

Wasn't this partly on fault of glibc?

I thought the bug was caused by glibc, which made the bug worthless on non-glibc systems.

Checked out the new (A)nal (C)unt CD?

[JohnDenver]

Has anyone ever noticed that Amazon dotcom lists (A)nal (C)unt as just plain vanilla AC?

What would AC/DC mean then? (A)nal (C)unt or (D)anal (C)unt?

You thought I was going to say (D)ick (C)unt, huh? The reason I came up with Danal can be attributed to a cigarette brand. Have you guys ever seen the brand, Doral? I know it ryjmes with Coral, but I always pronounces it Oral plus a D. Hence, Danal, the only suppository cigarette.

Share the idea with a really drunk buddy, and he'll pee himself.

So now I have 50 karma, might as well turn troll...

In other words

So in other words, Microsoft software sucks because of Open Source. Did anyone NOT see this coming?

Re:In other words

[DA-MAN]

No, Microsoft sucks because they've been on an anti-opensource crusade and are using open source in all their products. It's the hippocricy(sp?).

Re:In other words

[nickynicky9doors]

maybe... try 'hippoCrickey' this is the sound the happy hippo hunter from Australia makes when successful in his hippo hunt

Re:In other words

[kz45]

No, Microsoft sucks because they've been on an anti-opensource crusade and are using open source in all their products. It's the hippocricy(sp?).

No, microsoft is using legally licensed code in their operating system, which happens to be BSD licensed.

They are on an anti-GPL crusade, which is largely different.

Get your facts straight.

Re:Seriously? Microsoft use open source code?

[larien]

I get the impression that 90% of the world's operating systems (including Windows and commerical versions of Unix) use some code from the BSD TCP/IP stack. Of course, the BSD license is more forgiving than the GPL regarding source code, this isn't a license violation.

Of course, having everything derive code from the same source is a risk; isn't this part of the reason the ping of death was so much of an issue?

Re:Seriously? Microsoft use open source code?

[Jinky]

You'd be right :), starting with Win2k, and in WinXP, they're using basically Unix TCP/IP sockets. Must admit that it does work much better than Win9x for network connectivity.

This wouldn't have happened...

[bourne]

...if the government hadn't worked so hard to limit Microsoft's ability to innovate.

:P

Re:This wouldn't have happened...

[rusty0101]

I beg your pardon, this looks like the same level of Inovation microsoft has been doing since Day one.

port basic
buy qdos
borrow from Apple and Xerox
borrow from BSD
borrow from open source.

....

-Rusty

Re:This wouldn't have happened...

if you released your butt cheeks a little you'd realize that the parent to your post was using the literary technique called "sarcasm".

InstallShield

[sharkey]

InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

Re:InstallShield

[DebtAngel]

InstallShield is now a GUI for the Microsoft Installer, which is most certainly a Microsoft product.

Using Microsoft Installer is a requirement to get the official "designed for Microsoft Windows 2000" sticker on your product, and I assume its the same for XP. Wise also has a front end to the Installer system, IIRC and FWIW.

Re:InstallShield

[ChrisDolan]

Similarly, IE is not written by Microsoft either. It's alien technology. It was discovered by a MS coder who stumbled on a crashed spacecraft while hiking in the woods in the mid-90s. Using him as a vessel, the program infected the Windows codebase and has grown since then, digging it's tendrils deeper and deeper into the system.

So when MS says they can't remove IE from Windows, it's true.

Re:InstallShield

[lseltzer]

So what? InstallShield is not Windows Installer. The article doesn't say that the problem is with Windows Installer, it says the problem is with Install Shield, which is not a Microsoft program.

The article is obviously wrong about something: either the problem really is with Installer or it's with InstallShield and shouldn't have been mentioned, since it's not a Microsoft product.

Re:InstallShield

I HIGHLY doubt that Windows Installer uses
any zip technology. As far as I know it uses
their version of .zip files, .cab files.
The Installshield mixup is just that, most
reporters/journalists don't know squat about
computers. If you know anything about computers
and know any people who know nothing about
computers, then you know what I mean.
They(the people who know nothing) seem to
think you will about anything that has to do
with a computer.

Re:InstallShield

[metacell]

Was that the spacecraft presumably lost in space after an ALGOL 60 programmer typed a comma instead of a dot?

Re:InstallShield

[Tsujigiri]

So when MS says they can't remove IE from Windows, it's true.

Actually they can, it's just that The Beast won't let them...

Re:InstallShield

Hence microsofts own installer called "microsoft installer" (remmber? the .msi files...)

Re:InstallShield

[Skuggan]

With the same reasoning you could say that Windows is an Intel technology, just because Windows is only GUI for the Intel processor.

Re:InstallShield

[armb]

> Similarly, IE is not written by Microsoft either.

Originally, it wasn't, but is there any of Spyglass Mosaic still left in IE?

Redhat stock's in the shitter.

$7 according to one share. That's only $6 more than K-MART!! Haha hahahah. OSS is NOT a valid business model. http://goatse.cx

Win2k news thought...

that they should post this infoworld article this morning. and I quote
Just for some balance, Linux also has its problems. If you actually compare them, the amount of vulnerabilities found in Windows and all Linux flavors combined are almost the same on a yearly basis. So just choose the best OS platform for the application and PRACTICE SECURE COMPUTING.

Oh the irony.

Re:Win2k news thought...

[ghostlibrary]

Argh! Bad statistics alert!

"vulnerabilities found in Windows and all Linux flavors combined are almost the same"

So if I am running RedHat, Mandrake, SUSE, and Debian simultaneously, I have the same number of flaws as a single run of Win2k?

They should either use the average (among linux dists) or the max (ditto), vs Win. Or sum across all current Win flavors (ME, Win2k. maybe NT) to compare against all linux flavors (summed).

Argh!

Re:Win2k news thought...

[Chris+Burke]

I think it would be better to take the -union- of the vulnerabilities across all Linux distributions. This would prevent duplicates being counted (if you did the operation correctly), but would give an idea for flaws that may exist in distros.

Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.

And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.

Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.

not enough bugs eh?

[sydney]

I don't have any idea why MS chose to use the zlib library but it wasn't for "buglessness". MS creates enough of their own bugs they don't need to go borrow someone elses. Of course they didn't know about the bugs at the time, but still, methinks they used the code for less altruistic purposes.

Re:not enough bugs eh?

[DA-MAN]

Hey it could have been worse, they could have contributed to the main project!

We gotta be careful what we wish for. Microsoft using open source with a BSD-style or X11-style licenses is really a godsend, imagine Microsoft code in the Linux kernel...

notification issue

[ethereal]

Here's what I want to know: the zlib maintainers know that their code is heavily used in open source product, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.

It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?

The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.

Re:notification issue

[garett_spencley]

I don't see it as the zlib author's responsibility to notify everyone that uses their library.

I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people who's programs use the library can update it and that's exactly what they did.

Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.

It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.

Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.

Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here.

--
Garett

Re:notification issue

[rasherbuyer]

Xfree statically links zlib un-adulterated, so just recompile with the new zlib code in place of the old.

(I gave up my moderator status for this)

Re:notification issue

[Florian+Weimer]

Some distributors have patched XFree86 to link dynamically against the system zlib.

Re:notification issue

[Florian+Weimer]

It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this.

I don't believe this is true. Look at this list. Many vendors were contacted in advance, vendors of proprietary and free software. However, CERT/CC probably assumed that this is a pure UNIX vulnerability, and did not contact all vendors. (In fact, they should have contacted Microsoft nevertheless, because of Interix.)

However, we can clearly see one thing (if you look at the find-zlib output): Most proprietary vendors do not update their copies of zlib at all. Previous versions of zlib had their problems, too, and yet the vendors didn't care, even though the software was still maintained. Probably they had already forgotten that the code came from an external source. Free Software projects are different here, I guess: New upstream sources are merged in a rather timely fashion.

Re:notification issue

[angel'o'sphere]

Oh man ... where do the posters and the moderators have their brain?

... and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib.

And? Why don't you do the same on a "typical Win XYZ install"?

Very eassy to find out which *.exe files link to zlib.dll.

E.g. use dumpbin.exe for it.

Or just use strings.exe. Oops that does not exist on a typical win xyz machine, but its a 20 liner in C. Surely there is a GPL version somewhere which compiles on Win XYZ.

He he, I agree with the rest of your post, of course.

Regards,
angel'o'sphere

Re:notification issue

[csbruce]

I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people who's programs use the library can update it and that's exactly what they did.

Unless I am missing my guess, I ran into this particular bug in zlib about a year ago and I e-mailed the people at the project address. They responded that they already knew about it and sent me the patch. So what exactly is it that happened recently? Did someone figure out a way to use the bug to crack a system and this set off all kinds of alarms? There should have been a zlib fix-up release a long time ago.

Re:notification issue

The problem is that glibc doesn't handle the zlib bug properly, and the bug produces a buffer overflow.

So it's a bug in only Linux (which uses glibc) and all the hand waving here is an attempt to muddy the truth up.

The people who know their shit can figure it out in a few minutes. Then those in the know who are Linux advocates can wipe the egg off their face and get on with life.

The people who don't know shit, of course, will continue to run around trying to pretend it's not a Linux-specific security problem. The egg will dry on their faces.

Re:notification issue

[csbruce]

The problem is that glibc doesn't handle the zlib bug properly, and the bug produces a buffer overflow.

No, I think that any reasonable programmer would classify an attempt to free() a memory block twice as an application bug. The glibc library could handle it more gracefully, but it's really not obligated to. The only special required behaviour about the ANSI-C free() interface is that it is obligated to accept a NULL pointer as a no-op.

Re:notification issue

That's just the simple part of the problem. Some projects use their own forked and heavily patched version of zlib, so determining if they are vulnerable is really hard, if the fork has taken place a couple of years ago :(

Re:notification issue

[ethereal]

Good point. I was assuming that if you were Microsoft and you didn't want to let on that you were using open-source code, you wouldn't just leave a zlib.dll laying around. So I was assuming dynamic linking for open-source projects (not necessarily true) and static linking for closed-source projects (also not necessarily true). My mistake.

Re:notification issue

[elgardo]

But wouldn't it be nice if double-free()ing didn't fsck things up? Or are we going to play the "the application should know not to double-free()" game, the same way Microsoft enjoyed playing the "the client should know not to ask for resources it doesn't have access to, because it is not the responsibility of the server to know" game?

Re:notification issue

[peter]

Try writing a memory manager some time. I had to for a CS class, and I screwed it up big time. (I'm usually pretty good at designing software to do what I want, so my point it that it's hard.) Also, if the MM has to be able to handle double-freeing, it would have to keep more lists of stuff, and that would slow things down. For some things, allowing double-frees would be faster, while for other things I would guess that the performance benefits from not having to be able to detect it would be greater than the trouble the application has to go to to avoid it. Portable applications need to avoid it anyway, since ANSI C says it might not work. Guaranteeing it to work on GNU systems would make it that much harder to port programs written for GNU systems to other, non-GNU systems. (And what a nasty, only occasionally harmful, probably little known incompatibility it would be, too.)

Since the C standard is already established, there is little point in considering changing glibc.

BTW, I don't know about the Micros~1 "game" you referred to, so I don't know how accurate your analogy is.

Point: Open Source.

[metacell]

No... Microsoft will, of course, apply the open source patch to it's zlib package and recompile, thus demonstrating the viability of the open source approach to security (keep the system open, so anyone can patch the security holes, instead of keeping it closed, hoping that nobody will discover the security holes that are inevitably there).

And Open Source scores one point.

Re:Point: Open Source.

[l33t+j03]

Too bad you haven't scored any dollars. Or market share. Or women.

Re:Point: Open Source.

If you are reading this, you most likely have no social skills.

You are correct sir.

Re:Point: Open Source.

I have yet to see a Microsoft security press release that fixes some OSS bug! hahhhaha. It only goes one way.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Seriously? Microsoft use open source code?

[ZaneMcAuley]

Either way, browsing other competitor products code whether its free, open GPL or whatever is gonna be risky for a business in legal terms.

Slow, buggy M$...

[IO+ERROR]

Microsoft is still trying to determine which apps incorporated zlib code? My Linux box already has all its apps fixed. How long until M$ gets patches out? Weeks? Months?

Re:Slow, buggy M$...

You're part of the small percentage of unemployed Linux users who can sit on Usenet reading about every new bug as it comes out.

Many people in the past have praised Linux as 'the box just sat up there and accrued hundreds of days of uptime doing it's job.' There are thousands of Linux boxes that have NOT been fixed. Some were set up by a Linux guru who moved on, and now there's nobody who knows anything more than the root password, if that.

Part of the TCO of Linux is nursing it along, i.e. applying the bug fixes every day or so.

InstallShield patches will come from the company who sells that product, BTW. Not 'emm-dollarsign' whatever the fuck that means.

Re:Slow, buggy M$...

[October_30th]

Indeed.

Recently some university admins I know have started banning private Linux installations on the campus network simply because the default distros are leaky as hell and with the latest SSH hole things have gotten even worse.

Some have even said that the latest Windows versions are more secure out of box than the mainstream Linux distros.

Re:Slow, buggy M$...

[satterth]

Do know how many statically compiled binaries are on your system ? Did any of those use the lib in question ?

thought so.

/satterth

Re:Slow, buggy M$...

[dossen]

Does it really matter. Any proper system should be able to rebuild completly from source, catching ALL statically linked binaries.

Re:Slow, buggy M$...

[Stonehand]

Incomplete solution. Some software packages include their *own*, possibly tweaked, versions of zlib, so even creating a new static library and recompiling won't work with those -- you'd need to edit the source of every package that has its own private version, as well.

So unless he's done THAT, or every maintainer of every package he uses is on the ball, he can't really be sure.

Re:Slow, buggy M$...

[dossen]

Absolutely true, I did not consider included versions of zlib, but for the few packages where it is not just an option to use the included one, I expect an update to come along. What I was fixing was the packages that link the _system_ zlib statically. Fixing other versions might even be more tricky, since there would be a reason for not just using the zlib on the system.

So to elaborate you also have to get updated sources befor recompiling (just didn't think of it, since it happens automagically).

Um?

[jonnyfish]

And yet again, it is being reported that this zlib issue is leaving a "hefty" portion of systems vulnerable to attack. Forgive my ignorance, but how? In the previous discussion on the topic, I read some posts that sort of explained a possible risk that might occur if there's a full moon and the lighting is just right.

So I ask you: what? From what I've heard the worst that could happen is your system could crash. I hardly see that as any sort of real issue, since programs like to do that all the time.

Re:Um?

[Mr+Windows]

It's OK for me if my system crashes when I'm in bed: I just powercycle when I get up. If I'm running a bank (say) which depends on its machines to stay in business, it's a different matter: denial of service is more than a pain, it's a P45 (pink slip??) kind of thing.

Re:Um?

[garett_spencley]

The problem is a buffer overflow which is a lot more serious than a crash.

I apologize in advance if I'm being a little too trivial but I'm assuming that you are 100% non-technical just incase this post appeals to someone or some people who are.

When a program needs to temporarily store an ammount of data it uses what's called a buffer. This is just a segment of memory where it can store it's data.

A buffer overflow occurs when the buffer get's filled past it's allocated regions. So in other words let's say the programmer has set up a buffer that's 1024 bytes. An overflow is when the user fills that 1024 byte buffer with more than 1024 bytes.

What happens? Well ideally the extra data wouldn't get stored in memory at all but unfortunately computers don't work that way. Instead whatever is stored in memory AFTER the 1024 bytes gets overwritten.

So let's say the programmer had the following code in his buggy program.

buffer[1024] // set up a buffer that's 1024 bytes
read data, buffer // read data into buffer
do something

What the hacker has to do is input 1024 of garbage and then overwrite the memory with some other computer instruction. Like the instructions necessary to execute a shell.

You see when the buffer is overflown the "do something" instruction will get overwritten with whatever data the hacker puts into the buffer. If the program is running as root then when the "do something" instruction is overwritten with the instructions to execute a shell the hacker will have himself root access!

But it's even more serious than that becuase let's say the program is a web server running as nobody. Before the hacker exploits the buffer overflow he has no access. But he knows about this overflow so he overflow's it by sending apache a very long request containing the instructions to execute a shell. He has just gained "nobody" access to the system and from there he can figure out how to get root access.

The solution is for the programmer to make sure that the user is only entering in 1024 bytes of data at the most. Unfortunately many programs weren't written to do this.

I hope this explains to people why these bugs are more serious than "my system will crash".

--
Garett

Re:Um?

[angel'o'sphere]

This happens in C programs and alike.

Use C++ and a decent library or ...
Java.

He he, not: "just kidding".

In Java overflows like that are impossible.

BTW: that is an educational problem of programmers, not a GPL/OS or closed source problem.

Regards,
angel'o'sphere

Re:Um?

Forgive the ignorance.

How does a programmer make use of a buffer without allowing overflow? I really don't know. This question is for my own future reference. (And anyone else who was wondering.)

Thanks

Re:Um?

[reflective+recursion]

It's simple. Just count the number of chars, ints, whatever that you're placing into the buffer and stop when you hit the last one. Also, make sure you stay away from crap like gets() ("man gets"). Use only functions which you can supply a buffer size. You tend to use so many buffers that after awhile it becomes easy to forget about checking them and you get very lazy. Other than that, buffer overflows are very simple bugs, but usually a pain in the ass to find.

Re:Um?

[dannannan]

This is a good non-technical explanation of a buffer overflow, but I'd like to point out many buffer overflows do not allow for such exploits as the poster suggests. Lots of them just lead to crashes. This is due to the difficulty (and sometimes impossibility) of getting the attacked application to actually execute the "code" that's overwritten past the end of the buffer.

I've got some free time on my hands, so for those technical types who want an example of a buffer overrun with an analysis and how to fix it...

Recently I was working on a win32 program that contained a call to wvsprintfA() (see MSDN for details -- wvsprintfA is the ASCII version of wvsprintf). This function takes a buffer, a format string, and a variable argument list, and renders the some formatted output into the supplied buffer. Conspicuously absent from the argument list to this function is the buffer size (so that wvsprintf knows when to stop). Documentation says it's hardcoded to stop at 1024 bytes, but it's actually 1025 bytes (found this out the hard way). This is because even though it will truncate ASCII strings down to 1024 chars or less, it always writes a null-terminator character on the end. So for results that are too big, if you're buffer's only 1024 bytes, you're going to have a 1 byte overrun.

This leads to a very important point. How the memory immediately following your buffer is used determines what kinds of exploits are possible in the event of an overrun (this can be machine dependent). Whether the buffer is in a thread's stack space, or in a heap, or in a code image will have a significant impact on what's possible.

In the case of my overrun, the buffer was allocated on a thread's stack. For those familiar with C/C++ (on x86, I can't speak for other hardware platforms) with most compilers that looks something like this:

void foo(int bar, char *toobig)
{
char *buffer[1024]; // this is a stack allocated buffer

wvsprintf(buffer, "%s", toobig);
}

Looking at the code, it may appear that the call to wvsprintf is what comes next in memory after the buffer, but if you take this in context, you'll realize that that's not the case. What's next in memory here (in the case of my compiler at least) is going to be a saved stack frame base pointer from the caller, followed by the calling function's return address, followed by the parameters passed to foo in this call (most likely -- again, depends on compiler, calling convention, optimizer settings, etc.).

STACK (in order of increasing memory addresses):

buffer (1024 bytes)

saved EBP (<-- foo's EBP should point here)
return address
int bar
char *toobig
foo's caller's local vars
foo's caller's saved EBP (<-- foo's caller's EBP should point here)
foo's caller's return address

(Stack layout will vary depending on your compiler, platform, etc.)

So, since this buffer can get overrun by one byte, part of the caller's saved stack frame base pointer (EBP) could be overwritten! On the platform where I observed this, pointers were 32-bits wide (4 bytes) and the byte ordering on my hardware has less significant bytes at lower memory addresses. This means that the lowest order byte of the saved base pointer can be overwritten, and in this case predictably by a zero (0x00) if it does happen. This doesn't cause a crash right away; rather, it has the effect of misaligning the caller's stack frame so that when foo returns, EBP is incorrectly restored, so all addresses that the caller computes relative to EBP will be off -- for example, local variables in the caller of foo will be trashed, as well as its caller's saved base pointer and return address, since they've been "relocated" ;-). (Note that in the off chance that foo's caller's EBP just so happened to be aligned on a 256-byte boundary this overrun would have no affect at all!)

This caused a crash after foo returned and subsequently foo's caller returned to its caller -- because foo's caller's return address wasn't where it used to be relative to EBP, seeing as EBP was erroneously adjusted to point to a lower address.

void foocaller(char *s)
{
foo(0, s);

// EBP is now bogus if the buffer in foo
// was overrun. Better not use any
// local variables or try to return from
// this point on!

bar();

return; // <-- crashed after this, fortunately
}

The return address that was actually used was "garbage" data left over on the stack -- in the middle of the space that was occupied by the buffer in foo. Note that execution of bar() in foocaller() could potentially overwrite this space too. (In my case, that's what happened, since bar made lots of calls and had enough local variables.) This means that the return address is potentially up for grabs! Fortunately in my case, the stack frames written by bar and its subfunctions was always such that the return address would be overwritten with an unreadable memory address, so my program would access violate (SIG_SEGV) and stop when foocaller attempted to return.

This particular problem is avoided by allocating 1025 bytes instead of 1024 bytes for the buffer, because of the nature of wvsprintfA.

Scary what one little byte can do, eh? Be very cautious when copying data around!

So it turns out that the only exploit in this buffer overrun was that you could make my code crash. You couldn't actually get arbitrary code to run even though you could influence the contents of the buffer from outside of the program. But it was a close call.

D

Re:Um?

Goop. I guess it works.
Golly, fancy that!

Re:Seriously? Microsoft use open source code?

[axlrosen]

Of course, having everything derive code from the same source is a risk

Depends on how you look at it. If there were N completely independent TCP/IP implementations out there, wouldn't there be N times as many bugs (each one affecting 1/N as many systems, on average). Homogeneity means only one codebase to debug and fix. But of course when a bug is found, it affects everyone.

Innovation?

[Conare]

Is this another example of why MS needs to be free of regulation in order to Innovat...ively copy other peoples work?

Shame.

Debian?

[DRO0]

Naive question probably, but if zlib isn't GPL then does Debian use a different library and if so, is it affected by this issue?

Re:Debian?

[DRO0]

Never mind, I need more sleep.

Re:Debian?

[Mr+Windows]

Debian aren't restricted to GPLed stuff; any piece of software which fits the Debian Free Software Guidelines (which includes stuff with the GPL, BSD, and Artistic licences) can be included in main. Other stuff can be included in non-free too.

Re:Seriously? Microsoft use open source code?

[bytes256]

Richard Stallman? Dick, is that you?

Now what would have been interesting...

[borgquite]

is if when they released the patch for the security flaw they made the patch GPL... just imagine Microsoft having to recode all that stuff for themselves :)

Re:Now what would have been interesting...

[DA-MAN]

or fork off the last version before the GPL, that would be hilarious....

Imagine http://mszlib.sourceforge.net/

LOL!!

Re:Now what would have been interesting...

[Cuthalion]

Haha! If microsoft had to code up a simple compression library it would take them a WEEK! HAHAH!!!!

And what about everyone else who uses zlib but not the GPL? I know of several commercial products that do.

Corrections

[Seor+Obvious]

1. MS does not make InstallSheild (perhaps you meant MSI)

2. zlib is not GPL, it's zlib license, DUH.

3. You are a moron

4. So are Slashdot "editors".

hrm...

[Em+Emalb]

"The zlib library has been a fundamental open-source software component for almost a decade and can be found in almost every Linux and Unix system. That means the so-called "double free" flaw in the library may leave a hefty portion of Linux and Unix systems open to attack. Because it adopted some of the code, Microsoft apparently has made itself vulnerable to the flaw as well. "

Disclaimer: I am not a security weenie, so I don't know this for fact......*deep breath*....

If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?

*bash MS* bash bash bash....it's popular right?

Re:hrm...

This is the 'deflect as much blame as possible on Microsoft while tsk tsking the zlib developers for not using the GPL' skit.

If you wanted anything interesting, you shouldn't have clicked to read the comments.

Re:hrm...

[IO+ERROR]

If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?

Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

*bash MS* bash bash bash....it's popular right?

It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.

Re:hrm...

[Why+Should+I]

Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

Silly you.

Re:hrm...

Because that's what this board is about. If you do a: "man Slashdot" it comes back with "attack Microsoft". I leave it up to somebody to demonstrate the exploit of this on a Windows box.

Re:hrm...

[irix]

It was news for Linux/UNIX earlier this week idiot. Go crawl back under your Microsoft apologist rock please.

Re:hrm...

[brettb]

Of course some ./er's will take the opportunity to bash Microsoft but the article itself isn't.
The zlib library vulernabilty and how *nix based systems are affected has
already been discussed on slashdot.

This Cnet article references the previous Cnet article on the subject which speculated that since zlib is a programming library that could be used across platforms that other OS's application programs may be affected as well.

I don't see this article as Microsoft bashing. It just adds a new slant to the previous article and confirms that *nix systems aren't the only ones affected.

This is important information for those Microsoft admins out there who may not care about last weeks headline "Flaw Leaves Linux Computers Vulnerable". Maybe now they'll be keeping their eyes open for patches of their affected software

.

Re:hrm...

[Black+Parrot]

> Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.

Re:hrm...

[sheldon]

It was well known at the time the Linux article came out that Microsoft also had zlib code in their software.

I mean... DUH... IIS and IE support the Content-Encoding extensions from HTTP 1.1 that use gzip for compression and the easiest way for them to have implemented that was functions from zlib.

Now what I want to know is how you have come to the conclusion that Microsoft uses the code in the specific way necessary to exploit it. Or if they even use that particular function, or if they haven't already fixed it long ago in their source tree.

Speculation and wild claims don't add any value, and that's what this article does and what your post does. Yes, it is popular to bash MS.

Now let's get to the real question. How come this bug got into zlib in the first place?

Re:hrm...

Now let's get to the real question. How come this bug got into zlib in the first place?

because someone fucked up, as we all do from time to time. not very surprising or interesting.

Re:hrm...

[WeaselGod]

a more likely scenerio is that they are testing the fix. Microsoft is usually rather quick about releasing things, but they believe in testing it first. Great concept that.

Oh, and it will be available on windows update so that it will actually have wide spread adoption. Lets see how wide spread the linux fix is. Since 80% of redhat boxes are rooted in the first 24 hours there seems to be a rather large precedence for boxes not being patched when they should be. Get off your fucking high horse buddy. Microsoft may be a lot of things, but they aren't stupid. If they were they would never have gained absolute control of the desktop.

Re:hrm...

That assumes their clients are smart and require a smart manufacturer delivering smart products to make them successful. This is however a case of a slightly less moronic imbecile selling to a vast crowd of completely hopeless cretins with brains that would make an ant feel superior. Not stupid? Relative to whom? You? Certainly.

Re:hrm...

[uebernewby]

Bullshit. The zlib MS uses is just as open source as the one on linux.

Re:hrm...

