Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

Just waiting for the press release...

[Nonesuch]

Any bets on how long before Microsoft issues a press release noting that this is yet another risk of using evil open source and open standards?

Re:Just waiting for the press release...

[Mr+Windows]

ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that it).

Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all it's "added extras").

Re:Just waiting for the press release...

[Mr+Windows]

There is the extra risk of using a proprietry product which incorporates OS products. I've fixed (nearly...) all the software on my machine that uses zlib, because it's OS, and I can do it/use someone else's patch and check that it's been done.

How long will we have to wait for a "patch" from MS, and how will we know that it does exactly what it says on the tin? ISTR that the DCMA (if that's the correct acronym) would prevent people in the US reverse engineering any patch to verify that it works, so it's down to testing (insert comment about testing not showing the absence of bugs).

Re:Just waiting for the press release...

[gr3g]

Well then what are we are waiting for? GPL zlib 1.4.4 (is that the right number?) and then if M$ wants to upgrade we will have them! of course this won't work, oh well.

Re:Just waiting for the press release...

[jmu1]

I'll bite, but only for a nibble.

The way I see it, Microsoft can't complain b/c zlib will have a fix LONG before they have even thought about patching. They won't have to do near as much work to find the fix... they'll just rebuild.

Re:Just waiting for the press release...

[graystar]

Except they used it. So if they use evil and risky open source software why did they do it?

Re:Just waiting for the press release...

[wickedhobo]

That's like shooting yourself in the foot and then touting why guns are bad and should be banned.

Re:Just waiting for the press release...

[jedidiah]

This bug doesn't alter anything really. This situation is more a success of the Bazaar development model rather than one of it's failure. Due to wide availability of sourcecode, a VAR descovered an esoteric bug while providing tech support for another program.

Microsoft can hurl propaganda any day it likes.

I don't think this situation really gives them a "leg up" in that sort of endeavor.

Re:Just waiting for the press release...

[grub]

actually i'm waiting for all the open source hypocrits to issue a press release noting that this is yet another risk of using microsoft products

The patches for many of the open source products are already out with more to come. Where are Microsoft's? There is a risk.

Re:Just waiting for the press release...

[angel'o'sphere]

again I risk a flaimbater rating :-)
Well, he got a +5 Interesting rating for a realy silly comment. I'm even more wondering that no one is answering to it.


ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that it).

Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + e of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all it's "added extras").


Can you explain what the difference is between open source and GPL in relation to fixing a bug in an open source library?

I would asume you are able to just download zlib and fix it and write a nice email to MS about that fact.

Frankly: the benefit of GPL and Open Source is definitly not that everyone can go and fix a bug.

The benefit is that everyone has the POTENTIAL to do that.

I for my self have not the ability to go and fix THAT bug in ZLIB. I never looked at ZLIB. It will take weeks for me to find the place where the bug is.

Probably you can find the bug. Fine for you.

OTOH there are shareholders, workers and customers who are interested in being able to SELL/BUY the software.

With GPL selling of software is impossibel as long as you are not the OWNER of the software. Like e.g. Sleeping Cat.

Regards,
angel'o'sphere

Re:Just waiting for the press release...

[leonbrooks]

So if they use evil and risky open source software why did they do it?

Oh, it's OK for them to use BSD-ish software, just not for their poor stupid customers who have no brains (else why would they either buy our stuff or trust us?).

Seriously, I'm betting it was desperation. They couldn't get their own stuff to work for love nor money, so they borrowed someone else's brains. It worked pretty well for NT (AKA Digital Equipment Corp's MICA or broken VMS in fancy dress) and for SQL Server. Not so well for Stacker or SpyGlass, but in the end they came out ahead, which is all that really matters to a corporation like that.

Re:Just waiting for the press release...

[Com2Kid]

The idea is that if a product you own uses Zlib and is compleatly opensource, that you can most likely just download the fixed zlib source and the source to the program and compile and have a version of the program that does not have the bug.

Which would mean that you get to avoid any vulnerability periods in your software during which the bug is widely known but there is no security fix for it.

THAT is what open source is all about, if something breaks, even if you cannot fix it, you can download the fixed modual and the original sourcecode and compile it all together with the handy included step by step instructions. :)

Re:Just waiting for the press release...

[Com2Kid]

WindowsNT?

Oh you mean where they actualy PAID some real developers and coders to come in and make a real OS? (as opposed to buying one for pocket change. :D )

Hell, dude, that was a GOOD thing. MS got their heads out of their collective asses for a second and realized that they needed some Real Talent.

Oh and after they ditched the stolen Stacker code the issues with the built in compression on MS systems pretty much went away, LOL!

And hell, at least IE does not use the old Netscape HTML rendering engine, LOL! (would have been nice if in the earlier days IE was a tad wee bit more ... complient though...)

Re:Just waiting for the press release...

[mpe]

With GPL selling of software is impossibel as long as you are not the OWNER of the software.

Utter rubbish, you can sell GPL software for any price someone is prepared to pay you for it, subject to complying with the terms of the licence. Just that since anyone else can compete with you, trying to make massive profits will typically put you out of business.

Re:Just waiting for the press release...

[ergo98]

Just that since anyone else can compete with you, trying to make massive profits will typically put you out of business.

Uh, trying to make any profit (or trying to even make a remote amount of your costs) will put you out of business. GPL software cannot be commercialized: It doesn't work.

Re:Just waiting for the press release...

[ergo98]

Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks

Utter bullshit. How would it have "avoided the risk"? The problem EXISTED in zLib (while being a open source product, BTW. Yet another example that the claims of open source bulletproofness is nothing more than a myth), and the reality is that about 99.99% of the public ISN'T (EVER) going to download the new zlib source and recompile their binaries.

Now what they could do is use zlib as a linked library (which is allowed because it isn't GPLd: Yet another vote against the GPL as being a great license), in which case the public could install the new zlib library and everything would be great again. This is actually what many users of zlib on the Windows platform do: Encapsulate zlib as a nice handy, self contained little dll.

Re:Just waiting for the press release...

[leonbrooks]

WindowsNT?

Oh you mean where they actualy PAID some real developers and coders to come in and make a real OS? (as opposed to buying one for pocket change. :D )

No, not exactly. Windows NT was at first spelling-error-compatible with MICA - a variant of Digital Equipment Corporation (aka DEC) VMS - which may just have been a coincidence but for the fact that they hired away the head MICA developer from DEC to do this.

Oh and after they ditched the stolen Stacker code the issues with the built in compression on MS systems pretty much went away

I think that's mostly because people stopped using compressed drives.

at least IE does not use the old Netscape HTML rendering engine

Yah. Terrible shame that M$ don't use Gecko instead, though. Since Gecko's modular, they wouldn't even have to worry about that terrifying GPL business.

Re:Just waiting for the press release...

[Com2Kid]

Except that when IE first came out Gecko wasn't in its current Kick Ass form.

"Recently in the press, there have been a lot of articles about something Netscape calls "Gecko." This is marketing hoopla around two Mozilla projects: NGLayout (formerly known as Raptor) and XPFE. "

---http://www.mozilla.org/newlayout/gecko.html

"Page reorganization: The layout engine used in Mozilla (which is known by many names) started off as a project to write a new layout engine for Mozilla and became the layout engine of Mozilla and the foundation for a nearly-complete rewrite in late 1998. "
----http://www.mozilla.org/newlayout/

In other words, in 1996 or what was to become the Gecko that we all know and love was still. . . . That ol' Netscape rendering engine. ^_^

Darn!

[sysrequest]

"[...]but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

Darn, and I thought they were caught with their pants down.

But to me it still is interesting that a company that is trying to stomp every competitor, and is spreading so much FUD about any sort of free or open software is using it themselves. (We all knew that, I just thought I'd emphasize it again.)

Re:Darn!

[Sanity]

and is spreading so much FUD about any sort of free or open software is using it themselves

If you look at what they have said, they have no-problem with non-viral Open Source software such as the BSD license and the LGPL, they are only worried about licenses that try to spread themselves to cover other people's code (such as the GPL).

Re:Darn!

[swv3752]

If you look at what they have said, they have no-problem with non-viral Open Source software such as the BSD license and the LGPL, they are only worried about licenses that try to spread themselves to cover other people's code (such as the GPL).

So what is the beef with the GPL? Don't want to give away the source to your programs? Then don't, just don't use GPL code in your programs. If they want to uphold thier draconian activation licences, then they have no ground to complain about the GPL. Microsoft is greedy and wants to extend and embrace everything. The GPL prevents them from doingthis directly. That is why they hate it.

Re:Darn!

[Alsee]

they give away a bunch of source to a bunch of stuff (though nothing really good)

&LT Bash &GT
As opposed to the other stuff which *is* really good?
&LT \Bash &GT

-

Re:Darn!

[kz45]

The GPL prevents them from doingthis directly

No, it prevents the draconian GPL license from embracing and extending their work.

I seriously doubth they would want to use GPL'd source anyway..most of it is attempted replications of proprietary stuff that MS created.

Re:Darn!

[leonbrooks]

I seriously doubth they would want to use GPL'd source anyway..most of it is attempted replications of proprietary stuff that MS created.

Where's `OS Bob' then? (-:

Seriously, most of it is attempting to make stuff work that Microsoft implemented in a broken way. And in general it succeeds rampantly. (-:

Re:Darn!

[kz45]

And in general it succeeds rampantly. (-:

This is more of the exception than the rule.

Re:Darn!

[mpe]

So what is the beef with the GPL?

They only like copyright to work in their favour..

Re:BSD is dying

[toby+w]

what?

Re:Seriously? Microsoft use open source code?

[ZaneMcAuley]

Whoops, considering they advise not even reading open source for risk of integration of the code into their codebase and risking breach of the license.

Re:Seriously? Microsoft use open source code?

[T5]

No way. M$'s doesn't perform well enough to have come from BSD.

Re:Seriously? Microsoft use open source code?

[Axe]

It seems to be not the cae since Windows 2000 - did not they redo the stack for it? Am I right?

Re:Seriously? Microsoft use open source code?

[1g$man]

Wrong. They advise not reading GPL code, not open source code.

That is quite a big difference.

If we can't see MS's source

[darnellmc]

How do we know they never used GPL'ed code anywhere?

Re:If we can't see MS's source

[Stonehand]

Quite a few people can, at universities and other sites. They just need to sign NDAs, that's all. Also, given that they take several hundred interns per year, and they aren't all fanatical Gates fans, there's a fair bit of opportunity for internal leaks as well.

Re:If we can't see MS's source

[Mr+Windows]

That's OK in principle, but how can anyone who looks at a piece of code know whether it really was written by MS or was GPLed with the serial number (erm, copyright notice) filed off? MS removed the copyright notice of zlib, according to the article, so it's not beyond them to do that with a piece of GPLed code. Not that I'd ever suggest that they'd do such a thing, but it's obviously very hard to check for plagarism (unless MS put all their code through turnitin!).

Re:If we can't see MS's source

[telstar]

Here's the quote from the article:

"For the library, the only license requirement is that a copyright notice be included in the program source-code, if released. Microsoft, which rarely releases source code, didn't need to include the string in the company's programs, but zlib creator Gailly wishes the giant gave credit."

Since they didn't release the source code, they didn't violate the license. End of story.

Re:If we can't see MS's source

[panaceaa]

"Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products."

"Craig Mundie, senior vice president of Microsoft, said last May. '(There) is a real problem in the licensing model that many open-source software products employ: the General Public License.'"

This really makes you wonder if Microsoft's stance against the GPL is really about getting more code from the open source community to use in their own projects. If there was a public backlash against the GPL, the community may feel pressure to change to other license models, and Microsoft could get more of code for their projects written for free.

Re:If we can't see MS's source

[Wolfier]

Does it matter?

If I want to use GPL code in my program without releasing, I can just

1. write a library wrapping up your GPL proggie
2. link to the library dynamically from my proggie

All I have to release is the source code of the wrapper library. Well, at least it is true in GPL V2.

Re:If we can't see MS's source

[jedidiah]

The proper term is REACTIONARY, not radical.

Copyright was originally a short-term thing.

Re:If we can't see MS's source

[Cyno]

Do you mean no one working for RedHat eats food?

Re:If we can't see MS's source

[dossen]

They release sourcecode (if I remember correctly they have cds of it)

Re:If we can't see MS's source

[Stonehand]

Interesting. ISTR that the LGPL was originally for that purpose -- to allow you to link with GPL'd code without needing to GPL/LGPL your own code.

Re:If we can't see MS's source

[MarkLR]

Won't giving the source code to a university be considered releasing it? It would be fairly easy for someone with access to the code at one of these universities to report if the code contains the zlib copyright.

Re:If we can't see MS's source

[thogard]

I suspect MS used quite a bit of GCC since version 5 of their C compiler had many of the some of the same optimization bugs as GCC. Anyone got access to the source for the old versions of MS C?

Re:If we can't see MS's source

[pauljlucas]

Actually, MS (or anybody else) can use GPL'd software and not have to disclose source if they get a separate license from the original author who is free to grant licenses at will.

Re:If we can't see MS's source

[turgon]

>Won't giving the source code to a university be considered releasing it?

No. Releasing it means no restrictions, and anyone can download it/look at it. They only leyt some universities/companies see some of the code, and then only after they legally obligate them via NDR.

Tally anybody?

[ILikeRed]

I wonder if anyone is keeping a running tally since the security initiative started???

Here is another bug with the MicroSoft SQL server. They've got overflows in their stored procedures. No fix, but you can delete the files if you can live without them....

Re:Tally anybody?

[Mr+Windows]

How long is the security initiative? ISTR "one month with no new development" to concentrate on security. Of course, it's daft to think that you can turn a large organisation which concentrates on adding lots of features into an organisation which concentrates on absolute security in products and processes in a month, the training issues alone prevent that being realistic or effective.

Re:Seriously? Microsoft use open source code?

[larien]

I get the impression that 90% of the world's operating systems (including Windows and commerical versions of Unix) use some code from the BSD TCP/IP stack. Of course, the BSD license is more forgiving than the GPL regarding source code, this isn't a license violation.

Of course, having everything derive code from the same source is a risk; isn't this part of the reason the ping of death was so much of an issue?

Re:Seriously? Microsoft use open source code?

[Jinky]

You'd be right :), starting with Win2k, and in WinXP, they're using basically Unix TCP/IP sockets. Must admit that it does work much better than Win9x for network connectivity.

This wouldn't have happened...

[bourne]

...if the government hadn't worked so hard to limit Microsoft's ability to innovate.

:P

InstallShield

[sharkey]

InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

Re:InstallShield

[DebtAngel]

InstallShield is now a GUI for the Microsoft Installer, which is most certainly a Microsoft product.

Using Microsoft Installer is a requirement to get the official "designed for Microsoft Windows 2000" sticker on your product, and I assume its the same for XP. Wise also has a front end to the Installer system, IIRC and FWIW.

Re:InstallShield

[ChrisDolan]

Similarly, IE is not written by Microsoft either. It's alien technology. It was discovered by a MS coder who stumbled on a crashed spacecraft while hiking in the woods in the mid-90s. Using him as a vessel, the program infected the Windows codebase and has grown since then, digging it's tendrils deeper and deeper into the system.

So when MS says they can't remove IE from Windows, it's true.

Re:InstallShield

[lseltzer]

So what? InstallShield is not Windows Installer. The article doesn't say that the problem is with Windows Installer, it says the problem is with Install Shield, which is not a Microsoft program.

The article is obviously wrong about something: either the problem really is with Installer or it's with InstallShield and shouldn't have been mentioned, since it's not a Microsoft product.

Re:InstallShield

[Tsujigiri]

So when MS says they can't remove IE from Windows, it's true.

Actually they can, it's just that The Beast won't let them...

Re:InstallShield

[Skuggan]

With the same reasoning you could say that Windows is an Intel technology, just because Windows is only GUI for the Intel processor.

Re:InstallShield

[armb]

> Similarly, IE is not written by Microsoft either.

Originally, it wasn't, but is there any of Spyglass Mosaic still left in IE?

not enough bugs eh?

[sydney]

I don't have any idea why MS chose to use the zlib library but it wasn't for "buglessness". MS creates enough of their own bugs they don't need to go borrow someone elses. Of course they didn't know about the bugs at the time, but still, methinks they used the code for less altruistic purposes.

Re:not enough bugs eh?

[DA-MAN]

Hey it could have been worse, they could have contributed to the main project!

We gotta be careful what we wish for. Microsoft using open source with a BSD-style or X11-style licenses is really a godsend, imagine Microsoft code in the Linux kernel...

notification issue

[ethereal]

Here's what I want to know: the zlib maintainers know that their code is heavily used in open source product, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.

It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?

The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.

Re:notification issue

[garett_spencley]

I don't see it as the zlib author's responsibility to notify everyone that uses their library.

I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people who's programs use the library can update it and that's exactly what they did.

Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.

It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.

Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.

Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here.

--
Garett

Re:notification issue

[rasherbuyer]

Xfree statically links zlib un-adulterated, so just recompile with the new zlib code in place of the old.

(I gave up my moderator status for this)

Re:notification issue

[Florian+Weimer]

Some distributors have patched XFree86 to link dynamically against the system zlib.

Re:notification issue

[Florian+Weimer]

It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this.

I don't believe this is true. Look at this list. Many vendors were contacted in advance, vendors of proprietary and free software. However, CERT/CC probably assumed that this is a pure UNIX vulnerability, and did not contact all vendors. (In fact, they should have contacted Microsoft nevertheless, because of Interix.)

However, we can clearly see one thing (if you look at the find-zlib output): Most proprietary vendors do not update their copies of zlib at all. Previous versions of zlib had their problems, too, and yet the vendors didn't care, even though the software was still maintained. Probably they had already forgotten that the code came from an external source. Free Software projects are different here, I guess: New upstream sources are merged in a rather timely fashion.

Re:notification issue

[angel'o'sphere]

Oh man ... where do the posters and the moderators have their brain?

... and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib.

And? Why don't you do the same on a "typical Win XYZ install"?

Very eassy to find out which *.exe files link to zlib.dll.

E.g. use dumpbin.exe for it.

Or just use strings.exe. Oops that does not exist on a typical win xyz machine, but its a 20 liner in C. Surely there is a GPL version somewhere which compiles on Win XYZ.

He he, I agree with the rest of your post, of course.

Regards,
angel'o'sphere

Re:notification issue

[csbruce]

I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people who's programs use the library can update it and that's exactly what they did.

Unless I am missing my guess, I ran into this particular bug in zlib about a year ago and I e-mailed the people at the project address. They responded that they already knew about it and sent me the patch. So what exactly is it that happened recently? Did someone figure out a way to use the bug to crack a system and this set off all kinds of alarms? There should have been a zlib fix-up release a long time ago.

Re:notification issue

The problem is that glibc doesn't handle the zlib bug properly, and the bug produces a buffer overflow.

So it's a bug in only Linux (which uses glibc) and all the hand waving here is an attempt to muddy the truth up.

The people who know their shit can figure it out in a few minutes. Then those in the know who are Linux advocates can wipe the egg off their face and get on with life.