[cperciva]

Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities.

And what does the comparison tell us?
1. A Open Source Operating System contained a bug which could be a security flaw. Patches were released within a few days.
2. A Closed Source Operating System contained the same bug, but due to design differences, the bug was not a security flaw. Since the bug wasn't an urgent problem, it got added to the bug-fixes-for-the-next-service-pack queue.

I think if you want any sort of exact comparison, you'd have to look at cases where the same bug caused the same level of harm.

Re:hrm...

[praedor]

Consider this: it appears that M$ will have to release a fixpak/security pak for a bunch of apps while for me with linux (and people using BSD, etc) all we need to do is install the new zlib - which was available virtually at the same time the POTENTIAL vulnerability was discovered/released. Then, all *nix people need do is restart whatever net-connected app/server they were running that uses zlib and it is fixed. No replacing apps with fixed apps, just replace the lib without ever rebooting.

You will eventually receive a big security fix from M$ that replaces whole applications AND have to reboot to make it work.

So, two comparisons can be made between the free-os users and the M$ slaves: 1) fixes are produced and available immediately for free-os people but it will be a while before M$ figures out what to do, and 2) simply installing the new lib and, perhaps, restarting a couple applications is all it takes for a fix for the free-oses but M$ users will have to replace whole applications and reboot.

M$ kinda trashes itself in comparison.

Re:hrm...

[jedidiah]

Microsoft will likely be the LAST vendor to have fixes available for this. This is contrary to the fact that they have the greatest resources of anyone that may use zlib.

Re:hrm...

[statusbar]

Microsoft has many programmers on the payroll. What I would like to know is WHAT DO THEY DO? Are they not capabile of writing their own zlib?

jeff

Re:hrm...

Really?

I run a RedHat 7.2 server at home and have no idea what this library is. (i'm not a coder).

Should I be looging on to redhat network and download some new rpm?

Seriusly?

Re:hrm...

[Florian+Weimer]

Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

Not quite correct. Most vendors hat several weeks to work on a fix. As usual, they were notified in advance, because of the potential seriousness of this problem (if it were actually exploitable).

Re:hrm...

[krmt]

*bash MS* bash bash bash....it's popular right?

Well, is this really bashing? I think it's more bringing to attention a security flaw that may have slipped by. This one happens to be interesting because of the politics involved, as well as the fact that the same security flaw affects just about all of us (which is a testament to Free Software in itself.) That doesn't make it bashing though, it just means that everyone running Windows will likely have to patch their systems the same way that the Linux users did.

But then, bashing slashdot these days has become even more popular than bashing MS.

Re:hrm...

[JordanH]

• Are they not capabile of writing their own zlib?

But, that wouldn't be taking advantage of the "healthy eco-system of free and proprietary code" that Bill likes to tout so much.

Funny, MS is a big black hole, sucking in all the advantages of any Open Source they can find for their products, and, AFAIK, never producing any Open Source for the community and yet they have the nerve to whine about the "pac-man nature" of the GPL.

Re:hrm...

[leonbrooks]

Open Source Operating System contained a bug which could be a security flaw. [...]

Closed Source Operating System contained the same bug, but due to design differences, the bug was not a security flaw.

FWIW, it is not yet a security flaw for the OSOS. If someone eventually figures out how to exploit it (difficulty level: 8, bonus points for an animated splash screen, souble bonus for multiple architectures), most OSOS systems will have long since been patched against it, and the few remaining will be self-curing.

Meanwhile, the CSOS vendor has absolutely NFI whether they have a security vulnerability or not, and won't know for many weeks or months. Because it is CS, we can't fix it for them.

Since the bug wasn't an urgent problem, it got added to the bug-fixes-for-the-next-service-pack queue.

IRL, that's the bug-changes-for-the-next-SP queue.

Re:hrm...

Word is the script kiddies already have a few exploit kits cooked up for this bug on systems running the buggy zlib in combination with the glibc library.

Surprise, surprise, the only OS using glibc is Linux.

Re:hrm...

Oh, I dunno.

When are the Corel Linux fixes becoming available?

How about the Turbo Linux fixes?

FIRST HETEROSEXUAL POST

Note to GAY MODERATORS: This post is NOT offtopic; it's INFORMATIVE. GET A CLUE

INTRODUCTION

Eating a woman's pussy is about the most wonderful thing you can do for her. It makes her feel loved, admired, sexy, and of course it makes her cum like crazy. Many women prefer it to intercourse, and for most, it is the easiest way to cum with a man. You may have the littlest dick on the planet, but if you give great head, you will be appreciated as a fabulous lover. Yes, it's that important. Besides, lots of women expect it these days - you might as well know what you're doing.

First off, guys seem to have a strange love/hate relationship with women's genitalia. Guys that can't wait to get their dick into one are often reluctant to put their face "down there". For every guy who says he loves to eat pussy, there's another one who's squeamish. Women know this, and it affects their ability to lay back and enjoy the experience. There is nothing more exciting to a woman than to know that her partner finds her delicious. Don't be coy; tell her. When a guy fingers a lady and then smells, licks, sucks the juice off his finger and sighs as if in heaven, she knows this is her lucky day.

What if your sweet lady doesn't smell or taste very sweet? Don't suffer. (Don't complain, either.) Take a nice hot shower or bath together. Lather up both of your bodies and slide them together. It's like a whole body fuck. Soap up her vulva, washing between her outer and inner lips. Spread her lips apart and gently wash her clitoris. Hey, don't stop - this feels great! Run your soapy hand down the crack of her ass, and rub a finger all around her anus. You can stick one finger in and wash around inside too, if you anticipate any anal play, and I suggest you do. But don't put those soapy fingers up her vagina. Instead, rinse them off well and stick one or two inside, making a circular motion. Think about washing the inside of a tall glass - same thing. Now wasn't that fun? And now you can feel free to let your tongue wander anywhere it pleases...

So now what? You've found a comfy spot to play, you've been kissing passionately, your tongues darting around each other's mouths like playful otters. You've moved down to nibble one of her hardening nipples and she's starting to groan, grinding her pelvis against your stomach. STOP. I know it was just starting to get good. But was she really groaning and humping you, or was it your own excitement you were detecting? I strongly prefer to be excited before a guy starts plunging his tongue into my inner recesses. Use your judgement, and kiss, lick, and fondle your way down her stomach, up her thighs, until she's arching up her back trying to get you to eat her. Of course, if she really was groaning and grinding, go for it... I also don't particularly enjoy a guy endlessly nibbling my inner thigh while my clit is quivering in anticipation.

POSITIONS

If the woman you are with is somewhat hesitant about your going down on her, start off with her lying on her back, perhaps half-sitting. Lay down between her legs, with her legs over your shoulders. She may enjoy laying or sitting at the edge of the bed with you kneeling. She can also straddle your face, but be prepared to get very wet. There are endless varieties of positions where you can press your face up to her cunt, some of which strike me as more acrobatic than erotic, but feel free to experiment. And then there's 69...

69 is one of my favorite positions. On the plus side, you both get to enjoy the sublime sensations of getting head, simultaneously. The upside down positioning of a woman's pussy and your mouth is an easy fit and there's more room for your hands. On the negative side, it's a less than ideal position for a woman to give head. Plus, if you need to read this article, you may be better off concentrating your energies on pleasing her, without too much distraction. But even for experienced 69'ers, it's easy to short-change your partner. "It feels soooo good, I'm just gonna stop for a second and concentrate on what you're...aaaarrrgghhh". Get the picture? Some show of will-power is in order.

69 can be done male on top, female on top, or side by side. The latter two are easier, though it's more restful with both partners laying down. Some women love being licked on all fours, so if female-on-top 69 drives her wild, take the hint and find some other ways to eat her in this position. I happen to enjoy male on top, but for many women this is a sure choking position. If a woman can, or wants to try, to deep throat you, this is THE position. When her head is thrust back you can really slide your cock all the way down her throat. But don't forget what you're supposed to be doing!

So there you are staring at it - the mysterious hole from whence you came, and into which you hope to cum again... First, an anatomy lesson...

THE CLITORIS

Before I go any further, a few words about the clitoris, accent on the first syllable. Most of you know it, but for those who don't, it is THE woman's sex organ, period. It may feel great to be fucked vaginally, anally or otherwise, but if the stimulation is not right there, on the clitoris, you're ignoring the place that's going to make her cum, and presumably that's why you're reading this, right? It's right there at the top juncture of her inner lips, a small knob of pink flesh. This is where it's at boys, and don't forget it. Almost any licking and sucking of the labia or vaginal entrance is going to feel just dandy; just remember that this is pleasurable teasing, not the main event. I can't tell you how many guys have thrust their tongues up my vagina thinking that this was going to make me cum. They were wrong. Of course, with a little manual stimulation....but I'm getting ahead of myself.

Women feel differently about how much direct stimulation they can take on their clitoris. Some women will adore it if you suck hard on their exposed clits, others will shriek in pain. You may encounter a woman who is completely unable to take direct stimulation of her clit; the goal is still the same, but you'll have to stimulate it indirectly, such as through her labia. IMPORTANT NOTE: Often, what is unacceptably rough at first may be fine after she's very excited. The fact is, most women really need a good bit of stimulation before a targeted attack on their clitoris, but once they're there, that's where you want to devote your attention.

The key here is go slow, ask questions, and if she's comfortable with it, leave the lights on and really explore. Body language often does tell what feels best, but I promise, she will appreciate your attentiveness if you ask outright. If she seems shy, get her to guide your hands and mouth with her own hand, and pay attention. If she starts bucking up against your mouth and gasping in ragged little breaths, for God's sake, don't use this opportunity to try something different. Just keep doing exactly what you're doing.

THE TONGUE

I want to reiterate, there is almost nothing you can do that won't feel terrific, so relax! I promise, you may be confused and uncertain, but she's in heaven. Any licking and sucking of the labia, vaginal entrance, clitoris, or anal area is going to feel just great, and I'd no sooner tell guys to "do it exactly like this" than I would tell every chef to follow the same recipe. But for those who are compelled to RTFM, here are a few techniques that you might like to try:

Try lapping her pussy from vaginal entrance up to her clit, leaving your tongue soft and jaw relaxed. This is a good way to start your tonguing.
Run your tongue between the inner and outer labia on one side, while holding the two together with your lips. Good job, now do the other side.
Fuck her pussy with your tongue - in and out, around and around, etc. This feels nice. Not wonderful or incredible or earth-shaking; nice.
Spread her outer lips with your hand. Then, with your tongue pointed and stiff, gently flick here and there. Feel free to roam, but keep coming back to her clit. This drives some women wild, and others can't take it. Some may prefer that you always leave your tongue soft, so when you try this, pay attention to whether those moans are ecstacy or pain.
The following techniques should not be introduced until your partner is really hot (i.e. she's no longer coherent). These are very intense actions which may be "too much" for some women, even when nearing orgasm.

With her clit still exposed, give it a quick little suck - pulling it into your mouth briefly and letting it go. This is a lot like licking a bit of cake batter off of your pinky. This feels incredible, and is a fine thing to do if you feel like torturing her (see PUTTING IT ALL TOGETHER below).
Take her exposed clit into your mouth and gently (at first, anyway) suck on it, simultaneously flicking your tongue over and around it. This can be done very lightly or very aggressively, and combined with fingering, will usually rapidly produce an intense orgasm.
Another choice technique involves rolling your tongue into a tube. If you can't do this with your tongue, you can't learn it - it's genetic. For those who can, this works best in an inverted or 69 position. Roll your tongue into a tube around the shaft of her clitoris. Slide it up and down; in effect, your tongue makes a tiny pussy for her clit to fuck. This also is likely to bring her over the edge.
FINGERS
Fingers are a valuable adjunct to eating pussy. Most women masturbate by pressing a finger or fingers over their clit, possibly "thru" the skin of their inner or outer lips, and vigorously rubbing in a circular or back-and-forth direction. You can do this too, and it is most helpful to ask, or better yet, have her show you how she likes it done. You will never be a good lover until you can bring your woman to climax with your hands. When you fuck her from behind, or up her ass, or really in any position which doesn't allow her to simultaneously rub her vulva against your body, reach down or around and rub her clit. I know it's distracting, but just do it anyway. One important point to note: make sure that your fingers are well lubricated. There is nothing more uncomfortable (and sometimes downright painful) than a dry finger roughly rubbed across one's clitoris.

Of course, that's not all you can do with your fingers. One technique which is very exciting is to spread her lips wide apart with one hand, and with your index finger straight like a pencil, flick the side of it rapidly across her clit. This motion alone will often bring a woman to orgasm. Combining this with the addition of some tongue action elsewhere is nothing short of bliss.

Sticking one or more fingers inside her vagina is also wonderful. You can simply move them in and out (this feels best with at least two or three fingers, pushed in hard), or wriggling them around. A particularly intense motion is to face your hand so that you have two fingers inside her with your palm facing the front of her body. Now move your fingers rapidly, as if waving hello. You are aiming to stimulate a particular part of the woman's vagina - namely the lower anterior (front) part. When combined with sucking her clit, this is nearly certain to bring her to a fast and intense climax.

An excellent way to begin manual stimulation is to stick one (and later two) fingers inside her, with your palm cupped over the mons area. I'm talking about that fleshy "mound" over her pubic bone. Your finger goes in and out and the ball of your hand is pressed hard against her vulva. You may want to rub or even shake the entire area with your palm.

Fingers also do nice things to tight little butt holes, but that's a whole other story...

ANAL PLAY

This stuff is purely optional. If anal play doesn't turn you on, don't do it. If you're uncomfortable, she'll pick up on your feelings and start wondering if it's her pussy that's turning you off. Don't feel that you can't be a good lover without anal play; you can.

Cleanliness is of the essence. (remember that nice soapy shower?) Scoop out some luscious juices (from a very wet pussy) with your finger and rub it around her anus. (If she isn't well lubricated, saliva works too.) If that's all you or she feels comfortable with, fine - it still feels great. But I think most women enjoy the feel of a finger pushed up their ass while they're being fucked or eaten. You need to be gentle, possibly even leaving your finger still. Try moving it in and out a little, or around in a circle. If she starts moaning, you know you're doing something right.

It's really fun to feel a woman's anus rhythmically squeezing your finger as she cums. (And it's great for her, too) You're probably thinking about what that would feel like around your dick, and it's something you should certainly explore. Ass-fucking is somewhat out of the scope of this article, but suffice to say, if she doesn't like a finger up her butt, she sure as hell won't want your big dick up there. Even if she does enjoy this sort of play, she may still be somewhat apprehensive about putting something so large up there. The keys to success are sufficient (i.e. copious amounts of) lubrication (a water-soluble type such as K-Y, which is safe for condoms), relaxation on her part, and a slow, gentle, approach. She'll certainly tell you if she wants you to thrust harder or deeper. And remember, if you want to feel that delicious squeezing around your cock, reach around and diddle that clit!

As for anallingus - why not? Don't feel like you HAVE to do it to satisfy your woman. But if the idea turns you on, great. Let your tongue rove as it pleases. It's not necessary to actually put your tongue inside her butt to stimulate the area. Back and forth, around and around, you get the picture.

One hygiene note: once that finger (or your penis) has been inside her ass, don't even think about putting it anywhere else. Carelessness in this regard can cause a horrendous infection.

MENSTRUATION

I haven't met a lot of men who are completely comfortable going down on a woman when she has her period. But some are. Most women are at their horniest before and sometimes during their period. You should definitely find a way to make her cum when she's bleeding, be it thru intercourse, manual, or oral stimulation. If you feel comfortable going down on her, great. It's perfectly safe. You may suggest that she insert a tampon, and then wash up. (As you now know, you don't need to get anywhere near her vagina to make her cum.) Or you could lay down a few old towels, turn out the lights, and forget about it.

PUTTING IT ALL TOGETHER

I think variety is crucial. Some guy posted an article detailing a road map of kissing and licking (first here, then here, etc.) Much better to do the unexpected; sometimes a hungry, aggressive approach, other times a laid-back, leisurely one. You can even even include your nose, or your chin into the act. Start slow, that's the key, and let your lover guide the speed of the crescendo. In all cases, start gently. Roughness and clumsiness are big turn-offs. As she gets more and more excited, pay more attention to her clitoris. When she's three breathes away from cumming, moving your mouth off or away from her clit is agony. That's fine if you're intentionally torturing her, just understand that this is what you are doing. The only prohibition is to be reasonably gentle with her clit. Nibbling or biting is fine elsewhere, but we're talking about a sensitive spot.

Speaking of prolonging the agony... I think this is great fun. Bring your partner just to the edge of orgasm, and stop. This is not easy unless you really know your lover well. Instead, just have her help you. Say, "Grab my head and stop me just before you think you're gonna cum." Then take your sweet time. Blow on her clit, take it into your mouth just briefly, flick it just the very slightest bit. You will have this woman squirming and moaning like she's dying. Finger her deeply, enjoy the ecstasy you are imparting, and finally, have pity. Let the poor woman cum.

UUUUNNNNGGGGGHHHHHH!!!!!! (or, I'M COMING!!!)

Okay, she's practically suffocating you, she's pressed so hard against your face; she's screaming and bucking up in the air; you feel her pussy contracting wildly - how long should you keep it up?? The simple answer is, until she makes you stop. Some women may stop you after five seconds from the start of their climax, others may be able to roll right into another orgasm if you keep going. Do come up for air, but remember, her excitement does not drop off as sharply as yours does. Play it safe by continuing the stimulation.

How many times does she need to cum? Some women are very content to have one orgasm. A whole lot of women would really like to cum again, but need about five minutes to recoup. Many women are so sensitive right after they cum that they may push your head violently away. This doesn't necessarily mean they've had enough, only that you need to stop for a few minutes. In fact most women, given a short rest between, are capable of cumming again and again. A smaller percentage of women are able to cum repeatedly with continued stimulation. This is the much-touted multiple-orgasm that is experienced by a minority of women. I know this makes it difficult to know when enough is enough, but there's a simple answer: ask her.

GODI'MSOEXCITEDITFEELSGREATBUTIJUSTCAN'TCOME

It happens to all of us sometimes - distraction, embarrassment, anxiety, or just an inability to "let go". What do you do about it? The first question is, can she easily bring herself to a climax in the privacy of her own home. If the answer is no - then she needs to do some homework. There are two books on the subject that I know of: For Yourself: The Fulfillment of Female Sexuality by Lonnie Barbach, and Sex for One: The Joy of Selfloving by Betty Dodson; pick up one. Then tell her to read it, study it, and practice, practice, practice!

Now if your partner is orgasmic only when alone - ask her point blank: "Is there something different I can do?" Many women are shy about criticizing their lovers, but if asked outright will surprise you with a very specific answer. It may be a simple matter of mechanics, like a little to right please, or not so rough, or more pressure and faster. Ah... perfect.

But suppose everything is wonderful. She says you're doing everything right but she just can't cum. There are two probable causes: selfconsciousness and/or self-loathing. For women who can't help watching themselves, the best approach is to eliminate anything that focuses her attention on what the two of you are doing. This is a "be here now" kind of thing - definitely not an introspective activity. Get that mirror off the ceiling. Dim the lights or turn them off completely. Put on some soft music. Share a glass of port. (I said A glass - getting drunk will definitely not help). Have her lay on her back, or propped up comfortably with some pillows. This is not the time for her to sit on your face, or the edge of the bed, or standing up against a wall. Arrange a time when you can devote a long period to eating her pussy, and then just keep it up. Forget everything I said about asking her questions - just close your eyes and get into it. I know this can be a difficult and exhausting exercise, but she will be extravagantly thankful for your efforts. It gets easier each time. If all else fails, get accustomed to masturbating together. Gradually begin to add your stimulation to her own, right before she's about to cum anyway. Over time, you can take over completely.

For women who themselves feel that their cunts are dirty or distasteful, all of the above methods may be helpful, but the underlying issue must also be addressed. I am amazed at how many women are ambivalent about their own genitals. They don't love "that part" of their body, and they can't believe that you would either. Yes, it is important to be clean. But clean means a daily shower which includes washing the vulva. It doesn't mean vainly attempting to remove every trace of smell or taste. The natural fragrance and secretions of a healthy woman are beautiful and erotic. Hopefully you agree (and if not, try hard to cultivate this attitude). When she learns to love her pussy, she will be infinitely more comfortable with your loving it too.

How to Eat Pussy

Hey, I have a lot of respect for all you guys who like to eat pussy because there are too few of you out there. And I'm not the only woman who says this. Furthermore, some of you guys who are giving it the old college try are not doing too well, so maybe this little lesson will help you out. When a woman finds a man who gives good head, she's found a treasure she's not going to let go of too quickly. This is one rare customer and she knows it. She won't even tell her girlfriends about it or that guy will become the most popular man in town. So, remember, most guys can fuck, and those who can usually do it satisfactorily, but the guy who gives good head, he's got it made.

Most women are shy about their bodies. Even if you've got the world's most gorgeous woman in bed with you, she's going to worry about how you like her body. Tell her it's beautiful, tell her which parts you like best, tell her anything, but get her to trust you enough to let you down between her legs.

Now stop and look at what you see. Beautiful, isn't it? There is nothing that makes a woman more unique than her pussy. I know. I've seen plenty of them. They come in all different sizes, colors and shapes; some are tucked inside like a little girl's cunnie and some have thick luscious lips that come out to greet you. Some are nested in brushes of fur and others are covered with transparent fuzz. Appreciate your woman's unique qualities and tell her what makes her special.

Women are a good deal more verbal than men, especially during love-making. They also respond more to verbal love, which means, the more you talk to her, the easier it will be to get her off. So all the time you're petting and stroking her beautiful pussy, talk to her about it.

Now look at it again. Gently pull the lips apart and look at her inner lips, even lick them if you want to. Now spread the tops of her pussy up until you can find her clit. Women have clits in all different sizes, just like you guys have different sized cocks. It doesn't mean a thing as far as her capacity for orgasm. All it means is more of her is hidden underneath her foreskin.

Whenever you touch a woman's pussy, make sure your finger is wet. You can lick it or moisten it with juices from inside her. Be sure, by all means, to wet it before you touch her clit because it doesn't have any juices of it's own and it's extremely sensitive. Your finger will stick to it if it's dry and that hurts. But you don't want to touch her clit anyway. You have to work up to that. Before she becomes aroused, her clit is too delicate to be handled.

Approach her pussy slowly. Women, even more so than men, love to be teased. The inner part of her thigh is her most tender spot. Lick it, kiss it, make designs on it with the tip of your tongue. Come dangerously close to her pussy, then float away. Make her anticipate it.

Now lick the crease where her leg joins her pussy. Nuzzle your face into her bush. Brush your lips over her slit without pressing down on it to further excite her. After you've done this to the point where your lady is bucking up from her seat and she's straining to get more of you closer to her, then put your lips right on top of her slit.

Kiss her, gently, then harder. Now use your tongue to separate her pussy lips and when she opens up, run your tongue up and down between the layers of pussy flesh. Gently spread her legs more with your hands. Everything you do with a woman you're about to eat must be done gently.

Tongue-fuck her. This feels define. It also teases the hell out of her because by now she wants some attention given to her clit. Check it out. See if her clit has gotten hard enough to peek out of it's covering. If so, lick it. If you can't see it, it might still be waiting for you underneath. So bring your tongue up tot he top of her slit and feel for her clit. You may barely experience it's presence. But even if you can't feel the tiny pearl, you can make it rise by licking the skin that covers it. Lick hard now and press into her skin.

Gently pull the pussy lips away and flick your tongue against the clit, hood covered or not. Do this quickly. This should cause her legs to shudder. When you sense she's getting up there toward orgasm, make your lips into an O and take the clit into your mouth. Start to suck gently and watch your lady's face for her reaction. If she can handle it, begin to suck harder. If she digs it, suck even harder. Go with her. If she lifts her pelvis into the air with the tension of her rising orgasm, move with her, don't fight her. Hang on, and keep your hot mouth on her clit. Don't let go. That's what she'll be saying too: 'Don't stop. Don't ever stop!'

There's a reason for that, most men stop too soon. Just like with cock sucking, this is something worth learning about and worth learning to do well. I know a man who's a lousy fuck, simply lousy, but he can eat pussy like nobody I know and he never has trouble getting a date. Girls are falling all over him.

But back to your pussy eating session...There's another thing you can do to intensify your woman's pleasure. You can finger-fuck her while she's enjoying your clit-licking talents. Before, curing or after. She'll really like it. In addition to the erogenous zones surrounding her clit, a woman has another extremely sensitive area at the roof of her vagina. This is what you rub up against when you're fucking her. Well, since your cock is pretty far away from your mouth, your fingers will have to do the fucking.

Take two fingers. One is too skinny and three is too wide and therefore can't get deep enough. Make sure they're wet so you don't irritate her skin. Slide them inside, slowly at first, then a little faster. Fuck her with them rhythmically. Speed up only when she does. Listen to her breathing.

She'll let you know what to do. If you're sucking her clit and finger-fucking her at the same time, you're giving her far more stimulation than you would be giving her with your cock alone. So you can count on it that she's getting high on this. If there's any doubt, check her out for symptoms. Each woman is unique. You may have one who's nipples get hard when she's excited or only when she's having an orgasm. Your girl might flush red or begin to tremble. Get to know her symptoms and you'll be a more sensitive lover.

When she starts to have an orgasm, for heaven's sakes, don't let go of that clit. Hang in there for the duration. When she starts to come down from the first orgasm, press your tongue along the underside of the clit, leaving your lips covering the top. Move your tongue in and out of her cunt. If your fingers are inside, move them a little too, gently though, things are extremely sensitive just now.

If you play your cards right, you'll get some multiple orgasms this way. A woman stays excited for a full hour after she's had an orgasm. Do you realize the full impact of that information? The potential? One woman was clocked at 56 orgasms at one sitting. Do you know what effect you would have on a woman you gave 56 orgasms to? She'd be yours as long as you wanted her.

The last advice I have for you is this: After you've made her come, make her your slave by giving her the best head she's ever had, don't leave her alone just yet. Talk to her, stroke her body, caress her breasts. Keep making love to her quietly until she's come all the way down. A man can get off and go to sleep in the same breath and feel no remorse, no sense of loss. But a woman by nature requires some sensitivity from her lover in those first few moments after sex.

Oral sex can be the most exciting sexual experiences you can have. But it's what you make it. Take your time, practice often, pay attention to your lover's signals, and most of all, enjoy yourself.

Female Oral Sex Techniques

TASTE:

In my experience, one of the main reasons that partners avoid female oral sex is due to a percieved or even experienced poor taste. While it is true that women run the range from pleasant (tasty!) to sour or uric tasting, there are easy steps to ensure that your partner will be tasting her sweetest.

First and most obviously, a good vigorous shower will do much to neutralize the taste of your partner. In fact, oral sex in the shower, while not a favorite method of mine, has a completely neutral taste if you stick to the upper regions of your partner's sex. If your partner has not showered recently, or has physically exerted herself recently, her taste will be much stronger. This, however, can be a good thing!

Secondly, foreplay will improve upon both the taste and the experience in general if your can get her juices flowing. I have never found an extremely aroused, wet woman to taste unpleasant. Quite the contrary!

FOREPLAY:

Do it! Take your time! Have fun! Experiment! A common male misunderstanding is that females are aroused most through physical contact. Not true. I have aroused women greatly simply by acting sexy. Tension is a wonderful tool, use it. If you can build tension to the point where the barest touch sends electric shivers through both of you, you can't lose! Similarly, even the best love techniques will not turn on a woman who isn't in the mood. (If you can get her in the mood, well then you're talking.)

Take your time, explore your partner (there's a lot more there than nipples and a clitoris!), build tension, have fun.

POSITIONS:

There are two basic positions that I have found very versitile and succesful. For a very comfortable session, have her lie on her back with legs spread and knees bent slightly. Lie on your stomach between her legs, put your right arm under her left leg and your left arm under her right - somewhat of an intimate hug. Now you should find your head situated conveniently and comfortably near the center of your attention.

Less comfortable, but a bit wilder is the following. Lie on your back, prop a couple of pillows (or fold one over) under your head. Have your partner kneel facing you with one knee on each side of your head, above your shoulders. The sexy part of this position (IMHO) is that your partner can look down at you and watch you eating her out. (Yum) Versatility and comfort are reduced for the giver, so I only occasionally partake in this position.

These are by no means the only positions. Again, experiment, have fun. If you can find a bed where your partner can lie down with her legs dangling off the bed and resting flat on the floor, you're in luck. Now you can have her sit just at the edge of the bed, lie back, and give you plenty of access while you kneel/sit in front of her sex.

GEOGRAPHY:

Woman are very different in some respects of their genitalia, but the major parts are the same. A woman's sex from the oral sex point of view consists of two sets of lips (outer and inner) that meet just below the vaginal opening and some variable distance above the clitoris; the vaginal opening (immediately above the nether meeting of above-mentioned lips), a smooth section of skin between the vaginal opening and the clitoris (I have no clue as to its technical name, hereafter it will be refered to as the "scav") and the clitoris and its surrounding folds.

If you get the chance, explore your partner in a location with decent lighting. Use your hand to spread her sex and explore her, find out what's where and what's what. Like I said earlier, women are different. Especially the location and shape of the clitoris. It can be buried, protruding, surrounded by many folds of flesh, or hanging out it the open. The best method I have found for finding your partner's clitoris (If all else fails, ask!), is to place a finger at the very base of her sex and gently run it up her scav until you feel a slight bump. That's it.

OK, ENOUGH OF THE DETAILS, NOW THE NITTY-GRITTY:

So your partner is showered, excited and feeling sexy. It's the big moment, what to do? Don't simply dive in. Take your time, excite her. In my opinion, I can usually tell how good my partner is at oral sex by how she "goes down" on me. By "going down" I mean the process by which she goes from kising my lips to sucking oh-so-wonderfully on my sex.

Depending on your partner, different methods of going down will work more effectively. If you've gotten to this point with your partner, you should have a fair idea of what she likes. Take advantage of that knowledge. One thing that I highly recommend however, is a sexy look. Sexy looks can make all the difference, and the best place to throw one in is as you're licking, sucking and kissing your way down her stomach stop, look up and smile devilishly.

Unbutton your partners jean's, pull the tabs back and kiss her newly exposed flesh. Unzip her pants, pull the tabs back as far as they can go and place light, tender kisses on her abdomen and around the top of her panties. Watch it, some women are very ticklish here!

(Note the above doesn't work so well if she doesn't have jeans on but you're all smart enough to figure it out...) Once you've removed everything but her panties, stop. You have a unique opportunity for further arousal. Kiss her legs and inner thighs with gentle kisses. Work your way up each leg and make a point of stopping at the line of her underwear. Kiss again along the top of her underwear, and along the other two borders.

Now move to her cotton (silk? lace? latex?) covered sex. Plant firm, dry kisses through her underwear on her sex, low and right around the vaginal entrance works best for me. If your partner is really excited, often her underwear will be damp and will smell (pleasantly) of her sex.

Removing the underwear is again a matter of choice. You know your partner best, I prefer either gently sliding it all the way off with my fingers, or pulling it part way down with my teeth first.

DIRECT KISSING:

It is not unusual for your partner's lips to be closed together. A very excited woman's lips may be slightly spread allready ("pouting"). Again, building tension can be accomplished by light kisses on either side of her sex as well as light blowing. (Do not inflate your partner! This can be very dangerous!!) Spreading her lips can be accomplished by placing your tongue first at the base of her sex, and then firmly running your tongue all the way up. Continue with a few long licks from the base of her sex all the way to the top past her clitoris. Vary the firmness of your tongue from hard and pointed to broad and soft.

THE BIG "O":

The best and most proven method of making your partner cum through oral sex is by repeated, rythmic stroking of her clitoris with your tongue. The tongue is uniquely suited for this purpose because of it's texture, versatility, and pliability. It is difficult (and tiring) to apply too much pressure to your partner's clitoris. Some women are much more sensitive than others however. Be receptive to any sharp gasps, you could be being too affectionate. If this is the case, move away from direct contact or adopt a gentler technique.

Repeated, rythmic stroking can be accomplished in a variety of ways. I prefer either rapid, repeated verticle licks with a firm, pointed tongue, or planting your tongue firmly against your partner's clitoris and vigorously shaking your head back and forth. (Tiring, maybe. But it's worth it!) If you are having trouble finding the correct angle or method for rhythmically lingually carresing her clitoris, or if you want to try something fun and new:

Toungue the abc's. No seriously! This is a great oral excercise on any part of the body. Toungue the abc's starting with lower case, and moving though upper case. (Heck, you could do the whole ANSI ASCII set if you'd like!) Be especially perceptive while you do this, vary your speed and watch for sharp intakes of breath - chances are you've hit the right angle. The abc's give a large variety of different strokes, so come back to this excersize as often as you'd like.

A general rule of thumb (tongue?) is to start slow and pick up the pace as you go along. This is definately a general rule though, feel free to break it by varying your rhythm, both slowly and predictably as well as quickly and startlingly.

OTHER FUN THINGS TO DO:

Lick between the inner and outer lips; penetrate the vagina deeply (a much stronger, iron-like taste here); "tease" the entrance to her vagina with rapid pokes of your toungue at varying depths; don't forget your hands, often a woman will feel a need or ache for something inside of her while very aroused, oblige her with a finger or two. Both kissing and manually manipulating your partner is tough, anyone with succesful methods is welcome to pipe in.

Talk to your partner, ask her what she likes. Experiment (if you can) with many different partners. What excites one woman a lot may not excite another as much, but may still be well worth trying. On the other hand, you may not notice a subtle pleasurable technique on one woman that can be easily learned on another. The better you know your parnter, the more effectively you can please her. Have fun!

A FINAL NOTE:

I tried to be a lot less pretentious than the male version of this article for a few reasons. The major one is that women are very different, the above suggestions may work wonderfully with one woman and so-so with another. Some women simply aren't responsive to oral sex due to strong moral constraints. Secondly, I am not an expert, though I love oral sex and have had the joy of pleasuring 10-20 women. Third, I am still young (18) and have a lot to learn.

So feel free to comment on what you've read (men and women) and reply either over the net or to me personally. Thanks. Hope you found this helpfull and enjoy!

Q. What is cunnilingus?

Cunnilingus is the fine art of making love to a vagina with your mouth and tongue. It is a delicate skill, requiring patience, practice, and dedication to get it right, but any woman you learn to do it right for will appreciate you all the more for it.

What applies to the penis applies to the vulva-- every one is different, requiring a different touch to make its owner happy. But few tools can equal the tongue for the amount of pleasure it can deliver to a happy vagina.

This article assumes that you know what a vulva looks like and can identify with some precision the mons veneris, labia majora, clitoral hood, clitoris, labia minora, urethra, vagina, and perineum, to name them (approximately) from top to bottom.

Q. How fast should I go?

This isn't an attack. Don't go after the clitoris like a fireman attacking a fire. Quite often at first, the clitoris is far too sensitive for direct stimulation. Lick around it, stimulating the hood, teasing her inner labia, tasting her. Take your time and listen to her. Some women make noise, and some do not. It will be a while before you learn exactly what your lover prefers as far as oral sex is concerned.

Some women may like additional stimulation-- a finger or two into the vagina, or perhaps even the anus. She may want your hands to reach up and play with her breasts, or she may want your fingers to hold her labia apart so that your tongue can get at her vulva more directly.

Q. I've heard cunnilingus doesn't taste good.

If the taste or smell bothers you or is a concern, ask her to wash first. Most people who enjoy cunnilingus agree that a clean vagina is a good, if acquired, taste.

As a woman nears her climax, she may want more direct stimulation. In general, fast, rhythmic stimulation is most effective at causing climax-- but there shouldn't be a rush to get there. Take your time and learn to appreciate what you can do for her.

Q. What about cunnilingus during menstruation?

Some people are particularly turned off at the suggestion of cunnilingus during menstruation. If it is a concern to you, then wait. A tampon may well hold the blood back, as will a diaphragm, but some men can't stand the taste anyway. If your partner is healthy, however, there is no particular danger in menstrual blood, and some women find that orgasms during their periods allievate cramps.

In my experience, when you try to explain to a man "in the moment" that he is doing oral sex (or sometimes anything) wrong, often the result is a disaster. You aren't into it, because you are trying to direct, and I guess for many guys it comes off as simply insulting. It isn't a very "supportive process," to borrow a friend's phraseology.

Example: "No, not there,...there..." (Quizzical looks, no change in behavior.)

Now, if you go looking for diagrams of women's vaginas, you will find yourself either looking at medical textbooks or special references, such as Our Bodies, Ourselves --- which, is presented as a "for women only" sort of thing. The original edition even gave this little rap to men about not buying it "for" women. Yeesh! Good book, but talk about "attitude." The new edition has thankfully dropped this negative proscription.

You will sometimes NOT even find a clear picture of a woman's vagina in a general sex reference, such as the original The Joy of Sex. And you won't find a discussion of the parts of the vulva in most places. Now, go look for a picture of a man's penis that is reasonably edifying, and you'll find them all over. I only discovered this when I tried to look it up, and since I had never purchased Our Bodies, Ourselves, I was SOL (corrected that, recently). I however, and all women, have a ready-made "reference manual," provided we have gotten over the idea, or never had it, that looking at it will somehow be a "bad thing." Men don't have this reference manual readily "at hand," at least if their partner, if they have one, is not immediately available and cooperative.

I have also read, and just reread, the Cunnilingus FAQ. Though it seemed excellent in terms of mood, style of approach, all the "beginning" stuff, I found when I applied her technique suggestions to me and my experience as a recipient, or my experience as a giver, it was a bit short on specifics. I am sure the described approach works very well for the woman who wrote it :), but I have a few things that seem unsaid.

So, you have gone through all the beginning motions, taking a reasonable amount of time, and you are starting to "get down to business." First, PLEASE turn on the lights. Working in the dark is for experts at best. I am assuming you are sitting between her legs, facing her, or some variation on this. Now really LOOK at what is there. Where her hair is (or was, some people shave) is the mons veneris, the pubic mound. If she is not aroused, everything is likely, but not guaranteed, to be enclosed within the outer lips or labia majora, the edges of the pubic mound that comes together to enclose her vulva.

As you spread this apart (she can bring her knees up and out, and/or you can use your hands), you will now see the inner folds of skin of the vulva, the inner lips or labia minora. These (usually) go all around the vaginal opening, and come in a variety of interesting and pleasing shapes and textures.

As you observe that this encircles the vaginal opening, at the top of this you will find what might look like a button or might look like a very tiny penis, covered by an additional flap of skin. The flap of skin is the "hood" of the clitoris, and is very sensitive, as is the clitoris. This is the female equivalent of the male foreskin, though it is much looser than that corresponding organ.

If you see what looks like a button underneath the hood, then what you are seeing is the glans of the clitoris, exactly equivalent to your own penis glans, or head of the penis. If you see a bit more than that, then there is probably some of the shaft of the clitoris extending in your partner. I stress this since most men would not be particularly enthused by a blow job that only gave attention to their penis head and extended not a centimeter below there. Many might find it annoying or even painful, depending on how rough their partner is with them and how sensitive they are to pain in that area. However, told "give attention to the clitoris," by fable and book, many brave soldiers run to do battle on the field of their woman's desires with their tongue, only to find their partner is telling them to please stop, it hurts, or it doesn't do anything for me. This may or may not be a comment on your technique, some women don't like oral sex. I would just like to suggest an approach that probably has a higher average success rate.

The shaft of the clitoris is attached internally, back into the body of the woman. Pressure on the spot above the glans and underneath the hood will generally give you access to the part of the shaft equivalent to the part of your penis that is towards your body, whereas underneath the glans will give you access to the part of the shaft that is equivalent to the part of your penis that is away from your body. It is likely that the skin directly below the glans will be functionally equivalent to what is for most men the most sensitive and pleasurable part of the penis for play, and the inner vaginal lips are also usually quite sensitive "in a good way." Going down/in/back, you may or may not see the urethra, if you do this is the location of the grafenberg spot (g-spot), which we have all heard on this newsgroup is quite varied in response, some women love stimulation there, others do not. Try licking your tongue around there, if it is visible, and see, in the course of your "investigations."

O.K., so now you have the picture. You did trim/file your nails first, didn't you? Play with your hands, play with your mouth, go all over, gently at first, increasing stimulation and focus as her body responds, and coming in "closer on" the clitoral area as she becomes more aroused. Lick, suck, point your tongue and apply pressure, use it like a "miniature penis" under the glans, penetrating her as you go, make little circles with your tongue, lick up and down along the skin in front of the clitoris, up and down the inner vaginal lips, etc. These are ideas, find some others, listen to her responses and comments. Remember to GO SLOW --- I believe impatience and expectations of quick response are "generally recognized as" the most common error in sexual encounters. Eventually the clitoris will become probably become erect, and stimulation that is "more direct" (like enclosing your mouth on the area and gently sucking) will stimulate a sufficient amount of the organ in question to be interesting. Watch what you are doing, and what happens, the entire area will become "engorged" and swollen if things are proceeding closer to orgasm.

Some women may not, or may prefer not, to orgasm this way. Most will probably, however, enjoy the experience a great deal. Hopefully this "explanation and comparison" to the corresponding male body parts will allow you to not be (still) in the dark with the lights on.

Memo from Bill

[soap.xml]

Development Team,
Thank you! I have been saying for years that Open Source is EVIL! Now we have even more proof. With this latest failure of open source code we can push even more people into using our products. We can even say that we "tried" to use open source, and look what it brought us. Once again, Thanks! Marketing and I appriciate it.

-Bill

walk like a man

[Yr0]

Marie has set up home
With a man who's half my age
A halfwit in a leotard
Stands on my stage

The standards have fallen
My value has dropped
But don't shed a tear

Some walk like they own the place
Whilst others creep in fear

Try if you can
To walk like a man
But you don't come near

You've got to fly like an eagle
Prowl like a lion in Africa
Leap like a salmon
Pulled from the sea
To keep up with me
You've got to walk like a panther tonight
Walk like a panther tonight

The old home town just looks the same
Like a derelict man who has died out of shame
Like a jumble sale left out in the rain
It's not good
It's not right

The standards have fallen
My value has dropped
But don't shed a tear

Some walk like they own the place
Whilst others creep in fear

So try if you can
To walk like a man
But you don't come near

You've got to fly like an eagle
Prowl like a lion in Africa
Leap like a salmon
Pulled from the sea
To keep up with me
You've got to walk like a panther tonight
Walk like a panther tonight

Where did you leave your self-respect?
You look like a reptile
Your house is a wreck
Your existence an insult
And stains that are suspect
Cover your clothes

The standards have fallen
My value has dropped
But don't shed a tear

Some walk like they own the place
Whilst others live in fear

So try if you can
To walk like a man
But you don't come near

You've got to fly like an eagle
Prowl like a lion in Africa
Leap like a salmon
Pulled from the sea
To keep up with me
You've got to walk like a panther tonight
Walk like a panther tonight x5

Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic,nflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic.Try to reply to other people comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) > Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic,nflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic.Try to reply to other people comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) >Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic,nflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic.Try to reply to other people comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) >

Re:Seriously? Microsoft use open source code?

[DA-MAN]

And Windriver or whoever controlled BSDI at the time made some serious cash in that deal. They got paid to make the tcp/ip stack work well in 2000/XP and they've done a good job of it.

I just wonder if Microsoft was able to taint some of the BSD coders by allowing them to view their code. I'm sure integrating something like a TCP/IP stack required access to some 2000/XP src code. Anyone know?

Re:Seriously? Microsoft use open source code?

[l33t+j03]

So who do you figure will take Microsoft to court?

I'd really like to see Microsoft as the defendant in the first GPL case, that'd be a blast. I'd buy a ticket.

Here is a list of apps vunerable

[ZaneMcAuley]

http://www.gzip.org/zlib/apps.html

At least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

"Borrowed"? Whats the license for zlib?

Re:Here is a list of apps vunerable

[Mr+Windows]

zlib has it's own licence, which doesn't prohibit what MS have done. At the moment, that is... :)

Re:Here is a list of apps vunerable

[ZaneMcAuley]

So if they use that version with that license, theyre ok, but if the license changes (in other releases), can they still use that version but not the new one unless they comply with the new license (for that version).

What im asking is what if the license changes for code (after that version is used and released according to the license with it) that is existing within products are there today. How are they impacted?

Re:Here is a list of apps vunerable

[IO+ERROR]

From zlib-1.1.3:

Copyright notice:

(C) 1995-1998 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly Mark Adler
jloup@gzip.org madler@alumni.caltech.edu

If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code.

If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes.

Re:Here is a list of apps vunerable

[nvrrobx]

Here is the license for zlib

The summary is:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Re:Here is a list of apps vunerable

[leviramsey]

What im asking is what if the license changes for code (after that version is used and released according to the license with it) that is existing within products are there today. How are they impacted?

There is no change. The license is a fixed contract which is agreed to at the time specified in the license (ie clickthru in the case of MS, at first use or examination in the case of the GPL). Unless the license states that future revisions to the license shall amend this license, changing the license can't do a damn thing.

This is why it's legal to have dual-licensed software. For instance, MySQL sells a non-GPL version of MySQL (which is 100% identical, except the GPL comments are replaced with MySQL license comments). In theory, if Linus wanted to release the Linux kernel under an MS EULA (with s/Microsoft/Linus Torvalds/), he could, although parts of the kernel that he lacks the copyright to (such as ReiserFS, which is available under a commercial license) couldn't be included. Linus closed-sourcing Linux is possible but difficult, given the degree of collaboration.

Re:Here is a list of apps vunerable

[Mr+Windows]

ENOPUNCT

A piece of software can be included in Debian if it meets the DFSG. If a particular release of a piece of software (eg foo version 1.0) meets these guidelines now, it'll meet them forever. If the foo copyright holder then decides that foo version 1.1 will be closed source (or otherwise not meet DFSG), then foo 1.1 won't be included in Debian. Once a piece of software has been released under a particular licence, anyone who's received it under that licence then has the right to use it under the terms of that licence. In the case of open source licences, that means forever, and so foo 1.0 will always be Free.

Re:Here is a list of apps vunerable

Ah, but they were planning on giving it back you see.

Re:Here is a list of apps vunerable

Does anyone else find it amusing how they point out that "nine of Microsoft's major applications" appear to be affected, and then list Office as 1 application? Hmm, seems like that could include Word, Excel, Access, Publisher, PowerPoint, and a number of other utility type programs... That's 5+ right there! I wonder how that would be represented in the SecurityFocus statistics....

Insecurity.

[metacell]

I don't think the point of the article is that Microsoft is insecure ('cept about keeping their market share, of course :). I think it was interesting that Microsoft used open source code in software they sell externally. I didn't know that before. It was also interesting that security flaws in Microsoft products was caused by open source code. Kind of turns the tables on those geeks. (Wait... what site am I at? Oh, Slashdot! Damn...)^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H ^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H ^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H ^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^HKind of turns the tables on those Microsofties, doesn't it? And then comes the interesting question: what will they do about it? Apply the open source patch within 24 hrs, and admit that open source gets fixed damn fast, then hang their head in shame waiting week after week for the patch to reach out to all the end-users. Muahahahhahaha... So, I dissed Microsoft. Do I get my Karma now?

Re:Insecurity.

Stop it!

Borrowed Code?

[Spit_Fire1]

The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.
the colors were just screaming security flaw already weren't they?

Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products.
And now they are forced to admit what we already knew, they haven't written anything original since...well...ever! :P

The zlib compression library doesn't use the GPL, however.
and the war between MS and GPL coninues, maybe the linux community could use Anime-based uniforms to storm microsoft and take the code back.

Re:Borrowed Code?

Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products

Interestingly enough, most of the products (if not all of them) they mention as being vulnerable were not created by MS either (e.g. DirectX, Internet Explorer etc). The whole fuss over this ZLib thing is obviously just FUD. I mean, just doing something like "printf("\t\t\b\b\b\b");" will reboot an XP system, I don't see any noise over that, or a fix for it. New security exploits are discovered at least once a week on Windows systems, and the silence is deafening.

Re:Seriously? Microsoft use open source code?

I've seen this so often that it's worth a comment.

The TCP/IP code in Windows NT is streams based - it was written originally by Spider Software in Edinburgh. It's a clean room implementation that does not have any BSD code in it (I know the original architect of it). And it isn't derived from the original Unix streams code - even the underlying streams layer was written from scratch. The same code is in use by many OEM's in embedded devices etc.

This might be considered a troll?

But perhaps that is why microsoft is so afraid to let the states in the antitrust case look at their code. If some one were to discovered they actually a lot of open source code, that would be a huge embarrasement.

GPL is not about giving things away

[pyrrho]

Microsoft is an old hand at using public domain stuff! They don't dislike it... like all companies they grew used to swallowing it up! It's even cheaper than buying QDOS was.

No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.

Re:GPL is not about giving things away

It's just like a bunch of wobbly old church ladies, carrying on about the evils of rum, the way the zealots rant and carry on about the GNU license.

Re:Seriously? Microsoft use open source code?

This is particularly critical with something like the TCP/IP stack. Everybody using a stack derived from a common code base means both sides of the interface on many connections, even on different platforms, are based on the same data structures, etc. This is a good thing, no matter how the Linux folk (Linus arbitrarily decided at one point 'he didn't like the Berkeley stack' so they used some other code instead) try to spin it.

Re:Seriously? Microsoft use open source code?

[King+of+the+World]

You sound authoritive. Any links for proof?

they use open source BECAUSE

[filbert009]

1. It was already written and IMHO they are too cheap to write thier own software 2. read #1 over and over ALSO they used it extensivly so if they patch.... look for TONS of new "feature/bug/phone home style apps to be inserted"

... pants on fire!

[metacell]

""[...]but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products.""

"Darn, and I thought they were caught with their pants down."

Hey, that's a great idea. Find a way to sneak GPL'd code into, say, MFC, without Microsoft knowing it, then go to court to make them release all their software as Open Source.

Microsoft will, of course, apply all the delaying tactics they can... which gives us time to patch and rerelease Windows NT, IE and SQL server while the legal grinds are churning.

It just might work!

Re:... pants on fire!

[NickV]

That would be a great test of the GPL actually, considering it's never been actually tested legally. Remember that.

If something like that were to happen, I'd imagine that the GPL would probably be killed in court by high powered lawyers from all the major software companies (not just MS.)

Re:... pants on fire!

[xonker]

then go to court to make them release all their software as Open Source.

More than likely, this wouldn't happen. The most likely outcome would be that a judge would uphold the clause in the GPL that forbids future distribution of GPL'ed code -- but I doubt that a few lines of GPL'ed code would cause a judge to require M$ to GPL, say, Windows.

Even if Microsoft had to GPL something, it's likely they could limit it to one application or library -- for instance, if they used GPL'ed code for something in Word, they would probably only have to GPL that version of Word and could excise the GPL'ed code from that version and release the next version under their normal licensing. Even if they violate the GPL, they still hold the copyright and the worst that could be done is force them to release one GPL'ed version of source code. But using GPL'ed code in one app wouldn't require them to release everything.

It would, however, be a big embarrassment to M$ and I wouldn't mind seeing them squirm a little.

Re:... pants on fire!

[dossen]

Well, as has been said many a time before, this would not be a good thing for microsoft or any other vendor. The GPL is the agreement that grants you the right to use the code in your product and distribute it. If the GPL should fail, then vendors would have NO right to distribute software based on GPL'ed source. The GPL is not a restriction on public domain, it is a set of rights granted by the holder of the copyright.

Re:... pants on fire!

[kz45]

then go to court to make them release all their software as Open Source.

This statement proves that you hate MS products, solely on the basis of ideals (IE: Proporietary).

Otherwise, why bother having the Microsoft source? They suck right?

Just because microsoft used OSS in their operating system, doesn't make open source as a whole better. It makes the BSD stack better. this would have happened regardless of the license. (if it was any different, microsft probably would have just bought it).

Re:... pants on fire!

[xonker]

WTF?

Your reply has nothing to do with my post. It really has nothing to do with the parent post that I responded to.

Re:... pants on fire!

not just killed, but i could easily see GPL being stabbed, punctured, wounded, twisted, and worst of all, flabberghasted.

Re:... pants on fire!

[mpe]

If something like that were to happen, I'd imagine that the GPL would probably be killed in court by high powered lawyers from all the major software companies (not just MS.)

The only way you could "kill" the GPL would be to void copyright protection on software. Effectivly every piece of proprietary software would immediatly enter the public domain.

Re:Seriously? Microsoft use open source code?

[ichimunki]

Why? Unless you incorporate it wholesale or re-use a patented algorithm, you do have Fair Use rights under existing copyright law.

Re:Seriously? Microsoft use open source code?

Why?

Unless it's GPL infected it's not illegal to incorporate it.

Plus, once the copyright-abolish fanatics have had their way, all the GPL licensed code (which is all protected by legal structures based on copyright law) will fall into Public Domain anyway.

Re:Seriously? Microsoft use open source code?

[leviramsey]

Either way, browsing other competitor products code whether its free, open GPL or whatever is gonna be risky for a business in legal terms.

How is reading, even verbatim copying, of BSD-licensed code risky in legal terms. The license explicitly allows incorporation into any type of software (commercial, open, or free). Microsoft could put out their own version of one of the *BSDs, with the only difference from it's base BSD being having the Windows GUI grafted on top of it and no source included.

The relevant passage in the BSD license (from http://www.freebsd.org/copyright/license.html ):

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgement:

[ACKNOWLEDGEMENT DELETED FOR BREVITY --LR]

There are licenses that are the BSD license, less the advertising clause (it is the advertising clause that prevents BSD from being a free license according to the FSF), such as the MIT license. These licenses are the freest of all the licenses (short of public domain).

Re:Seriously? Microsoft use open source code?

A guy with the email address 'fake@nospam.org' is challanging someone else's credentials??

heh

you make this crap up

you make this up /.

anything to bash MS you spread, don't matter WHO makes it up.