The people who don't know shit, of course, will continue to run around trying to pretend it's not a Linux-specific security problem. The egg will dry on their faces.

Re:notification issue

[csbruce]

The problem is that glibc doesn't handle the zlib bug properly, and the bug produces a buffer overflow.

No, I think that any reasonable programmer would classify an attempt to free() a memory block twice as an application bug. The glibc library could handle it more gracefully, but it's really not obligated to. The only special required behaviour about the ANSI-C free() interface is that it is obligated to accept a NULL pointer as a no-op.

Re:notification issue

[ethereal]

Good point. I was assuming that if you were Microsoft and you didn't want to let on that you were using open-source code, you wouldn't just leave a zlib.dll laying around. So I was assuming dynamic linking for open-source projects (not necessarily true) and static linking for closed-source projects (also not necessarily true). My mistake.

Re:notification issue

[elgardo]

But wouldn't it be nice if double-free()ing didn't fsck things up? Or are we going to play the "the application should know not to double-free()" game, the same way Microsoft enjoyed playing the "the client should know not to ask for resources it doesn't have access to, because it is not the responsibility of the server to know" game?

Re:notification issue

[peter]

Try writing a memory manager some time. I had to for a CS class, and I screwed it up big time. (I'm usually pretty good at designing software to do what I want, so my point it that it's hard.) Also, if the MM has to be able to handle double-freeing, it would have to keep more lists of stuff, and that would slow things down. For some things, allowing double-frees would be faster, while for other things I would guess that the performance benefits from not having to be able to detect it would be greater than the trouble the application has to go to to avoid it. Portable applications need to avoid it anyway, since ANSI C says it might not work. Guaranteeing it to work on GNU systems would make it that much harder to port programs written for GNU systems to other, non-GNU systems. (And what a nasty, only occasionally harmful, probably little known incompatibility it would be, too.)

Since the C standard is already established, there is little point in considering changing glibc.

BTW, I don't know about the Micros~1 "game" you referred to, so I don't know how accurate your analogy is.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Seriously? Microsoft use open source code?

[ZaneMcAuley]

Either way, browsing other competitor products code whether its free, open GPL or whatever is gonna be risky for a business in legal terms.

Slow, buggy M$...

[IO+ERROR]

Microsoft is still trying to determine which apps incorporated zlib code? My Linux box already has all its apps fixed. How long until M$ gets patches out? Weeks? Months?

Re:Slow, buggy M$...

[satterth]

Do know how many statically compiled binaries are on your system ? Did any of those use the lib in question ?

thought so.

/satterth

Re:Slow, buggy M$...

[dossen]

Does it really matter. Any proper system should be able to rebuild completly from source, catching ALL statically linked binaries.

Re:Slow, buggy M$...

[Stonehand]

Incomplete solution. Some software packages include their *own*, possibly tweaked, versions of zlib, so even creating a new static library and recompiling won't work with those -- you'd need to edit the source of every package that has its own private version, as well.

So unless he's done THAT, or every maintainer of every package he uses is on the ball, he can't really be sure.

Re:Slow, buggy M$...

[dossen]

Absolutely true, I did not consider included versions of zlib, but for the few packages where it is not just an option to use the included one, I expect an update to come along. What I was fixing was the packages that link the _system_ zlib statically. Fixing other versions might even be more tricky, since there would be a reason for not just using the zlib on the system.

So to elaborate you also have to get updated sources befor recompiling (just didn't think of it, since it happens automagically).

Um?

[jonnyfish]

And yet again, it is being reported that this zlib issue is leaving a "hefty" portion of systems vulnerable to attack. Forgive my ignorance, but how? In the previous discussion on the topic, I read some posts that sort of explained a possible risk that might occur if there's a full moon and the lighting is just right.

So I ask you: what? From what I've heard the worst that could happen is your system could crash. I hardly see that as any sort of real issue, since programs like to do that all the time.

Re:Um?

[Mr+Windows]

It's OK for me if my system crashes when I'm in bed: I just powercycle when I get up. If I'm running a bank (say) which depends on its machines to stay in business, it's a different matter: denial of service is more than a pain, it's a P45 (pink slip??) kind of thing.

Re:Um?

[garett_spencley]

The problem is a buffer overflow which is a lot more serious than a crash.

I apologize in advance if I'm being a little too trivial but I'm assuming that you are 100% non-technical just incase this post appeals to someone or some people who are.

When a program needs to temporarily store an ammount of data it uses what's called a buffer. This is just a segment of memory where it can store it's data.

A buffer overflow occurs when the buffer get's filled past it's allocated regions. So in other words let's say the programmer has set up a buffer that's 1024 bytes. An overflow is when the user fills that 1024 byte buffer with more than 1024 bytes.

What happens? Well ideally the extra data wouldn't get stored in memory at all but unfortunately computers don't work that way. Instead whatever is stored in memory AFTER the 1024 bytes gets overwritten.

So let's say the programmer had the following code in his buggy program.

buffer[1024] // set up a buffer that's 1024 bytes
read data, buffer // read data into buffer
do something

What the hacker has to do is input 1024 of garbage and then overwrite the memory with some other computer instruction. Like the instructions necessary to execute a shell.

You see when the buffer is overflown the "do something" instruction will get overwritten with whatever data the hacker puts into the buffer. If the program is running as root then when the "do something" instruction is overwritten with the instructions to execute a shell the hacker will have himself root access!

But it's even more serious than that becuase let's say the program is a web server running as nobody. Before the hacker exploits the buffer overflow he has no access. But he knows about this overflow so he overflow's it by sending apache a very long request containing the instructions to execute a shell. He has just gained "nobody" access to the system and from there he can figure out how to get root access.

The solution is for the programmer to make sure that the user is only entering in 1024 bytes of data at the most. Unfortunately many programs weren't written to do this.

I hope this explains to people why these bugs are more serious than "my system will crash".

--
Garett

Re:Um?

[angel'o'sphere]

This happens in C programs and alike.

Use C++ and a decent library or ...
Java.

He he, not: "just kidding".

In Java overflows like that are impossible.

BTW: that is an educational problem of programmers, not a GPL/OS or closed source problem.

Regards,
angel'o'sphere

Re:Um?

[reflective+recursion]

It's simple. Just count the number of chars, ints, whatever that you're placing into the buffer and stop when you hit the last one. Also, make sure you stay away from crap like gets() ("man gets"). Use only functions which you can supply a buffer size. You tend to use so many buffers that after awhile it becomes easy to forget about checking them and you get very lazy. Other than that, buffer overflows are very simple bugs, but usually a pain in the ass to find.

Re:Um?

[dannannan]

This is a good non-technical explanation of a buffer overflow, but I'd like to point out many buffer overflows do not allow for such exploits as the poster suggests. Lots of them just lead to crashes. This is due to the difficulty (and sometimes impossibility) of getting the attacked application to actually execute the "code" that's overwritten past the end of the buffer.

I've got some free time on my hands, so for those technical types who want an example of a buffer overrun with an analysis and how to fix it...

Recently I was working on a win32 program that contained a call to wvsprintfA() (see MSDN for details -- wvsprintfA is the ASCII version of wvsprintf). This function takes a buffer, a format string, and a variable argument list, and renders the some formatted output into the supplied buffer. Conspicuously absent from the argument list to this function is the buffer size (so that wvsprintf knows when to stop). Documentation says it's hardcoded to stop at 1024 bytes, but it's actually 1025 bytes (found this out the hard way). This is because even though it will truncate ASCII strings down to 1024 chars or less, it always writes a null-terminator character on the end. So for results that are too big, if you're buffer's only 1024 bytes, you're going to have a 1 byte overrun.

This leads to a very important point. How the memory immediately following your buffer is used determines what kinds of exploits are possible in the event of an overrun (this can be machine dependent). Whether the buffer is in a thread's stack space, or in a heap, or in a code image will have a significant impact on what's possible.

In the case of my overrun, the buffer was allocated on a thread's stack. For those familiar with C/C++ (on x86, I can't speak for other hardware platforms) with most compilers that looks something like this:

void foo(int bar, char *toobig)
{
char *buffer[1024]; // this is a stack allocated buffer

wvsprintf(buffer, "%s", toobig);
}

Looking at the code, it may appear that the call to wvsprintf is what comes next in memory after the buffer, but if you take this in context, you'll realize that that's not the case. What's next in memory here (in the case of my compiler at least) is going to be a saved stack frame base pointer from the caller, followed by the calling function's return address, followed by the parameters passed to foo in this call (most likely -- again, depends on compiler, calling convention, optimizer settings, etc.).

STACK (in order of increasing memory addresses):

buffer (1024 bytes)

saved EBP (<-- foo's EBP should point here)
return address
int bar
char *toobig
foo's caller's local vars
foo's caller's saved EBP (<-- foo's caller's EBP should point here)
foo's caller's return address

(Stack layout will vary depending on your compiler, platform, etc.)

So, since this buffer can get overrun by one byte, part of the caller's saved stack frame base pointer (EBP) could be overwritten! On the platform where I observed this, pointers were 32-bits wide (4 bytes) and the byte ordering on my hardware has less significant bytes at lower memory addresses. This means that the lowest order byte of the saved base pointer can be overwritten, and in this case predictably by a zero (0x00) if it does happen. This doesn't cause a crash right away; rather, it has the effect of misaligning the caller's stack frame so that when foo returns, EBP is incorrectly restored, so all addresses that the caller computes relative to EBP will be off -- for example, local variables in the caller of foo will be trashed, as well as its caller's saved base pointer and return address, since they've been "relocated" ;-). (Note that in the off chance that foo's caller's EBP just so happened to be aligned on a 256-byte boundary this overrun would have no affect at all!)

This caused a crash after foo returned and subsequently foo's caller returned to its caller -- because foo's caller's return address wasn't where it used to be relative to EBP, seeing as EBP was erroneously adjusted to point to a lower address.

void foocaller(char *s)
{
foo(0, s);

// EBP is now bogus if the buffer in foo
// was overrun. Better not use any
// local variables or try to return from
// this point on!

bar();

return; // <-- crashed after this, fortunately
}

The return address that was actually used was "garbage" data left over on the stack -- in the middle of the space that was occupied by the buffer in foo. Note that execution of bar() in foocaller() could potentially overwrite this space too. (In my case, that's what happened, since bar made lots of calls and had enough local variables.) This means that the return address is potentially up for grabs! Fortunately in my case, the stack frames written by bar and its subfunctions was always such that the return address would be overwritten with an unreadable memory address, so my program would access violate (SIG_SEGV) and stop when foocaller attempted to return.

This particular problem is avoided by allocating 1025 bytes instead of 1024 bytes for the buffer, because of the nature of wvsprintfA.

Scary what one little byte can do, eh? Be very cautious when copying data around!

So it turns out that the only exploit in this buffer overrun was that you could make my code crash. You couldn't actually get arbitrary code to run even though you could influence the contents of the buffer from outside of the program. But it was a close call.

D

Re:Seriously? Microsoft use open source code?

[axlrosen]

Of course, having everything derive code from the same source is a risk

Depends on how you look at it. If there were N completely independent TCP/IP implementations out there, wouldn't there be N times as many bugs (each one affecting 1/N as many systems, on average). Homogeneity means only one codebase to debug and fix. But of course when a bug is found, it affects everyone.

Innovation?

[Conare]

Is this another example of why MS needs to be free of regulation in order to Innovat...ively copy other peoples work?

Shame.

Debian?

[DRO0]

Naive question probably, but if zlib isn't GPL then does Debian use a different library and if so, is it affected by this issue?

Re:Debian?

[DRO0]

Never mind, I need more sleep.

Re:Debian?

[Mr+Windows]

Debian aren't restricted to GPLed stuff; any piece of software which fits the Debian Free Software Guidelines (which includes stuff with the GPL, BSD, and Artistic licences) can be included in main. Other stuff can be included in non-free too.

Now what would have been interesting...

[borgquite]

is if when they released the patch for the security flaw they made the patch GPL... just imagine Microsoft having to recode all that stuff for themselves :)

Re:Now what would have been interesting...

[DA-MAN]

or fork off the last version before the GPL, that would be hilarious....

Imagine http://mszlib.sourceforge.net/

LOL!!

Re:Now what would have been interesting...

[Cuthalion]

Haha! If microsoft had to code up a simple compression library it would take them a WEEK! HAHAH!!!!

And what about everyone else who uses zlib but not the GPL? I know of several commercial products that do.

hrm...

[Em+Emalb]

"The zlib library has been a fundamental open-source software component for almost a decade and can be found in almost every Linux and Unix system. That means the so-called "double free" flaw in the library may leave a hefty portion of Linux and Unix systems open to attack. Because it adopted some of the code, Microsoft apparently has made itself vulnerable to the flaw as well. "

Disclaimer: I am not a security weenie, so I don't know this for fact......*deep breath*....

If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?

*bash MS* bash bash bash....it's popular right?

Re:hrm...

[IO+ERROR]

If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?

Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

*bash MS* bash bash bash....it's popular right?

It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.

Re:hrm...

[Why+Should+I]

Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

Silly you.

Re:hrm...

[irix]

It was news for Linux/UNIX earlier this week idiot. Go crawl back under your Microsoft apologist rock please.

Re:hrm...

[brettb]

Of course some ./er's will take the opportunity to bash Microsoft but the article itself isn't.
The zlib library vulernabilty and how *nix based systems are affected has
already been discussed on slashdot.

This Cnet article references the previous Cnet article on the subject which speculated that since zlib is a programming library that could be used across platforms that other OS's application programs may be affected as well.

I don't see this article as Microsoft bashing. It just adds a new slant to the previous article and confirms that *nix systems aren't the only ones affected.

This is important information for those Microsoft admins out there who may not care about last weeks headline "Flaw Leaves Linux Computers Vulnerable". Maybe now they'll be keeping their eyes open for patches of their affected software

.

Re:hrm...

[Black+Parrot]

> Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.

Re:hrm...

[sheldon]

It was well known at the time the Linux article came out that Microsoft also had zlib code in their software.

I mean... DUH... IIS and IE support the Content-Encoding extensions from HTTP 1.1 that use gzip for compression and the easiest way for them to have implemented that was functions from zlib.

Now what I want to know is how you have come to the conclusion that Microsoft uses the code in the specific way necessary to exploit it. Or if they even use that particular function, or if they haven't already fixed it long ago in their source tree.

Speculation and wild claims don't add any value, and that's what this article does and what your post does. Yes, it is popular to bash MS.

Now let's get to the real question. How come this bug got into zlib in the first place?

Re:hrm...

[WeaselGod]

a more likely scenerio is that they are testing the fix. Microsoft is usually rather quick about releasing things, but they believe in testing it first. Great concept that.

Oh, and it will be available on windows update so that it will actually have wide spread adoption. Lets see how wide spread the linux fix is. Since 80% of redhat boxes are rooted in the first 24 hours there seems to be a rather large precedence for boxes not being patched when they should be. Get off your fucking high horse buddy. Microsoft may be a lot of things, but they aren't stupid. If they were they would never have gained absolute control of the desktop.

Re:hrm...

[uebernewby]

Bullshit. The zlib MS uses is just as open source as the one on linux.

Re:hrm...

[cperciva]

Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities.

And what does the comparison tell us?
1. A Open Source Operating System contained a bug which could be a security flaw. Patches were released within a few days.
2. A Closed Source Operating System contained the same bug, but due to design differences, the bug was not a security flaw. Since the bug wasn't an urgent problem, it got added to the bug-fixes-for-the-next-service-pack queue.

I think if you want any sort of exact comparison, you'd have to look at cases where the same bug caused the same level of harm.

Re:hrm...

[praedor]

Consider this: it appears that M$ will have to release a fixpak/security pak for a bunch of apps while for me with linux (and people using BSD, etc) all we need to do is install the new zlib - which was available virtually at the same time the POTENTIAL vulnerability was discovered/released. Then, all *nix people need do is restart whatever net-connected app/server they were running that uses zlib and it is fixed. No replacing apps with fixed apps, just replace the lib without ever rebooting.

You will eventually receive a big security fix from M$ that replaces whole applications AND have to reboot to make it work.

So, two comparisons can be made between the free-os users and the M$ slaves: 1) fixes are produced and available immediately for free-os people but it will be a while before M$ figures out what to do, and 2) simply installing the new lib and, perhaps, restarting a couple applications is all it takes for a fix for the free-oses but M$ users will have to replace whole applications and reboot.

M$ kinda trashes itself in comparison.

Re:hrm...

[jedidiah]

Microsoft will likely be the LAST vendor to have fixes available for this. This is contrary to the fact that they have the greatest resources of anyone that may use zlib.

Re:hrm...

[statusbar]

Microsoft has many programmers on the payroll. What I would like to know is WHAT DO THEY DO? Are they not capabile of writing their own zlib?

jeff

Re:hrm...

[Florian+Weimer]

Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

Not quite correct. Most vendors hat several weeks to work on a fix. As usual, they were notified in advance, because of the potential seriousness of this problem (if it were actually exploitable).

Re:hrm...

[krmt]

*bash MS* bash bash bash....it's popular right?

Well, is this really bashing? I think it's more bringing to attention a security flaw that may have slipped by. This one happens to be interesting because of the politics involved, as well as the fact that the same security flaw affects just about all of us (which is a testament to Free Software in itself.) That doesn't make it bashing though, it just means that everyone running Windows will likely have to patch their systems the same way that the Linux users did.

But then, bashing slashdot these days has become even more popular than bashing MS.

Re:hrm...

[JordanH]

• Are they not capabile of writing their own zlib?

But, that wouldn't be taking advantage of the "healthy eco-system of free and proprietary code" that Bill likes to tout so much.

Funny, MS is a big black hole, sucking in all the advantages of any Open Source they can find for their products, and, AFAIK, never producing any Open Source for the community and yet they have the nerve to whine about the "pac-man nature" of the GPL.

Re:hrm...

[leonbrooks]

Open Source Operating System contained a bug which could be a security flaw. [...]

Closed Source Operating System contained the same bug, but due to design differences, the bug was not a security flaw.

FWIW, it is not yet a security flaw for the OSOS. If someone eventually figures out how to exploit it (difficulty level: 8, bonus points for an animated splash screen, souble bonus for multiple architectures), most OSOS systems will have long since been patched against it, and the few remaining will be self-curing.

Meanwhile, the CSOS vendor has absolutely NFI whether they have a security vulnerability or not, and won't know for many weeks or months. Because it is CS, we can't fix it for them.

Since the bug wasn't an urgent problem, it got added to the bug-fixes-for-the-next-service-pack queue.

IRL, that's the bug-changes-for-the-next-SP queue.

Re:Win2k news thought...

[ghostlibrary]

Argh! Bad statistics alert!

"vulnerabilities found in Windows and all Linux flavors combined are almost the same"

So if I am running RedHat, Mandrake, SUSE, and Debian simultaneously, I have the same number of flaws as a single run of Win2k?

They should either use the average (among linux dists) or the max (ditto), vs Win. Or sum across all current Win flavors (ME, Win2k. maybe NT) to compare against all linux flavors (summed).

Argh!