What do YOU want to do today?
/. says "Bash Microsoft"

Which explains why MS is not attacked more

As long as MS makes heavier use of OSS, they will be less prone to attacks.
They currently use the TCP Stack from BSD, they redesigned SMB services based on Samba (they had to cold room it due to GPL). This helps explain how MS is getting faster and less cracks.
Of course, this also explains why they oppose GPL.

Re:Which explains why MS is not attacked more

[FuzzieNorn]

Recent versions of Windows use a rewritten TCP/IP stack, so even if they did use the BSD stack for Win95/NT4/etc (which they almost definitely did, based on its behaviour), they aren't using it any more.

Re:Which explains why MS is not attacked more

All this explains is your own personal prejudice

Re:Which explains why MS is not attacked more

[robhancock]

I believe it was rewritten TO use the BSD-style (or even just the BSD) stack for Windows 2000. I think 95/NT used some crap stack that they wrote themselves.

Re:Which explains why MS is not attacked more

They directly use the BSD stack, which is totally legal.
BTW, it came about in nt 4.0 and moved into 2000

If you ever had any doubt...

[SlashChick]

...that Microsoft uses free software, I invite you to take a look at this.

In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

Now type "help". Check out this line at the bottom of the output:

view FILE - sort an 'ls' output file and view it with pg

Uh, yeah. Oops.

Re:If you ever had any doubt...

Works on XP too. That's friggin hilarious. :)

Re:If you ever had any doubt...

[Gabey]

Actually, I think that's referring to the ls commands that you can give to nslookup:

ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)

-gps

Re:If you ever had any doubt...

You forgot to check out the line directly above it:

ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)

Re:If you ever had any doubt...

[ashpool7]

Are you sure they just didn't use XENIX sources?

Re:If you ever had any doubt...

[istartedi]

I'm surprised that anybody has to be "convinced" MS uses Open Source code. I've always thought it was common knowledge. Also, you could have just looked in Help About for IE and seen that it uses the Independant JPEG Group code. Based on this prior behavior, I always assumed they used the free PNG implementation. Since PNG uses zlib, MS uses zlib.

Now, if MS were smart they'd have a standard place for libjpeg.dll, libpng.dll, and zlib.dll but as far as I know there is no such thing. Either the functions are in some other DLLs, or the names are obfuscated. This bug, combined with MS's "security initiative" represents a golden opportunity: MS could take the occasion to give us "standard" DLLs so that developers would no longer have to package them, and could instead say something like "make sure you have this service pack and if you don't, here it is".

Re:If you ever had any doubt...

[klui]

The help says view it with pg, but under NT's nslookup, it uses more instead. Clearly copied verbatim from UNIX sources.

Re:If you ever had any doubt...

"I'm surprised that anybody has to be "convinced" MS uses Open Source code. I've always thought it was common knowledge"

Indeed, it's right in the readme.txt on the Windows CD. But that's too easy for the folks that want to use their techical voodoo powers to prove their case.

Re:If you ever had any doubt...

[DeadMeat+(TM)]

C:\WINNT\system32>strings NSLOOKUP.EXE|grep Copyright
@(#) Copyright (c) 1985,1989 Regents of the University of California.

That answer your question?

Re:If you ever had any doubt...

Doesn't Xenix predate nslookup?

Re:If you ever had any doubt...

[mpe]

In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

It would have to be something with a licence such as the BSD licence which makes the code almost "public domain". Since Microsoft wouldn't want to touch anything covered by something like the GPL, since such a licence enforces copyright. They'd look very stupid as a bunch of software pirates moaning about piracy.

Re:If you ever had any doubt...

[mpe]

Now, if MS were smart they'd have a standard place for libjpeg.dll, libpng.dll, and zlib.dll but as far as I know there is no such thing. Either the functions are in some other DLLs, or the names are obfuscated.

Or possibly even different bits of them are scattered between other DLLs. Remember that Microsoft's method of making IE part of the OS appears to include deliberatly writing what amounts to "sphagetti code". If things were neatly structured then removing components would be much simpler.

Re:If you ever had any doubt...

[elgardo]

Spaghetti code is when you write a program in 100% assembly, and then go over with find/replace in order to change all labels to names of food, particularly pasta dishes.

I have done this, but unfortunately, I don't have the source code in ASCII at the moment. It's in this old token-format of Turbo Assembler for Atari ST...

Yeah...do I have a defense

if the BSA comes knocking?

Now I'd really like to see the sources to all the MS OSes.

BSD code in NT4 utils at least

[Cally]

Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.

Well it's easy to show that they use /some/ BSD
code, at least. This is Cygwin / bash on NT4:


andrew@INEGO(22:18:47)
[path...] /WINNT/system32 $ grep -i regent *.EXE
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches

Re:BSD code in NT4 utils at least

[poot_rootbeer]

[path...] /WINNT/system32 $ grep -i regent *.EXE
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches

That proves nothing. What if there are simple easter eggs in these binaries where that noted Microsoft developer and rock star, Ted Regent, snuck his name into the code?

Re:BSD code in NT4 utils at least

[joelsherrill]

My machine has a bunch of stuff on it so a virgin
Win2K system MIGHT have different results but I
handchecked that the file's date matched the
install date on the machine. So CAVEAT EMPTOR...
a slightly fancier grep and some patience ...

find . -type f | while read f
do
strings "$f" | grep -i "Copyright " | grep -v Microsoft
test $? -eq 0 && echo $f
done

showed up Thomas Lane's open source JPEG work in multiple places, Mark H. Colburn's work in system32/pax.exe, Mark Adler's PNG work in at least system32/pngfilt.dll and a few more interesting cases.

system32/offfilt.dll has Mark Adler's inflate in it.

c:\Program Files\Common Files\Microsoft Shared\VGX appears to have zlib based upon this:

$ strings Program\ Files/Common\ Files/Microsoft\ Shared/VGX/vgx.dll | grep -i Copy
4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler

And Adobe Acrobat PDFWriter also uses zlib per system32/spool/drivers/w32x86/2/pdfdd.dll.

This is far from exhaustive of 100% scientfic but a good starting point.

--joel

Re:BSD code in NT4 utils at least

From a 'virgin' w2k machine (2000 was installed, the machine was rebotted, FreeBSD was installed, and 2000 hasn't been touched). I hand doctored the output to remove garbage and improve readability.

ftp://ftp.ctc.com/xfer/cameron/copyright.txt

Re:BSD code in NT4 utils at least

[Spamhead]

WinXP (eXtra Pretty) shows this:

[world@boner system32]$ grep -i regent *.exe
Binary file finger.exe matches
Binary file ftp.exe matches
Binary file nslookup.exe matches
Binary file rcp.exe matches
Binary file rsh.exe matches

Re:BSD code in NT4 utils at least

[Cally]

Oh for heaven's sake, some people...

/cygdrive/[...]/WINNT/system32 $ strings *.EXE --print-file-name | grep -i regent
FINGER.EXE: @(#) Copyright (c) 1980 The Regents of the University of California.
FTP.EXE: @(#) Copyright (c) 1983 The Regents of the University of California.
RCP.EXE: @(#) Copyright (c) 1983 The Regents of the University of California.
RSH.EXE: @(#) Copyright (c) 1983 The Regents of the University of California.


Satisfied now???

mutatis mutandis

[nickynicky9doors]

The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.

Am I right in assuming this won't effect NT4 and is a direct outcome of putting the GDI back in the kernel unlike in the true microkernel architecture like HURD?

Re:mutatis mutandis

[leviramsey]

Am I right in assuming this won't effect NT4 and is a direct outcome of putting the GDI back in the kernel unlike in the true microkernel architecture like HURD?

I thought the only version of Windows that didn't put the GDI in kernel space was the only one with a microkernel, aka NT3.x

Re:mutatis mutandis

[afidel]

Well you seem to be implying that NT4 does not put the graphics code in the kernal, this is incorrect. This was one of the biggest "improvements" from nt 3.51 -> nt 4.0 is that the graphics subsystem got moved into the kernal for a speed increase. It is also (when coupled with crappy drivers) the second leading cause of nt instability after IIS =)

Re:mutatis mutandis

[nickynicky9doors]

Thnx I thought the change happened with NT5 akaa Windows 2000, my mistake, sorry :) So David Cutler's original 3.1 design was fundamentally changed with the intro of NT4... I guess that would explain the new version number.

Re:mutatis mutandis

I heard they put it in the kernel. I'm not sure what the kernal is, but you are misinformed either way.

Fuck they put IE in the kernel, isn't that why they are in trouble with the DOJ?

Re:mutatis mutandis

[nickynicky9doors]

uhm no. You've spewn some madness from Win9x. The discussion was centred on NT4. You're wrong you now must go far far away never to return. 'ta

Robert Lemos is an idiot.

Has anyone ever seen this guy produce an article that doesn't have major factual errors?

I know many people corrected him when he stated that this was a Linux problem in his first article about it... it's not surprising that he still hasn't pulled his head out of this ass.

Live from Dreadmond

One word:

E V I L

AMISH VIRUS!!!!

[Alan_Thicke]

You have just received the Amish Virus!
Since we do not have electricity or computers,
you are on the HONOR SYSTEM!
Please delete ALL of your files....




Thank Thee.

Re:oh goody, goddy, what it feels goody to bash!

[metacell]

"I bet that most ppl who bash MS have never spent time with Windows 2000."

I must admit I'm feeling guilty.

I switched to XP after a few months.

:-)

None the less ...

[TheViffer]

"if" M$ does use GPLed source, somewhere down the line it will come out.

Case in point. A GPLed piece of software has bug X, and strangly enough, a M$ product has the same bug.

It maybe worth the time to test major bugs in GPLed software against M$ programs if such simularities do exist.

Just a thought.

Re:None the less ...

[rjamestaylor]

Why wait for a bug? Scan for "signatures". That's how the use of BSD's TCP/IP stack was determined (that, and the "Regent" copyright).

Re:None the less ...

[mpe]

Why wait for a bug? Scan for "signatures". That's how the use of BSD's TCP/IP stack was determined (that, and the "Regent" copyright).

The BSD licence allows Microsoft to use the code. So why do they need to take the copyright statements out. If they were pirating GPL code they would be utterly stupid to leave any such easy to find indications in.

Re:None the less ...

[rjamestaylor]

Take a chill pill. My point wasn't that MS did something WRONG by using BSD code. Not even that they did something HYPOCRITICAL (they haven't; they have clearly come out in favor of the BSD license). The point was, I thought clear, that if one wanted to determine WHICH project MS adopted for a particular purpose one need not wait for a characteristic bug, but could scan for signitures in the compiled code. Even though MS has the requisite BSD copyright, there is not a clear deliniation fro m MS exactly what code, or to what extent, MS used in their product. The use of the BSD copyright just let people know that there was SOME part of Windows using BSD code. It was left as an excercise to the user to figure out which piece.

There, now my response doesn't sound like a criticism of MS, does it? Well, it actually is. Though MS is right to use and repeat the BSD © not specifying what was used and where makes identifying vulnerabilities difficult to the user (but not to exploits). Closed Source is sucky that way.

Prison

[KDENCE]

Microsoft is like a prison cell with a bad lock, just when you think all is safe and bend over to tie your shoes you get screwed!

Just when I start thinking that ms is top of the line above all they come out with some security flaw out there, of course tomorrow we'll be able to dload some new service pack, but I hope they start being a little bit more proactive than reactive.

. . . and to all a good night!

Re:Prison

WTF?

The security flaw related to zlib ONLY occurs in Linux.

Hell, it doesn't occur in any of the BSD's or Microsoft's products. It only occurs in Linux because Linux uses the GNU C library (glibc), and none of the other OSes do.

What kind of shit are you smoking, dude?

Re:Seriously? Microsoft use open source code?

Yeah, nothing like finding a bug in one piece of code and having it affect the ENTIRE INTERNET.

Keep your license politics out of technical discussions. And while your at it, try to stick to facts, instead of software development urban legends.

subsequent delivery

HA HA HA HA FRAT BOY

Rock over London

Rock over London
Rock on Chicago.
Bush Administration:
Creating a permanent corporate police state.

Fixes from MS

[ZaneMcAuley]

So we expect more Hotfixes or SPs for these products? When?

This highlights taking a dependancy on externally maintained code is risky. Turn around time in fixes and integration into the codebase, verification of the fixes for those products etc...

Re:Seriously? Microsoft use open source code?

If you are reading this, you most likely have no social skills.

You are correct sir.

Operating Systems That Are DYING!

The verdict from major market research firms is in: they unanimously confirm that the following operating systems are DYING:

• AIX is dying.
• AmigaOS is dying.
• BSD is dying.
• BeOS is dying.
• CPM is dying.
• DOS is dying.
• FreeBSD is dying.
• GNU Hurd is dying.
• HP-UX is dying.
• IRIX is dying.
• Inferno is dying.
• Linux is dying.
• LynxOS is dying.
• MINIX is dying.
• MacOS is dying.
• Mach is dying.
• MicroC/OS is dying.
• NachOS is dying.
• NeXT is dying.
• Nemesis is dying.
• NetBSD is dying.
• NetWare is dying.
• OS-400 is dying.
• OS-9 is dying.
• OS/2 is dying.
• Oberon is dying.
• OpenBSD is dying.
• Palm OS is dying.
• Plan 9 is dying.
• pSOS is dying.
• QNX is dying.
• RTEMS is dying.
• SCO is dying.
• Solaris is dying.
• SunOS is dying.
• TRON is dying.
• ThreadX is dying.
• TinyOS is dying.
• Unix is dying.
• VMS is dying.
• VxWorks is dying.
• Windows 2000 is dying.
• Windows 3.11 is dying.
• Windows 95 is dying.
• Windows 98 is dying.
• Windows CE is dying.
• Windows ME is dying.
• Windows NT is dying.
• Windows XP is dying.

The Free On-Line Dictionary of Computing defines an operating system as: "The low-level software which handles the interface to peripheral hardware, schedules tasks, allocates storage, and presents a default interface to the user when no application program is running. The OS may be split into a kernel which is always present and various system programs which use facilities provided by the kernel to perform higher-level house-keeping tasks, often acting as servers in a client-server relationship. Some would include a graphical user interface and window system as part of the OS, others would not.

The operating system loader, BIOS, or other firmware required at boot time or when installing the operating system would generally not be considered part of the operating system, though this distinction is unclear in the case of a rommable operating system such as RISC OS. The facilities an operating system provides and its general design philosophy exert an extremely strong influence on programming style and on the technical cultures that grow up around the machines on which it runs.

The comp.os.research FAQ makes the following distinction between micro- and macrokernels:

"A recurrent topic of discussion in this newsgroup has been the comparison between microkernel (for example Mach and QNX) and `macrokernel' (traditional Unix) operating systems. The basic notion of a microkernel consists of devolving as much functionality as possible into processes rather than the kernel itself; different systems take different approaches to implementing this.

For example, some systems (such as Mach) leave device drivers in the kernel, and place higher-level services (such as file systems) outside; others (such as QNX) move device drivers outside of the kernel.

However, anecdotal evidence [93-03-03-07-56.52] suggests that the distinction between microkernel and monolithic architectures is becoming more blurred as time goes on, as the two advance. For example, most modern monolithic kernels now implement multiple threads of execution and fine-grained parallelism. Architecturally, this approach begins to appear similar to a microkernel with several kernel-space processes working from shared memory.

As an aside, people often complain that the Mach system can't be a `real' microkernel, because it is so large (at least, this is the argument most frequently cited). However, I have been told that automatically-generated code stubs contribute very significantly to the size of the kernel, and that some size reduction would be likely if MIG (the stub generator) produced better code. [Can someone from CMU comment on this?] As mentioned above, the leaving of device drivers in the kernel also contributes to Mach's size.

Debating microkernels versus monolithic kernels on the basis of kernel size misses the central, architectural point. In the same way as the point of a RISC processor is not to minimise the instruction count, but rather to make a different tradeoff between what is implemented in the processor instruction set and what is implemented in other ways, the microkernel architectural issue is to determine which services are implemented in the microkernel, and which services are implemented external to that microkernel. By making appropriate choices here, the goal is to enhance various OS attributes in a manner that might not be addressable with a monolithic kernel OS. System attributes such as performance, flexibility, realtime, etc. are all variables which are taken into account.

Re:Operating Systems That Are DYING!

[Marrow]

So the major OS's in the world that are NOT dying
are VM, MVS, VSE, OS/390. I guess we all have to
learn SNA, VTAM, and JCL to make our way in the
world.

change it

[geekoid]

MS want to bve able to change there EULA after you've bought the product, I'd love to see the zlib people GPL theres, then sue MS when they don't comply.
This would force MS eithe to pay up, or go to court and fight against the very thing they want.

Re:change it

[leviramsey]

MS want to bve able to change there EULA after you've bought the product, I'd love to see the zlib people GPL theres, then sue MS when they don't comply.

Somebody doesn't get it

There is no universal right to retroactively change a contract (in a unilateral matter). Such a right must be granted in an earlier contract. So MS can change the EULA and have it be binding because you have agreed to any modifications which may be made by MS (with the option to return the software if you don't agree with them).

Zlib's license lacks a clause like this (and did when Microsoft took the code). Therfore, moving the project to GPL would only affect the new codebase.

And if Zlib were GPL'd, a fork would happen? Why? Because the BSD zealots would take the last non-GPL'd version and develop it under a BSD license, since they can't use the GPL.

Re:change it

Weird, really weird.

You're calling the BSD developers the zealots.

I've so seldom seen the word 'zealot' flipped around and used in exactly the opposite way. Is today 'backwards' day and we're to believe the zealots are the ones who say 'use our source code however you like?'

Re:change it

[mpe]

There is no universal right to retroactively change a contract (in a unilateral matter). Such a right must be granted in an earlier contract.

Isn't one of the objections to UCITA that it does allow such changing of contracts?

Re:change it

[leviramsey]

Isn't one of the objections to UCITA that it does allow such changing of contracts?

UCITA, IIRC, essentially amends contract law to specifically allow modification of the contract ex post facto in the case of click-thru licenses. Without UCITA, such is probably legal, but not necessarily (no court has heard a case on the issue). Again, the operative principle is that it has to be referenced in a prior agreement between the parties.

Essentially, UCITA sets the idea of later modification to a click-thru license in stone (barring constitutionality challenges, of course).

Re:change it

Two words: Brett Glass.

Take Us Right Down

Please tell me: what does HURD rhyhme with?

Trollnificent!

Re:Seriously? Microsoft use open source code?

[bytes256]

even if that is true, ftp, telnet, and several other command-line network utilities are obviously of almost pure BSD origin.

It's NOT a buffer overflow!!!!!!

[Smallest]

it's a double-free problem. the two are totally different.

read all about it : http://www.gzip.org/zlib/advisory-2002-03-11.txt

-c

Re:It's NOT a buffer overflow!!!!!!

[garett_spencley]

You're right I'm sorry I got confused.

The current version of gzip has a buffer overflow and I confused that with zlib's double-free.

Sorry about.

Anyway zlib's issue can be used to cause denial-of-service attacks etc. These are also worse than your system crashing. Imagine not being able to use either your computer or the network etc. You reboot and still you can't do your banking, check your e-mail and quite possibly not even able to use your computer because the DOS is just re-instated minutes after your computer reboots.

--
Garett

Re:Seriously? Microsoft use open source code?

Firstly, I have heard this several times before, so I suspect it is true. Secondly, the telnet and ftp *clients* are hardly critical parts of the TCP/IP *stack*.

Scan MS stuff for GPLed code

[pyrrho]

I bet some is in there! I just bet! For god's sake, someone less lazy... um I mean less busy, than me, find GPLed code in Microsoft. I want RMS to make us all call XP GNU/XP.

Re:Scan MS stuff for GPLed code

I bet some is in there! I just bet! For god's sake, someone less lazy... um I mean less busy, than me, find GPLed code in Microsoft. I want RMS to make us all call XP GNU/XP.

Are you an idiot? XP isn't open source, so there is no source to scan.

Re:Scan MS stuff for GPLed code

He means binary signatures I am sure. Not a trivial task, that.

Re:Scan MS stuff for GPLed code

http://www.microsoft.com/Windows2000/interix/

Re:Scan MS stuff for GPLed code

[Florian+Weimer]

You can just look for data tables contained in the source code. These tables are rather invariant under compiler transformation, otherwise find-zlib wouldn't work. (Most vendors didn't bother to strip the copyright string, so this isn't really important in this case.)

Geez

[SquierStrat]

Well first off I've gotta say:
HA HA!!!!!

Are any of us REALLY surprised at this though? This is Microsoft afterall. Even my chemistry TA was complaining about them today...

Re:Geez

Oh Really! This bug was found in Linux first. The problem was greater on Linux than is is on MS or *BSD because like the BSD zlib this is detected and stopped before anything extremely bad happens unlike on Linux.

Re:Geez

[SquierStrat]

uh...I was referring to the fact that microsoft is hypocritical in that they criticize open-source software constantly yet, they use it.

I'm fully aware that it's a problem that was first found on the unices!

Which is actually something to be proud of. Microsoft and all of it's money didn't (while borrowing the code) find the security problem.

How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.

Re:Geez

[Trisk]

How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.

I think you're referring to OpenBSD releasing with a patched version of zlib that had already taken care of this vulnerability, probably incidentally. This only occurred on OpenBSD, AFAIK.

Re:Geez

[lpontiac]

What's he's probably getting to re: BSD..

C programs generally use two functions, malloc and free, to allocate and deallocate memory repectively. So the code should do this:

ptr = malloc(number_of_bytes);
/* do stuff */
free(ptr);

The problem that zlib has is a double-free bug; it does this:

ptr = malloc(number_of_bytes);
/* do stuff */
free(ptr);
free(ptr); /* double free */

Keep in mind that it doesn't have all of this in one nice code sequence, hence the bug wasn't obvious. Anyways, regarding why it might be worse on some architectures: You're not allowed to call free twice like that, however it's possible that it won't do any harm.

FreeBSD will actually detect the double free and print out a warning. glibc (the C library used by most Linux distros) will crash and burn. Other OS' may exhibit different responses.

Nothing

[Sloppy]

It means nothing. It's just a widespread () but low-intensity) disaster, and MS customers happen to be among the victims.

If there's a lesson about security in all this, it has something to do with static linking. Or maybe something to do with extreme (over??) standardization, where everyone and their dog ended up using the excellent zlib.

Re:Nothing

[optikSmoke]

I think the lesson would be more to do with static linking. If all of these suddenly-vulnerable apps had dynamically linked to zlib, the "overstandardization" would have been an asset in fixing such bugs - one library used by many programs patched for its own set of bugs, instead of many libs/implementations used by many programs patched seperately for their sets of bugs.

XP Users will be A-OK

[GoodChristian]

I realize that as time goes by many fixes will be needed for WinXP.
Fortunatly, it has a pretty cool feature called Windows Update. It scans your system and tells you what fixes you need.
Even cooler is that it will also look for fixes that your other programs and hardware need - like new drivers for your vid card or an update to Office.
They also keep a record of all the fixes and updates that you have installed and makes it easy for you to remove them. So far my system has had 26 upgrades.
So I am sure that when and if a fix is needed, XP users will get it extra fast.
On a side note, I was always a cathedral fan. Proof? Name one DECENT game that was produced with OSS. Yep, thought so.

Re:XP Users will be A-OK

[swordgeek]

"Name one DECENT game that was produced with OSS. Yep, thought so."

NETHACK!!!!

OK, I'll be quiet now.

"no reports of any exploitations"

[Ami+Ganguli]

From the advisory

There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.

I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.

All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

Re:"no reports of any exploitations"

[gclef]

All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

and you think this is bad? Why?

If all the vulnerable machines get patched before anyone's affected, I'd think the system worked just as it should. I"d rather not wait until there's some nasty reprise of Nimda before starting to patch my systems.

Re:"no reports of any exploitations"

[Ami+Ganguli]

It's not bad that they publicize the vulnerability, but it's bad to make it into a bigger issue than it really is. It means that when a more serious security risk comes along nobody will pay attention.

What are you going to do in response to the next Code-Red? Declare a state of emergancy and call out the army?

Re:"no reports of any exploitations"

[gclef]

Someone's already found a way to exploit this over ssh. There's hints (I stopped reading the thread to see if they finished it) of it working for ftp. The code with the problem is used in a huge number of places in multiple OS's.

How big does it have to get before we acknowledge that it's a serious risk and start the patch run? I've been following the security lists about this, and I don't think the coverage is overdone at all.

Re:"no reports of any exploitations"

[Florian+Weimer]

I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.

If you look at the zlib versions some vendors are shipping and compare it with the zlib ChangeLog, you'll discover that there is far more than just a potential risk ("fix array overlay in deflate.c which sometimes caused bad compressed data" and so on). Maybe these problems are finally adressed now, though (or the vendors have silently fixed these bugs themselves over the years).

Re:"no reports of any exploitations"

[KjetilK]

All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

How do you know that? Black-hats may have known about this for ages and exploiting it silently. Do not confuse lack of reports with lack of attacks.

OK, since free software users have more a sense of community and being publically acknowledged for having found the hole is a big ego-booster, it is less likely to happen around here, but I wouldn't count on it for security.

Should it say "sort a 'dir' output file"?

No. When one types "help", the command listed above "view FILE" is (surprise!) "ls". So it's not a mistake per se (as implied by your 'oops').

Of course, it's still an indication that yes, they probably ported nslookup from elsewhere.

More than DoS Possible

[Midnight+Ryder]

From the ZLib page:

There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.

It would take some pretty slick work to actually get something to execute arbitary code with this particular bug, but, it's possible. So it does raise the risk level back to what you originally stated, Garett.

Fellow preachers! Let's convert Microsoft!

[metacell]

Ah, but what if we made GPL'd code that was so good and so far ahead of everything else, Microsoft didn't have any choice but using it in their products... nah. They wouldn't be able to sell any licenses that way. It would be financial suicide.

'Cept if it's some product they give away for free anyway, like IE.

Re:Fellow preachers! Let's convert Microsoft!

[kz45]

Ah, but what if we made GPL'd code that was so good and so far ahead of everything

It will never happen. Most GPL projects never go anywhere because agreements can't be met, and the people contributing have to go to a normal job.

Then explain the "pg" part...

[SlashChick]

...since DOS doesn't have a command called "pg".

Re:Then explain the "pg" part...

[maxpublic]

I dunno if there's a slashdot anti-microsoft conspiracy, but I do know what BillG fanboys do in their spare time....

Max

Re:Then explain the "pg" part...

[BlowCat]

nslookup wasn't ported by fanboys. It was ported by Microsoft employees or contractors.

Re:Then explain the "pg" part...

who the hell modded up the previous post as "interesting" it can be funny or clueless not "interesting"

Innovation in the computer industry.

[metacell]

"I beg your pardon, this looks like the same level of Inovation microsoft has been doing since Day one.

port basic
buy qdos
borrow from Apple and Xerox
borrow from BSD
borrow from open source.

...."

Ah, much like Red Hat, SuSE and Mandrake then.

Seems like Microsoft got the point of Open Source long before Linus Torvalds started hacking away: it's all about borrowing.

Re:Innovation in the computer industry.