Memo from Bill

[soap.xml]

Development Team,
Thank you! I have been saying for years that Open Source is EVIL! Now we have even more proof. With this latest failure of open source code we can push even more people into using our products. We can even say that we "tried" to use open source, and look what it brought us. Once again, Thanks! Marketing and I appriciate it.

-Bill

Re:Seriously? Microsoft use open source code?

[DA-MAN]

And Windriver or whoever controlled BSDI at the time made some serious cash in that deal. They got paid to make the tcp/ip stack work well in 2000/XP and they've done a good job of it.

I just wonder if Microsoft was able to taint some of the BSD coders by allowing them to view their code. I'm sure integrating something like a TCP/IP stack required access to some 2000/XP src code. Anyone know?

Here is a list of apps vunerable

[ZaneMcAuley]

http://www.gzip.org/zlib/apps.html

At least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

"Borrowed"? Whats the license for zlib?

Re:Here is a list of apps vunerable

[Mr+Windows]

zlib has it's own licence, which doesn't prohibit what MS have done. At the moment, that is... :)

Re:Here is a list of apps vunerable

[ZaneMcAuley]

So if they use that version with that license, theyre ok, but if the license changes (in other releases), can they still use that version but not the new one unless they comply with the new license (for that version).

What im asking is what if the license changes for code (after that version is used and released according to the license with it) that is existing within products are there today. How are they impacted?

Re:Here is a list of apps vunerable

[IO+ERROR]

From zlib-1.1.3:

Copyright notice:

(C) 1995-1998 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly Mark Adler
jloup@gzip.org madler@alumni.caltech.edu

If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code.

If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes.

Re:Here is a list of apps vunerable

[nvrrobx]

Here is the license for zlib

The summary is:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Re:Here is a list of apps vunerable

[leviramsey]

What im asking is what if the license changes for code (after that version is used and released according to the license with it) that is existing within products are there today. How are they impacted?

There is no change. The license is a fixed contract which is agreed to at the time specified in the license (ie clickthru in the case of MS, at first use or examination in the case of the GPL). Unless the license states that future revisions to the license shall amend this license, changing the license can't do a damn thing.

This is why it's legal to have dual-licensed software. For instance, MySQL sells a non-GPL version of MySQL (which is 100% identical, except the GPL comments are replaced with MySQL license comments). In theory, if Linus wanted to release the Linux kernel under an MS EULA (with s/Microsoft/Linus Torvalds/), he could, although parts of the kernel that he lacks the copyright to (such as ReiserFS, which is available under a commercial license) couldn't be included. Linus closed-sourcing Linux is possible but difficult, given the degree of collaboration.

Re:Here is a list of apps vunerable

[Mr+Windows]

ENOPUNCT

A piece of software can be included in Debian if it meets the DFSG. If a particular release of a piece of software (eg foo version 1.0) meets these guidelines now, it'll meet them forever. If the foo copyright holder then decides that foo version 1.1 will be closed source (or otherwise not meet DFSG), then foo 1.1 won't be included in Debian. Once a piece of software has been released under a particular licence, anyone who's received it under that licence then has the right to use it under the terms of that licence. In the case of open source licences, that means forever, and so foo 1.0 will always be Free.

Re:oh goody

[NanoGator]

Heh yah I've noticed that. It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.

Borrowed Code?

[Spit_Fire1]

The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.
the colors were just screaming security flaw already weren't they?

Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products.
And now they are forced to admit what we already knew, they haven't written anything original since...well...ever! :P

The zlib compression library doesn't use the GPL, however.
and the war between MS and GPL coninues, maybe the linux community could use Anime-based uniforms to storm microsoft and take the code back.

Re:Seriously? Microsoft use open source code?

I've seen this so often that it's worth a comment.

The TCP/IP code in Windows NT is streams based - it was written originally by Spider Software in Edinburgh. It's a clean room implementation that does not have any BSD code in it (I know the original architect of it). And it isn't derived from the original Unix streams code - even the underlying streams layer was written from scratch. The same code is in use by many OEM's in embedded devices etc.

This might be considered a troll?

But perhaps that is why microsoft is so afraid to let the states in the antitrust case look at their code. If some one were to discovered they actually a lot of open source code, that would be a huge embarrasement.

Re:In other words

[DA-MAN]

No, Microsoft sucks because they've been on an anti-opensource crusade and are using open source in all their products. It's the hippocricy(sp?).

GPL is not about giving things away

[pyrrho]

Microsoft is an old hand at using public domain stuff! They don't dislike it... like all companies they grew used to swallowing it up! It's even cheaper than buying QDOS was.

No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.

they use open source BECAUSE

[filbert009]

1. It was already written and IMHO they are too cheap to write thier own software 2. read #1 over and over ALSO they used it extensivly so if they patch.... look for TONS of new "feature/bug/phone home style apps to be inserted"

Re:Seriously? Microsoft use open source code?

[ichimunki]

Why? Unless you incorporate it wholesale or re-use a patented algorithm, you do have Fair Use rights under existing copyright law.

Re:Seriously? Microsoft use open source code?

Why?

Unless it's GPL infected it's not illegal to incorporate it.

Plus, once the copyright-abolish fanatics have had their way, all the GPL licensed code (which is all protected by legal structures based on copyright law) will fall into Public Domain anyway.

Re:oh goody

[smack_attack]

Yeah, I've got plenty of karma to burn as well, so those mods who feel it's appropriate to mod me down because I don't march to the drums can kiss my ass.

BTW, I use XP on my desktop and I love it. I use Debian on my servers and I love that too. Windows does not fit well on a server just as Linux does not fit well on the Desktop, why can't people understand that?

Re:Well, duh.

[Chris+Burke]

Well, I could hope that maybe the reason is that lots of people might be familiar with zlib, but not know that it is under a non-GPL free software license, and they were just trying to stave off "Does Microsoft have to release their code now?!" type crap...

No, I don't think that's true either.

Re:Seriously? Microsoft use open source code?

[leviramsey]

Either way, browsing other competitor products code whether its free, open GPL or whatever is gonna be risky for a business in legal terms.

How is reading, even verbatim copying, of BSD-licensed code risky in legal terms. The license explicitly allows incorporation into any type of software (commercial, open, or free). Microsoft could put out their own version of one of the *BSDs, with the only difference from it's base BSD being having the Windows GUI grafted on top of it and no source included.

The relevant passage in the BSD license (from http://www.freebsd.org/copyright/license.html ):

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgement:

[ACKNOWLEDGEMENT DELETED FOR BREVITY --LR]

There are licenses that are the BSD license, less the advertising clause (it is the advertising clause that prevents BSD from being a free license according to the FSF), such as the MIT license. These licenses are the freest of all the licenses (short of public domain).

Re:Seriously? Microsoft use open source code?

A guy with the email address 'fake@nospam.org' is challanging someone else's credentials??

heh

Re:oh goody

[pyrrho]

> have never spent time with Windows 2000.

I'm sure this is a typo. You must have meant "did time".

Which explains why MS is not attacked more

As long as MS makes heavier use of OSS, they will be less prone to attacks.
They currently use the TCP Stack from BSD, they redesigned SMB services based on Samba (they had to cold room it due to GPL). This helps explain how MS is getting faster and less cracks.
Of course, this also explains why they oppose GPL.

Re:Which explains why MS is not attacked more

[FuzzieNorn]

Recent versions of Windows use a rewritten TCP/IP stack, so even if they did use the BSD stack for Win95/NT4/etc (which they almost definitely did, based on its behaviour), they aren't using it any more.

Re:Which explains why MS is not attacked more

[robhancock]

I believe it was rewritten TO use the BSD-style (or even just the BSD) stack for Windows 2000. I think 95/NT used some crap stack that they wrote themselves.

Re:oh goody

[Chris+Burke]

I use Win2k on a daily basis and I hate it. But I take comfort in that my main workstation is a linux box, and the win2k box is there just because I'm porting code at the moment. But yes, I have spent much time with win2k. Much like a venereal disease, intimite knowledge of the subject doesn't make me want to bash it -less-.

If you ever had any doubt...

[SlashChick]

...that Microsoft uses free software, I invite you to take a look at this.

In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

Now type "help". Check out this line at the bottom of the output:

view FILE - sort an 'ls' output file and view it with pg

Uh, yeah. Oops.

Re:If you ever had any doubt...

[Gabey]

Actually, I think that's referring to the ls commands that you can give to nslookup:

ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)

-gps

Re:If you ever had any doubt...

[ashpool7]

Are you sure they just didn't use XENIX sources?

Re:If you ever had any doubt...

[istartedi]

I'm surprised that anybody has to be "convinced" MS uses Open Source code. I've always thought it was common knowledge. Also, you could have just looked in Help About for IE and seen that it uses the Independant JPEG Group code. Based on this prior behavior, I always assumed they used the free PNG implementation. Since PNG uses zlib, MS uses zlib.

Now, if MS were smart they'd have a standard place for libjpeg.dll, libpng.dll, and zlib.dll but as far as I know there is no such thing. Either the functions are in some other DLLs, or the names are obfuscated. This bug, combined with MS's "security initiative" represents a golden opportunity: MS could take the occasion to give us "standard" DLLs so that developers would no longer have to package them, and could instead say something like "make sure you have this service pack and if you don't, here it is".

Re:If you ever had any doubt...

[klui]

The help says view it with pg, but under NT's nslookup, it uses more instead. Clearly copied verbatim from UNIX sources.

Re:If you ever had any doubt...

[DeadMeat+(TM)]

C:\WINNT\system32>strings NSLOOKUP.EXE|grep Copyright
@(#) Copyright (c) 1985,1989 Regents of the University of California.

That answer your question?

Re:If you ever had any doubt...

[mpe]

In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

It would have to be something with a licence such as the BSD licence which makes the code almost "public domain". Since Microsoft wouldn't want to touch anything covered by something like the GPL, since such a licence enforces copyright. They'd look very stupid as a bunch of software pirates moaning about piracy.

Re:If you ever had any doubt...

[mpe]

Now, if MS were smart they'd have a standard place for libjpeg.dll, libpng.dll, and zlib.dll but as far as I know there is no such thing. Either the functions are in some other DLLs, or the names are obfuscated.

Or possibly even different bits of them are scattered between other DLLs. Remember that Microsoft's method of making IE part of the OS appears to include deliberatly writing what amounts to "sphagetti code". If things were neatly structured then removing components would be much simpler.

Re:If you ever had any doubt...

[elgardo]

Spaghetti code is when you write a program in 100% assembly, and then go over with find/replace in order to change all labels to names of food, particularly pasta dishes.

I have done this, but unfortunately, I don't have the source code in ASCII at the moment. It's in this old token-format of Turbo Assembler for Atari ST...

Re:oh goody

[Alzheimers]

Heh yah I've noticed that. It's really cool to hate Microsoft. It sure is great that we get news of MS screwing up. Too bad nobody ever pays attention to the good things MS does. I bet that most ppl who bash MS have never spent time with Windows 2000.

I'll be more than glad to cheer when MS does something good. Wake me up if it happens.

ZZzz..

Re:oh goody

[geekoid]

Well, I spend time with 2000, and its almost as good as kde and gnome.
And i've only got to crashes, which cause the machine to auto-reboot.
To have a really crappy product(s) then releasing something thats better doesn't mean the new thing is good, just not as crappy.

So what, exactly, has MS done thats good?

Re:... pants on fire!

[NickV]

That would be a great test of the GPL actually, considering it's never been actually tested legally. Remember that.

If something like that were to happen, I'd imagine that the GPL would probably be killed in court by high powered lawyers from all the major software companies (not just MS.)

BSD code in NT4 utils at least

[Cally]

Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.

Well it's easy to show that they use /some/ BSD
code, at least. This is Cygwin / bash on NT4:


andrew@INEGO(22:18:47)
[path...] /WINNT/system32 $ grep -i regent *.EXE
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches

Re:BSD code in NT4 utils at least

[poot_rootbeer]

[path...] /WINNT/system32 $ grep -i regent *.EXE
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches

That proves nothing. What if there are simple easter eggs in these binaries where that noted Microsoft developer and rock star, Ted Regent, snuck his name into the code?

Re:BSD code in NT4 utils at least

[joelsherrill]

My machine has a bunch of stuff on it so a virgin
Win2K system MIGHT have different results but I
handchecked that the file's date matched the
install date on the machine. So CAVEAT EMPTOR...
a slightly fancier grep and some patience ...

find . -type f | while read f
do
strings "$f" | grep -i "Copyright " | grep -v Microsoft
test $? -eq 0 && echo $f
done

showed up Thomas Lane's open source JPEG work in multiple places, Mark H. Colburn's work in system32/pax.exe, Mark Adler's PNG work in at least system32/pngfilt.dll and a few more interesting cases.

system32/offfilt.dll has Mark Adler's inflate in it.

c:\Program Files\Common Files\Microsoft Shared\VGX appears to have zlib based upon this:

$ strings Program\ Files/Common\ Files/Microsoft\ Shared/VGX/vgx.dll | grep -i Copy
4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler

And Adobe Acrobat PDFWriter also uses zlib per system32/spool/drivers/w32x86/2/pdfdd.dll.

This is far from exhaustive of 100% scientfic but a good starting point.

--joel

Re:BSD code in NT4 utils at least

[Spamhead]

WinXP (eXtra Pretty) shows this:

[world@boner system32]$ grep -i regent *.exe
Binary file finger.exe matches
Binary file ftp.exe matches
Binary file nslookup.exe matches
Binary file rcp.exe matches
Binary file rsh.exe matches

Re:BSD code in NT4 utils at least

[Cally]

Oh for heaven's sake, some people...

/cygdrive/[...]/WINNT/system32 $ strings *.EXE --print-file-name | grep -i regent
FINGER.EXE: @(#) Copyright (c) 1980 The Regents of the University of California.
FTP.EXE: @(#) Copyright (c) 1983 The Regents of the University of California.
RCP.EXE: @(#) Copyright (c) 1983 The Regents of the University of California.
RSH.EXE: @(#) Copyright (c) 1983 The Regents of the University of California.


Satisfied now???

mutatis mutandis

[nickynicky9doors]

The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.

Am I right in assuming this won't effect NT4 and is a direct outcome of putting the GDI back in the kernel unlike in the true microkernel architecture like HURD?

Re:mutatis mutandis

[leviramsey]

Am I right in assuming this won't effect NT4 and is a direct outcome of putting the GDI back in the kernel unlike in the true microkernel architecture like HURD?

I thought the only version of Windows that didn't put the GDI in kernel space was the only one with a microkernel, aka NT3.x

Re:mutatis mutandis

[afidel]

Well you seem to be implying that NT4 does not put the graphics code in the kernal, this is incorrect. This was one of the biggest "improvements" from nt 3.51 -> nt 4.0 is that the graphics subsystem got moved into the kernal for a speed increase. It is also (when coupled with crappy drivers) the second leading cause of nt instability after IIS =)

Re:mutatis mutandis

[nickynicky9doors]

Thnx I thought the change happened with NT5 akaa Windows 2000, my mistake, sorry :) So David Cutler's original 3.1 design was fundamentally changed with the intro of NT4... I guess that would explain the new version number.

Re:mutatis mutandis

[nickynicky9doors]

uhm no. You've spewn some madness from Win9x. The discussion was centred on NT4. You're wrong you now must go far far away never to return. 'ta

None the less ...

[TheViffer]

"if" M$ does use GPLed source, somewhere down the line it will come out.

Case in point. A GPLed piece of software has bug X, and strangly enough, a M$ product has the same bug.

It maybe worth the time to test major bugs in GPLed software against M$ programs if such simularities do exist.

Just a thought.

Re:None the less ...

[rjamestaylor]

Why wait for a bug? Scan for "signatures". That's how the use of BSD's TCP/IP stack was determined (that, and the "Regent" copyright).

Re:None the less ...

[mpe]

Why wait for a bug? Scan for "signatures". That's how the use of BSD's TCP/IP stack was determined (that, and the "Regent" copyright).

The BSD licence allows Microsoft to use the code. So why do they need to take the copyright statements out. If they were pirating GPL code they would be utterly stupid to leave any such easy to find indications in.

Re:None the less ...

[rjamestaylor]

Take a chill pill. My point wasn't that MS did something WRONG by using BSD code. Not even that they did something HYPOCRITICAL (they haven't; they have clearly come out in favor of the BSD license). The point was, I thought clear, that if one wanted to determine WHICH project MS adopted for a particular purpose one need not wait for a characteristic bug, but could scan for signitures in the compiled code. Even though MS has the requisite BSD copyright, there is not a clear deliniation fro m MS exactly what code, or to what extent, MS used in their product. The use of the BSD copyright just let people know that there was SOME part of Windows using BSD code. It was left as an excercise to the user to figure out which piece.

There, now my response doesn't sound like a criticism of MS, does it? Well, it actually is. Though MS is right to use and repeat the BSD © not specifying what was used and where makes identifying vulnerabilities difficult to the user (but not to exploits). Closed Source is sucky that way.

Re:oh goody

[geekoid]

First off, its nice to know you'll stand up for what you think only if you have karma to burn. i.e. nothing to lose.

I won't use XP, because I don't trust it, at all. I'd like to see MS put together a nice OS thats trustworthy to me, not to the varies media orginiations, not to MS, to me.

Re:Win2k news thought...

[Chris+Burke]

I think it would be better to take the -union- of the vulnerabilities across all Linux distributions. This would prevent duplicates being counted (if you did the operation correctly), but would give an idea for flaws that may exist in distros.

Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.

And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.

Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.

Re:oh goody

[NanoGator]

People have a stigma that there should be one solution to every single problem out that. It's like that in the 3D space. There are purists that believe that when you 3D render a scene, the image must be perfect when they go to hit the render button. They don't undrestand that it is okay to divide up your 3D work into layers and tweak each one of those seperately (i.e. color correction or sharpening). I guess they feel that the render program should be a 'perfect simulation of light' and that they shouldn't have to 'fix an image'. They fail to see that the best simulation of light we have (reality) even needs to be touched up from time to time.

I think there are anti-ms people who think that becaues IIS is insecure as a webserver, that MS themselves should die. There are people of the Linux world that wishes everybody would use Linux and forget Microsoft. They fail to realize that the adoption of Linux isn't slow because of MS, it's slow because it's not beating MS at doing what they like to do.

There's room in this world for both. If Linux becomes what Windows is in terms of usability, it will be every bit as bloated as MS. Don't believe me? Look at Redhat. Their default install wants to eat up a gig of space. Granted it comes with lots of apps, but it has its share of bloat too.

In any case, this isn't an anti-Linux/pro-Microsoft rant, this is more of a 'Be happy to have what you've got' rant. If MS disappears, what will fuel the fire to make Linux better?

It's in everybody's best interest if Microsoft does well, believe it or not.

Fixes from MS

[ZaneMcAuley]

So we expect more Hotfixes or SPs for these products? When?

This highlights taking a dependancy on externally maintained code is risky. Turn around time in fixes and integration into the codebase, verification of the fixes for those products etc...

change it

[geekoid]

MS want to bve able to change there EULA after you've bought the product, I'd love to see the zlib people GPL theres, then sue MS when they don't comply.
This would force MS eithe to pay up, or go to court and fight against the very thing they want.