[jedidiah]

Open Source was never about plagarism.

That is ALL that Microsoft is about.

They only look similar if you aren't paying attention.

Re:Innovation in the computer industry.

[caspper69]

Uhhh...

Then why do so many of the "new" window managers that Linux zealots are promoting look so much like Windows?

I can see it now..

Linux Zealot: Boss, we've got to change all of our desktops to Linux now! It's finally ready for the desktop.

Boss: I thought it was hard to use.

Linux Zealot: Not at all. It's MUCH better than anything a company of professional developers working full time could create. And it doesn't have ANY security vulnerabilities, and it NEVER crashes.

Boss: Sounds pretty good. Have they made the User Interface any better?

Linux Zealot: Oh yes, much better. KDE has added a start menu, right-click context menus, My Computer, Control Panels and even a way to (almost) automatically install/uninstall programs.

Boss: Sounds like Windows 95 that was released 7 years ago. I guess that's ok, but does Linux support our hardware?

Linux Zealot: Not all of it, but there are some close driver matches, and if I hack away at it enough, maybe our hardware will work. There's also a guy in his basement in Cleveland working on a driver for our video cards. His latest post to /. says he'll be done in a few weeks.

Boss: Well, I don't like the idea of not knowing when/if our hardware will be supported, but we'll be upgrading soon, so that's not a really big deal. What about software? We've got hundreds of thousands of dollars invested in several custom VB applications that make our lives 1000x easier. Will they run?

Linux Zealot: No, not yet. But there's a new project started by some college kids in Arizona that will allow us to quickly convert VB applications to X applications. Right now it doesn't do shit, but I'm sure in a few years they'll get it to run flawlessly!

Boss: Well, what about all of the documents and spreadsheets we've typed over the last 10 years. Will we be able to read those? Oh yeah, and if we switch, will we still be able to use Office?

Linux Zealot: Office? What is that? Oh, Star Office, yeah, it'll run just fine...

Boss: No.. Word. Excel. Powerpoint. The tools that the entire civilized world relies upon to get WORK done?

Linux Zealot: Well, not yet, but there's some guys working on this thing called WINE that...

I'm sure you get the point. I'm also quite certain that this post will "disappear." Don't belive it happens? ANY post too MS or too anti-OSS seems to magically vanish from /. Seems as though Open Source advocates aren't as "Open" as they claim.

This whole comment on plagarism just pisses me off. Get a fscking clue.

Re:Seriously? Microsoft use open source code?

Your information is slightly outdated.

The BSD license no longer contains the advertisement clause, and has not contained it for some time.

If one must troll, one must learn some facts first.

Re:Seriously? Microsoft use open source code?

Probably not, does the name Trumpet WinSock ring a bell?

But knowing microsoft, IE is probably inter-mixed with the TCP/IP stack

You should take a look,

You should take a look at this.
I guess that explains it all, and if not, you had a good laugh.

And if you didn't laugh, you should learn to relax but

GPL!

Doesn't this violate the GPL?

zlib or glibc?

[dzym]

As I recall, this was only an issue if you had a double-free because of glibc, and I believe the original article specifically singled out Linux because it was dependant on the specific behavior of glibc.

How is this an issue for Microsoft software?

Re:Seriously? Microsoft use open source code?

[leviramsey]

I took the license from the FreeBSD website

Check the url in my post

The difference between Proprietary and Open code

[Rick+the+Red]

This just points out the difference between proprietary code and open code. Those using open code incorporating this flaw have had a fix available for days (if they choose to patch and compile the source). Those using proprietary code incorporating this flaw will have to wait for the vendor to release a fix, if ever.

If that's not a good arguement against depending on proprietary code (as for running a business), try this: If the flaw was not in open code incorporated into the proprietary code, but rather existed exclusively in the proprietary code alone (yeah, right -- proprietary code with bugs! LOL :-) then we might never know the flaw existed, let alone get a fix, unless some cracker with ethics told the world when they found the flaw rather than keep the exploit to themselves.

Microsoft

[wazootyman]

Okay, I'd like to make several points about the comments in response to this topic.

Where do you guys get the idea that Microsoft is full of inept and lazy programmers? That just doesn't make any sense. I, for one, have talked to several Microsoft employees that have come out to my university (Michigan State) for presentations, and they all say the same thing: People who work there have a genuine passion to make good software. If you don't have the drive and motivation, you won't succeed. I mean honestly, I'm certain there are many great open source programmers, BUT, they've got to earn a living some how. If you are very talented, I'm sure a large corporation like Microsoft would pay you VERY well for your skills. I'm sure they have a lot of applicants, and as a result only hire the best. It would only make sense.

Last year the lead developer of the C++ compiler team made quite the lengthy presentation in a nearby hotel auditorium. I don't know compilers that well (I'm EE, not CS), but I'll tell you this much...that man is a genious. He really knew his stuff, and it was evident by the reactions of the CS professors in attendance. He, as many of the Microsoft employees have stated, seemed to really like his job.

...He wasn't some bumbling code-stealing idiot that you guys would make him out to be.

Re:Microsoft

[jedidiah]

No amount of programming talent can make up for fundementally flawed management.

Re:Microsoft

And its not the employees of microsoft that are under attack, its the marketing tactics and buggy products they claim are better then anything else. Also the evil business tactics they use.

Re:Microsoft

All that shit is nice.. I'm sure they only hire the best, those aren't the people who make the decisions. If they were the software would probably work alot better than it does. Of course Microsoft would also make less money

Re:Microsoft

What a bunch of goddamn ninnies you all are.

Please go back to using your Fucking Mac and quit polluting the Linux community.

Re:Microsoft

...and yet my wife's w2k machine crashes every couple of days. how do you explain that? they can be as brilliant as you'd claim they are but they seem to not be able to give me a decent product that runs smoothly. contrast that to the mechanic down the street who keeps my car going for years on end. to me, the mechanic is waaaay more 'brilliant'. your definition of brilliance may vary.

Re:Microsoft

Where do you guys get the idea that Microsoft is full of inept and lazy programmers?

Uh, gee, I don't know, but perhaps it is because of the INCREDIBLY SEVERE quality problems they have historically always had with their software products? Just a wild guess.

I'm not saying their progammers are inept and/or lazy, the ones I've met were also very good. But presumably for other reasons they do have a severe quality problem (actually I believe this is a simple result of them having no incentive to try hard because they're already dominant -- I've known about horribly obvious, blatant bugs in many of their products (MS Word, Windows Explorer, SourceSafe etc) some of which took over five years to be fixed, and many of which are still not fixed to this day). Considering that MS is currently piling up over $1billion cash pure profit every month, I'm sure they can afford to hire a few more qualified testers and developers to fix the problems, but quite obviously they *are not interested in doing so*. Their products are mostly fairly stagnant.

Anyway, that was an overly long tirade, but my point is that even though it may be *incorrect* to assume that their programmers are inept, it certainly isn't *unreasonable* for people to think so, given what comes out of MS. That is, you can hardly blame people for thinking it.

Microsoft's use of zlib is not the issue

[ahde]

Its stupid to bring up the GPL or other open source licenses or argue about whether Microsoft is stealing code. I'm glad they use zlib. I'm glad they used portions of the BSD tcp/ip stack. I'm glad they decided to support (to the best of their ability) standards like C and HTML. I'm glad I don't have to depend on Microsoft anymore. But if they hadn't used open source programs I'd have never been exposed to other options except for the likes of Novell and Sun.

The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.

You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.

The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.

Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.

Re:Microsoft's use of zlib is not the issue

[cperciva]

Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No.

Did it occur to you *why* they haven't said anything?

Because this bug doesn't pose a security risk in Windows.

You're comparing apples and oranges... in Linux, this was a critical issue because linux's free() will quite happily trash your heap if you give it a chance. Under BSD and Windows, this is not a critical issue, because both BSD and Windows have marginally slower (but much safer) free() calls which will not trash your heap on a double free.

This bug (might) exist in the mentioned windows software, but it is a completely harmless bug, thus there is no reason to issue patches immediately.

Re:Microsoft's use of zlib is not the issue

[WNight]

The issue, imho, isn't that MS uses open-source. That's what it's for after all. The issue is that MS uses open-source for its own advantage, while seeking to hurt the open-source movement whenever they do something that's not to MS's liking.

Basically, while we shouldn't believe what they say, we should force them to act as if they do.

Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.

If they don't, can they really expect to have any credibility left?

Re:Microsoft's use of zlib is not the issue

[sheldon]

But what if there is no problem with the Microsoft software?

Should Microsoft issue a press-release saying "despite what some Linux kiddies think, our software has no issues."?

Would you believe them anyway?

Now back to our regularly scheduled Microsoft bashing...

Re:Microsoft's use of zlib is not the issue

[reflective+recursion]

Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.

Erm. Your logic is broken to me. Why don't we examine this:

There is a free compression library, zlib, which is an asset to the public (and proprietary software business, because of it being BSD licensed and not GPL).

The fact that people spent their own time on zlib is a liability. Their time is gone. They have nothing other than free source code which gains them nothing more than the ability to use that source code. They were not rewarded financially, nor was anyone else able to be rewarded financially for that particular program (not that is matters too much, since there are many other compression tools).

Society does not move forward without using other's tools, but society does not move at all without monetary incentive. There is a reason for money, and it is not for "evil" purposes despite how bad /. readers believe it to be. Throwing out software because of how it was created is plain ignorance and wasteful. There are more useful things to be done than paying someone to rewrite a compression library.

Do you really want "starving programmer" to become an actual phrase, much like "starving artist" or "starving musician?" This is what will happen, if FSF has its way.

Re:Microsoft's use of zlib is not the issue

Nope.

Microsoft doesn't oppose Open Source in general. They oppose certain licenses which happen to allow source code to be distributed, but which push a political ideology to REQUIRE all source code to be distributed.

Specifically, they oppose the GNU license, as do many, many smart people in the software industry.

People in history who think they know it all, who say 'our methods are the way forward, you may as well surrender to the truth' have often been frightening people. Lenin fit into the camp, as did Hitler.

It's never that simple.

Re:Microsoft's use of zlib is not the issue

Godwin's Law for slashdot

"As a slashdot discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches one." There is a tradition that, once this occurs, that thread is over, and whoever mentioned the Nazis has automatically lost whatever argument was in progress. Godwin's Law thus practically guarantees the existence of an upper bound on thread length.

Re:Microsoft's use of zlib is not the issue

[WNight]

Microsoft may dislike the GPL more, but they are down on all open source, publicly. Their comments about how it costs the government money, doesn't put it in the hands of the programmers, etc... That wasn't about GPLed code, just all open source code.

So, let's see them put their money where their mouthpieces are. If they say open source is bad, they should never, never, use it. If they do, we have no choice but to assume that they lied.

Re:Microsoft's use of zlib is not the issue

[WNight]

I want Microsoft to be honest. To give up the FUD, and argue the issue openly.

If they say open source is so bad (regardless of if it is) then they shouldn't use it. If they use it, it's because it helps them. If it helps them, it's not so bad now, is it?

--

A world with open source will still require people to code new things, and to customize current things. There'll always be new things.

If you can only make your living from re-inventing the wheel, then perhaps you do deserve to starve. But frankly, if you depend on artificial scarcity you're taking advantage of others to make a buck. Not really anyone I care about anyways. So, go ahead and starve, or get some skills of use in a different economy.

Times move on. People made obsolete by the change will always bitch, but that doesn't mean we should stop. Or do you think people are obligated to buy your buggy whips?

Re:Microsoft's use of zlib is not the issue

[reflective+recursion]

If they say open source is so bad (regardless of if it is) then they shouldn't use it. If they use it, it's because it helps them. If it helps them, it's not so bad now, is it?

I don't think Microsoft is saying that open source is bad. I do believe they know more about business and supporting programmers than anyone who creates free software. RMS just doesn't give a damn if you starve because programming is no longer rewarded financially. He gets paid via non-profit organization to sit on his ass and attack people who create proprietary software. I'd also like to see the taxes RMS has paid his entire life. Compare that to any programmer working for Microsoft, and I guarantee that even the entry-level position people are paying more taxes in a few years than RMS has ever paid.

A world with open source will still require people to code new things, and to customize current things. There'll always be new things.

You seem to forget that it takes an incentive to create new software. You know who foots that massive bill to create new software? People like Microsoft and Intuit. You know who will foot that bill if all software was free software? NO ONE. Not one person or organization will have the capacity to have software created for the common good. The only software that will be created is the "scratch-an-itch" type, except it will be highly specialized and not for the general public. In that case, there is not even incentive to release or maintain a source repository for it. It is simply throwing money down the drain at that point.

But frankly, if you depend on artificial scarcity you're taking advantage of others to make a buck.

It is not artificial scarcity. It is no different than paying for a magazine or newspaper subscription or music. Scarcity is when the creation of actual, physical goods is limited by natural resources. Paying for software is not the same as paying for a computer. When you pay for a computer, you are part of the demand for that computer. Computers face the reality of scarcity. That is why memory prices keep jumping around. When you pay for software you are paying for the labor that went into that service. You also pay whatever extra the giver of that service wishes. Sure, software may appear to be a good when it sits on the shelf. Underneath, software is simply a service. There is a little cost for the scarcity of material such as for the manual and CD-ROM, but that is it.

Re:Microsoft's use of zlib is not the issue

[ahde]

that is an issue, but its a different issue.

Re:Microsoft's use of zlib is not the issue

[WNight]

RMS is irrelevant to this discussion. What is relevant is that Microsoft is afraid of the possibility for people to make their own software. With large projects taking many man-years, open source is the only way large projects could happen.

I don't forget that it takes incentive to create software. I have worked for many companies with the incentive to create software. I've had contracts rangding from $2k to $30k for developing a custom DB interface, or customizing existing software. They obviously feel that new software would save them money in the long run and are willing to spend on this. These companies weren't even billion-dollar multinationals.

I think this disproves the idea that programmers would starve in an open source world. No project is going to perfectly suit all users, and not all users needs are going to "scratch the developers itch" so much software that industry wants won't just happen for free. They can either adjust to fit the software, or have the software adjusted to fit them.

As to the issue of scarcity... Software *is* an artificial scarcity. Once you have one, you can make a million copies for near zero cost. There's no financial incentive for a company to do so, but the facts remain that all the costs are up-front.

Anyways, the long and short of it is that Microsoft blatantly and deliberately attacks open source. Then they go and use open source, while saying terrible things about it. This is totally dishonest. If open source software is bad, don't use it. If you use it, admit that it's not bad.

Re:Seriously? Microsoft use open source code?

[xtremex]

Actually, it comes from VMS. VMS is so alien to the UNIX way of thinking. So, Windows is basically a hodge-podge of VMS plus some System V additions, and a pretty shell.

Can you handle the truth?

[metacell]

Microsoft hires a lot of smart programmers and system designers who make intelligent decisions about how to design software and what code to re-use. Microsoft's programmers use open source code because it's good, it's standard, and it's familiar to them.

There are also a lot of competent programmers squashing out the bugs at Microsoft, but a large company has a lot more red tape to go through before anything is released.

The majority of Microsoft's products are good, but not always the best in their field.

Microsoft's flagship product, Windows NT/2K/XP, is an advanced operating system that strikes a good balance between security and backwards compatibility. Except for the tacked-on Internet Explorer interface, it's robust, feature-rich and modern with a very broad hardware support.

Microsoft is also very skilled in both adapting to and manipulating the market, and at using it's dominance in one market to gain dominance in others.

Because they're not stupid

[Alex+Kalita]

Microsoft knows that putting GPL code in a closed source product would open them up to lawsuits, so they avoid it at all costs. The article even mentions that Microsoft developers are banned from using GPL source code. They have used non-GLP code before, and in every case they have complied with the associated license. I wish we could put these silly accusations to rest. The only supporting evidence anyone has given is "because they're Microsoft".

Replying to my own message

[jonnyfish]

Yes, I am a somewhat technical person, and that's why I'm asking. I know what buffer overflow is, and the zlib issue is not it. This may be an issue, but surely something that doesn't require this much coverage or worrying.

Re:Replying to my own message

[dannannan]

I know what buffer overflow is, and the zlib issue is not it. This may be an issue, but surely something that doesn't require this much coverage or worrying.

A double-free can be just as bad. For example:

1. Suppose some code frees a buffer.
2. Then some other piece of code asks the allocator for a block of memory, and happens to get the block that was just freed.
3. Next, suppose the already-freed block is double-freed.
4. Suppose, finally, that some code asks the allocator for a block of memory again and it receives the block that was just double-freed.

Now two pieces of code are using the same buffer for two different purposes without knowing it. Maybe one of the pieces of code is using the buffer to write data from an untrusted source. This corrupted data could then mistakenly be trusted by the other piece of code.

For example, if one function thinks the memory is a C++ class with a vtable, and the other thinks it's a buffer to store incoming data from a socket, whoever's sending the data to the socket has an opportunity to replace a function pointer with one of their choosing, and the next time a virtual method is called by the code that thinks the buffer is a C++ class instance with a valid vtable, it's curtains.

Yikes!

D

They don't know what their own code has?

[loconet]

"...However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable. "

You're telling me their own people don't know what products uses what? Either they want to see if they can deny the use of zlib or they're just clueless. The lather seems more possible.

HABBA FUNGULE

[lkaos]

It is NOT a buffer overflow. Every is happy that your karma whoring because you know what a 'buffer overflow' is but your also helping spread this FUD.

The problem in zlib is a double free. It is only, and I repeat, only theoritically possible to exploit this in the same way that it is theoritically possible to exploit any undefined behavior.

Please don't counter with a traceroute exploit being an example of a double free because it wasn't. That was an example of free a garbage random data. There is quite a difference.

At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny because XP's whole TCP/IP had a remote root hole in it and less noise was made here then is being made now over something that is only theoritically possible to exploit and also not yet proven to be reproducable.

Right now, this 'security issue' is entirely theoritical.

Put yourself in MS's position

[uebernewby]

They're not dealing with a fairly small number of reasonably savvy users who go to read slashdot, discover that zlib has a bug and decide to go fix their systems. MS deals with millions upon millions of 'ordinary users' who run dozens of programs that have zlib linked statically (we've just been told) and who have absolutely no idea what zlib is, what their systems use it for or how to patch it (well, they can't, because it's statically linked). So it makes sense for MS to determine first which apps are affected, in what way (is DirectX ever going to run into this problem? if yes, what are the consequences? if no, or if the consequences aren't serious enough, getting millions upon millions of clueless users to download a DirectX patch ASAP isn't worth the trouble). I agree with you that they should have information handy on which of their apps link to zlib, but who's to say they don't and they're just taking this time to conduct a risk inventory (they're a big ass bureaucratic monstrosity after all)?

Re:Put yourself in MS's position

[mpe]

MS deals with millions upon millions of 'ordinary users' who run dozens of programs that have zlib linked statically (we've just been told) and who have absolutely no idea what zlib is, what their systems use it for or how to patch it (well, they can't, because it's statically linked).

Since all of Microsoft's operating systems support dynamic linking youc an lay a fair bit of blame on Microsoft for choosing to statically link their apps. One of the main advantages of dynamic linking is easy upgrading, either for bug fixes or functionality.
Also it was Microsoft's policy to design around a paradigm of end-user administration.
How can they reasonably blame anyone else?

Re:Put yourself in MS's position

[uebernewby]

Of course they are to blame and of course static linking isn't always a smart thing to do, I was just saying that because they design their software to be easy to use (not such a bad decision IMHO - I'd hate to have my dad run linux), getting patches out the door is going to be a little more difficult for them to do than it is for Linux distros.

Re:Seriously? Microsoft use open source code?

[jedidiah]

I'm curious too. Why should we believe a fish tale like that when Win2K still has an /etc/hosts file embedded into it?

Re:oh goody get a clue

[fro_less]

I have spent alot of quality time with 2000 (migrate from NT4 to Win2000 AD = no fun ). Most people hate it because the have to use it at work, even though there are better alternatives. MS bashing goes on because their products .... WTF why am I explaining this to you, SHUT UP TROLL.

zlib demonstrates the strength of Linux security

[dybdahl]

The zlib incident has clearly demonstrated how well the Linux security model works. Within 24 hours after publishing the vulnerability, Linux servers were fixed all over the world, and still nobody seems to know how much Microsoft products are vulnerable.

We will probably see more and more software and code that runs on both open-source platforms and on Windows, which means that we will also see more incidents where Microsoft's security service performance can be measured against the competition.

Re:InstallShield vs. InstallAnywhere plug

[Grizelmac]

InstallShield has lost the lead in ease of use to InstallAnywhere. It doesn't use anything from Microsoft, and performs better for the other platforms as well.

I dig it.
http://www.zerog.com

/plug

Re:Seriously? Microsoft use open source code?

[bytes256]

Well no crap...I didn't say they were part of the stack...my point was that Microsoft uses open source code all the time...I just used the example of BSD

Re:Seriously? Microsoft use open source code?

[edhall]

That's the 4.4BSD license, a license that predates FreeBSD (and the other open-source BSDs). It contains the dreaded "advertising clause," which is (IMHO) rightfully viewed as non-free. That's why FreeBSD uses this license which drops the advertising clause and is almost universally viewed as a free license; the other open-source BSDs did the same thing.

-Ed

If there is a fix, doesnt MS have the fix also ?

[Quazion]

I hear all these people about a flaw in the MS OS ?
Maybe there, but its fixxed probably, now what i wonder about is when they come with the patch.

But then i also read some thing about the a difrent C version of MS, so maybe they dont need the fix.

Now i wonder why i even wrote this..

Quazion

No such domain (Offtopic)

[The+Cat]

Can someone please explain why zdnet and news, etc. are all on a non-existent domain?

; > DiG 9.2.0rc3 > news.com.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER

I don't get it. com.com seems to be some kind of travel agency. Any ideas?

(Sorry for the offtopic question)

Re:No such domain (Offtopic)

[The+Cat]

Figures.. here is the real DNS information:

; DiG 9.2.0rc3 news.com.com
;; global options: printcmd
;; Got answer:
;; HEADER opcode: QUERY, status: NXDOMAIN, id: 46230
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;news.com.com. IN A

Whacking MS Memes

[_Sprocket_]

Good troll. Just in case someone actually takes this seriously...

a more likely scenerio is that they are testing the fix. Microsoft is usually rather quick about releasing things, but they believe in testing it first. Great concept that.

Microsoft's fast responces to security issues is a recent event. They do not have a history of fast responce. But they do have a history of putting out fixes that cause problems. It is common practice to delay rolling out hotfixes and service packs to allow for discovery of these bugs and subsequent fixes.

Oh, and it will be available on windows update so that it will actually have wide spread adoption. Lets see how wide spread the linux fix is.

Yep. That's why CodeRed and Nimda weren't able to do much damage. Oh. Wait.

Since 80% of redhat boxes are rooted in the first 24 hours there seems to be a rather large precedence for boxes not being patched when they should be.

Nice statistic. Got a valid reference for it? Or is that just a bogus number to make your rant sound nice?

Microsoft may be a lot of things, but they aren't stupid. If they were they would never have gained absolute control of the desktop.

People often confuse Microsoft's marketing savvy with their technical ability. They are a technical company who excels at marketing. You're crowing about their marketing. This is a technical issue (information security is not a marketing issue - despite how many companies, MS included, tend to handle it).

Re:Whacking MS Memes

[kz45]

Yep. That's why CodeRed and Nimda weren't able to do much damage. Oh. Wait.

CodeRead and Nimda damaged many systems only because admins never got the patch from microsoft.

Re:Whacking MS Memes

[Datafage]

Yeah, and the original poster said that MS always achieved widespread patching.

BSD license vs MIT license?

[cpeterso]

If the BSD license no longer has the dreaded advertising clause, then how does it differ from the MIT license? Why doesn't FreeBSD simply switch to the MIT license? Maybe there is some university rivalry.. or maybe they don't want to rename their project to "FreeMIT". ;-)

Re:BSD license vs MIT license?

[Ace+Rimmer]

The difference is now only in formulation. But the MIT licence is way shorter so I prefer that one ;)

Re:BSD license vs MIT license?

It would be FreeMSD, if you want to get pedantic about it.

Re:oh goody get a clue

[NanoGator]

Name a better alternative. Windows 2000 is easy to deploy on a variety of harware, easy to use, and has well supported software. The gotcha is that it costs lotsa money to license. Can you honestly tell me there is a better alternative? The only alternative I have as a 3D Artist is Macintosh. And though I'd like to have one, Windows works on the hardware investment I've already made.

Linux is hard to install, requires a more knowledgable support people, and has less driver support. This is why Windows is big in the corporate world. Obviously Microsoft isn't so bad if it's doing what people are paying for it to do.

As for being a troll, a troll rarely makes a good point. Getting back to my original point, this attitude of "It sure is cool to hate Microsoft" is blinding people to alternatives that may very well work for them. Call me a troll for disagreeing with you if you like, but I'm not-anti Linux.

Fuck M$

I hope this forces more people to use the GPL and get away from the "steal this software" type of licenses like the BSD. I think M$ owes a lot of open source developers some serious money and has another person pointed out maybe they can change their license to the GPL and sue sue sue!

Re:Anime Uniforms

Give me a Gundam: Mobile Armor suit and I'll make the world a better place!

double free() considered harmful

[nyet]

NOT crashing on a double free might be just as bad (or worse) than crashing on a double free, since it generally means somebody is accessing a free'd pointer for other reasons (prior to the second free). In *this* particular case, allowing a double free might be better than not allowing it, but in general, ANY program that does a double free probably has far more destructive bugs hiding in it.

Re:Seriously? Microsoft use open source code?

[Beatlebum]

I bet part of the reason MSFT is so averse to having its precious source code inspected is the possibility it contains GPL'd code that infringes on the license.

Fuck you!

This is exactly why software is not all GPLed! There are some things that are good for everyone and keeping it all to yourself is just as fucking shithead of you as it is of MS.

Re:Fuck you!

The GPL doesn't keep it all to yourself idiot. It is a I give to you, you give back to me thing called sharing. Something the BSD style license don't have.

Re:Seriously? Microsoft use open source code?

[toopc]

I bet part of the reason MSFT is so averse to having its precious source code inspected is the possibility it contains GPL'd code that infringes on the license.

doubtful...

http://research.microsoft.com/university/ntsrcli ci nfo.asp

Microsoft® makes source code to Microsoft operating system products like Windows XP, Windows 2000 and Windows CE available to universities and other "not-for-profit" research institutions at no charge. Currently, there are over 100 universities worldwide with our source licenses.

"The issue at hand is choice"

[gotan]

This is again Mundie piping up with that stupid argument, that the GPL is bad because it limits the licensees choices. Now where's my choice when i want to develop using Microsofts sourcecode (if i can get my hands on it, even some governments can't)? Well, i have to accept Microsofts conditions. With the GPL and similar licenses i have to agree to the conditions of the respective authors (which choose the GPL as a license). So where's the difference? I'm sure it's easier to satisfy the GPL than Microsoft anyway. If only someone would ask what Microsofts conditions are for using their sourcecode when Mundie goes on a rampage again, that should shut him up for good.