Re:change it

[leviramsey]

MS want to bve able to change there EULA after you've bought the product, I'd love to see the zlib people GPL theres, then sue MS when they don't comply.

Somebody doesn't get it

There is no universal right to retroactively change a contract (in a unilateral matter). Such a right must be granted in an earlier contract. So MS can change the EULA and have it be binding because you have agreed to any modifications which may be made by MS (with the option to return the software if you don't agree with them).

Zlib's license lacks a clause like this (and did when Microsoft took the code). Therfore, moving the project to GPL would only affect the new codebase.

And if Zlib were GPL'd, a fork would happen? Why? Because the BSD zealots would take the last non-GPL'd version and develop it under a BSD license, since they can't use the GPL.

Re:change it

[mpe]

There is no universal right to retroactively change a contract (in a unilateral matter). Such a right must be granted in an earlier contract.

Isn't one of the objections to UCITA that it does allow such changing of contracts?

Re:change it

[leviramsey]

Isn't one of the objections to UCITA that it does allow such changing of contracts?

UCITA, IIRC, essentially amends contract law to specifically allow modification of the contract ex post facto in the case of click-thru licenses. Without UCITA, such is probably legal, but not necessarily (no court has heard a case on the issue). Again, the operative principle is that it has to be referenced in a prior agreement between the parties.

Essentially, UCITA sets the idea of later modification to a click-thru license in stone (barring constitutionality challenges, of course).

Re:In other words

[nickynicky9doors]

maybe... try 'hippoCrickey' this is the sound the happy hippo hunter from Australia makes when successful in his hippo hunt

It's NOT a buffer overflow!!!!!!

[Smallest]

it's a double-free problem. the two are totally different.

read all about it : http://www.gzip.org/zlib/advisory-2002-03-11.txt

-c

Re:It's NOT a buffer overflow!!!!!!

[garett_spencley]

You're right I'm sorry I got confused.

The current version of gzip has a buffer overflow and I confused that with zlib's double-free.

Sorry about.

Anyway zlib's issue can be used to cause denial-of-service attacks etc. These are also worse than your system crashing. Imagine not being able to use either your computer or the network etc. You reboot and still you can't do your banking, check your e-mail and quite possibly not even able to use your computer because the DOS is just re-instated minutes after your computer reboots.

--
Garett

Re:oh goody

[NanoGator]

I can imagine porting code being a pain in the ass. I know MS's API is a little weird, and I can certainly understand you having issues getting down that deep into it.

Where I come from is I use Win2K for doing 3D animation. A lot of people I know doing 3D stuff are running on Win2k. We have to rely on a machine constantly rendering overnight, over weekends etc, and we cannot afford to have it crash. I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.

I've witnessed a number of Win2k machines of a huge variety of hardware (i.e. not custom made all from one provider) render for many many hours at a time and never crash. I have never lost rendering time to a Windows 2000 problem. None of my artist friends have ever complained about that.

Seems to me if a program can use so much Windows resources for so long and still behave properly, Microsoft must have done something right.

Re:oh goody

[smack_attack]

Windows isn't for everyone. It's built from the bottom up (meaning it's targeted at the lowest common denominator user). For you, I'm sure that a trustworthy OS is one that you can pick apart and see the guts of... AND THAT'S FINE! I'm not saying that Linux is better than Windows or vice versa, I'm simply saying that some people don't care how their OS works and what dependency tree they need to check if they want to install an update for their laptop speakers. It's about ease of use versus lookig under the covers. Some of us don't care how the OS works as long as it does.

Re:... pants on fire!

[xonker]

then go to court to make them release all their software as Open Source.

More than likely, this wouldn't happen. The most likely outcome would be that a judge would uphold the clause in the GPL that forbids future distribution of GPL'ed code -- but I doubt that a few lines of GPL'ed code would cause a judge to require M$ to GPL, say, Windows.

Even if Microsoft had to GPL something, it's likely they could limit it to one application or library -- for instance, if they used GPL'ed code for something in Word, they would probably only have to GPL that version of Word and could excise the GPL'ed code from that version and release the next version under their normal licensing. Even if they violate the GPL, they still hold the copyright and the worst that could be done is force them to release one GPL'ed version of source code. But using GPL'ed code in one app wouldn't require them to release everything.

It would, however, be a big embarrassment to M$ and I wouldn't mind seeing them squirm a little.

Scan MS stuff for GPLed code

[pyrrho]

I bet some is in there! I just bet! For god's sake, someone less lazy... um I mean less busy, than me, find GPLed code in Microsoft. I want RMS to make us all call XP GNU/XP.

Re:Scan MS stuff for GPLed code

[Florian+Weimer]

You can just look for data tables contained in the source code. These tables are rather invariant under compiler transformation, otherwise find-zlib wouldn't work. (Most vendors didn't bother to strip the copyright string, so this isn't really important in this case.)

Geez

[SquierStrat]

Well first off I've gotta say:
HA HA!!!!!

Are any of us REALLY surprised at this though? This is Microsoft afterall. Even my chemistry TA was complaining about them today...

Re:Geez

[SquierStrat]

uh...I was referring to the fact that microsoft is hypocritical in that they criticize open-source software constantly yet, they use it.

I'm fully aware that it's a problem that was first found on the unices!

Which is actually something to be proud of. Microsoft and all of it's money didn't (while borrowing the code) find the security problem.

How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.

Re:Geez

[Trisk]

How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.

I think you're referring to OpenBSD releasing with a patched version of zlib that had already taken care of this vulnerability, probably incidentally. This only occurred on OpenBSD, AFAIK.

Re:Geez

[lpontiac]

What's he's probably getting to re: BSD..

C programs generally use two functions, malloc and free, to allocate and deallocate memory repectively. So the code should do this:

ptr = malloc(number_of_bytes);
/* do stuff */
free(ptr);

The problem that zlib has is a double-free bug; it does this:

ptr = malloc(number_of_bytes);
/* do stuff */
free(ptr);
free(ptr); /* double free */

Keep in mind that it doesn't have all of this in one nice code sequence, hence the bug wasn't obvious. Anyways, regarding why it might be worse on some architectures: You're not allowed to call free twice like that, however it's possible that it won't do any harm.

FreeBSD will actually detect the double free and print out a warning. glibc (the C library used by most Linux distros) will crash and burn. Other OS' may exhibit different responses.

Nothing

[Sloppy]

It means nothing. It's just a widespread () but low-intensity) disaster, and MS customers happen to be among the victims.

If there's a lesson about security in all this, it has something to do with static linking. Or maybe something to do with extreme (over??) standardization, where everyone and their dog ended up using the excellent zlib.

Re:Nothing

[optikSmoke]

I think the lesson would be more to do with static linking. If all of these suddenly-vulnerable apps had dynamically linked to zlib, the "overstandardization" would have been an asset in fixing such bugs - one library used by many programs patched for its own set of bugs, instead of many libs/implementations used by many programs patched seperately for their sets of bugs.

"no reports of any exploitations"

[Ami+Ganguli]

From the advisory

There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.

I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.

All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

Re:"no reports of any exploitations"

[gclef]

All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

and you think this is bad? Why?

If all the vulnerable machines get patched before anyone's affected, I'd think the system worked just as it should. I"d rather not wait until there's some nasty reprise of Nimda before starting to patch my systems.

Re:"no reports of any exploitations"

[Ami+Ganguli]

It's not bad that they publicize the vulnerability, but it's bad to make it into a bigger issue than it really is. It means that when a more serious security risk comes along nobody will pay attention.

What are you going to do in response to the next Code-Red? Declare a state of emergancy and call out the army?

Re:"no reports of any exploitations"

[gclef]

Someone's already found a way to exploit this over ssh. There's hints (I stopped reading the thread to see if they finished it) of it working for ftp. The code with the problem is used in a huge number of places in multiple OS's.

How big does it have to get before we acknowledge that it's a serious risk and start the patch run? I've been following the security lists about this, and I don't think the coverage is overdone at all.

Re:"no reports of any exploitations"

[Florian+Weimer]

I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.

If you look at the zlib versions some vendors are shipping and compare it with the zlib ChangeLog, you'll discover that there is far more than just a potential risk ("fix array overlay in deflate.c which sometimes caused bad compressed data" and so on). Maybe these problems are finally adressed now, though (or the vendors have silently fixed these bugs themselves over the years).

Re:"no reports of any exploitations"

[KjetilK]

All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

How do you know that? Black-hats may have known about this for ages and exploiting it silently. Do not confuse lack of reports with lack of attacks.

OK, since free software users have more a sense of community and being publically acknowledged for having found the hole is a big ego-booster, it is less likely to happen around here, but I wouldn't count on it for security.

Re:oh goody

[urmensch]

maybe because I use linux on my desktop and love it much more than XP and 2K, which I have also used.

to each their own!

More than DoS Possible

[Midnight+Ryder]

From the ZLib page:

There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.

It would take some pretty slick work to actually get something to execute arbitary code with this particular bug, but, it's possible. So it does raise the risk level back to what you originally stated, Garett.

Re:oh goody

[Jondor]

Actualy I do, at a rate of 2 BSOD's a week.. Of course that's only for unimportant "work related" stuff. My home system runs linux and hasn't been unvoluntairly down for a real long time now.. Neither have the systems which run my websites and databases..

Then explain the "pg" part...

[SlashChick]

...since DOS doesn't have a command called "pg".

Re:Then explain the "pg" part...

[BlowCat]

nslookup wasn't ported by fanboys. It was ported by Microsoft employees or contractors.

Re:oh goody

[NanoGator]

"So what, exactly, has MS done thats good?"

What, you mean besides using Windows 95 to make the appeal of computers so broad that nearly everybody has one? Or maybe bringing the internet out of the geek neighborhood and out into the main stream? Or how about making an OS that can install on such a broad range of hardware that you can cheaply put together a system running Windows?

Did MS do this singlehandedly? Nope, I'm not saying that. They were instrumental in it though. Despite how much everybody hates to admit it, Windows 95 had a HUGE part in making computers as broadly supported as they are today. I remember when having a computer meant you were a nerd.

Did MS use illegal tactics? Yep. They've done shitty stuff. They've made shitty products. I'm not disputing that. But they're not entirely bad either. As a matter of fact, it's MS's shortcomings that are making people fight to make Linux as a replacement to MS.

You can hate MS all you want, more power to ya, but if you're successful in the IT industry, MS was probably instrumental in that either directly or indirectly. No Microsoft? Computers = toys for geeks.

zlib or glibc?

[dzym]

As I recall, this was only an issue if you had a double-free because of glibc, and I believe the original article specifically singled out Linux because it was dependant on the specific behavior of glibc.

How is this an issue for Microsoft software?

Re:XP Users will be A-OK

[swordgeek]

"Name one DECENT game that was produced with OSS. Yep, thought so."

NETHACK!!!!

OK, I'll be quiet now.

Re:Seriously? Microsoft use open source code?

[leviramsey]

I took the license from the FreeBSD website

Check the url in my post

The difference between Proprietary and Open code

[Rick+the+Red]

This just points out the difference between proprietary code and open code. Those using open code incorporating this flaw have had a fix available for days (if they choose to patch and compile the source). Those using proprietary code incorporating this flaw will have to wait for the vendor to release a fix, if ever.

If that's not a good arguement against depending on proprietary code (as for running a business), try this: If the flaw was not in open code incorporated into the proprietary code, but rather existed exclusively in the proprietary code alone (yeah, right -- proprietary code with bugs! LOL :-) then we might never know the flaw existed, let alone get a fix, unless some cracker with ethics told the world when they found the flaw rather than keep the exploit to themselves.

Microsoft

[wazootyman]

Okay, I'd like to make several points about the comments in response to this topic.

Where do you guys get the idea that Microsoft is full of inept and lazy programmers? That just doesn't make any sense. I, for one, have talked to several Microsoft employees that have come out to my university (Michigan State) for presentations, and they all say the same thing: People who work there have a genuine passion to make good software. If you don't have the drive and motivation, you won't succeed. I mean honestly, I'm certain there are many great open source programmers, BUT, they've got to earn a living some how. If you are very talented, I'm sure a large corporation like Microsoft would pay you VERY well for your skills. I'm sure they have a lot of applicants, and as a result only hire the best. It would only make sense.

Last year the lead developer of the C++ compiler team made quite the lengthy presentation in a nearby hotel auditorium. I don't know compilers that well (I'm EE, not CS), but I'll tell you this much...that man is a genious. He really knew his stuff, and it was evident by the reactions of the CS professors in attendance. He, as many of the Microsoft employees have stated, seemed to really like his job.

...He wasn't some bumbling code-stealing idiot that you guys would make him out to be.

Re:Microsoft

[jedidiah]

No amount of programming talent can make up for fundementally flawed management.

Microsoft's use of zlib is not the issue

[ahde]

Its stupid to bring up the GPL or other open source licenses or argue about whether Microsoft is stealing code. I'm glad they use zlib. I'm glad they used portions of the BSD tcp/ip stack. I'm glad they decided to support (to the best of their ability) standards like C and HTML. I'm glad I don't have to depend on Microsoft anymore. But if they hadn't used open source programs I'd have never been exposed to other options except for the likes of Novell and Sun.

The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.

You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.

The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.

Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.

Re:Microsoft's use of zlib is not the issue

[cperciva]

Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No.

Did it occur to you *why* they haven't said anything?

Because this bug doesn't pose a security risk in Windows.

You're comparing apples and oranges... in Linux, this was a critical issue because linux's free() will quite happily trash your heap if you give it a chance. Under BSD and Windows, this is not a critical issue, because both BSD and Windows have marginally slower (but much safer) free() calls which will not trash your heap on a double free.

This bug (might) exist in the mentioned windows software, but it is a completely harmless bug, thus there is no reason to issue patches immediately.

Re:Microsoft's use of zlib is not the issue

[WNight]

The issue, imho, isn't that MS uses open-source. That's what it's for after all. The issue is that MS uses open-source for its own advantage, while seeking to hurt the open-source movement whenever they do something that's not to MS's liking.

Basically, while we shouldn't believe what they say, we should force them to act as if they do.

Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.

If they don't, can they really expect to have any credibility left?

Re:Microsoft's use of zlib is not the issue

[sheldon]

But what if there is no problem with the Microsoft software?

Should Microsoft issue a press-release saying "despite what some Linux kiddies think, our software has no issues."?

Would you believe them anyway?

Now back to our regularly scheduled Microsoft bashing...

Re:Microsoft's use of zlib is not the issue

[reflective+recursion]

Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.

Erm. Your logic is broken to me. Why don't we examine this:

There is a free compression library, zlib, which is an asset to the public (and proprietary software business, because of it being BSD licensed and not GPL).

The fact that people spent their own time on zlib is a liability. Their time is gone. They have nothing other than free source code which gains them nothing more than the ability to use that source code. They were not rewarded financially, nor was anyone else able to be rewarded financially for that particular program (not that is matters too much, since there are many other compression tools).

Society does not move forward without using other's tools, but society does not move at all without monetary incentive. There is a reason for money, and it is not for "evil" purposes despite how bad /. readers believe it to be. Throwing out software because of how it was created is plain ignorance and wasteful. There are more useful things to be done than paying someone to rewrite a compression library.

Do you really want "starving programmer" to become an actual phrase, much like "starving artist" or "starving musician?" This is what will happen, if FSF has its way.

Re:Microsoft's use of zlib is not the issue

Nope.

Microsoft doesn't oppose Open Source in general. They oppose certain licenses which happen to allow source code to be distributed, but which push a political ideology to REQUIRE all source code to be distributed.

Specifically, they oppose the GNU license, as do many, many smart people in the software industry.

People in history who think they know it all, who say 'our methods are the way forward, you may as well surrender to the truth' have often been frightening people. Lenin fit into the camp, as did Hitler.

It's never that simple.

Re:Microsoft's use of zlib is not the issue

[WNight]

Microsoft may dislike the GPL more, but they are down on all open source, publicly. Their comments about how it costs the government money, doesn't put it in the hands of the programmers, etc... That wasn't about GPLed code, just all open source code.

So, let's see them put their money where their mouthpieces are. If they say open source is bad, they should never, never, use it. If they do, we have no choice but to assume that they lied.

Re:Microsoft's use of zlib is not the issue

[WNight]

I want Microsoft to be honest. To give up the FUD, and argue the issue openly.

If they say open source is so bad (regardless of if it is) then they shouldn't use it. If they use it, it's because it helps them. If it helps them, it's not so bad now, is it?

--

A world with open source will still require people to code new things, and to customize current things. There'll always be new things.

If you can only make your living from re-inventing the wheel, then perhaps you do deserve to starve. But frankly, if you depend on artificial scarcity you're taking advantage of others to make a buck. Not really anyone I care about anyways. So, go ahead and starve, or get some skills of use in a different economy.

Times move on. People made obsolete by the change will always bitch, but that doesn't mean we should stop. Or do you think people are obligated to buy your buggy whips?

Re:Microsoft's use of zlib is not the issue

[reflective+recursion]

If they say open source is so bad (regardless of if it is) then they shouldn't use it. If they use it, it's because it helps them. If it helps them, it's not so bad now, is it?

I don't think Microsoft is saying that open source is bad. I do believe they know more about business and supporting programmers than anyone who creates free software. RMS just doesn't give a damn if you starve because programming is no longer rewarded financially. He gets paid via non-profit organization to sit on his ass and attack people who create proprietary software. I'd also like to see the taxes RMS has paid his entire life. Compare that to any programmer working for Microsoft, and I guarantee that even the entry-level position people are paying more taxes in a few years than RMS has ever paid.

A world with open source will still require people to code new things, and to customize current things. There'll always be new things.

You seem to forget that it takes an incentive to create new software. You know who foots that massive bill to create new software? People like Microsoft and Intuit. You know who will foot that bill if all software was free software? NO ONE. Not one person or organization will have the capacity to have software created for the common good. The only software that will be created is the "scratch-an-itch" type, except it will be highly specialized and not for the general public. In that case, there is not even incentive to release or maintain a source repository for it. It is simply throwing money down the drain at that point.

But frankly, if you depend on artificial scarcity you're taking advantage of others to make a buck.

It is not artificial scarcity. It is no different than paying for a magazine or newspaper subscription or music. Scarcity is when the creation of actual, physical goods is limited by natural resources. Paying for software is not the same as paying for a computer. When you pay for a computer, you are part of the demand for that computer. Computers face the reality of scarcity. That is why memory prices keep jumping around. When you pay for software you are paying for the labor that went into that service. You also pay whatever extra the giver of that service wishes. Sure, software may appear to be a good when it sits on the shelf. Underneath, software is simply a service. There is a little cost for the scarcity of material such as for the manual and CD-ROM, but that is it.

Re:Microsoft's use of zlib is not the issue

[ahde]

that is an issue, but its a different issue.

Re:Microsoft's use of zlib is not the issue

[WNight]

RMS is irrelevant to this discussion. What is relevant is that Microsoft is afraid of the possibility for people to make their own software. With large projects taking many man-years, open source is the only way large projects could happen.

I don't forget that it takes incentive to create software. I have worked for many companies with the incentive to create software. I've had contracts rangding from $2k to $30k for developing a custom DB interface, or customizing existing software. They obviously feel that new software would save them money in the long run and are willing to spend on this. These companies weren't even billion-dollar multinationals.

I think this disproves the idea that programmers would starve in an open source world. No project is going to perfectly suit all users, and not all users needs are going to "scratch the developers itch" so much software that industry wants won't just happen for free. They can either adjust to fit the software, or have the software adjusted to fit them.

As to the issue of scarcity... Software *is* an artificial scarcity. Once you have one, you can make a million copies for near zero cost. There's no financial incentive for a company to do so, but the facts remain that all the costs are up-front.

Anyways, the long and short of it is that Microsoft blatantly and deliberately attacks open source. Then they go and use open source, while saying terrible things about it. This is totally dishonest. If open source software is bad, don't use it. If you use it, admit that it's not bad.

Re:oh goody

[Spider[DAC]]

People have a stigma that there should be one solution to every single problem out that. It's like that in the 3D space. There are purists that believe that when you 3D render a scene, the image must be perfect when they go to hit the render button. They don't undrestand that it is okay to divide up your 3D work into layers and tweak each one of those seperately (i.e. color correction or sharpening). I guess they feel that the render program should be a 'perfect simulation of light' and that they shouldn't have to 'fix an image'. They fail to see that the best simulation of light we have (reality) even needs to be touched up from time to time.

no. This "tewaking" only means that they have -failed- to get the correct result from their scene description in the first place, and that they must resort to manually tweaking the result instead of actually going back and modifying what was wrong in the first place.
You can and should modify your lightsources whenever you render something, because a 3D rendered scene is just that, 3D rendering. NOT a so called "perfect simulation of light" because that is left to the creator of the scene.
it is the scene creator that has to make sure he gets his lighting, world and all other factors correct for the desired result.


Bah. Paintbrush artists.

Re:Seriously? Microsoft use open source code?

[xtremex]

Actually, it comes from VMS. VMS is so alien to the UNIX way of thinking. So, Windows is basically a hodge-podge of VMS plus some System V additions, and a pretty shell.

Because they're not stupid

[Alex+Kalita]

Microsoft knows that putting GPL code in a closed source product would open them up to lawsuits, so they avoid it at all costs. The article even mentions that Microsoft developers are banned from using GPL source code. They have used non-GLP code before, and in every case they have complied with the associated license. I wish we could put these silly accusations to rest. The only supporting evidence anyone has given is "because they're Microsoft".

Replying to my own message

[jonnyfish]

Yes, I am a somewhat technical person, and that's why I'm asking. I know what buffer overflow is, and the zlib issue is not it. This may be an issue, but surely something that doesn't require this much coverage or worrying.

Re:Replying to my own message

[dannannan]

I know what buffer overflow is, and the zlib issue is not it. This may be an issue, but surely something that doesn't require this much coverage or worrying.

A double-free can be just as bad. For example:

1. Suppose some code frees a buffer.
2. Then some other piece of code asks the allocator for a block of memory, and happens to get the block that was just freed.
3. Next, suppose the already-freed block is double-freed.
4. Suppose, finally, that some code asks the allocator for a block of memory again and it receives the block that was just double-freed.

Now two pieces of code are using the same buffer for two different purposes without knowing it. Maybe one of the pieces of code is using the buffer to write data from an untrusted source. This corrupted data could then mistakenly be trusted by the other piece of code.

For example, if one function thinks the memory is a C++ class with a vtable, and the other thinks it's a buffer to store incoming data from a socket, whoever's sending the data to the socket has an opportunity to replace a function pointer with one of their choosing, and the next time a virtual method is called by the code that thinks the buffer is a C++ class instance with a valid vtable, it's curtains.

Yikes!

D

They don't know what their own code has?

[loconet]

"...However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable. "

You're telling me their own people don't know what products uses what? Either they want to see if they can deny the use of zlib or they're just clueless. The lather seems more possible.

HABBA FUNGULE

[lkaos]

It is NOT a buffer overflow. Every is happy that your karma whoring because you know what a 'buffer overflow' is but your also helping spread this FUD.

The problem in zlib is a double free. It is only, and I repeat, only theoritically possible to exploit this in the same way that it is theoritically possible to exploit any undefined behavior.

Please don't counter with a traceroute exploit being an example of a double free because it wasn't. That was an example of free a garbage random data. There is quite a difference.

At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny because XP's whole TCP/IP had a remote root hole in it and less noise was made here then is being made now over something that is only theoritically possible to exploit and also not yet proven to be reproducable.

Right now, this 'security issue' is entirely theoritical.

Re:oh goody

[NanoGator]

"no. This "tewaking" only means that they have -failed- to get the correct result from their scene description in the first place, and that they must resort to manually tweaking the result instead of actually going back and modifying what was wrong in the first place."

Err okay. It's not a black and white situation. 3D programs do different things than 2D programs do, and its silly to limit your toolset by expecting it to come out of the renderer perfect.

Getting back on topic, it's like complaining that Windows 2000 is a crappy 3D workstation because it sucks as a webserver . The truth of the matter is that there isn't one grand unified solution that works for every little thing. Me personally, I'd rather use a Macintosh for my mobile needs, Windows 2000 for my 3D Workstation and gaming platform, and Linux running Apache as my web server, and Linux again as a mailserver.

Put yourself in MS's position

[uebernewby]

They're not dealing with a fairly small number of reasonably savvy users who go to read slashdot, discover that zlib has a bug and decide to go fix their systems. MS deals with millions upon millions of 'ordinary users' who run dozens of programs that have zlib linked statically (we've just been told) and who have absolutely no idea what zlib is, what their systems use it for or how to patch it (well, they can't, because it's statically linked). So it makes sense for MS to determine first which apps are affected, in what way (is DirectX ever going to run into this problem? if yes, what are the consequences? if no, or if the consequences aren't serious enough, getting millions upon millions of clueless users to download a DirectX patch ASAP isn't worth the trouble). I agree with you that they should have information handy on which of their apps link to zlib, but who's to say they don't and they're just taking this time to conduct a risk inventory (they're a big ass bureaucratic monstrosity after all)?

Re:Put yourself in MS's position

[mpe]

MS deals with millions upon millions of 'ordinary users' who run dozens of programs that have zlib linked statically (we've just been told) and who have absolutely no idea what zlib is, what their systems use it for or how to patch it (well, they can't, because it's statically linked).

Since all of Microsoft's operating systems support dynamic linking youc an lay a fair bit of blame on Microsoft for choosing to statically link their apps. One of the main advantages of dynamic linking is easy upgrading, either for bug fixes or functionality.
Also it was Microsoft's policy to design around a paradigm of end-user administration.
How can they reasonably blame anyone else?

Re:Put yourself in MS's position

[uebernewby]

Of course they are to blame and of course static linking isn't always a smart thing to do, I was just saying that because they design their software to be easy to use (not such a bad decision IMHO - I'd hate to have my dad run linux), getting patches out the door is going to be a little more difficult for them to do than it is for Linux distros.

Re:Seriously? Microsoft use open source code?

[jedidiah]

I'm curious too. Why should we believe a fish tale like that when Win2K still has an /etc/hosts file embedded into it?

Re:oh goody get a clue

[fro_less]

I have spent alot of quality time with 2000 (migrate from NT4 to Win2000 AD = no fun ). Most people hate it because the have to use it at work, even though there are better alternatives. MS bashing goes on because their products .... WTF why am I explaining this to you, SHUT UP TROLL.

Re:oh goody

[TummyX]

So your W2K box crashes 2 times a week and you haven't fixed it? Have you even tried?

My W2K server has been up 196 days and counting. I've NEVER encountered a BSOD on my XP notebook.

Perhaps you should try upgrading your drivers to MS cerftified ones.

zlib demonstrates the strength of Linux security

[dybdahl]

The zlib incident has clearly demonstrated how well the Linux security model works. Within 24 hours after publishing the vulnerability, Linux servers were fixed all over the world, and still nobody seems to know how much Microsoft products are vulnerable.

We will probably see more and more software and code that runs on both open-source platforms and on Windows, which means that we will also see more incidents where Microsoft's security service performance can be measured against the competition.

Re:Seriously? Microsoft use open source code?

[edhall]

That's the 4.4BSD license, a license that predates FreeBSD (and the other open-source BSDs). It contains the dreaded "advertising clause," which is (IMHO) rightfully viewed as non-free. That's why FreeBSD uses this license which drops the advertising clause and is almost universally viewed as a free license; the other open-source BSDs did the same thing.

-Ed

Re:Innovation in the computer industry.

[jedidiah]

Open Source was never about plagarism.

That is ALL that Microsoft is about.

They only look similar if you aren't paying attention.

Re:oh goody

[uebernewby]

I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.

Maybe, just out of curiosity, you should try one of the newer distros - SuSE or Mandrake are laughably easy to setup nowadays. Pop in the cd, tell it what kind of hardware you have, done. Although I must say I agree with you that if you're looking for a platform to do 3D, image processing, video or audio on, Win2K is probably a better choice.

If there is a fix, doesnt MS have the fix also ?

[Quazion]

I hear all these people about a flaw in the MS OS ?
Maybe there, but its fixxed probably, now what i wonder about is when they come with the patch.

But then i also read some thing about the a difrent C version of MS, so maybe they dont need the fix.

Now i wonder why i even wrote this..

Quazion

No such domain (Offtopic)

[The+Cat]

Can someone please explain why zdnet and news, etc. are all on a non-existent domain?

; > DiG 9.2.0rc3 > news.com.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER

I don't get it. com.com seems to be some kind of travel agency. Any ideas?

(Sorry for the offtopic question)

Re:No such domain (Offtopic)

[The+Cat]

Figures.. here is the real DNS information:

; DiG 9.2.0rc3 news.com.com
;; global options: printcmd
;; Got answer:
;; HEADER opcode: QUERY, status: NXDOMAIN, id: 46230
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;news.com.com. IN A

Whacking MS Memes

[_Sprocket_]

Good troll. Just in case someone actually takes this seriously...

a more likely scenerio is that they are testing the fix. Microsoft is usually rather quick about releasing things, but they believe in testing it first. Great concept that.

Microsoft's fast responces to security issues is a recent event. They do not have a history of fast responce. But they do have a history of putting out fixes that cause problems. It is common practice to delay rolling out hotfixes and service packs to allow for discovery of these bugs and subsequent fixes.

Oh, and it will be available on windows update so that it will actually have wide spread adoption. Lets see how wide spread the linux fix is.

Yep. That's why CodeRed and Nimda weren't able to do much damage. Oh. Wait.

Since 80% of redhat boxes are rooted in the first 24 hours there seems to be a rather large precedence for boxes not being patched when they should be.

Nice statistic. Got a valid reference for it? Or is that just a bogus number to make your rant sound nice?

Microsoft may be a lot of things, but they aren't stupid. If they were they would never have gained absolute control of the desktop.

People often confuse Microsoft's marketing savvy with their technical ability. They are a technical company who excels at marketing. You're crowing about their marketing. This is a technical issue (information security is not a marketing issue - despite how many companies, MS included, tend to handle it).

Re:Whacking MS Memes

[kz45]

Yep. That's why CodeRed and Nimda weren't able to do much damage. Oh. Wait.

CodeRead and Nimda damaged many systems only because admins never got the patch from microsoft.

Re:Whacking MS Memes

[Datafage]

Yeah, and the original poster said that MS always achieved widespread patching.

BSD license vs MIT license?

[cpeterso]

If the BSD license no longer has the dreaded advertising clause, then how does it differ from the MIT license? Why doesn't FreeBSD simply switch to the MIT license? Maybe there is some university rivalry.. or maybe they don't want to rename their project to "FreeMIT". ;-)

Re:BSD license vs MIT license?

[Ace+Rimmer]

The difference is now only in formulation. But the MIT licence is way shorter so I prefer that one ;)

Re:oh goody get a clue

[NanoGator]

Name a better alternative. Windows 2000 is easy to deploy on a variety of harware, easy to use, and has well supported software. The gotcha is that it costs lotsa money to license. Can you honestly tell me there is a better alternative? The only alternative I have as a 3D Artist is Macintosh. And though I'd like to have one, Windows works on the hardware investment I've already made.

Linux is hard to install, requires a more knowledgable support people, and has less driver support. This is why Windows is big in the corporate world. Obviously Microsoft isn't so bad if it's doing what people are paying for it to do.

As for being a troll, a troll rarely makes a good point. Getting back to my original point, this attitude of "It sure is cool to hate Microsoft" is blinding people to alternatives that may very well work for them. Call me a troll for disagreeing with you if you like, but I'm not-anti Linux.

Re:oh goody

[NanoGator]

I just wanted to respond and let you know I appreciate the tone of your answer. I've had a couple of people recommend SuSE, and it's on my list to try.

Again, thank you for being civil.

Re:... pants on fire!

[dossen]

Well, as has been said many a time before, this would not be a good thing for microsoft or any other vendor. The GPL is the agreement that grants you the right to use the code in your product and distribute it. If the GPL should fail, then vendors would have NO right to distribute software based on GPL'ed source. The GPL is not a restriction on public domain, it is a set of rights granted by the holder of the copyright.

Re:oh goody

[NanoGator]

I think you're right there. I can't help but wonder if the new file system they announced is intended to keep people from dual booting Linux boxes. How much ya wanna bet that Lilo doesn't work with it without some kind of patch?

The good news is that every time MS closes a freedom with people (like XP requiring registration, or a security flaw in their software), Linux has an opportunity to be more attractive.

Re:oh goody

[jedidiah]

I've been NT since '94. It peaked with 3.5.1 and has been downhill from there. I've spent plenty of time with NT5. It is my workday OS. I even had dellusions about improving the computing condition of my family members by subjecting them to it.

It either failed to live up to immediate requirements or failed to live up to the performance of it's DOS based predecessors in daily use.

The problem with Microsoft is that it's main focus is not technology but market domination. Technology is a far distant second (or worse) and merely a means to and end for them.

What makes Bill a better megalomaniac doesn't necesarily make for a better product.

If GNU, software development sloth encarnate, could sneak up behind Microsoft then there are some serious problems out there in Redmond.

double free() considered harmful

[nyet]

NOT crashing on a double free might be just as bad (or worse) than crashing on a double free, since it generally means somebody is accessing a free'd pointer for other reasons (prior to the second free). In *this* particular case, allowing a double free might be better than not allowing it, but in general, ANY program that does a double free probably has far more destructive bugs hiding in it.

Re:Seriously? Microsoft use open source code?

[Beatlebum]

I bet part of the reason MSFT is so averse to having its precious source code inspected is the possibility it contains GPL'd code that infringes on the license.

Re:oh goody

[jedidiah]

Win95? Apple achieved better 11 years earlier.

The whole "random collection of spare parts" thing has still yet to be completely managed by Microsoft. They still screw it up often enough for Linux to be in a position to recover the situation.

Microsoft deserves NO credit for PC hardware compatibility. The hardware usability standards were pioneered by Intel and Apple and only grudgingly adopted by Microsoft.

It's the hardware vendors MANUFACTURERS that make installing new hardware on WinDOS easy.

No, Microsoft wasn't the one that make computers more than "toys for geeks". That credit goes to the developers of the Web and early web browsers. THAT is the killer app that pulls in the sixpack family.

Microsoft was late on that technology too, and had to muscle it's way into marketshare when they finally got off of their posteriors.

Re:Fellow preachers! Let's convert Microsoft!

[kz45]

Ah, but what if we made GPL'd code that was so good and so far ahead of everything

It will never happen. Most GPL projects never go anywhere because agreements can't be met, and the people contributing have to go to a normal job.

Re:Seriously? Microsoft use open source code?

[toopc]

I bet part of the reason MSFT is so averse to having its precious source code inspected is the possibility it contains GPL'd code that infringes on the license.

doubtful...

http://research.microsoft.com/university/ntsrcli ci nfo.asp

Microsoft® makes source code to Microsoft operating system products like Windows XP, Windows 2000 and Windows CE available to universities and other "not-for-profit" research institutions at no charge. Currently, there are over 100 universities worldwide with our source licenses.

"The issue at hand is choice"

[gotan]

This is again Mundie piping up with that stupid argument, that the GPL is bad because it limits the licensees choices. Now where's my choice when i want to develop using Microsofts sourcecode (if i can get my hands on it, even some governments can't)? Well, i have to accept Microsofts conditions. With the GPL and similar licenses i have to agree to the conditions of the respective authors (which choose the GPL as a license). So where's the difference? I'm sure it's easier to satisfy the GPL than Microsoft anyway. If only someone would ask what Microsofts conditions are for using their sourcecode when Mundie goes on a rampage again, that should shut him up for good.

Meanwhile the TCP/IP stack and now the zlib (and probably some other open source software Microsoft choose to make money off) shows what all that rhetorics of Mundie really is about: They want to take without giving, and they have seen that there's some nice open source software they'd like to get their hands on if only it weren't for that pesky GPL. Apparently that there's some open source software, that's too good to ignore, even for innovative Microsoft. It's really unfair that the GPL is asking Microsoft to share with others if they want to benefit from that software.
--

Re:Seriously? Microsoft use open source code?

[warlock]

This is a "bug" in the webpage... someone forgot to update it apparently, since the 4.4BSD license has been updated years ago. Check the addendum here:

ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.L ic ense.Change

The removal of the advertising clause retroactively applies to any BSD licensed sources that Berkeley has the copyright of, including 4.4BSDLite which FreeBSD is based on, and since the FreeBSD additions are covered with the FreeBSD license which is the BSD license without the advertising clause and references to the "Berkeley Regents" replaced with "FreeBSD Project", this effectively means that there is absolutely no advertising clause issue.

There are of course some non-free (in the BSD sense, I am not trolling!) sources, most of them GPL, however if one is looking to release modified FreeBSD binaries without providing the source, he can simply rm -rf /usr/src/gnu or make sure he doesn't ship any of them, which for a lot of applications is not necessary anyway.

That isn't Microsoft.

[evilpaul13]

Installshield that is. MS has the "Windows Installer." Installshield is a separate entity.

Re:... pants on fire!

[xonker]

WTF?

Your reply has nothing to do with my post. It really has nothing to do with the parent post that I responded to.

PHP page compression ?

[phobonetik]

How could this affect PHP4's use of zlib? I assume this is used when you use gzip compression on pages using the ob_handler?

Re:In other words

[kz45]

No, Microsoft sucks because they've been on an anti-opensource crusade and are using open source in all their products. It's the hippocricy(sp?).

No, microsoft is using legally licensed code in their operating system, which happens to be BSD licensed.

They are on an anti-GPL crusade, which is largely different.

Get your facts straight.

Re:Seriously? Microsoft use open source code?

[xtremex]

I will ignore your comment as you have NO idea what you are talking about.

Re:oh goody

[An+Onerous+Coward]

"If Linux becomes what Windows is in terms of usability, it will be every bit as bloated as MS. Don't believe me? Look at Redhat. Their default install wants to eat up a gig of space. Granted it comes with lots of apps, but it has its share of bloat too."