Meanwhile the TCP/IP stack and now the zlib (and probably some other open source software Microsoft choose to make money off) shows what all that rhetorics of Mundie really is about: They want to take without giving, and they have seen that there's some nice open source software they'd like to get their hands on if only it weren't for that pesky GPL. Apparently that there's some open source software, that's too good to ignore, even for innovative Microsoft. It's really unfair that the GPL is asking Microsoft to share with others if they want to benefit from that software.
--

Re:Seriously? Microsoft use open source code?

[warlock]

This is a "bug" in the webpage... someone forgot to update it apparently, since the 4.4BSD license has been updated years ago. Check the addendum here:

ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.L ic ense.Change

The removal of the advertising clause retroactively applies to any BSD licensed sources that Berkeley has the copyright of, including 4.4BSDLite which FreeBSD is based on, and since the FreeBSD additions are covered with the FreeBSD license which is the BSD license without the advertising clause and references to the "Berkeley Regents" replaced with "FreeBSD Project", this effectively means that there is absolutely no advertising clause issue.

There are of course some non-free (in the BSD sense, I am not trolling!) sources, most of them GPL, however if one is looking to release modified FreeBSD binaries without providing the source, he can simply rm -rf /usr/src/gnu or make sure he doesn't ship any of them, which for a lot of applications is not necessary anyway.

Re:zlib demonstrates the strength of Linux securit

I'm glad it demonstrates something. It sure as hell doesn't demonstrate that OSS is more secure because of more eyes!

That isn't Microsoft.

[evilpaul13]

Installshield that is. MS has the "Windows Installer." Installshield is a separate entity.

PHP page compression ?

[phobonetik]

How could this affect PHP4's use of zlib? I assume this is used when you use gzip compression on pages using the ob_handler?

Re:Seriously? Microsoft use open source code?

You couldn't tell SysV from VMS by their installations. Shut the fuck up you naive teenager and stop "flashing words" to make yourself appear somehow intelligent. You appear stupid and pompous. LASTLY, The shell model Windows followed was dropped long ago. Fuck off.

IM TOTALLY SICK OF THIS SHIT

When this "security flaw" affects LINUX, you simply title the article "software bug" but when it affects Microsoft straight away its a "security flaw".

TALK ABOUT BIASED!!!

Re:IM TOTALLY SICK OF THIS SHIT

You've gotta remember that some of these people, in particular the people who run this site, view it all as a holy war. There's good and there's evil. Linux and Open Source is good and Microsoft is evil.

That kind of ninny-headed thinking is probably one of the worst threats facing the viable future of Open Source/Free Software. Interesting projects like Linux become a platform for nutcases with a grudge. All the creeps who flooded the Amiga, OS/2, and Macintosh community have made their way over to Linux, and they're draggin' it down.

Re:Seriously? Microsoft use open source code?

[xtremex]

I will ignore your comment as you have NO idea what you are talking about.

OS from scratch

[leonbrooks]

I'd love to see Microsoft write their own OS from scratch the way GNU did. ;)

That's true, they never have written an OS from scratch. Windows 9X is DOS-plus-GUI-shell and DOS was derived from QDOS; Windows NT is DEC's MICA, broken and in fancy clothes, and 2k, XP, Longhorn etc are all derived from that. What about CE? Maybe that's why you need an expensive mega-micro-beast to run it on.

If MS truly want OS security, why not just wrap their user interface around OpenBSD? The licence allows it, provided credit is given (and that can be done in very fine print).

XFree86 patch for dynamic zlib

[leonbrooks]

Some distributors have patched XFree86 to link dynamically against the system zlib.

Mandrake, for example. That and any other package for which this was straightforward to do.

MELON. MELON. MELON. +++ REBUILD FROM SOURCE.

[leonbrooks]

Any proper system should be able to rebuild completly from source, catching ALL statically linked binaries.

For your compiling pleasure, Mandrake 8.2 includes a tool to do just that. But you will also have to grep the entire source tree to catch self-included static copies of zlib. Just be glad that you can do this. (-:

``Hello, Microsoft Technical Support here. Can I have your money, er, support number please? ... Thanks, OK, now what seems to be the problem? ... Rebuild from source? Sir, don't you mean reboot...?''

Another fine reason to give money to Mandrake instead of Microsoft.

Re:MELON. MELON. MELON. +++ REBUILD FROM SOURCE.

[xanadu-xtroot.com]

What's the name of the tool you speak of? This is the first I've heard of this handy thing.

TIA!

Re:BSD code in NT4 utils at least (d'oh)

:%s,rebotted,rebooted,g

Microsoft NOT vulnerable to zlib bug!

[jpmorgan]

The security vulnerability is due to zlib trying to free the same section of memory twice. The glibc memory allocation routines aren't very smart, and will cause heap corruption if you try to do this. This heap corruption can be exploited.

The Microsoft runtime libraries have smarter memory allocation and deallocation - attempting to free the same area of memory twice does not result in heap corruption. Consequently the zlib bug isn't a security vulnerability in Windows.

Re:Microsoft NOT vulnerable to zlib bug!

Just like it isn't a bug in Free/Net/OpenBSD.

The zlib error isn't the security flaw. It's the glibc error that results that is a security flaw.

It's a uniquely Linux security flaw.

WHY DO PEOPLE PERSIST IN IGNORING THAT FACT??

Extent and Response

[Erris]

Hmmm the article mentions about every piece of M$ crap ever made, On Thursday, researchers reported that at least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

Gosh, what else do they make besides a second rate search engine? That there is no security on M$ is no secret.

Their response according to the article is:

Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library.

Meanwhile, in a dark Seatle back room someone is running "apt-get update" for a fix! Well, that's what I did. No problems now.

Re:zlib demonstrates the strength of Linux securit

Yeah thats true.. I mean when you have alot more eyes looking at something no matter how long it takes to find it'll eventually be found, one way or another.

When you have a small pool of eyes not even bothering looking you don't find anything.. So obviously it's more secure.

Dumbass.

ha ha, Sheldon you silly boy.

[twitter]

But what if there is no problem with the Microsoft software?

Well, that could be. I don't have any problems with my M$ software. It sits on floppies and CD's where it can be installed to use some obscure piece of hardware on a second rate computer never attached to the internet. Most of the time, however, it never causes problems.

Bad Microsoft, bad! Quit saying that free software is unusable while using it. Oh yes, good luck hunting thought that vast tree of poorly documented closed source junk you have been purchsing from other companies for the last ten years. Is this what you will build the Digital Rights Management Operating System, TM and patented use of other people's code? Slap! Crack! What a joke of a company. What shall become of all the M$ stock when the world figures out that M$ is the equivalent of an Ice Vendor in Antartica?

They wanted to be the asshole in the middle, stripping ideas and programs from others, to sell as The Sole Operating System. All the people they ruined could be hard at work fixing their codes. Now, those codes will continue to be distributed unmodified. The task is too great for a single company. Like most such ventures, in the end Microsoft can only manage to be assholes.

Affects linux

Do you think linux does not use zlib ?

Re:Seriously? Microsoft use open source code?

[King+of+the+World]

Dude, the King of the World doesn't bother challenging. He merely questions with a smile. Surely, I cannot be expected to believe a post without evidence as to do so would pollute the mind.

MS should use some GPL code and see what happens

[Sabalon]

Seriously - they should come up with some small little product that it doesn't matter if they have to release the source code to. They should put some GPL'd code in there - perhaps not even try to hide it too much.

And then they should see what happens. I guess they figure not many in the GNU crowds care much for them anyway, so they won't lose "loyal customers".

However, it'd either do two things:

a) show MS that it doesn't matter cause no one dared to file a suit

b) give the GPL it's day in court and see what happens.

The only downside is that whoever decides to take this to court better be loaded. It could be a long uphill battle.

It would be interesting to see the outcome though...however with MS's legal team, perhaps it may not be a good outcome.

Update Services

[_Sprocket_]

Datafage already did a fine job at pointing out the issue - the fact that having an update on Windows Update does not guarentee "widespread adoption" as the origional poster claims. Codered and Nimda are two examples where such a system should have limited damage. It didn't.

There is another interesting point to make here. The origional poster implys updates will be slow to trickle in to the Linux install base, while Windows Update offers a shortcut to the process. Microsoft's Windows Update service is not unique. Its not even first of its kind. Linux distributers such as Redhat and Mandrake have long offered a simular service. Debian has had such a system in place even earlier.

In short, Windows Update provides neither a panacea nor unique solution to the issue.

Re:Update Services

[mpe]

The origional poster implys updates will be slow to trickle in to the Linux install base, while Windows Update offers a shortcut to the process.

A lot of the time Windows Update appears to be more about marketing the latest version of Internet Explorer and co than distributing important fixes.

Try it and get sued

[LatJoor]

I'm afraid you misunderstand the license. What you suggest still involves linking your program to the GPLed code at runtime, which is expressly forbidden by the GPL.

Besides, you have to release the code of the wrapper library under the GPL, which in turn requires you to release the code of your other program under the GPL as well. The chain will continue no matter how many "wrappers" you write.

Re:Try it and get sued

[Wolfier]

I understand I have to release the wrapper. The point of writing it is to convert whatever the program is, into a library.

Even if what you said is true, if I'm determined enough, I still won't get sued if I do it right. I'll bet you anything on it.

How about - write a CORBA server with the GPL code. Release the server source code. Write your program as a CORBA client. Done. There's no linking between your program and the GPL code. Static OR dynamic. There simply is some network traffics involved.

Re:Try it and get sued

[LatJoor]

Yes, if you separate the GPL code and your program, then it's not a violation of the license, any more than it's a violation of the license to run proprietary software on the Linux kernel, or write proprietary code that accesses a MySQL database. However, when you do this you're no longer circumventing what the program's author intended to accomplish. Plus, you've made a new contribution to the software by writing a CORBA server for everyone to use. This isn't a loophole, it's how the GPL is intended to work.

Re:Try it and get sued

[Wolfier]

Hehe. I guess you're right here. I don't have any intention to violate the GPL, but I just want to point out that, if you want to use GPL code that would **give you the same results as if you're directly linking to it like you use a library**, you can do so without releasing the client you write to use that library - it'd just a bit tedious, and involves doing something along the line of RPC.

As far as I know, it wasn't what RMS had in mind when he invented the GPL.

Yeah, I've made a few new contributions by writing a CORBA server. Who cares - most companies don't fear the GPL because "they have to make contribution". They fear it because "they may have to release their own code". As far as I'm concerned, the CORBA server does not have to have anything specific to your application, and, how hard it is to convert a library to play with CORBA? Not at all in most cases - so the "contribution" would just be saving some time for the community on some tedious task. But not a new idea.

Re:zlib demonstrates the strength of Linux securit

still nobody seems to know how much Microsoft products are vulnerable.

No Microsoft products are vulnerable, just like no Net/Open/FreeBSD programs are vulnerable. The zlib bug doesn't ripple down into the system and become a security flaw except on the only OS that has embraced glibc, and that is Linux.

Get it through your thick fucking head, dude.

Re:zlib demonstrates the strength of Linux securit

Sorry. There are eye and there are eyes. Clearly this demonstrates that just throwing it out into the world and hoping that eyes at random will find the bug isn't a foolproof strategy.

I am really tired of the 'few eyes/many eyes' meme and how it's turned into a dogma.

Sorry, Eric Raymond didn't reinvent Software Engineering when he wrote his diatribe. There are many other far more experienced people out there doing a better job, some not even based on crappy neo-pagan metaphors and matchbook-cover political economy.

Fuck you, Mister Malda.

add C:\windows\command\fdisk /mbr to your friend's autoexec.bat file. It prevents certain boot sector viruses.

Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment.

It's been 14 seconds since you hit 'reply'!

If this error seems to be incorrect, please provide the following in your report to SourceForge.net:

Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day
* Please choose 'formkeys' for the category!
Thank you
-------
yeah, fuck off, Rob. I had a constructive comment, but now I'll just leave this shit instead.

Bugin open source software! blame microsoft...

[fortinbras47]

"Bug found in open source software"
And so Microsoft gets ranted against?

I know Microsoft has lots of security flaws, but subscribe to bugtraq, debian security etc... and linux has a LOT of bugs too. Seriously people...

Of course, you do realise...

[Trisk]

It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

... that this "Multiplatform InstallShield" is a joke.

Re:Seriously? Microsoft use open source code?

Um, what the heck are you talking about?

Does anybody know if Trumpet Winsock uses zlib?

We all know Microsoft doesn't use Trumpet Winsock, but this fellow, er, asked first...

Re:Seriously? Microsoft use open source code?

Windows 95/98/ME/NT3/NT4 all have a hosts file, too.

It's, umm, a functional method of establishing a static host table. Hell, I use mine to block images.slashdot.org so I don't get any of the spam or pretty BS when I read this site.

Fuck you, Mister Malda.

Yet again, the slashcode censors my comment.

Slashdot requires you to wait 2 minutes between each successful posting of a comment to allow everyone a fair chance at posting a comment.

It's been 1 minute since you last successfully posted a comment

If this error seems to be incorrect, please provide the following in your report to SourceForge.net:

Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day
* Please choose 'formkeys' for the category!
Thank you

grep is not the utility you're looking for.

[Trisk]

strings will display ASCII strings embedded in a binary.
With the additional '--print-file-name' option for the GNU binutils version, it's even more useful.

From Windows NT 5.0:
[trisk@kainga:/vfat/windows/system32]% strings --print-file-name *.exe | grep 'Berkeley'
nslookup.exe: @(#)nslookup.c 5.39 (Berkeley) 6/24/90
nslookup.exe: @(#)commands.l 5.13 (Berkeley) 7/24/90
nslookup.exe: @(#)debug.c 5.22 (Berkeley) 6/29/90
nslookup.exe: @(#)list.c 5.20 (Berkeley) 6/1/90
nslookup.exe: @(#)subr.c 5.22 (Berkeley) 8/3/90
nslookup.exe: @(#)skip.c 5.9 (Berkeley) 8/3/90
nslookup.exe: @(#)getinfo.c 5.22 (Berkeley) 6/1/90
nslookup.exe: @(#)send.c 5.17 (Berkeley) 6/29/90
[trisk@kainga:/vfat/windows/system32]% strings --print-file-name *.exe | grep 'Regents.*University of California'
finger.exe: @(#) Copyright (c) 1980 The Regents of the University of California.
ftp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
nslookup.exe: @(#) Copyright (c) 1985,1989 Regents of the University of California.
rcp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
rsh.exe: @(#) Copyright (c) 1983 The Regents of the University of California.

Re:grep is not the utility you're looking for.

[Trisk]

As for zlib (remember that some copyright noticed may have been removed):
[trisk@kainga:/vfat/windows]% find . -type f -print | xargs strings -f 2>/dev/null | grep '[di].flate'
./system32/dllcache/vgx.dll: 4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
./system32/dllcache/vgx.dll: f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler
./system32/offfilt.dll: inflate 1.0.4 Copyright 1995-1996 Mark Adler
./system32/pngfilt.dll: i inflate 1.0.4 Copyright 1995-1996 Mark Adler
./system32/urlmon.dll: PROTOCOLS\Filter\deflate
./system32/urlmon.dll: Accept-Encoding: gzip, deflate
./system32/urlmon.dll: Accept-Encoding: gzip, deflate
./system32/QuickTime.qts: inflate 1.0.4 Copyright 1995-1996 Mark Adler

vgx.dll and offfilter.dll are probably MS Office libs. (inflate(), deflate() are zlib functions, btw). QuickTime.qts is just shown since it's also interesting.

it's not

[Otis_INF]

The double free bug in zlib doesn't affect MS systems since the msvcrt lib isn't affected by a free of a NULL pointer. This article on CNet shows the need for pageviews.

Re:it's not

[mvdwege]

Neither is glibc. A free(3) on a NULL pointer is defined as a no-op. Only a free(3) on an already free(3)ed pointer is problematic. According to the manpage it will cause 'undefined behaviour', which is later clarified as possible heap corruption, and this behaviour is according to the C99 specification.

You'd better learn a little more about things before you open your mouth about it.

Mart

Hmm interesting,

If I open ftp.exe (for Win95) with Notepad I see the following information:

Copyright (c) 1983 The Regents of the University of California. All rights reserved.

Looks like they do believe in inovation.

P.

Re:Seriously? Microsoft use open source code?

[trezor]

And ofcourse they now support raw-sockets in WinXP. For average users by default. Who'll say "I saw that one coming" when a major WinXP based DDoS attack starts to rage the net?

Are they complying with the licence?

[alriddoch]

Reading up on the zlib licence, which is short and easy to understand, I find this clause:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

The way I read this, if software uses zlib code, then the authors of their software must not claim to have written the code. Microsoft are not obliged to acknowledge the zlib authors anywhere, but if they make a copyright statement saying that the code was written by Microsoft, then surely they are claiming that they wrote the zlib code in their product, and are therefor breaking this clause?

Does anyone know if Microsofts' copyright statements comply?

I am probably too late for this point to be discussed.

Microsoft's Allocator

[dewdney]

The reason why it is mostly a non-issue with Microsoft is because their RTL's alloc implementation is protected against double frees. This makes it a tiny bit slower.

But microsoft tried to remove this protection in one of their Visual Studio services packs - the result - Microsoft's ( and other's ) programs crashing randomly all over the place. They quickly reversed the 'optimization'

More worryingly -that means that alot of programs are actually relient on that thin safety net!

zlib

[Rogain]

As I've said before, non-GPL opensource licenses lead you to being a sucker. And that microsoft has used zlib so much should make the author(s) of zlib feel like big time suckers: Microsoft made the cash, you got blamed for M$'s lack of security auditing!

Re:Seriously? Microsoft use open source code?

[Chemicalscum]

How would any university user know - they would not be GPL coders because of the NDA and fear of contamination. Perhaps Eben Moglen should find someone who can thoroughly examine the MS code who won't be writing anymore GPL code - but I guess MS would find some way of stopping that!

There is money and then there is MONEY

[bubbha]

In your view, the society moves forward as a side affect of individuals pursuing BIG MONEY. I suspect that if you do some reading on just who are the people who create innovative technology you will find that they are people motivated only partly by money but much more for having a burning desire for the subject area they are addressing. BIG MONEY is made by those who can take other people's innovations and market them. Frequently, the winner is as much politically connected as they are financially astute. What motivates open source developers is the burning desire to "make a difference" in some way...in the area they care about - programming and software development. How about this, we won't worry about the "starving programmers" of the world if you stop worring about the "starving Billionaires" of the workd.

The Tragedy of the Commons.

The fact that people spent their own time on zlib is a liability.

Spending money is a liability too, because all money is a representation of the amount of work it would take to mine an equal portion of gold. One has to also work to get money.

Their time is gone. They have nothing other than free source code which gains them nothing more than the ability to use that source code. They were not rewarded financially, nor was anyone else able to be rewarded financially for that particular program

Example: A free park would only be useful to society if people are restricted from charging and restricting others from and entering the park. Why then do we have parks? The makers are not rewarded, and no one else is entitled to be rewarded financially.

There are other factors that influence people to do things, e.g. emotional costs. If you see an addressed, stamped envelope on the ground, would you pick it up and mail it? If you answer yes, then, why did you do it? No one is paying you to do it, you did it for emotional reasons. If you answer no, then you are a defector. You better hope that no one knows about it. With anonymity comes increases in defectors, as people realize they don't have to contribute, they can just take. That's why the government makes taxation mandatory and not voluntary.

Humans are very emotional and that's what drives people to cooperate. Without that cooperation, society would never work. Individuals that fail to cooperate are viewed as defectors. People hate defectors and will go out of their way to punish them because they reduce the quality of... life.

(not that is matters too much, since there are many other compression tools).

Then why are you complaining?

Society does not move forward without using other's tools, but society does not move at all without monetary incentive.

Read what I said earlier.

There is a reason for money, and it is not for "evil" purposes despite how bad /. readers believe it to be.

No one is saying that money is evil.

Throwing out software because of how it was created is plain ignorance and wasteful.

Who is "Throwing out software?"

There are more useful things to be done than paying someone to rewrite a compression library.

And there are more useful things than rotting in jail, hence why smart people don't break the law, lest they get punished. As for lazy people, the punishment for not doing anything is that you have to write a compression library.

Do you really want "starving programmer" to become an actual phrase, much like "starving artist" or "starving musician?" This is what will happen, if FSF has its way.

You don't know that any of that would happen.

Re:The Tragedy of the Commons.

[reflective+recursion]

Spending money is a liability too, because all money is a representation of the amount of work it would take to mine an equal portion of gold. One has to also work to get money.

To society, spending money is not a liability. The government gets tax money and people's time is given actual monetary value. If all software was open source then programmers would have to jump from "gig to gig" looking for work. There would also be hundreds of forks of the major software and almost no new software being created (because programmer's free time is gone since they have to actively look for work and noone wants to foot the bill and support a whole new software package being written).

Example: A free park would only be useful to society if people are restricted from charging and restricting others from and entering the park. Why then do we have parks? The makers are not rewarded, and no one else is entitled to be rewarded financially.

Uhm. A park is created when the city decides to use tax-payer dollars and pays for the creation of such a park. The park is an incentive for people to move to the city and help the economy there. Thus, the free park has actual economic value and is not a by-product of people's free time. Do you really think people create parks in their spare time? I'd like to see something like Central Park in NYC maintained on nothing but good will, as you imply.

If you see an addressed, stamped envelope on the ground, would you pick it up and mail it? If you answer yes, then, why did you do it? No one is paying you to do it, you did it for emotional reasons. If you answer no, then you are a defector. You better hope that no one knows about it. With anonymity comes increases in defectors, as people realize they don't have to contribute, they can just take. That's why the government makes taxation mandatory and not voluntary.

Picking one envelope off the ground and sticking it in the nearest mailbox would be charity. If there were enough people dropping their mail, then it might be of value to pay someone to go along the streets and pick up all envelopes and mail them. Then you would have a tax-payer supported mail picker-upper. This is no different from garbage collection. When you see a bottle on the side of the street you may wish to pick it up and throw it away. This is charity. The guys who come in a big truck and pick up everyone's pile of trash is not charity.

Humans are very emotional and that's what drives people to cooperate.

Oh really? When you drive around town looking for the best price on a computer and then finally decide on one, is that cooperation? Of course. You are paying people for an actual good. They now have profit from whatever mark-up was on that computer and can expand their business. Was it based on emotions? No. It was all about you looking for the best price. This type of cooperation happens more than any other in America. I have yet to find co-workers who can remain in cooperation for even short periods of time, yet money has a way of removing prejudice, religous beliefs, etc. and getting to the bottom of cooperation.

No one is saying that money is evil.

It is implied by the way people bash Microsoft. They are bashing them for no other reason than because the "richest man in the world," Bill Gates owns the company. People are so stuck on the Robin Hood story of "rob from the rich give to the poor" and have this idea that rich people in America are the greedy robber-barons of ancient times. This is not the case, as money in America is actually created. There is not a pile of gold that Bill Gates is hoarding. Whatever money he has, you could have also. But you have to see that opportunity yourself. What? Not smart enough to see it? Neither am I. Nor was anyone at IBM or Digital. Or Apple. People seem to forget how many millionares (and otherwise very happy people) Bill Gates has made.

No one is saying that money is evil.

Microsoft would be, if they rewrote the zlib compression.

And there are more useful things than rotting in jail, hence why smart people don't break the law, lest they get punished. As for lazy people, the punishment for not doing anything is that you have to write a compression library.

Why do you insist on stereotyping Microsoft as "do nothing?" They have more programmers working for them at any given moment than the whole free software movement has ever had. These people are not just standing around with their thumb up their ass. Otherwise Microsoft would not be making money, now would they? I'm not sure what you mean by "rotting in jail." There were no laws broken by using zlib, if that is what you mean.

You don't know that any of that would happen.

Of course I don't. What I do know is that if you remove the value of software, then the monetary incentive is gone with it. You should join the Free Software Business mailing list for a glimpse of the future. What you will witness is people trying to fit a square peg in a round hole, and do not realize that software has greater value if it is proprietary than open.

Re:The Tragedy of the Commons.

[reflective+recursion]

The second quote..

No one is saying that money is evil.

should have been..

Who is "Throwing out software?"

Re:The Tragedy of the Commons.

[WNight]

Yawn. It's an old story. "If you bash Microsoft, you're jealous."

I bash Microsoft because that would desperately love to make open source software illegal.

Despite all their claims, open source software is a viable commercial alternative. I'm proof of that. I've used open source software for my clients, and written new software for organizations that are largely using open source.

Microsoft wants to force people to buy software from a large company. They don't want people to realize that software can be produced by a single coder in a reasonable ammount of time.

They lie to accomplish this goal. Microsoft's history has been one long lie. They lied in court, they faked evidence, they lie about open source, etc, etc. Then they have the gall to use open source software after saying it'll destroy the economy.

I want to know why they can get away with this shit. It seems to be just because they're rich. If anyone else lied to a judge like that they'd be spending a month or two in jail for contempt, at a minimum.

No, I don't dislike Bill because he's rich. I dislike Bill because he's doing his upmost to make sure that I'll never be rich, by destroying the business oportunities of anyone who isn't Microsoft.

How much does MS pay you to astro-turf for them?

Re:The Tragedy of the Commons.

• If all software was open source then programmers would have to jump from "gig to gig" looking for work. There would also be hundreds of forks of the major software and almost no new software being created (because programmer's free time is gone since they have to actively look for work and noone wants to foot the bill and support a whole new software package being written).

Complete nonsense, this threat is more likely to be from Microsoft towards non-microsoft software companies, see DRI, Novell, SCO, Lotus, WordPerfect corp, Borland, et al., most of whose employees are no longer paid by them. Surprisingly the world hasn't collapsed yet. Or maybe this is the cause of the current dot-com depression and it is Microsoft's fault.

Microsoft would also like to see the demise of Nintendo and Sony consoles, Palm, embedded software companies, and anyone else that is in the way of their total world domination.

Do you really think that staff at Caldera, Lineo, Red Hat and many others are not paid?

Do you really think that most programmers, the ones developing corporate in-house systems will just carry on but not be paid ? Or do you think that the corporates will not bother running their enterprise systems if someone uses a piece of GPLed software ?

Developers will still be paid just as they are now. Amateurs, acadaemics, and students will still develop software as a hobby or byproduct, just as they have done for 40 years, well before any GPL.

The only difference is that proprietary software developers (such as Microsoft) will have to pay people to develop their own non-GPL code instead of just using someone else's. There will be more paid developers.

You have this really strange fantasy view (as promoted by MS) that the GPL is some sort of fungus or cancer that will, like The Blob, seep in through the air-conditioning and attach itself to code as the programmer writes it instantly making him unemployable.

GPL developers will charge their users for services, just as they do now and will make money. Non-GPL developers will carry on exactly as they do now - unless MS kills their company.

Re:The Tragedy of the Commons.

[reflective+recursion]

Yawn. It's an old story. "If you bash Microsoft, you're jealous."