You can't compare the bloatiness of XP and Red Hat 7.2 by simply comparing how many megabytes each chews up. You have to find some sort of bloat/functionality metric. In such a comparison, I think that any Linux distro would win handily.

When you install either OS, you're also installing a lot of auxillary software. Red Hat gives you a C/C++ compiler for free, while you would have to buy VC++6 from Microsoft. Red Hat includes an IRC client, which is a separate download under Windows. Red Hat gives you more text editors than you can possibly be interested in (joe, several variations of VI, Emacs and XEmacs, gEdit, NEdit, Abiword, Kate). You even have the option of installing StarOffice 5.2, free. With MS, you get Notepad, Wordpad, and EDIT (command-line). And last I heard, Notepad *still* had that 64K limit, which is simply braindead. Red Hat gives you TuxRacer, while you would have to shell out $50 for Microsoft's HALO. :)

Finally, the docs that ship with Red Hat are probably way more thorough (though less organized) than anything Microsoft gives you.

The point is, if you can see where the bloat is coming from, then it really isn't bloat. Most Linux distros have big installs because they provide a lot of different utilities and a lot of documentation. I'm hard pressed to figure out where the bloat in Windows comes from.

"It's in everybody's best interest if Microsoft does well, believe it or not."

If, by "does well," you mean "continues to exist, continues to improve its software, and continues to provide incentives for competitors to improve theirs" then I fully agree. If you mean, "continues to pursue Complete World Domination(TM), continues to lock customers into proprietary formats and solutions, and continues to force customers along expensive upgrade paths," then you would be wrong. Microsoft has its place in the world, I'll agree. But that place is not the center of the world's information economy.

OS from scratch

[leonbrooks]

I'd love to see Microsoft write their own OS from scratch the way GNU did. ;)

That's true, they never have written an OS from scratch. Windows 9X is DOS-plus-GUI-shell and DOS was derived from QDOS; Windows NT is DEC's MICA, broken and in fancy clothes, and 2k, XP, Longhorn etc are all derived from that. What about CE? Maybe that's why you need an expensive mega-micro-beast to run it on.

If MS truly want OS security, why not just wrap their user interface around OpenBSD? The licence allows it, provided credit is given (and that can be done in very fine print).

XFree86 patch for dynamic zlib

[leonbrooks]

Some distributors have patched XFree86 to link dynamically against the system zlib.

Mandrake, for example. That and any other package for which this was straightforward to do.

MELON. MELON. MELON. +++ REBUILD FROM SOURCE.

[leonbrooks]

Any proper system should be able to rebuild completly from source, catching ALL statically linked binaries.

For your compiling pleasure, Mandrake 8.2 includes a tool to do just that. But you will also have to grep the entire source tree to catch self-included static copies of zlib. Just be glad that you can do this. (-:

``Hello, Microsoft Technical Support here. Can I have your money, er, support number please? ... Thanks, OK, now what seems to be the problem? ... Rebuild from source? Sir, don't you mean reboot...?''

Another fine reason to give money to Mandrake instead of Microsoft.

Re:MELON. MELON. MELON. +++ REBUILD FROM SOURCE.

[xanadu-xtroot.com]

What's the name of the tool you speak of? This is the first I've heard of this handy thing.

TIA!

Microsoft NOT vulnerable to zlib bug!

[jpmorgan]

The security vulnerability is due to zlib trying to free the same section of memory twice. The glibc memory allocation routines aren't very smart, and will cause heap corruption if you try to do this. This heap corruption can be exploited.

The Microsoft runtime libraries have smarter memory allocation and deallocation - attempting to free the same area of memory twice does not result in heap corruption. Consequently the zlib bug isn't a security vulnerability in Windows.

Re:Microsoft NOT vulnerable to zlib bug!

Just like it isn't a bug in Free/Net/OpenBSD.

The zlib error isn't the security flaw. It's the glibc error that results that is a security flaw.

It's a uniquely Linux security flaw.

WHY DO PEOPLE PERSIST IN IGNORING THAT FACT??

Extent and Response

[Erris]

Hmmm the article mentions about every piece of M$ crap ever made, On Thursday, researchers reported that at least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

Gosh, what else do they make besides a second rate search engine? That there is no security on M$ is no secret.

Their response according to the article is:

Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library.

Meanwhile, in a dark Seatle back room someone is running "apt-get update" for a fix! Well, that's what I did. No problems now.

Re:Innovation in the computer industry.

[caspper69]

Uhhh...

Then why do so many of the "new" window managers that Linux zealots are promoting look so much like Windows?

I can see it now..

Linux Zealot: Boss, we've got to change all of our desktops to Linux now! It's finally ready for the desktop.

Boss: I thought it was hard to use.

Linux Zealot: Not at all. It's MUCH better than anything a company of professional developers working full time could create. And it doesn't have ANY security vulnerabilities, and it NEVER crashes.

Boss: Sounds pretty good. Have they made the User Interface any better?

Linux Zealot: Oh yes, much better. KDE has added a start menu, right-click context menus, My Computer, Control Panels and even a way to (almost) automatically install/uninstall programs.

Boss: Sounds like Windows 95 that was released 7 years ago. I guess that's ok, but does Linux support our hardware?

Linux Zealot: Not all of it, but there are some close driver matches, and if I hack away at it enough, maybe our hardware will work. There's also a guy in his basement in Cleveland working on a driver for our video cards. His latest post to /. says he'll be done in a few weeks.

Boss: Well, I don't like the idea of not knowing when/if our hardware will be supported, but we'll be upgrading soon, so that's not a really big deal. What about software? We've got hundreds of thousands of dollars invested in several custom VB applications that make our lives 1000x easier. Will they run?

Linux Zealot: No, not yet. But there's a new project started by some college kids in Arizona that will allow us to quickly convert VB applications to X applications. Right now it doesn't do shit, but I'm sure in a few years they'll get it to run flawlessly!

Boss: Well, what about all of the documents and spreadsheets we've typed over the last 10 years. Will we be able to read those? Oh yeah, and if we switch, will we still be able to use Office?

Linux Zealot: Office? What is that? Oh, Star Office, yeah, it'll run just fine...

Boss: No.. Word. Excel. Powerpoint. The tools that the entire civilized world relies upon to get WORK done?

Linux Zealot: Well, not yet, but there's some guys working on this thing called WINE that...

I'm sure you get the point. I'm also quite certain that this post will "disappear." Don't belive it happens? ANY post too MS or too anti-OSS seems to magically vanish from /. Seems as though Open Source advocates aren't as "Open" as they claim.

This whole comment on plagarism just pisses me off. Get a fscking clue.

Re:oh goody

[NanoGator]

I don't think we have compatible definitions of the word 'bloat'. When I used it, Red Hat (KDE) had so much going on it was difficult to track down very specific items. It was slow to repond, and flat out frustrating to use. Windows 2000, on the same machine, was much more responsive. That's either bloat or inefficiency. When Windows takes too long to access the registry, that's sometimes considered bloat. Programs take up too much space (70 megs to download Star Office, for example...) is considered bloat. For me, Windows 2000 is the OS of choice on this machine. If I had the "It's cool to hate MS" attitude and went with Red Hat, I woudln't be any better off. I'd be hurting myself, and that was the point I was making.

" If you mean, "continues to pursue Complete World Domination(TM), continues to lock customers into proprietary formats and solutions, and continues to force customers along expensive upgrade paths," then you would be wrong."

I disagree. Let's talk about proprietary formats for a sec, those aren't 100% bad for everybody. Although I realize this can be used to leverage a monopoly, there's a lot to be said for having a format that MS can diddle with. This gives MS some room to innovate. MS invented the .DOC format, right? Well that proprietary format keeps other people out, that's true. But it also allows MS to make changes and make the format do more. Look at what a .DOC file can do that a .TXT file can't. You can attach other files inside it, format your text, etc. If MS was adhering to a standard like HTML for example, how would they be able to innovate without bending it towards proprietry at some point?

When they do this, they create an opportunity for somebody else to come in and make a better format. When Unisys tried to make people pay for using .GIF files, the .PNG standard was developed. .PNG Is a totally kick ass format for us artists who need lossless compression and alpha channel support. This format came around BECAUSE somebody tried to strangle a format they owned.

Long story short? Every time MS tries to leverage their monopoly, a new opportunity arises. Embrace that philosophy, because that is exactly the type of thing that will make Linux a big player out there.

ha ha, Sheldon you silly boy.

[twitter]

But what if there is no problem with the Microsoft software?

Well, that could be. I don't have any problems with my M$ software. It sits on floppies and CD's where it can be installed to use some obscure piece of hardware on a second rate computer never attached to the internet. Most of the time, however, it never causes problems.

Bad Microsoft, bad! Quit saying that free software is unusable while using it. Oh yes, good luck hunting thought that vast tree of poorly documented closed source junk you have been purchsing from other companies for the last ten years. Is this what you will build the Digital Rights Management Operating System, TM and patented use of other people's code? Slap! Crack! What a joke of a company. What shall become of all the M$ stock when the world figures out that M$ is the equivalent of an Ice Vendor in Antartica?

They wanted to be the asshole in the middle, stripping ideas and programs from others, to sell as The Sole Operating System. All the people they ruined could be hard at work fixing their codes. Now, those codes will continue to be distributed unmodified. The task is too great for a single company. Like most such ventures, in the end Microsoft can only manage to be assholes.

MS should use some GPL code and see what happens

[Sabalon]

Seriously - they should come up with some small little product that it doesn't matter if they have to release the source code to. They should put some GPL'd code in there - perhaps not even try to hide it too much.

And then they should see what happens. I guess they figure not many in the GNU crowds care much for them anyway, so they won't lose "loyal customers".

However, it'd either do two things:

a) show MS that it doesn't matter cause no one dared to file a suit

b) give the GPL it's day in court and see what happens.

The only downside is that whoever decides to take this to court better be loaded. It could be a long uphill battle.

It would be interesting to see the outcome though...however with MS's legal team, perhaps it may not be a good outcome.

Update Services

[_Sprocket_]

Datafage already did a fine job at pointing out the issue - the fact that having an update on Windows Update does not guarentee "widespread adoption" as the origional poster claims. Codered and Nimda are two examples where such a system should have limited damage. It didn't.

There is another interesting point to make here. The origional poster implys updates will be slow to trickle in to the Linux install base, while Windows Update offers a shortcut to the process. Microsoft's Windows Update service is not unique. Its not even first of its kind. Linux distributers such as Redhat and Mandrake have long offered a simular service. Debian has had such a system in place even earlier.

In short, Windows Update provides neither a panacea nor unique solution to the issue.

Re:Update Services

[mpe]

The origional poster implys updates will be slow to trickle in to the Linux install base, while Windows Update offers a shortcut to the process.

A lot of the time Windows Update appears to be more about marketing the latest version of Internet Explorer and co than distributing important fixes.

Try it and get sued

[LatJoor]

I'm afraid you misunderstand the license. What you suggest still involves linking your program to the GPLed code at runtime, which is expressly forbidden by the GPL.

Besides, you have to release the code of the wrapper library under the GPL, which in turn requires you to release the code of your other program under the GPL as well. The chain will continue no matter how many "wrappers" you write.

Re:Try it and get sued

[Wolfier]

I understand I have to release the wrapper. The point of writing it is to convert whatever the program is, into a library.

Even if what you said is true, if I'm determined enough, I still won't get sued if I do it right. I'll bet you anything on it.

How about - write a CORBA server with the GPL code. Release the server source code. Write your program as a CORBA client. Done. There's no linking between your program and the GPL code. Static OR dynamic. There simply is some network traffics involved.

Re:Try it and get sued

[LatJoor]

Yes, if you separate the GPL code and your program, then it's not a violation of the license, any more than it's a violation of the license to run proprietary software on the Linux kernel, or write proprietary code that accesses a MySQL database. However, when you do this you're no longer circumventing what the program's author intended to accomplish. Plus, you've made a new contribution to the software by writing a CORBA server for everyone to use. This isn't a loophole, it's how the GPL is intended to work.

Re:Try it and get sued

[Wolfier]

Hehe. I guess you're right here. I don't have any intention to violate the GPL, but I just want to point out that, if you want to use GPL code that would **give you the same results as if you're directly linking to it like you use a library**, you can do so without releasing the client you write to use that library - it'd just a bit tedious, and involves doing something along the line of RPC.

As far as I know, it wasn't what RMS had in mind when he invented the GPL.

Yeah, I've made a few new contributions by writing a CORBA server. Who cares - most companies don't fear the GPL because "they have to make contribution". They fear it because "they may have to release their own code". As far as I'm concerned, the CORBA server does not have to have anything specific to your application, and, how hard it is to convert a library to play with CORBA? Not at all in most cases - so the "contribution" would just be saving some time for the community on some tedious task. But not a new idea.

Re:zlib demonstrates the strength of Linux securit

Sorry. There are eye and there are eyes. Clearly this demonstrates that just throwing it out into the world and hoping that eyes at random will find the bug isn't a foolproof strategy.

I am really tired of the 'few eyes/many eyes' meme and how it's turned into a dogma.

Sorry, Eric Raymond didn't reinvent Software Engineering when he wrote his diatribe. There are many other far more experienced people out there doing a better job, some not even based on crappy neo-pagan metaphors and matchbook-cover political economy.

Of course, you do realise...

[Trisk]

It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

... that this "Multiplatform InstallShield" is a joke.

Re:oh goody

[robhancock]

BTW, Notepad does not have a 64K limit in Windows NT4/2000/XP..

grep is not the utility you're looking for.

[Trisk]

strings will display ASCII strings embedded in a binary.
With the additional '--print-file-name' option for the GNU binutils version, it's even more useful.

From Windows NT 5.0:
[trisk@kainga:/vfat/windows/system32]% strings --print-file-name *.exe | grep 'Berkeley'
nslookup.exe: @(#)nslookup.c 5.39 (Berkeley) 6/24/90
nslookup.exe: @(#)commands.l 5.13 (Berkeley) 7/24/90
nslookup.exe: @(#)debug.c 5.22 (Berkeley) 6/29/90
nslookup.exe: @(#)list.c 5.20 (Berkeley) 6/1/90
nslookup.exe: @(#)subr.c 5.22 (Berkeley) 8/3/90
nslookup.exe: @(#)skip.c 5.9 (Berkeley) 8/3/90
nslookup.exe: @(#)getinfo.c 5.22 (Berkeley) 6/1/90
nslookup.exe: @(#)send.c 5.17 (Berkeley) 6/29/90
[trisk@kainga:/vfat/windows/system32]% strings --print-file-name *.exe | grep 'Regents.*University of California'
finger.exe: @(#) Copyright (c) 1980 The Regents of the University of California.
ftp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
nslookup.exe: @(#) Copyright (c) 1985,1989 Regents of the University of California.
rcp.exe: @(#) Copyright (c) 1983 The Regents of the University of California.
rsh.exe: @(#) Copyright (c) 1983 The Regents of the University of California.

Re:grep is not the utility you're looking for.

[Trisk]

As for zlib (remember that some copyright noticed may have been removed):
[trisk@kainga:/vfat/windows]% find . -type f -print | xargs strings -f 2>/dev/null | grep '[di].flate'
./system32/dllcache/vgx.dll: 4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
./system32/dllcache/vgx.dll: f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler
./system32/offfilt.dll: inflate 1.0.4 Copyright 1995-1996 Mark Adler
./system32/pngfilt.dll: i inflate 1.0.4 Copyright 1995-1996 Mark Adler
./system32/urlmon.dll: PROTOCOLS\Filter\deflate
./system32/urlmon.dll: Accept-Encoding: gzip, deflate
./system32/urlmon.dll: Accept-Encoding: gzip, deflate
./system32/QuickTime.qts: inflate 1.0.4 Copyright 1995-1996 Mark Adler

vgx.dll and offfilter.dll are probably MS Office libs. (inflate(), deflate() are zlib functions, btw). QuickTime.qts is just shown since it's also interesting.

it's not

[Otis_INF]

The double free bug in zlib doesn't affect MS systems since the msvcrt lib isn't affected by a free of a NULL pointer. This article on CNet shows the need for pageviews.

Re:it's not

[mvdwege]

Neither is glibc. A free(3) on a NULL pointer is defined as a no-op. Only a free(3) on an already free(3)ed pointer is problematic. According to the manpage it will cause 'undefined behaviour', which is later clarified as possible heap corruption, and this behaviour is according to the C99 specification.

You'd better learn a little more about things before you open your mouth about it.

Mart

Re:Seriously? Microsoft use open source code?

[trezor]

And ofcourse they now support raw-sockets in WinXP. For average users by default. Who'll say "I saw that one coming" when a major WinXP based DDoS attack starts to rage the net?

Are they complying with the licence?

[alriddoch]

Reading up on the zlib licence, which is short and easy to understand, I find this clause:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

The way I read this, if software uses zlib code, then the authors of their software must not claim to have written the code. Microsoft are not obliged to acknowledge the zlib authors anywhere, but if they make a copyright statement saying that the code was written by Microsoft, then surely they are claiming that they wrote the zlib code in their product, and are therefor breaking this clause?

Does anyone know if Microsofts' copyright statements comply?

I am probably too late for this point to be discussed.

Microsoft's Allocator

[dewdney]

The reason why it is mostly a non-issue with Microsoft is because their RTL's alloc implementation is protected against double frees. This makes it a tiny bit slower.

But microsoft tried to remove this protection in one of their Visual Studio services packs - the result - Microsoft's ( and other's ) programs crashing randomly all over the place. They quickly reversed the 'optimization'

More worryingly -that means that alot of programs are actually relient on that thin safety net!

Re:Seriously? Microsoft use open source code?

[Chemicalscum]

How would any university user know - they would not be GPL coders because of the NDA and fear of contamination. Perhaps Eben Moglen should find someone who can thoroughly examine the MS code who won't be writing anymore GPL code - but I guess MS would find some way of stopping that!

Re:oh goody

[Chemicalscum]

Bloat is not how many Gigs of hard drive you need to install all packages - on this basis Debian would be the most boated release ever. Bloat is requiring ever more RAM and ever faster CPU's to run an OS and a reasonable set of apps. On this basis while Linux does seem to be following the same increasingly bloated path as Windows at least you have an option of running a lean system with a windowmanager or light desktop environment such as Windowmaker or XFce respectively. However I have given into bloat - at home away from this goddam Windows machine I run Gnome.

There is money and then there is MONEY

[bubbha]

In your view, the society moves forward as a side affect of individuals pursuing BIG MONEY. I suspect that if you do some reading on just who are the people who create innovative technology you will find that they are people motivated only partly by money but much more for having a burning desire for the subject area they are addressing. BIG MONEY is made by those who can take other people's innovations and market them. Frequently, the winner is as much politically connected as they are financially astute. What motivates open source developers is the burning desire to "make a difference" in some way...in the area they care about - programming and software development. How about this, we won't worry about the "starving programmers" of the world if you stop worring about the "starving Billionaires" of the workd.

Re:... pants on fire!

[mpe]

If something like that were to happen, I'd imagine that the GPL would probably be killed in court by high powered lawyers from all the major software companies (not just MS.)