It's nice that you think that, but no. I'm saying you (and others) are trying to fit the Robin Hood story over the "Microsoft story." It is implied by the heavy use of "M$" and "Micro$oft" --notice the $ sign. It is a very ingrained story, from elementary school, and it needs weeding out. Microsoft does not pin anyone down. They throw their weight around, but that is capitalism for you. The fact that there is a MacOS, Linux, FreeBSD, etc. prove that Microsoft has no power to get rid of them.

I bash Microsoft because that would desperately love to make open source software illegal.

Oh really? Much like RMS wants to make all software free software? Sounds like freedom to me. Whatever software I write, Bill Gates doesn't give a damn what I do with it. If I'm going for his market, he will do whatever he can to stop me. Who wouldn't? Anyone would (unless you simply don't believe in capitalism and competition). Whenever I write software, RMS will insist I make it free software. Why? Because he is greedy. He wants it all for himself--for no other reason. Look up his reasoning in an interview he did at one time if you don't believe me. He doesn't have any grand vision. He just wants all software he ever uses to be free software (and no, Open Source(TM) is not good enough). You, like many Slashdot readers, are blindsided by Microsoft's mistakes. You look at Bill Gates' fortune and you look at all the shitty software Microsoft has ever made and you put two and two together and come to the conclusion that Microsoft is a bad organization. Then you turn every story about Microsoft into how Microsoft wants to control the world. Every little mistake is scrutinized and turned into a "Microsoft evil-doing." Microsoft is not just Bill Gates and the executives. Microsoft is the shareholders all across America and the world. In every community and city and state. Microsoft is also the employees, who I'm sure have no qualms about Microsoft. Microsoft is the corporation that holds people's faith that the NASDAQ index will once again rise. This is important to countless people's 401k's and retirement plans.

No, I don't dislike Bill because he's rich. I dislike Bill because he's doing his upmost to make sure that I'll never be rich, by destroying the business oportunities of anyone who isn't Microsoft.

If you are going for Microsoft's market, then you have to compete with Microsoft, no? They aren't going to simply step aside and say "welcome to our market! make yourself at home!" Look at Adobe. They still make money, from what I understand. Look at Intuit, Autodesk, etc. Many started before Microsoft was around or even big. Want to know a little secret? Lotus was bigger than Microsoft. Yes, it's true. Microsoft got ahead of Lotus by being smarter about business.

How much does MS pay you to astro-turf for them?

And how much does the FSF pay you to spread this anti-capitalism trite?

Re:The Tragedy of the Commons.

[reflective+recursion]

GPL developers will charge their users for services, just as they do now and will make money. Non-GPL developers will carry on exactly as they do now - unless MS kills their company.

This is too funny. I just love how Ximian is now turning towards proprietary software to get a little cashflow for when their multi million-dollar VC supply runs short. The irony is too much! My sides are hurting from laughter!

Re:The Tragedy of the Commons.

[WNight]

You know, your cut and paste arguments would be better if you tailored them to the people you were arguing with. I didn't talk about capitalism or communism. Where do you come up with it?

I make money, in a capitalist system, by programming.

I just don't want Microsoft getting that declared to be illegal just because I work with open source software.

Let's use this capitalist thing that you keep going on about. How is Bill buying laws against open source (which he's trying to do, having Mundy say it destroys economies) a capitalist act? Shouldn't MS be competing? Releasing a better product?

There are many do-it-yourself markets in the world. Nobody bitches on Slashdot that handy homeowners are putting plumbers out of business by unclogging their own toilets and fixing their own broken pipes.

That's because people have had time to realize that this isn't bad in any way. Money saved on plumbers gets spent elsewhere, to raise the standard of living. Plumbers can find another line of work, or get good enough to compete in a smaller field.

You're the one proposing a corporate welfare state. Let's pass laws making it illegal for people to do their own programming, just to keep Microsoft making their money.

And then with the 401k plans. Wah! If you invest in a volatile market you expect risk. I don't see anybody crying over my retirement fund, so why should I go out of business over theirs?

Truly, the open source programmers and I are arguing for the only true capitalist point of view here. If a big company can't compete with us, let them go the way of the dinosaur.

Don't forget, I'm perfectly willing to compete. If Microsoft can fill the niche I do, without simply making it illegal for me to do it, then I will move on to another job. Either I'll find a new niche, or a new career. Unlike the world's richest man, I don't expect everyone to take care of me.

Why do we have this idea that capitalism excuses all actions? A capitalism should say "Welcome to our market", and then try to make sure that their products are better and cheaper. Microsoft has continually used illegal product linking and direct sabotage to destroy the markets of their competitors. ("DOS ain't done till Lotus don't run.")

Re:The Tragedy of the Commons.

[reflective+recursion]

Prove that Microsoft is trying to make open source code illegal.

You're the one proposing a corporate welfare state. Let's pass laws making it illegal for people to do their own programming, just to keep Microsoft making their money.

You obviously haven't read a damn thing I've written. I haven't said a thing about laws being passed. If Microsoft can get laws passed then it is because the government is corrupt. If Microsoft can bribe the government then they are both at fault. But, I need proof and I'm not seeing any.

And then with the 401k plans. Wah! If you invest in a volatile market you expect risk. I don't see anybody crying over my retirement fund, so why should I go out of business over theirs?

I was simply stating that Microsoft is more than just Bill Gates and the executives. Two words: reading comprehension.

Truly, the open source programmers and I are arguing for the only true capitalist point of view here. If a big company can't compete with us, let them go the way of the dinosaur.

Yes, and when you are reduced to a freelance computer "technician" and are no longer a "professional" don't come crying to me when your salary gets cut in half. It's nice that you can make money in the service industry (such as corporate database programming and web devel), but the consumer market is not the same.

Don't forget, I'm perfectly willing to compete. If Microsoft can fill the niche I do, without simply making it illegal for me to do it, then I will move on to another job. Either I'll find a new niche, or a new career. Unlike the world's richest man, I don't expect everyone to take care of me.

No you aren't. RMS says all software must be free software. Thats not competition, thats dictatorship. Maybe there is no niche because there are not enough people that need source code. From my point-of-view, Microsoft is simply shrugging off free software as a fad. They don't really believe it will produce what they can, but I do believe they are worried about the philosophy the FSF shoves down people's throats. Why are they worried? Because people will start demanding free software. And I'm not talking about source code. People are already starting to demand it--and they don't even need the goddamn source code and don't even know how to program! FSF is basically making the value of software nil. No one will pay for it if there is so much free (no-cost) software out there. I'm sure Intuit, Autodesk, and especially Adobe are worried also.

The Free Software Foundation stresses that free software means freedom, but their logic that "free software does not mean no-cost software" is completely broken. They are not willing to see that once source code has been released it is inherently no-cost.

If all software is free software, then no new software will get created (like I said earlier). Do you know the price tag of something like MS Office or AutoCAD being created? I'm sure it is well into the million dollar range. Who in the world would pay that much and then have it released for public consumption? No one! They may purchase the software and resell it (like MS has done many many times), but they will not release under the GPL. The only time payment can be collected on GPL'd software is at the initial transfer. Once two parties have free software you can be sure that the entire world will have access to that software. Do you understand where I'm going here? There will be no support system to continue the development of the software. It will be left up to thousands of development shops to pick up development and the entire computing world will become fragmented. There will be no defacto standards that hold computing systems together. The computing world will become one big spaghetti system. All software talking different protocols, using different file names, and some not even having concepts of "files." If you think the communication between Windows and Linux/BSD is bad, wait until anyone can come along and stomp on protocols. You can already see this happening between Red Hat and various other Linux distros. Certain assumptions about what a "Linux system" is don't hold true and things tend to break. Once computing systems get larger, free software methods break down quick. Try compiling and installing GNOME by hand and you will see that it takes a near miracle to install correctly. It is much easier to download RPMs and install like that. Do you see now, where the value of software is. It isn't being able to modify it (as long as the software is still supported). The value is having it work and work correctly and together. How many times do you really have an urge to modify the source code for bash? Mozilla? X? Not much, I bet. As software becomes more complex, the need for source code diminishes (think of the push for OO programming, and why abstraction is such an important part). There may be a market for you to sign some sort of NDA with a company to let you access source code and modify it (provided you don't distribute). I see nothing wrong with that. I also don't see a problem with software becoming GPL after it has expired (such as id Software did with Quake, Quake2, and Doom). Those, IMO, are valid reasons for having source code. What the FSF wants is too much for me, and their views are very extremist.

Here is another way to look at this: Maybe Microsoft does want software dictatorship (and Apple wants the whole freaking computer!). Who wouldn't, if they were in that position? They have an obligation to raise their stock price and they have to keep control of their architecture. But, FSF wants software anarchy. If you were an end-user who didn't know a serial port from USB, what would you rather have? My money would be safe with Microsoft. It would be a fairly simple choice, too. The cheap x86 architecture and the numerous applications available because of the cheapness. Who controls the middle is really a non-issue, as long as everything works. Microsoft makes everything work. How well is subjective, though...

Re:The Tragedy of the Commons.

[WNight]

You're stuck in assuming that because Microsoft is a large part of the software world now, that it must always be so.

Not only were standards developed before MS was around, but most of the important standards we use today still predate MS. MS in fact has a habit for trying to stifle the development of standards.

As for the development of large software - consider the BSD system, and the Linux system. Both contain large parts (kernels, filesystems) which took a lot of development and didn't provide functionality until done. Then there's Gnome, KDE, PERL, PYTHON, RUBY, and so on. The free software world has created huge projects, on its own, with no direct profit motive. KDE provides a ton more functionality than early MS desktops. (IMHO it's between 95 and 2k, with less OLE, but much better usability.) Either way, it's an example of a project that took probably millions of dollars of time, were it billed, to create and yet was written by hobbyists, for free. And they all realized that to do their favorite part (the itch) they had to help get the rest working, so they cooperated to write the less-fun bits.

GNOME may be hard to install by hand, but there are RPMs (free software created with a profit motive) and DEBs and likely other smaller package systems.

Free software is raising the bar on paid software. Much the way that home repairs with help from Home Depot are raising the bar on professional carpenters and plumbers. Why don't you feel that this is a trajedy? Are there going to be no standards for nail or lumber size, just because most of the work is done by individuals?

I think that individuals benefit the most from standards... They're the ones who would take a large hit from having to code up a ton of file-translation code. Or, in a home-repair metaphor, have all lumber custom-cut to their specified sizes. Experience bears this out. Microsoft is the creator of weird new formats. Free software tends to use either standard formats, documents it, or at least provides the source code for reading it.

I highly doubt my salary will get cut in half. I'm already in what you for some reason call the service industry (most of my work is writing new custom programs, not providing troubleshooting or help). Really, it's the same thing I did while employed to work on a large software project, except that I work much more closely with the end users. (You don't understand the power of custom software until a user asks for a feature on Monday and you can demo it on Wednesday and merge it into stable code by the end of the week. They love this.)

RMS doesn't say all software MUST be free. He says he believes it should, but he's also said he's not willing to force people. The choice to use GPLed software (and thus release their own) is theirs to make.

Microsoft on the other hand appears to be trying to force people to not use free software. Normally a company doesn't speak out against their competitors, essentially calling them communists and hinting that they destroy the economy by reducing tax, etc, etc. It appears they're lobbying for legal protection. Only time will tell though.

And as for MS being more than Bill Gates... Who cares? Even though he's not the CEO anymore he still appears to be the driving force. A lot of people might have tied their money to him, but that doesn't change how you should see his actions. It's basically him saying he wants more money and control and he's continuing his policy of crushing others (through illegal or quasi-legal means) to get it. It's been a long time since MS has just released a competing product and let the market choose. You may see him as a model capitalist. Whatever. I see him as a threat to the livelihoods of everyone, including myself.

It's just a real chuckle how you think that MS promotes standards. Haven't you paid any attention to how MS perverts existing standards, ignores them to make their own formats, and tries to disrupt anyone who uses their standards? (SAMBA, File converters from MS-Word, etc.)

Once again, you're saying things that make me think you must either be getting paid, or perhaps are trying to defend MS because you've got stock and don't want the price to drop.

Re:The Tragedy of the Commons.

[reflective+recursion]

I could honestly care less if Microsoft dropped off the face of the earth tomorrow. But, I would never wish that. Think of the many people who were hurt by the Enron disaster. People's lives truely are at stake. I'm not excusing Enron, though. They committed a crime and got caught. I see no wrong-doing with Microsoft. Only a bunch of whining brats who couldn't handle the competition (Netscape, whom had absolutely no business plan and was out to rape investors with their IPO, or Sun who has yet to get their shit together ~7 years after Java was created).

The free software world has created huge projects

Yes, but the incompatibility is becoming greater as the free software/OSS community becomes larger. It is also becoming more like searching for a gold nugget in a pile of shit when trying to find quality software (look at Freshmeat now compared to Freshmeat around 98-99).

Either way, it's an example of a project that took probably millions of dollars of time, were it billed, to create and yet was written by hobbyists, for free.

Yes, and who do you suppose will fund this if all software is free software?

Free software is raising the bar on paid software.

No, it's destroying the value of software. Once consumers (the masses) are unwilling to pay for software (no demand) then there will be no commercial software. It will be created by free time or government grants, etc. only. This will trigger the end of the consumer PC and the beginning of networked/all-in-one computers (when consumers get tired of the chaos of downloading software and move on to simpler, and complete systems). Some like that idea; I don't. It will likely cause an increase in price of the x86 architecture due to decreasing demand.

Microsoft is the creator of weird new formats.

You lost me there. There is this little OS called Linux. On this mysterious beast there is no less than 2 standard online help systems. "man" and "info." At any given moment the help of other systems comes into play, such as ghostview (for PostScript) or Acrobat (for PDF) for the various commercial software available for this beast. If you want to talk about weird incompatibilites and quirks look in /etc or the dotfiles in $HOME. Or the fact that hidden files begin with a dot (!). Why? All this excess baggage that Linux carries around--consumers don't need this.

Free software tends to use either standard formats, documents it, or at least provides the source code for reading it.

And proprietary vendors tend to either make their formats work, or they expect to receive a call about it to their tech support. Free software creates more standards than proprietary, IMO. Look at tar, gzip, bzip2, ar, etc. etc. Then you have sh, bash, csh, tsh, etc. Each shell is practically a whole new incompatible platform that software must work with.

You don't understand the power of custom software until a user asks for a feature on Monday and you can demo it on Wednesday and merge it into stable code by the end of the week. They love this.

And plumbers get the same treatment after they fix a nasty leak.

The reason your salary has not been cut is because software, for the most part, still has value. What I find perplexing about the situation of Microsoft's perceived monopoly, is they may have a monopoly by good they may have done. Let me explain. When Bill Gates decides to sell proprietary software, no one was doing it. There were paid programmers, I'm sure. But, I'm willing to bet that they were paid very modest sums. I believe they were viewed more as "secretarial" positions, rather than professions such as Doctors or Lawyers. If you read the history of Microsoft it has been said that Bill Gates worked his employees very hard with, what I assume, minimal pay. They are a start-up, after all. Now that Microsoft is growing they can afford to pay higher salaries for higher talent. Why is there a need for "higher talent?" Perhaps because Microsoft's key selling point is the features they have and ease-of-use. Before proprietary, software was simply made to do a job. Who cared about talent then? This is why Unix stressed efficiency, while DOS grew features and ease-of-use that other systems didn't have. Are they responsible, in part, for raising programmer's salary? I would think they played a big part. This is where I also believe they, inadvertently, created a barrier to entry in the market. Programmer time is now expensive. Thus, they have a lock on barrier to entry. You can either get the software you want, or the pay you want. Ultimately you can not have both.

The fact that you can start out entry-level in the 40-50k range while teachers remain in the 20-30k range says plenty about the perceived value of programmer time and of software. Why would anyone want to destroy this perceived value by making it appear as if software is easy to create and doesn't really matter? When mom-and-pop understand fully that compatible quality software can be made with programmer's free time, for free, what is stopping them from demanding this from Microsoft, Intuit, etc.? This is what I am arguing is Microsoft's viewpoint. This is what I truely believe is their "beef" with open source. I honestly do not think they worry about Linux or KDE/GNOME taking their market as much as they worry about the philosophy of the FSF and RMS spreading like wildfire. Linux may hurt Microsoft's market, but it will be the FSF that brings the entire software industry to its knees.

Re:The Tragedy of the Commons.

[WNight]

It's funny that you complain about the number of projects on Freshmeat. That's not where you're supposed to go to find a finished project. It hosts development projects. Some of them are finished, but the majority, not suprisingly, are under development. It's like blaming GeoCities for the bad web pages they host.

Yes, and who do you suppose will fund this if all software is free software?

I presume the same people as now. The developers. Interested users.

Why? All this excess baggage that Linux carries around--consumers don't need this.

Why get rid of it? All the formats are open and documented. All the shells except Bash are deprecated, etc. The rest are just there for people who grew up with old systems.

And proprietary vendors tend to either make their formats work,

Nobody is claiming that proprietary formats don't work. People are claiming proprietary formats don't work with anything else.

If WordPerfect can't import MS Word files, WordPerfect gets blamed, despite the fact that MS made to convoluted and undocumented format.

Each shell is practically a whole new incompatible platform that software must work with.

When a script runs it specifies the shell it wants. Programs that run under a shell (such as an installer script) pick one and support it. They then work fine when run under any shell.

Have you used unix? For more than a day or two perhaps?

And plumbers get the same treatment after they fix a nasty leak.

Perhaps after they install new plumbing perhaps. But what's wrong with that? I don't see why programming should be held to be anything other than a specialized trade. I'm not ashamed at the idea that I provide a valuable product/service and get paid for it.

There were paid programmers, I'm sure. But, I'm willing to bet that they were paid very modest sums. I believe they were viewed more as "secretarial" positions, rather than professions such as Doctors or Lawyers. [snip] Are they responsible, in part, for raising programmer's salary?

Chuckle. An older friend of mine bitches about the low wages these days. He made $150k+ per year, once over $220k, 1970s dollars, for programming back on old IBM mainframes. Today he makes $60k or something. Not a bad wage by any means, but a fraction of what he made before.

Why would anyone want to destroy this perceived value by making it appear as if software is easy to create and doesn't really matter? When mom-and-pop understand fully that compatible quality software can be made with programmer's free time, for free, what is stopping them from demanding this from Microsoft, Intuit, etc.?

I'm sure you also argue against including compilers with an OS, or making them freely available. I mean, if people see that they can write programs they're going to write their own and never use Microsoft's right?

I am very glad that I can program. I automate many tasks that take my friends hours. Even the ones who can use 3rd-party macro programs can't compete with a perl script I can hack together. If I want to see how a fractal changes if I modify the formula, I can. They have to ask me or hope that someone on the net had the same curiosity as them.

This is a gift that I want to share with everyone. They may never use it, but they'll be able to. Linux will never be locked down, but I can easily imagine a day when to "combat viruses" all code run on a Windows computer must be cryptographically signed. When users are crippled because a company wants to potentially squeeze more money from them in the future.

The reason your salary has not been cut is because software, for the most part, still has value.

One of the contracts I've taken was an ordering/tracking system for a company that made circuit boards. Previously an order (of anything complex) could take up to 30-40 minutes, with a few binders full of pricing charts, to price. The calculation screen(s) I made had space for 80+ variables, accessing hundreds of tables for pricing data. But you could give the customer a price as soon as you were done entering the data. It saved further time by passing the order to work stations at the various steps in the process. From ordering to a sealed computer hung over the drill press in the machine room, to accounting and shipping at the end.

The project saved an average of 15 minutes per order. It also meant that they passed notes and all design docs (the cirsuit diagrams) along as files, instead of taking a folder from station to station.

They mentioned a years or so after the project was finished that they hadn't lost an order since it was put in, and that they loved being able to pull up a spreadsheet that told them how many dollars worth of product were due to be done at any time, where work was backed up, etc. They were working to integrate it into a bonus system for the workers, as well as to let them know ahead of time about potential work shortages.

At my estimate (just of time saved initially) it let them do three times as much work per customer service rep. It eliminated one job (a guy who was moved into customer service instead of fired) of lugging paper around, keeping files straight, etc. It removed the requirement for a room of files, plus the printing costs, storage for old files, probably 5% of machinist time... Hell, even one of the accountants said he was happier because he didn't get stinky files with fiberglass shavings and etching fluid stains on them.

And you don't think that has value? Probably $400 / day, or more. That was the best $20k they ever spent.

But there's no way an off-the-shelf package would do what they want. Too much custom stuff. I've seen some systems for designing a pricing layout by drag and drop... fairly nice, but nowhere near the level of complexity something like this takes. And I doubt anyone will bother making it that good, for the .1% of customers who want it.

I've seen places where almost any business could benefit from custom software. Let me talk to the employees and identify their bitches and I can find even more. 10 minutes a day of hassle doesn't seem like much, but if you're paying $20/hour that's $3.33. Multiply by five employees, times 250 (working days per year) and you're at $4k. Figure in saved training time, and it's starting to look pretty sweet. (That was solved by a few simple batch files to open the right applications, perform incremental backups, etc.)

This will always have value.

[...] but it will be the FSF that brings the entire software industry to its knees.

Once again. Only if the work of paid professionals can't match the hobby work of a bunch of geeks. (Which you seem to think is really really crappy...)

But if they can't match the free software, what right to they have to bitch? They just want corporate welfare. "Rise up Joe Sixpack, cast down the shackles of free software made by the people and send half a month's wage to the world's richest man to sustain his lifestyle." It's not really concerning anyone except the rich who've sunk their mutual funds into MS stock.

Re:The Tragedy of the Commons.

[reflective+recursion]

This article came across the Free Software Business mailing list today. Why Shawn Gordon, of theKompany.com, will not use the GPL.

We sell one product that is GPL. On at least a weekly basis we get someone telling us that we have to give them the source code because it is GPL. Some of them become verbally violent and abusive when I point out that the GPL provides for us to charge for the source code, we just have to make it available, and this we have done. Some of these people even tried to hack our system to get the code because they thought it was their God-given right to have it. These are also typically the people who contribute nothing to the community.

Keep in mind that these are people who are technical enough to install something like Linux, and they are already ignorant of what the GPL is about.

I had RMS come to me on this product to make sure we weren't violating the GPL, and he admitted that we were not, but in the course of the conversation he proceeded to project onto the KDE project aspects of theKompany in a totally inappropriate fashion and was very negative about KDE in this regard. Now, to my mind there is far more corporate involvement and control over GNOME than KDE, but RMS chose to see things the way he wanted to see them in this instance and say that it was too bad the KDE didn't stand for freedom.

Proof of RMS' extremist viewpoint and his narrow mindedness.

What is the net result of this? We won't use the GPL for anything anymore. It is far too frustrating to deal with; it is ambigiously worded in places that make it just too risky for a company like us. I've heard the arguments about selling services, but for what we are doing it just really doesn't work. Look at it this way. I can send 1,000 copies to a distributor who will put it on store shelves around the world. People will walk in, pick it up and buy it. Now let's say that the software was free (as in cost) and I just sell services. Well, now I can't put it on a store shelf and for every customer; I have to go and hunt them down somehow and persuade them to use our free software and then pay us for support -- but they should only really need support if our software is hard to use or poorly designed, which isn't the case or our objective.

I really like that last statement. Take a look at Sendmail, and its obfuscation of configuring it. Is it deliberate? Maybe. What I do know is that Sendmail makes money from their support and they have made no attempt to make their software easier to use. I believe you could also say the same thing about Perl. While there is plenty of free documentation, it seems new features are added just so people can write books documenting those new features. So they have something to support.

Re:The Tragedy of the Commons.

[WNight]

So? One company decided they didn't like the GPL, mostly based on RMS. Oh well.

For a single counter-example, http://www.merilus.com/ is a company making a linux-based encrypted VPN router/packet filter on a card based on the Crusoe chip. They release all their software.

Companies may find it hard to make money when giving software away for free, but they can always leverage their trademark and sell it retail. Nobody can forge it or they can sue. Sure, you can get it for free, but the average consumer isn't going to know that. If you include a nice installer on the CD and don't on the downloaded version you've got the attention of most regular users.

But... Let's play pretend for a minute. Let's imagine that there isn't a market for selling GPLed software.

Oh wow! The twisting worldview. There also isn't a market for selling ice to eskimos. Or really, to anyone with a fridge/freezer. But you don't hear the president of an ice-cube company complaining that putting the power of ice making in the hands of the common man is destroying the economy and rendering millions unemployable.

Things change. There's no reason the software industry has to be this big. I might even find myself out of a job, but if I'm displaced by someone who can do a better job for less money, I'm willing to go. I don't want a job that exists only because of a government mandate.

It's amazing that for a professed capitalist you have all these facist, big-government leanings. I thought the idea was that the market would sort it out. If mega-corporations can't manage because of competition from hobbyists then they aren't providing anything of value. (See Artificial Scarcity.)

Re:The Tragedy of the Commons.

Hmm, there is an error in your logic here, I think I see what it is. When someone wants protection from the operation of a free market, they are not necessarily eschewing materialism. Greedy people are _often_ not libertarian capitalists, but this doesn't mean they don't love material wealth. The main thing is, that they want security. You can see it in the operation of big cartels in the United States. The last thing they want is a free, unregulated market.

Fascism is not incompatible with great disparities in material wealth. It is, however, incompatible with Freedom, including Free Markets.

I've posted this up before, but it explains the issues better than I can:

Left and Right: The Prospects for Liberty

Even if you don't agree with it, it will likely get you thinking about market economies in a new way.

Re:The Tragedy of the Commons.

[WNight]

I agree. You don't have to be socialist to want big government.

I was trying to point out some hypocrisy on RR's arguments though. He lambastes open source as being communist, and says there (basically) "needs to be a law!" I'm just pointing out that for someone who thinks might makes right and has a generally Randian point of view, he sure seems to want government protection when something comes along that threatens him or his comfortable world.

I know he can be greedy and want a strictly regulated economy (for his benefit). But he shouldn't throw around terms like "socialist" and "communist" as slurs unless he's against a regulated market.

Myself, I'm quite socialist. Both because I think it's "right" that people don't starve, but also because I'd rather pay slightly higher taxes to ensure that the poor aren't so poor or downtrodden they feel the need to overthrow society. However, I get a kick out of tweaking psuedo-libertarians who want a free market (for them to abuse) but a set of very strict rules that force people to put up with it, and not pull similar tricks on them.

Re:The Tragedy of the Commons.

[reflective+recursion]

What the fuck are you on? Seriously. I have not once said the word "communist" or anything about creating laws. You are the one stuck on creating laws and denying freedoms. If you remember how you started this thread, you were denying Microsoft their right to use BSD-licensed software. And you call me the hypocrit.

I know he can be greedy and want a strictly regulated economy (for his benefit). But he shouldn't throw around terms like "socialist" and "communist" as slurs unless he's against a regulated market.

You have no ability to comprehend anything you read. I do not want a regulated economy, like you imply. I'm trying to prove a point, and that point is that free software destroys value in software. This, I believe, will lead to instability in the software industry. That is all I'm saying. Why can't you grasp that?

However, I get a kick out of tweaking psuedo-libertarians who want a free market (for them to abuse) but a set of very strict rules that force people to put up with it, and not pull similar tricks on them.

Pull similar tricks? Strict rules? What in the fuck are you talking about? We are having a discussion about the software industry, not government regulations. I don't give a fuck about laws. I don't give a fuck if GPL stays around for 10 million years. What I am saying is that RMS wants all software to be free software and that, in my opinion, it will lead to instability once the general public starts demanding that all software become free software (and with no proven track-record from free software businesses of making money to support the creation of software). I sound like a goddamn broken record here... I'm not talking laws, I'm talking business. I'm not talking restrictions, I'm talking instability in an industry because of FSF propaganda. Not once did I say "FSF should stop promoting the GPL." I have written GPL software myself for fucks sakes! But, I will never do it again.

Let me go ahead and call you a Nazi and a Hitler-wannabe before you imagine me saying it. Thus, I am enacting Godwin's Law and am admitting defeat. It is obvious you will believe what you want without consideration to what I am saying, or simply invent what you believe I stand for.

Re:The Tragedy of the Commons.

[reflective+recursion]

And you don't think that has value? Probably $400 / day, or more. That was the best $20k they ever spent.

Sure it has value. But, they are paying based on perceived value. What managment perceives that a programmer should make, or be paid. This changes based on what society deems a programmer to be worth. Once enough Dilbertian managers get the idea that "software is free, so it just has to be easy to create" they will start slashing programmer's salaries. At that point the programmer job market is filled with only those who love to program (those there for the money have left). They get to keep the shitty end of a deal gone wrong (free software community's "promise" of a better future through freedom of source code). I'm not a musician because I hate the thought of not having work, or being paid pennies. Don't make me become a musician.

Re:The Tragedy of the Commons.

[WNight]

You conjecture that because some software is free, a manager will object to the idea of paying someone an hourly rate to make other software?

Carpentry is an easy at-home task and almost everyone has done some. However, carpenters seem to make a living.

It's a market economy. If they can find someone as qualified as I am, who will work cheaper coding annoying doo-dads for their database, they're free to hire them. It's happened before. Sometimes I've been called back by the sheepish client to fix the mess they made.

If I have a job though, I want it to be providing a real service to a customer with freedom of choice. I'm sorry you don't have confidence in your job options in a new economy.

Re:The Tragedy of the Commons.

[WNight]

If you're accusing me of not paying full attention to what you're saying, I suggest you look in a mirror.

I'm not trying to deny Microsoft the right to anything. I'm simply calling for them to be honest for once. If they say open source is bad, let them avoid using it. If they use it, maybe they should say that it's not a bad thing.

If they can't be honest about something that obvious it really makes you wonder what else they're lying about.

Yes they are

[j7953]

"This software" in the clause you've cited probably refers to the zlib library, not to the complete product it is used in (otherwise the "use this software in a product" wouldn't make any sense). Since Microsoft is not distributing a standalone zlib library, there isn't anything to misrepresent. I'm pretty sure they left the original copyright notice in the library's code.

BTW, I've been told that on the Windows XP installation CD, you'll find a file which contains copyright ackknowledgements for much of the software that they're using in Windows (e.g. the BSD license requires reproduction of the copyright notice "in the documentation and/or other materials provided with the distribution" when distributing binaries, so you'll find the BSD license in that file). I don't have Windows XP, so I can't tell you the file name. On the Windows 2000 CD or in the installed system I haven't found the file, but I guess they put it somewhere (anything else would be pretty dumb, given how simple it is to comply with the licenses we're talking about here).

Only Slashdot

Only Slashdot could be so arrogant/ignorant to attempt to present the zlib security issues as if it were an MS problem. Even the sub-title of the News.com article says: "A security flaw in open-source software used by Linux and Unix systems for compression may affect some Microsoft products that also use the code. " Slashdot is starting to make Microsoft look like a reliable sorce for non-biased information.

Yeah, too bad nslookup is now crippled

[Marrow]

and going away....

Correcting myself

[garett_spencley]

Moments before I made the post I was reading about gzip's current buffer overflow in which you can pass a path on the command line that's more than 1020 characters and you will cause the overflow.

I confused this with zlib's problem and hence my claiming that zlib had an overflow.

I was wrong and I realized this a few minutes after posting. D'OH!

Anyway I still hope that my post helped someone to understand what buffer overflow's are about, even if it doesn't apply to zlib at present :O)

--
Garett

Re:Yes they are...no, they weren't

[civilizedINTENSITY]

Actually the stripping of the copyright notice from the bianary was a source of sore contention.

rpm-rebuilder-0.7-1mdk.noarch.rpm

[leonbrooks]

rpm-rebuilder

Re:rpm-rebuilder-0.7-1mdk.noarch.rpm

[xanadu-xtroot.com]

THANK YOU!

I call your bluff

[leonbrooks]

This is more of the exception than the rule.

There are more than 10x as many OSS projects with more than 100k installations in the field than there are M$ products in the same boat. There are more than 100 distinct OSS products (not counting libraries and such, but including games) installed on this Mandrake Linux box which see use at least once a week, and it's doing nothing special. How many copies of Mandrake Linux are there in the field? Now add in packages unique to RedHat, SuSE, Debian...

The Volunteer's Paradox

• To society, spending money is not a liability.

If spending money is not a liability, then why are you complaining?

• The government gets tax money and people's time is given actual monetary value.

Money doesn't grow on trees, people have to work for that money. Spending money to buy a piece of software is therefor, a liability. Why is it a liability to m$ to have to work or spend money, but not to people? You seem to have this view that anything that stops you from getting money or that makes you have to work is a liability, since all that money comes from some magical pipe dream in the sky, just waiting for you to collect it.

• If all software was open source...programmers would have to jump from "gig to gig" looking for work. There would also be hundreds of forks of the major software and almost no new software being created (because programmer's free time is gone since they have to actively look for work and noone wants to foot the bill and support a whole new software package being written).

It's an awfully slippery slope from GPL to Apocalypse. Don't be dramatic. All software is NOT open source. You could never have all software open source.. or all software closed source. You would have to make one of them illegal first, and there would still be underground OSS people. The only person trying to outlaw anything is M$ by lobbying lawmakers to stop the GPL, along with their heavy FUD campaign.

• A park is created when the city decides to use tax-payer dollars and pays for the creation of such a park. The park is an incentive for people to move to the city and help the economy there. Thus, the free park has actual economic value and is not a by-product of people's free time. Do you really think people create parks in their spare time?

There are free parks all over the place. Some are run and owned by the government, others are small and run by their communities respectively. Where I live, we have a free community-run park where people grow plants, vegetables, and flowers. People who use the park have to cooperate and follow the rules, or they can't use the park. Without that punishment cooperation falls apart. It all manages itself with the threat of punishment for defection. The makers of the free park put restrictions on it, after all, free park does not mean "free for all," or free land for the taking, do what you want with it. Another example, the government gave away buildings and land recently via essay contest. They gave the buildings to community organizations, not to McDonalds, Kmart, or M$. If someone comes along and takes the land, puts toll booths in, then no one can use it.

Most people who code OSS have other jobs too. They still have to put restrictions on their code just like any other person. They have a right to license their code, M$ never had a right to their code in the first place, just as we never had a right to M$ code. Since OSS can be used to run a business, it does have economic value, just like "Central Park."

• Picking one envelope off the ground and sticking it in the nearest mailbox would be charity. If there were enough people dropping their mail, then it might be of value to pay someone to go along the streets and pick up all envelopes and mail them. Then you would have a tax-payer supported mail picker-upper. This is no different from garbage collection. When you see a bottle on the side of the street you may wish to pick it up and throw it away. This is charity. The guys who come in a big truck and pick up everyone's pile of trash is not charity.

How did we get from one person picking up one envelope to trash-mail picker-upper? People drop their things all the time, some people who find them may choose to ignore or keep them, (Defection,) while some people choose to cooperate. I'm just giving you an example of defection vs cooperation, you changed the example, so now defection would be throwing all your trash all down the sidewalk, the reverse would be if the trash men threw out your trash can with the trash or vandalized your home and dumped the trash all over your lawn. Cooperation would be Not doing those things.

• When you drive around town looking for the best price on a computer and then finally decide on one, is that cooperation? Of course. You are paying people for an actual good. They now have profit from whatever mark-up was on that computer and can expand their business. Was it based on emotions? No. It was all about you looking for the best price...I have yet to find coworkers who can remain in cooperation for even short periods of time, yet money has a way of...getting to the bottom of cooperation.

That is only one form of cooperation, (money for product) as I pointed out there are other forms of cooperation. The question is how good are the goods? When consumers buy a product that self-destructs via deactivation; if the computer box is deceptive, or has nothing in it; if the product forces you to pay for all sorts of other tied services, that's viewed as defection.

People make decisions on emotions all the time. When people see a label they feel good about, they may think there is equity in that product because they see it all over the place and are familiar with it. The cheep, no-label brand may be viewed with suspicion even though it may be better and cheaper.

Money is not what makes people cooperative, it's the ability to punish the free-rider, the threat of punishment; and the removal of anonymity, so that everyone knows who the free-rider is. Without these things, cooperation falls apart.

• They are bashing them for no other reason than because the "richest man in the world," Bill Gates owns the company. People are so stuck on the Robin Hood story of "rob from the rich give to the poor."

What you fail to understand is that cooperation takes two people; a business can defect too. Enron is a defector, M$ is also a defector. It has nothing to do with how much money bill has, but how he got it, through lies and deception. With the Iterated Prisoner's Dilemma Tit-for-tat is the best strategy. This means consumers need to defect to other platforms or find a way to punish m$ in the courts.

• Microsoft would be [Throwing out software] if they rewrote the zlib compression.

And so would everybody who has to reinvent the wheel every time M$ changes their closed source OS, closed document formats and interfaces, etc, etc.. That was the point of OSS, you don't have to reinvent the wheel. How is m$ any different when they put must-abide-by restrictions and limitations on their code?

• Why do you insist on stereotyping Microsoft as "do nothing?"

I never mentioned M$. You seem to be on the defensive for them so forcefully. Do you work for them? My point is how can you complain about rewriting, e.g., GPLed code when you never wrote the code. That's like complaining because you can't "do nothing," and have a product in the end. People who are constant defectors sometimes end up wasting away in jail, but they can only blamed themselves, not the people they stole from. I should have said: The punishment for never having written a compression library, is "paying someone to" write a compression library.

"Let not him who is houseless pull down the house of another; but let him labor diligently and build one for himself, thus by example assuring that his own shall be safe from violence when built." -- Abraham Lincoln

• They have more programmers working for them at any given moment than the whole free software movement has ever had.

That's amazing! Where are these numbers? Just Curious.

• What I do know is that if you remove the value of software, then the monetary incentive is gone with it. You should join the Free Software Business mailing list for a glimpse of the future. What you will witness is people trying to fit a square peg in a round hole, and do not realize that software has greater value if it is proprietary than open.

Software has greater value if it is high quality. The monetary concept can be a distraction where people start to demand money over quality, a model where the bottom line is all that counts, getting that vapor ware out the door, all bugs included. Some companies turn un-ethical when they realize they don't have to do anything at all, they could just gain from the money invested by others, and can take without giving, like Enron and as I said with vapor ware.

Your concept is that monetary value is the only value and it is wrong. An antique may have a higher monetary value because some crazy person collects them, or may have no monetary value whatsoever, yet someone may never part with it.

PS - M$ is saying OSS is bad, and BSD is the only good OSS, yet they're not even licensing their code under BSD, instead, they came up with this Shared Source that is afflicted with most of the same things they are complaining about under OSS. If BSD is so good, then why don't they use it? The message is: "BSD is good for our competitors." Anyone who takes advice from M$ on what to do with their code is naive. And lets see the taxes billy g has paid?! He doesn't, he just gets tax free stock options. Lastly, Scarcity and Artificial Scarcity are not the same thing.

http://www.newscientist.com/news/news.jsp?id=ns9 99 91766

http://www.nature.com/nsu/020107/020107-6.html

http://www.thegamesjournal.com/articles/Aggressi on .shtml

See also: The Voter's Paradox, The Volunteer's Paradox, The Prisoner's Dilemma, and The Tragedy of the Commons.

Re:The Volunteer's Paradox

[reflective+recursion]

Money doesn't grow on trees, people have to work for that money. Spending money to buy a piece of software is therefor, a liability.

A liability for the person, but not society. Money is actually made in capitalism. It is made by giving objects (software) value. Take the value away and you take the money away. Take money away and you take jobs away.

magical pipe dream in the sky

Yes, perhaps that's what it is. Take out a dollar. Read it. "In God We Trust." Trust what? That perhaps that dollar will still hold this magical thing called value tomorrow. Software currently holds a value. Do you really want to remove value from software and place it on the service of creating that software? Think about it. The cost of creating software. How does that get paid for? It's beyond me. Maybe the government will pay for all software, if the FSF philosophy prevails.

It's an awfully slippery slope from GPL to Apocalypse. Don't be dramatic.

You might call it "dramatic," but I call it the future. Read what I wrote to the other guy in the posts above. It's not the end of the world, but it may very well be the end of the consumer computer as we know it. Apple computer is in a very good position right now, as they own the hardware and the software. Once the anarchy takes its toll upon Microsoft's architecture everyone will move to bashing Apple. Why? Because Apple provides a single solution for consumer problems. They will then inherit all Microsoft customers. Forget choice of hardware. That will be long gone. Keep in mind, though, that this is if FSF philosophy becomes the norm. When "average" people start demanding free (no-cost) software. It's a stretch, yes. I do believe it is plausible, though. There is much value in coherent architecture, which I find very lacking in open source land (infact, it's the one thing I hate most about using Linux).

Since OSS can be used to run a business, it does have economic value, just like "Central Park."

Yes, it does. But, at what cost to programmers? If a business finds value in a open source program, then they will not pay programmers to build them one. Then programmer jobs will be lost, I'm sure. Should the business be entitled to a free ride? Someone had to spent time and money building the program they are now using. Which leads to the next quote..

Money is not what makes people cooperative, it's the ability to punish the free-rider, the threat of punishment; and the removal of anonymity, so that everyone knows who the free-rider is. Without these things, cooperation falls apart.

Downloading free software via the internet is as anonymous as you can get. Say there are two businesses, A and B. Say business A pays for the development of software which runs their web-based store (or whatever you can imagine). Now business B runs a shop very much like business A (say Barnes and Noble arriving to the web shortly after Amazon.com). Now business B simply downloads the software that business A had developed--no one gets paid. Now business A is still paying for the maintainence of their software. Business B simply downloads patches and are, feature-wise, compatible to business A. Who do you think has the upper-hand? The business paying thousands for their software and features which they thought would be unique to them, or business B which is simply freeloading? If it were Barnes and Noble vs. early Amazon.com, do you know who would win? Barnes and Noble. They have brand identity. This is the reason Slashdot gets away with releasing their source code. Slashdot is a brand. It has a public image, thus value built-in. You can go start a /. clone, but it will never be as popular as Slashdot. Perhaps that is why Rob was so slow to release slashcode. Waiting for the value to build up.

I never mentioned M$. You seem to be on the defensive for them so forcefully. Do you work for them?

Well, this whole thread is about Microsoft using open source. And no, I'm not on Microsoft's payroll. I also do not own Microsoft stock, or stock in any company that Microsoft has stakes in (that I know of, anyways).

Software has greater value if it is high quality.

I doubt that. Quality plays a part, but consumers today want features and coherency. Which is why many people will accept a Windows crash every once in awhile. They want to be able to print from any application and use the network from any application. They don't want to mess with configuration and installation details.

they came up with this Shared Source [shared-source.com] that is afflicted with most of the same things they are complaining about under OSS

After looking at shared-source.com it appears that their concerns are in line with my concerns, and that their licencing is exactly what I would expect. A quote from shared-source.com on a "Microsoft claim":

In this sense, open source software based on the GPL mirrors the .com business models that proved the least successful during the past year. They ask software developers to give away for free the very thing they create that is of greatest value in the hope that somehow they'll make money selling something else. In effect, it puts at risk the continued vitality of the independent software sector.

You would probably think I was lying if I told you that I have never read this site and know nothing of Microsoft's shared source license scheme. Note at the bottom that they list Red Hat as proof that open source is commercially viable. I have yet to see proof of this, and from what I understand they also bundle proprietary software. Ximian, as you probably know, is testing the proprietary waters because of perceived future cashflow issues. At the bottom they also list the LSB as proof that Linux won't fragment--a failsafe. I have yet to see this materialize and it has been 2 (?) years now. You can't put a failsafe on every detail. CVS may help developers on a small scale, but what will happen on the larger scale? I hate to find out...

Huh?? One good thing?

It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.

Are those our only options?? We have to like all the bad things that M$ does and focus on only the good, or we can't ever complain or have any opinion at all? Is there ever any time that we can in fact, complain? If they do 3 bad things and 3 good things do we have to just let them do whatever they want?

"M$ destroyed the econemy, the software market, netscape, Java, etc... But they did that ONE good thing. Come on! That one good thing??? Huh?? One good thing?? We simply Have To let them go."

It IS hypocrisy, self-serving freeloading.

No, [M$] is using legally licensed code in their operating system, which happens to be BSD licensed. They are on an anti-GPL crusade, which is largely different. Get your facts straight.

M$ is against "OSS because it's viral" because they can't take without giving. They say "The least viral is BSD" because they CAN take without giving. Then they come out with Shared Source. Show me that M$ license that you can take without giving? Shared Source is not it. There is no relevant difference between Shared Source and GPL.

Microsoft is saying: "Don't use GPL, it's communism. Use BSD instead."

How is GPL communism and BSD not?! Is M$ opposed to communism in favor of socialism?!

It's like saying: "Killing is wrong because: Thou shalt not kill... But if you do, let me be the one who does the Killing. Other wise, it's wrong."

It's one thing to use BSD code, that's fine. But it's another to say "No one should put restrictions on their code except for me, because that's, like, communism." M$ is rationalizing again, and poorly.

So, Get YOUR facts straight.

Ximian can do whatever they need to.

• A liability for the person, but not society.

A liability is something that drains your money. An asset is something that brings in money. Money is used to trade goods. In the old days people would make things and trade them. If I make a chair and you make a log of cheese, I can trade my chair for your cheese. Today we use money for trading of services. I work at the chair factory and you work at the cheese factory but we trade money. When one buys a product, they want to get it for the least amount they can get it, and conversely, the seller wants to sell it for the most amount of money they can get, because you are trading labor for labor. It goes both ways -- people value their labor. Spending it IS a liability.

• Money is actually made in capitalism. It is made by giving objects (software) value. Take the value away and you take the money away. Take money away and you take jobs away.

Well, we could certainly give value to air and make people pay air tax, this would produce jobs, and money will magically materialize, since, as you said, society having to spend money is not a liability.

I hope that example shows you that you're wrong. When society needlessly has to spend money it is a liability. Things have value if people (in the market place) find them valuable. If people aren't willing to pay for your product you can leave the market place. The market has spoken and it said, "You lose." Simple, easy, Market driven. Ever notice how the free market is great until m$ starts losing their monopoly, and then they start crying about wanting to change the rules?

• "magical pipe dream in the sky," Yes, perhaps that's what it is. Take out a dollar. Read it. "In God We Trust." Trust what? That perhaps that dollar will still hold this magical thing called value tomorrow. Software currently holds a value. Do you really want to remove value from software and place it on the service of creating that software? Think about it. The cost of creating software. How does that get paid for? It's beyond me. Maybe the government will pay for all software, if the FSF philosophy prevails.

The Federal Reserve controls the value of money. One ounce of gold has use value equal to other commodities on the market that take approximately the same labor expenditure. When they raise the value of gold, the value of money goes down. In a free market, products are supposed to compete via improvements. The better product is rewarded. As products get better, the older products depreciate in value. Good or bad, that's a fact of reality. If you can't make better products, then the value of your software doesn't deserve value. That's what we call market driven. M$ doesn't want to play by the rules, they want to be the Federal Reserve of software. They want to raise or lower the value of software whenever they want to kill the competition, corner the market, or rob consumers. Increasing the value of software means that it will cost more for people to buy it.

• It's an awfully slippery slope from GPL to Apocalypse. Don't be dramatic.
  
  You might call it "dramatic," but I call it the future. Read what I wrote to the other guy in the posts above. It's not the end of the world, but it may very well be the end of the consumer computer as we know it. Apple computer is in a very good position right now, as they own the hardware and the software. Once the anarchy takes its toll upon Microsoft's architecture everyone will move to bashing Apple. Why? Because Apple provides a single solution for consumer problems. They will then inherit all Microsoft customers. Forget choice of hardware. That will be long gone. Keep in mind, though, that this is if FSF philosophy becomes the norm. When "average" people start demanding free (no-cost) software. It's a stretch, yes. I do believe it is plausible, though. There is much value in coherent architecture, which I find very lacking in open source land (infact, it's the one thing I hate most about using Linux).

I call it dramatic bullshit fiction.

1. People bash M$ because they are chronic defectors.

2. Apple is not a propagandizing fascist monopoly at this time, M$ is.

3. More free software on the x86 platform would not make x86 platform obsolete, but have the opposite effect. That's one reason why m$-anticompetitive actions had little effect on people switching to Apple.

4. Apple is so isolated because they would be crazy to go up against m$ or suffer the same fate as OS2. I think Apple currently runs *nix software and would obviously choose to run x86 ware, if not for that obstacle.

5. How will FSF philosophy become the norm over night. I never saw any philosophy become the norm ever. It sounds like one argument against gays: "If people are gay then no one will make babies, all humans will die, blah blah." You don't like OSS, You're part of everyone.

6. Then, what are you getting so worked up about? Did you take your medication today?

• Since OSS can be used to run a business, it does have economic value, just like "Central Park."
  
  Yes, it does. But, at what cost to programmers? If a business finds value in a open source program, then they will not pay programmers to build them one. Then programmer jobs will be lost, I'm sure. Should the business be entitled to a free ride? Someone had to spent time and money building the program they are now using. Which leads to the next quote.

Oh, my heart bleeds for the victims of a free market! You're going to have a heart attack when I tell you how the scribes lost their job when someone invented the printing press, Luddite. If programmers think they can make one piece of software and rake in the money for eternity then they won't have a job for long anyway. That's competition for you. Even m$ has to compete with themselves. How many new features can M$ add to a word processor? If people already have office97 they don't need officeXP. One of their bad solutions: software as a service, and Software Activation to help force people to upgrade when their software expires. There's that defection again. People already traded their service to you in the form of $$ for your software and they get a self-destructing product. Nothing! M$ is out of control. Consumers are angry.

You're going to shit yourself when I tell you m$ destroyed the browser market through anticompetitive actions. Netscape is a cottage industry. Please explain to me how it is ok for m$ to destroy the browser market but it's not ok for someone to make a better product? I guess they only like the rules when they work to their advantage. With its open nature, OSS can't be anticompetitive, unless you think that making the superior product is anticompetitive. But then you'd be misunderstanding capitalism or free market.

M$ is again defecting. Instead of playing by the rules and improving their products, they spend all their effort destroying competition any way they can, so they don't have to do anything. It costs less to attack and eliminate software advancement, or launch a propaganda campaign than to actually do work As long as they are a monopoly, they can sit back and still get paid.

Everyone should be able to get a good word processor without spending an arm and a leg, like AbiWord. Why should a business have to spend thousands of dollars on a word processor only to send out letters?! Does M$ want to reinvent the word processor for the next century? Why not just get that out of the way and move on to bigger challenges than office vapor ware. Nothing about OSS is forcing anyone to use it. Everyone in the world is not going to work for free just because one person can.

• Downloading free software via the internet is as anonymous as you can get. Say there are two businesses, A and B.

Downloading OSS software is not defection, it's already free. Taking source code, stamping your name on it, and never contributing back is defection. 'A' is not selling software, they are running a web based store. If they wanted to sell software they wouldn't make it free. 'A' has every right to license their code however they want. The rest of your argument is invalid.

• Software has greater value if it is high quality.
  
  I doubt that. Quality plays a part, but consumers today want features and coherency. Which is why many people will accept a Windows crash every once in awhile. They want to be able to print from any application and use the network from any application. They don't want to mess with configuration and installation details.

People don't accept a windows crash. Given the option, they would choose no crashing. I want to be able to configure whatever I want to, and even if I didn't, I know not a computer that never needs configuration. Windows needs more installation configuration than say, mandrake Linux, as it stands. People have this narrow minded idea that windows is so easy, only because they're familiar with it. Many foreigners will tell you how hard English is, but that's just because they don't know it. A good example of this is Opera. When I first used it I thought it was fast but weird and hard to use. Now I find it the most innovative browser around and can safely say with certainty, Opera has a better interface than IE. It has configurations out the wazoo, and I'm always learning new tricks with it. If you are a power user you need these things. People should not be reduced to the lowest common idiot. The fact that people use such products is not proof they choose crashes, and less features available to them.

• After looking at shared-source.com it appears that their concerns are in line with my concerns, and that their licencing is exactly what I would expect. A quote from shared-source.com on a "Microsoft claim":
• 
  
  In this sense, open source software based on the GPL mirrors the .com business models that proved the least successful during the past year. They ask software developers to give away for free the very thing they create that is of greatest value in the hope that somehow they'll make money selling something else. In effect, it puts at risk the continued vitality of the independent software sector.

That's just a slippery slope comparison to frighten people. A mighty claim even for a hypocrite. M$ "puts at risk the continued vitality of the independent software sector," in and of themselves, outside of M$, when they break the law. Why should they get upset if these companies are not going to make any money, ever. Isn't that what M$ wants? Should we punish people who offer free content? Where would the Internet be today? What about public TV or regular TV and radio, with commercials. They work by the same principal of Free content? Public parks, charity, free museums, mp3 musicians etc.

And, M$ said OSS is viral because one can't take without being tainted, yet shared source is viral in that same way. Microsoft gives away its browser and Internet mail client and free e-mail accounts. It must be m$ to which you're referring? M$

• You would probably think I was lying if I told you that I have never read this site and know nothing of Microsoft's shared source license scheme. Note at the bottom that they list Red Hat as proof that open source is commercially viable. I have yet to see proof of this, and from what I understand they also bundle proprietary software. Ximian, as you probably know, is testing the proprietary waters because of perceived future cashflow issues. At the bottom they also list the LSB as proof that Linux won't fragment--a failsafe. I have yet to see this materialize and it has been 2 (?) years now. You can't put a failsafe on every detail. CVS may help developers on a small scale, but what will happen on the larger scale? I hate to find out.

Ximian can do whatever they need to. No one is forcing you to use GPLed code. No one ever said that OSS was a get rich quick scheme. If you seek money, use another license. If you can't handle that, you have serious problems.

Re:Ximian can do whatever they need to.

[reflective+recursion]

The rest of your argument is invalid.

Just like that, eh? *poof*

And your entire "better product wins" drivel is simply defeated by mentioning the word "brand." See? I can do *poof* also. You think Nike shoes are better than cheaper ones?

I never saw any philosophy become the norm ever.

How do you think MS came into power? People had to believe in paying for proprietary software (or that their old word processors weren't good enough and needed a computer).