The only way you could "kill" the GPL would be to void copyright protection on software. Effectivly every piece of proprietary software would immediatly enter the public domain.

Re:The Tragedy of the Commons.

[reflective+recursion]

Spending money is a liability too, because all money is a representation of the amount of work it would take to mine an equal portion of gold. One has to also work to get money.

To society, spending money is not a liability. The government gets tax money and people's time is given actual monetary value. If all software was open source then programmers would have to jump from "gig to gig" looking for work. There would also be hundreds of forks of the major software and almost no new software being created (because programmer's free time is gone since they have to actively look for work and noone wants to foot the bill and support a whole new software package being written).

Example: A free park would only be useful to society if people are restricted from charging and restricting others from and entering the park. Why then do we have parks? The makers are not rewarded, and no one else is entitled to be rewarded financially.

Uhm. A park is created when the city decides to use tax-payer dollars and pays for the creation of such a park. The park is an incentive for people to move to the city and help the economy there. Thus, the free park has actual economic value and is not a by-product of people's free time. Do you really think people create parks in their spare time? I'd like to see something like Central Park in NYC maintained on nothing but good will, as you imply.

If you see an addressed, stamped envelope on the ground, would you pick it up and mail it? If you answer yes, then, why did you do it? No one is paying you to do it, you did it for emotional reasons. If you answer no, then you are a defector. You better hope that no one knows about it. With anonymity comes increases in defectors, as people realize they don't have to contribute, they can just take. That's why the government makes taxation mandatory and not voluntary.

Picking one envelope off the ground and sticking it in the nearest mailbox would be charity. If there were enough people dropping their mail, then it might be of value to pay someone to go along the streets and pick up all envelopes and mail them. Then you would have a tax-payer supported mail picker-upper. This is no different from garbage collection. When you see a bottle on the side of the street you may wish to pick it up and throw it away. This is charity. The guys who come in a big truck and pick up everyone's pile of trash is not charity.

Humans are very emotional and that's what drives people to cooperate.

Oh really? When you drive around town looking for the best price on a computer and then finally decide on one, is that cooperation? Of course. You are paying people for an actual good. They now have profit from whatever mark-up was on that computer and can expand their business. Was it based on emotions? No. It was all about you looking for the best price. This type of cooperation happens more than any other in America. I have yet to find co-workers who can remain in cooperation for even short periods of time, yet money has a way of removing prejudice, religous beliefs, etc. and getting to the bottom of cooperation.

No one is saying that money is evil.

It is implied by the way people bash Microsoft. They are bashing them for no other reason than because the "richest man in the world," Bill Gates owns the company. People are so stuck on the Robin Hood story of "rob from the rich give to the poor" and have this idea that rich people in America are the greedy robber-barons of ancient times. This is not the case, as money in America is actually created. There is not a pile of gold that Bill Gates is hoarding. Whatever money he has, you could have also. But you have to see that opportunity yourself. What? Not smart enough to see it? Neither am I. Nor was anyone at IBM or Digital. Or Apple. People seem to forget how many millionares (and otherwise very happy people) Bill Gates has made.

No one is saying that money is evil.

Microsoft would be, if they rewrote the zlib compression.

And there are more useful things than rotting in jail, hence why smart people don't break the law, lest they get punished. As for lazy people, the punishment for not doing anything is that you have to write a compression library.

Why do you insist on stereotyping Microsoft as "do nothing?" They have more programmers working for them at any given moment than the whole free software movement has ever had. These people are not just standing around with their thumb up their ass. Otherwise Microsoft would not be making money, now would they? I'm not sure what you mean by "rotting in jail." There were no laws broken by using zlib, if that is what you mean.

You don't know that any of that would happen.

Of course I don't. What I do know is that if you remove the value of software, then the monetary incentive is gone with it. You should join the Free Software Business mailing list for a glimpse of the future. What you will witness is people trying to fit a square peg in a round hole, and do not realize that software has greater value if it is proprietary than open.

Yes they are

[j7953]

"This software" in the clause you've cited probably refers to the zlib library, not to the complete product it is used in (otherwise the "use this software in a product" wouldn't make any sense). Since Microsoft is not distributing a standalone zlib library, there isn't anything to misrepresent. I'm pretty sure they left the original copyright notice in the library's code.

BTW, I've been told that on the Windows XP installation CD, you'll find a file which contains copyright ackknowledgements for much of the software that they're using in Windows (e.g. the BSD license requires reproduction of the copyright notice "in the documentation and/or other materials provided with the distribution" when distributing binaries, so you'll find the BSD license in that file). I don't have Windows XP, so I can't tell you the file name. On the Windows 2000 CD or in the installed system I haven't found the file, but I guess they put it somewhere (anything else would be pretty dumb, given how simple it is to comply with the licenses we're talking about here).

Yeah, too bad nslookup is now crippled

[Marrow]

and going away....

Correcting myself

[garett_spencley]

Moments before I made the post I was reading about gzip's current buffer overflow in which you can pass a path on the command line that's more than 1020 characters and you will cause the overflow.

I confused this with zlib's problem and hence my claiming that zlib had an overflow.

I was wrong and I realized this a few minutes after posting. D'OH!

Anyway I still hope that my post helped someone to understand what buffer overflow's are about, even if it doesn't apply to zlib at present :O)

--
Garett

Re:Yes they are...no, they weren't

[civilizedINTENSITY]

Actually the stripping of the copyright notice from the bianary was a source of sore contention.

Re:oh goody

[civilizedINTENSITY]

"Some of us don't care how the OS works as long as it does. "

Of course, but the issue only exsists at the point in time where it *doesn't* work, at which point the "welded-shut car hood" system goes to crap.
Also a concern is not just if the OS does what I tell it to, but what else its doing that I can't tell it to stop doing...

Re:The Tragedy of the Commons.

[reflective+recursion]

The second quote..

No one is saying that money is evil.

should have been..

Who is "Throwing out software?"

Re:Operating Systems That Are DYING!

[Marrow]

So the major OS's in the world that are NOT dying
are VM, MVS, VSE, OS/390. I guess we all have to
learn SNA, VTAM, and JCL to make our way in the
world.

Re:The Tragedy of the Commons.

[WNight]

Yawn. It's an old story. "If you bash Microsoft, you're jealous."

I bash Microsoft because that would desperately love to make open source software illegal.

Despite all their claims, open source software is a viable commercial alternative. I'm proof of that. I've used open source software for my clients, and written new software for organizations that are largely using open source.

Microsoft wants to force people to buy software from a large company. They don't want people to realize that software can be produced by a single coder in a reasonable ammount of time.

They lie to accomplish this goal. Microsoft's history has been one long lie. They lied in court, they faked evidence, they lie about open source, etc, etc. Then they have the gall to use open source software after saying it'll destroy the economy.

I want to know why they can get away with this shit. It seems to be just because they're rich. If anyone else lied to a judge like that they'd be spending a month or two in jail for contempt, at a minimum.

No, I don't dislike Bill because he's rich. I dislike Bill because he's doing his upmost to make sure that I'll never be rich, by destroying the business oportunities of anyone who isn't Microsoft.

How much does MS pay you to astro-turf for them?

rpm-rebuilder-0.7-1mdk.noarch.rpm

[leonbrooks]

rpm-rebuilder

Re:rpm-rebuilder-0.7-1mdk.noarch.rpm

[xanadu-xtroot.com]

THANK YOU!

I call your bluff

[leonbrooks]

This is more of the exception than the rule.

There are more than 10x as many OSS projects with more than 100k installations in the field than there are M$ products in the same boat. There are more than 100 distinct OSS products (not counting libraries and such, but including games) installed on this Mandrake Linux box which see use at least once a week, and it's doing nothing special. How many copies of Mandrake Linux are there in the field? Now add in packages unique to RedHat, SuSE, Debian...

Re:The Tragedy of the Commons.

[reflective+recursion]

Yawn. It's an old story. "If you bash Microsoft, you're jealous."

It's nice that you think that, but no. I'm saying you (and others) are trying to fit the Robin Hood story over the "Microsoft story." It is implied by the heavy use of "M$" and "Micro$oft" --notice the $ sign. It is a very ingrained story, from elementary school, and it needs weeding out. Microsoft does not pin anyone down. They throw their weight around, but that is capitalism for you. The fact that there is a MacOS, Linux, FreeBSD, etc. prove that Microsoft has no power to get rid of them.

I bash Microsoft because that would desperately love to make open source software illegal.

Oh really? Much like RMS wants to make all software free software? Sounds like freedom to me. Whatever software I write, Bill Gates doesn't give a damn what I do with it. If I'm going for his market, he will do whatever he can to stop me. Who wouldn't? Anyone would (unless you simply don't believe in capitalism and competition). Whenever I write software, RMS will insist I make it free software. Why? Because he is greedy. He wants it all for himself--for no other reason. Look up his reasoning in an interview he did at one time if you don't believe me. He doesn't have any grand vision. He just wants all software he ever uses to be free software (and no, Open Source(TM) is not good enough). You, like many Slashdot readers, are blindsided by Microsoft's mistakes. You look at Bill Gates' fortune and you look at all the shitty software Microsoft has ever made and you put two and two together and come to the conclusion that Microsoft is a bad organization. Then you turn every story about Microsoft into how Microsoft wants to control the world. Every little mistake is scrutinized and turned into a "Microsoft evil-doing." Microsoft is not just Bill Gates and the executives. Microsoft is the shareholders all across America and the world. In every community and city and state. Microsoft is also the employees, who I'm sure have no qualms about Microsoft. Microsoft is the corporation that holds people's faith that the NASDAQ index will once again rise. This is important to countless people's 401k's and retirement plans.

No, I don't dislike Bill because he's rich. I dislike Bill because he's doing his upmost to make sure that I'll never be rich, by destroying the business oportunities of anyone who isn't Microsoft.

If you are going for Microsoft's market, then you have to compete with Microsoft, no? They aren't going to simply step aside and say "welcome to our market! make yourself at home!" Look at Adobe. They still make money, from what I understand. Look at Intuit, Autodesk, etc. Many started before Microsoft was around or even big. Want to know a little secret? Lotus was bigger than Microsoft. Yes, it's true. Microsoft got ahead of Lotus by being smarter about business.

How much does MS pay you to astro-turf for them?

And how much does the FSF pay you to spread this anti-capitalism trite?

Re:The Tragedy of the Commons.

[reflective+recursion]

GPL developers will charge their users for services, just as they do now and will make money. Non-GPL developers will carry on exactly as they do now - unless MS kills their company.

This is too funny. I just love how Ximian is now turning towards proprietary software to get a little cashflow for when their multi million-dollar VC supply runs short. The irony is too much! My sides are hurting from laughter!

Re:The Tragedy of the Commons.

[WNight]

You know, your cut and paste arguments would be better if you tailored them to the people you were arguing with. I didn't talk about capitalism or communism. Where do you come up with it?

I make money, in a capitalist system, by programming.

I just don't want Microsoft getting that declared to be illegal just because I work with open source software.

Let's use this capitalist thing that you keep going on about. How is Bill buying laws against open source (which he's trying to do, having Mundy say it destroys economies) a capitalist act? Shouldn't MS be competing? Releasing a better product?

There are many do-it-yourself markets in the world. Nobody bitches on Slashdot that handy homeowners are putting plumbers out of business by unclogging their own toilets and fixing their own broken pipes.

That's because people have had time to realize that this isn't bad in any way. Money saved on plumbers gets spent elsewhere, to raise the standard of living. Plumbers can find another line of work, or get good enough to compete in a smaller field.

You're the one proposing a corporate welfare state. Let's pass laws making it illegal for people to do their own programming, just to keep Microsoft making their money.

And then with the 401k plans. Wah! If you invest in a volatile market you expect risk. I don't see anybody crying over my retirement fund, so why should I go out of business over theirs?

Truly, the open source programmers and I are arguing for the only true capitalist point of view here. If a big company can't compete with us, let them go the way of the dinosaur.

Don't forget, I'm perfectly willing to compete. If Microsoft can fill the niche I do, without simply making it illegal for me to do it, then I will move on to another job. Either I'll find a new niche, or a new career. Unlike the world's richest man, I don't expect everyone to take care of me.

Why do we have this idea that capitalism excuses all actions? A capitalism should say "Welcome to our market", and then try to make sure that their products are better and cheaper. Microsoft has continually used illegal product linking and direct sabotage to destroy the markets of their competitors. ("DOS ain't done till Lotus don't run.")

Re:The Tragedy of the Commons.

[reflective+recursion]

Prove that Microsoft is trying to make open source code illegal.

You're the one proposing a corporate welfare state. Let's pass laws making it illegal for people to do their own programming, just to keep Microsoft making their money.

You obviously haven't read a damn thing I've written. I haven't said a thing about laws being passed. If Microsoft can get laws passed then it is because the government is corrupt. If Microsoft can bribe the government then they are both at fault. But, I need proof and I'm not seeing any.

And then with the 401k plans. Wah! If you invest in a volatile market you expect risk. I don't see anybody crying over my retirement fund, so why should I go out of business over theirs?

I was simply stating that Microsoft is more than just Bill Gates and the executives. Two words: reading comprehension.

Truly, the open source programmers and I are arguing for the only true capitalist point of view here. If a big company can't compete with us, let them go the way of the dinosaur.

Yes, and when you are reduced to a freelance computer "technician" and are no longer a "professional" don't come crying to me when your salary gets cut in half. It's nice that you can make money in the service industry (such as corporate database programming and web devel), but the consumer market is not the same.

Don't forget, I'm perfectly willing to compete. If Microsoft can fill the niche I do, without simply making it illegal for me to do it, then I will move on to another job. Either I'll find a new niche, or a new career. Unlike the world's richest man, I don't expect everyone to take care of me.

No you aren't. RMS says all software must be free software. Thats not competition, thats dictatorship. Maybe there is no niche because there are not enough people that need source code. From my point-of-view, Microsoft is simply shrugging off free software as a fad. They don't really believe it will produce what they can, but I do believe they are worried about the philosophy the FSF shoves down people's throats. Why are they worried? Because people will start demanding free software. And I'm not talking about source code. People are already starting to demand it--and they don't even need the goddamn source code and don't even know how to program! FSF is basically making the value of software nil. No one will pay for it if there is so much free (no-cost) software out there. I'm sure Intuit, Autodesk, and especially Adobe are worried also.

The Free Software Foundation stresses that free software means freedom, but their logic that "free software does not mean no-cost software" is completely broken. They are not willing to see that once source code has been released it is inherently no-cost.

If all software is free software, then no new software will get created (like I said earlier). Do you know the price tag of something like MS Office or AutoCAD being created? I'm sure it is well into the million dollar range. Who in the world would pay that much and then have it released for public consumption? No one! They may purchase the software and resell it (like MS has done many many times), but they will not release under the GPL. The only time payment can be collected on GPL'd software is at the initial transfer. Once two parties have free software you can be sure that the entire world will have access to that software. Do you understand where I'm going here? There will be no support system to continue the development of the software. It will be left up to thousands of development shops to pick up development and the entire computing world will become fragmented. There will be no defacto standards that hold computing systems together. The computing world will become one big spaghetti system. All software talking different protocols, using different file names, and some not even having concepts of "files." If you think the communication between Windows and Linux/BSD is bad, wait until anyone can come along and stomp on protocols. You can already see this happening between Red Hat and various other Linux distros. Certain assumptions about what a "Linux system" is don't hold true and things tend to break. Once computing systems get larger, free software methods break down quick. Try compiling and installing GNOME by hand and you will see that it takes a near miracle to install correctly. It is much easier to download RPMs and install like that. Do you see now, where the value of software is. It isn't being able to modify it (as long as the software is still supported). The value is having it work and work correctly and together. How many times do you really have an urge to modify the source code for bash? Mozilla? X? Not much, I bet. As software becomes more complex, the need for source code diminishes (think of the push for OO programming, and why abstraction is such an important part). There may be a market for you to sign some sort of NDA with a company to let you access source code and modify it (provided you don't distribute). I see nothing wrong with that. I also don't see a problem with software becoming GPL after it has expired (such as id Software did with Quake, Quake2, and Doom). Those, IMO, are valid reasons for having source code. What the FSF wants is too much for me, and their views are very extremist.

Here is another way to look at this: Maybe Microsoft does want software dictatorship (and Apple wants the whole freaking computer!). Who wouldn't, if they were in that position? They have an obligation to raise their stock price and they have to keep control of their architecture. But, FSF wants software anarchy. If you were an end-user who didn't know a serial port from USB, what would you rather have? My money would be safe with Microsoft. It would be a fairly simple choice, too. The cheap x86 architecture and the numerous applications available because of the cheapness. Who controls the middle is really a non-issue, as long as everything works. Microsoft makes everything work. How well is subjective, though...

Re:The Volunteer's Paradox

[reflective+recursion]

Money doesn't grow on trees, people have to work for that money. Spending money to buy a piece of software is therefor, a liability.

A liability for the person, but not society. Money is actually made in capitalism. It is made by giving objects (software) value. Take the value away and you take the money away. Take money away and you take jobs away.

magical pipe dream in the sky

Yes, perhaps that's what it is. Take out a dollar. Read it. "In God We Trust." Trust what? That perhaps that dollar will still hold this magical thing called value tomorrow. Software currently holds a value. Do you really want to remove value from software and place it on the service of creating that software? Think about it. The cost of creating software. How does that get paid for? It's beyond me. Maybe the government will pay for all software, if the FSF philosophy prevails.

It's an awfully slippery slope from GPL to Apocalypse. Don't be dramatic.

You might call it "dramatic," but I call it the future. Read what I wrote to the other guy in the posts above. It's not the end of the world, but it may very well be the end of the consumer computer as we know it. Apple computer is in a very good position right now, as they own the hardware and the software. Once the anarchy takes its toll upon Microsoft's architecture everyone will move to bashing Apple. Why? Because Apple provides a single solution for consumer problems. They will then inherit all Microsoft customers. Forget choice of hardware. That will be long gone. Keep in mind, though, that this is if FSF philosophy becomes the norm. When "average" people start demanding free (no-cost) software. It's a stretch, yes. I do believe it is plausible, though. There is much value in coherent architecture, which I find very lacking in open source land (infact, it's the one thing I hate most about using Linux).

Since OSS can be used to run a business, it does have economic value, just like "Central Park."

Yes, it does. But, at what cost to programmers? If a business finds value in a open source program, then they will not pay programmers to build them one. Then programmer jobs will be lost, I'm sure. Should the business be entitled to a free ride? Someone had to spent time and money building the program they are now using. Which leads to the next quote..

Money is not what makes people cooperative, it's the ability to punish the free-rider, the threat of punishment; and the removal of anonymity, so that everyone knows who the free-rider is. Without these things, cooperation falls apart.

Downloading free software via the internet is as anonymous as you can get. Say there are two businesses, A and B. Say business A pays for the development of software which runs their web-based store (or whatever you can imagine). Now business B runs a shop very much like business A (say Barnes and Noble arriving to the web shortly after Amazon.com). Now business B simply downloads the software that business A had developed--no one gets paid. Now business A is still paying for the maintainence of their software. Business B simply downloads patches and are, feature-wise, compatible to business A. Who do you think has the upper-hand? The business paying thousands for their software and features which they thought would be unique to them, or business B which is simply freeloading? If it were Barnes and Noble vs. early Amazon.com, do you know who would win? Barnes and Noble. They have brand identity. This is the reason Slashdot gets away with releasing their source code. Slashdot is a brand. It has a public image, thus value built-in. You can go start a /. clone, but it will never be as popular as Slashdot. Perhaps that is why Rob was so slow to release slashcode. Waiting for the value to build up.

I never mentioned M$. You seem to be on the defensive for them so forcefully. Do you work for them?

Well, this whole thread is about Microsoft using open source. And no, I'm not on Microsoft's payroll. I also do not own Microsoft stock, or stock in any company that Microsoft has stakes in (that I know of, anyways).

Software has greater value if it is high quality.

I doubt that. Quality plays a part, but consumers today want features and coherency. Which is why many people will accept a Windows crash every once in awhile. They want to be able to print from any application and use the network from any application. They don't want to mess with configuration and installation details.

they came up with this Shared Source [shared-source.com] that is afflicted with most of the same things they are complaining about under OSS

After looking at shared-source.com it appears that their concerns are in line with my concerns, and that their licencing is exactly what I would expect. A quote from shared-source.com on a "Microsoft claim":

In this sense, open source software based on the GPL mirrors the .com business models that proved the least successful during the past year. They ask software developers to give away for free the very thing they create that is of greatest value in the hope that somehow they'll make money selling something else. In effect, it puts at risk the continued vitality of the independent software sector.

You would probably think I was lying if I told you that I have never read this site and know nothing of Microsoft's shared source license scheme. Note at the bottom that they list Red Hat as proof that open source is commercially viable. I have yet to see proof of this, and from what I understand they also bundle proprietary software. Ximian, as you probably know, is testing the proprietary waters because of perceived future cashflow issues. At the bottom they also list the LSB as proof that Linux won't fragment--a failsafe. I have yet to see this materialize and it has been 2 (?) years now. You can't put a failsafe on every detail. CVS may help developers on a small scale, but what will happen on the larger scale? I hate to find out...

Re:The Tragedy of the Commons.

[WNight]

You're stuck in assuming that because Microsoft is a large part of the software world now, that it must always be so.

Not only were standards developed before MS was around, but most of the important standards we use today still predate MS. MS in fact has a habit for trying to stifle the development of standards.

As for the development of large software - consider the BSD system, and the Linux system. Both contain large parts (kernels, filesystems) which took a lot of development and didn't provide functionality until done. Then there's Gnome, KDE, PERL, PYTHON, RUBY, and so on. The free software world has created huge projects, on its own, with no direct profit motive. KDE provides a ton more functionality than early MS desktops. (IMHO it's between 95 and 2k, with less OLE, but much better usability.) Either way, it's an example of a project that took probably millions of dollars of time, were it billed, to create and yet was written by hobbyists, for free. And they all realized that to do their favorite part (the itch) they had to help get the rest working, so they cooperated to write the less-fun bits.

GNOME may be hard to install by hand, but there are RPMs (free software created with a profit motive) and DEBs and likely other smaller package systems.

Free software is raising the bar on paid software. Much the way that home repairs with help from Home Depot are raising the bar on professional carpenters and plumbers. Why don't you feel that this is a trajedy? Are there going to be no standards for nail or lumber size, just because most of the work is done by individuals?

I think that individuals benefit the most from standards... They're the ones who would take a large hit from having to code up a ton of file-translation code. Or, in a home-repair metaphor, have all lumber custom-cut to their specified sizes. Experience bears this out. Microsoft is the creator of weird new formats. Free software tends to use either standard formats, documents it, or at least provides the source code for reading it.

I highly doubt my salary will get cut in half. I'm already in what you for some reason call the service industry (most of my work is writing new custom programs, not providing troubleshooting or help). Really, it's the same thing I did while employed to work on a large software project, except that I work much more closely with the end users. (You don't understand the power of custom software until a user asks for a feature on Monday and you can demo it on Wednesday and merge it into stable code by the end of the week. They love this.)

RMS doesn't say all software MUST be free. He says he believes it should, but he's also said he's not willing to force people. The choice to use GPLed software (and thus release their own) is theirs to make.

Microsoft on the other hand appears to be trying to force people to not use free software. Normally a company doesn't speak out against their competitors, essentially calling them communists and hinting that they destroy the economy by reducing tax, etc, etc. It appears they're lobbying for legal protection. Only time will tell though.

And as for MS being more than Bill Gates... Who cares? Even though he's not the CEO anymore he still appears to be the driving force. A lot of people might have tied their money to him, but that doesn't change how you should see his actions. It's basically him saying he wants more money and control and he's continuing his policy of crushing others (through illegal or quasi-legal means) to get it. It's been a long time since MS has just released a competing product and let the market choose. You may see him as a model capitalist. Whatever. I see him as a threat to the livelihoods of everyone, including myself.

It's just a real chuckle how you think that MS promotes standards. Haven't you paid any attention to how MS perverts existing standards, ignores them to make their own formats, and tries to disrupt anyone who uses their standards? (SAMBA, File converters from MS-Word, etc.)

Once again, you're saying things that make me think you must either be getting paid, or perhaps are trying to defend MS because you've got stock and don't want the price to drop.

Re:The Tragedy of the Commons.

[reflective+recursion]

I could honestly care less if Microsoft dropped off the face of the earth tomorrow. But, I would never wish that. Think of the many people who were hurt by the Enron disaster. People's lives truely are at stake. I'm not excusing Enron, though. They committed a crime and got caught. I see no wrong-doing with Microsoft. Only a bunch of whining brats who couldn't handle the competition (Netscape, whom had absolutely no business plan and was out to rape investors with their IPO, or Sun who has yet to get their shit together ~7 years after Java was created).

The free software world has created huge projects

Yes, but the incompatibility is becoming greater as the free software/OSS community becomes larger. It is also becoming more like searching for a gold nugget in a pile of shit when trying to find quality software (look at Freshmeat now compared to Freshmeat around 98-99).

Either way, it's an example of a project that took probably millions of dollars of time, were it billed, to create and yet was written by hobbyists, for free.

Yes, and who do you suppose will fund this if all software is free software?

Free software is raising the bar on paid software.

No, it's destroying the value of software. Once consumers (the masses) are unwilling to pay for software (no demand) then there will be no commercial software. It will be created by free time or government grants, etc. only. This will trigger the end of the consumer PC and the beginning of networked/all-in-one computers (when consumers get tired of the chaos of downloading software and move on to simpler, and complete systems). Some like that idea; I don't. It will likely cause an increase in price of the x86 architecture due to decreasing demand.

Microsoft is the creator of weird new formats.

You lost me there. There is this little OS called Linux. On this mysterious beast there is no less than 2 standard online help systems. "man" and "info." At any given moment the help of other systems comes into play, such as ghostview (for PostScript) or Acrobat (for PDF) for the various commercial software available for this beast. If you want to talk about weird incompatibilites and quirks look in /etc or the dotfiles in $HOME. Or the fact that hidden files begin with a dot (!). Why? All this excess baggage that Linux carries around--consumers don't need this.

Free software tends to use either standard formats, documents it, or at least provides the source code for reading it.

And proprietary vendors tend to either make their formats work, or they expect to receive a call about it to their tech support. Free software creates more standards than proprietary, IMO. Look at tar, gzip, bzip2, ar, etc. etc. Then you have sh, bash, csh, tsh, etc. Each shell is practically a whole new incompatible platform that software must work with.

You don't understand the power of custom software until a user asks for a feature on Monday and you can demo it on Wednesday and merge it into stable code by the end of the week. They love this.

And plumbers get the same treatment after they fix a nasty leak.

The reason your salary has not been cut is because software, for the most part, still has value. What I find perplexing about the situation of Microsoft's perceived monopoly, is they may have a monopoly by good they may have done. Let me explain. When Bill Gates decides to sell proprietary software, no one was doing it. There were paid programmers, I'm sure. But, I'm willing to bet that they were paid very modest sums. I believe they were viewed more as "secretarial" positions, rather than professions such as Doctors or Lawyers. If you read the history of Microsoft it has been said that Bill Gates worked his employees very hard with, what I assume, minimal pay. They are a start-up, after all. Now that Microsoft is growing they can afford to pay higher salaries for higher talent. Why is there a need for "higher talent?" Perhaps because Microsoft's key selling point is the features they have and ease-of-use. Before proprietary, software was simply made to do a job. Who cared about talent then? This is why Unix stressed efficiency, while DOS grew features and ease-of-use that other systems didn't have. Are they responsible, in part, for raising programmer's salary? I would think they played a big part. This is where I also believe they, inadvertently, created a barrier to entry in the market. Programmer time is now expensive. Thus, they have a lock on barrier to entry. You can either get the software you want, or the pay you want. Ultimately you can not have both.

The fact that you can start out entry-level in the 40-50k range while teachers remain in the 20-30k range says plenty about the perceived value of programmer time and of software. Why would anyone want to destroy this perceived value by making it appear as if software is easy to create and doesn't really matter? When mom-and-pop understand fully that compatible quality software can be made with programmer's free time, for free, what is stopping them from demanding this from Microsoft, Intuit, etc.? This is what I am arguing is Microsoft's viewpoint. This is what I truely believe is their "beef" with open source. I honestly do not think they worry about Linux or KDE/GNOME taking their market as much as they worry about the philosophy of the FSF and RMS spreading like wildfire. Linux may hurt Microsoft's market, but it will be the FSF that brings the entire software industry to its knees.

Re:The Tragedy of the Commons.

[WNight]

It's funny that you complain about the number of projects on Freshmeat. That's not where you're supposed to go to find a finished project. It hosts development projects. Some of them are finished, but the majority, not suprisingly, are under development. It's like blaming GeoCities for the bad web pages they host.

Yes, and who do you suppose will fund this if all software is free software?

I presume the same people as now. The developers. Interested users.

Why? All this excess baggage that Linux carries around--consumers don't need this.

Why get rid of it? All the formats are open and documented. All the shells except Bash are deprecated, etc. The rest are just there for people who grew up with old systems.

And proprietary vendors tend to either make their formats work,

Nobody is claiming that proprietary formats don't work. People are claiming proprietary formats don't work with anything else.

If WordPerfect can't import MS Word files, WordPerfect gets blamed, despite the fact that MS made to convoluted and undocumented format.

Each shell is practically a whole new incompatible platform that software must work with.

When a script runs it specifies the shell it wants. Programs that run under a shell (such as an installer script) pick one and support it. They then work fine when run under any shell.

Have you used unix? For more than a day or two perhaps?

And plumbers get the same treatment after they fix a nasty leak.

Perhaps after they install new plumbing perhaps. But what's wrong with that? I don't see why programming should be held to be anything other than a specialized trade. I'm not ashamed at the idea that I provide a valuable product/service and get paid for it.

There were paid programmers, I'm sure. But, I'm willing to bet that they were paid very modest sums. I believe they were viewed more as "secretarial" positions, rather than professions such as Doctors or Lawyers. [snip] Are they responsible, in part, for raising programmer's salary?

Chuckle. An older friend of mine bitches about the low wages these days. He made $150k+ per year, once over $220k, 1970s dollars, for programming back on old IBM mainframes. Today he makes $60k or something. Not a bad wage by any means, but a fraction of what he made before.

Why would anyone want to destroy this perceived value by making it appear as if software is easy to create and doesn't really matter? When mom-and-pop understand fully that compatible quality software can be made with programmer's free time, for free, what is stopping them from demanding this from Microsoft, Intuit, etc.?

I'm sure you also argue against including compilers with an OS, or making them freely available. I mean, if people see that they can write programs they're going to write their own and never use Microsoft's right?

I am very glad that I can program. I automate many tasks that take my friends hours. Even the ones who can use 3rd-party macro programs can't compete with a perl script I can hack together. If I want to see how a fractal changes if I modify the formula, I can. They have to ask me or hope that someone on the net had the same curiosity as them.

This is a gift that I want to share with everyone. They may never use it, but they'll be able to. Linux will never be locked down, but I can easily imagine a day when to "combat viruses" all code run on a Windows computer must be cryptographically signed. When users are crippled because a company wants to potentially squeeze more money from them in the future.

The reason your salary has not been cut is because software, for the most part, still has value.

One of the contracts I've taken was an ordering/tracking system for a company that made circuit boards. Previously an order (of anything complex) could take up to 30-40 minutes, with a few binders full of pricing charts, to price. The calculation screen(s) I made had space for 80+ variables, accessing hundreds of tables for pricing data. But you could give the customer a price as soon as you were done entering the data. It saved further time by passing the order to work stations at the various steps in the process. From ordering to a sealed computer hung over the drill press in the machine room, to accounting and shipping at the end.

The project saved an average of 15 minutes per order. It also meant that they passed notes and all design docs (the cirsuit diagrams) along as files, instead of taking a folder from station to station.

They mentioned a years or so after the project was finished that they hadn't lost an order since it was put in, and that they loved being able to pull up a spreadsheet that told them how many dollars worth of product were due to be done at any time, where work was backed up, etc. They were working to integrate it into a bonus system for the workers, as well as to let them know ahead of time about potential work shortages.

At my estimate (just of time saved initially) it let them do three times as much work per customer service rep. It eliminated one job (a guy who was moved into customer service instead of fired) of lugging paper around, keeping files straight, etc. It removed the requirement for a room of files, plus the printing costs, storage for old files, probably 5% of machinist time... Hell, even one of the accountants said he was happier because he didn't get stinky files with fiberglass shavings and etching fluid stains on them.

And you don't think that has value? Probably $400 / day, or more. That was the best $20k they ever spent.

But there's no way an off-the-shelf package would do what they want. Too much custom stuff. I've seen some systems for designing a pricing layout by drag and drop... fairly nice, but nowhere near the level of complexity something like this takes. And I doubt anyone will bother making it that good, for the .1% of customers who want it.

I've seen places where almost any business could benefit from custom software. Let me talk to the employees and identify their bitches and I can find even more. 10 minutes a day of hassle doesn't seem like much, but if you're paying $20/hour that's $3.33. Multiply by five employees, times 250 (working days per year) and you're at $4k. Figure in saved training time, and it's starting to look pretty sweet. (That was solved by a few simple batch files to open the right applications, perform incremental backups, etc.)

This will always have value.

[...] but it will be the FSF that brings the entire software industry to its knees.

Once again. Only if the work of paid professionals can't match the hobby work of a bunch of geeks. (Which you seem to think is really really crappy...)

But if they can't match the free software, what right to they have to bitch? They just want corporate welfare. "Rise up Joe Sixpack, cast down the shackles of free software made by the people and send half a month's wage to the world's richest man to sustain his lifestyle." It's not really concerning anyone except the rich who've sunk their mutual funds into MS stock.

Re:The Tragedy of the Commons.

[reflective+recursion]

This article came across the Free Software Business mailing list today. Why Shawn Gordon, of theKompany.com, will not use the GPL.

We sell one product that is GPL. On at least a weekly basis we get someone telling us that we have to give them the source code because it is GPL. Some of them become verbally violent and abusive when I point out that the GPL provides for us to charge for the source code, we just have to make it available, and this we have done. Some of these people even tried to hack our system to get the code because they thought it was their God-given right to have it. These are also typically the people who contribute nothing to the community.

Keep in mind that these are people who are technical enough to install something like Linux, and they are already ignorant of what the GPL is about.

I had RMS come to me on this product to make sure we weren't violating the GPL, and he admitted that we were not, but in the course of the conversation he proceeded to project onto the KDE project aspects of theKompany in a totally inappropriate fashion and was very negative about KDE in this regard. Now, to my mind there is far more corporate involvement and control over GNOME than KDE, but RMS chose to see things the way he wanted to see them in this instance and say that it was too bad the KDE didn't stand for freedom.

Proof of RMS' extremist viewpoint and his narrow mindedness.

What is the net result of this? We won't use the GPL for anything anymore. It is far too frustrating to deal with; it is ambigiously worded in places that make it just too risky for a company like us. I've heard the arguments about selling services, but for what we are doing it just really doesn't work. Look at it this way. I can send 1,000 copies to a distributor who will put it on store shelves around the world. People will walk in, pick it up and buy it. Now let's say that the software was free (as in cost) and I just sell services. Well, now I can't put it on a store shelf and for every customer; I have to go and hunt them down somehow and persuade them to use our free software and then pay us for support -- but they should only really need support if our software is hard to use or poorly designed, which isn't the case or our objective.

I really like that last statement. Take a look at Sendmail, and its obfuscation of configuring it. Is it deliberate? Maybe. What I do know is that Sendmail makes money from their support and they have made no attempt to make their software easier to use. I believe you could also say the same thing about Perl. While there is plenty of free documentation, it seems new features are added just so people can write books documenting those new features. So they have something to support.

Re:The Tragedy of the Commons.

[WNight]

So? One company decided they didn't like the GPL, mostly based on RMS. Oh well.

For a single counter-example, http://www.merilus.com/ is a company making a linux-based encrypted VPN router/packet filter on a card based on the Crusoe chip. They release all their software.

Companies may find it hard to make money when giving software away for free, but they can always leverage their trademark and sell it retail. Nobody can forge it or they can sue. Sure, you can get it for free, but the average consumer isn't going to know that. If you include a nice installer on the CD and don't on the downloaded version you've got the attention of most regular users.

But... Let's play pretend for a minute. Let's imagine that there isn't a market for selling GPLed software.

Oh wow! The twisting worldview. There also isn't a market for selling ice to eskimos. Or really, to anyone with a fridge/freezer. But you don't hear the president of an ice-cube company complaining that putting the power of ice making in the hands of the common man is destroying the economy and rendering millions unemployable.

Things change. There's no reason the software industry has to be this big. I might even find myself out of a job, but if I'm displaced by someone who can do a better job for less money, I'm willing to go. I don't want a job that exists only because of a government mandate.

It's amazing that for a professed capitalist you have all these facist, big-government leanings. I thought the idea was that the market would sort it out. If mega-corporations can't manage because of competition from hobbyists then they aren't providing anything of value. (See Artificial Scarcity.)

Re:The Tragedy of the Commons.

[WNight]

I agree. You don't have to be socialist to want big government.

I was trying to point out some hypocrisy on RR's arguments though. He lambastes open source as being communist, and says there (basically) "needs to be a law!" I'm just pointing out that for someone who thinks might makes right and has a generally Randian point of view, he sure seems to want government protection when something comes along that threatens him or his comfortable world.

I know he can be greedy and want a strictly regulated economy (for his benefit). But he shouldn't throw around terms like "socialist" and "communist" as slurs unless he's against a regulated market.

Myself, I'm quite socialist. Both because I think it's "right" that people don't starve, but also because I'd rather pay slightly higher taxes to ensure that the poor aren't so poor or downtrodden they feel the need to overthrow society. However, I get a kick out of tweaking psuedo-libertarians who want a free market (for them to abuse) but a set of very strict rules that force people to put up with it, and not pull similar tricks on them.

Re:The Tragedy of the Commons.

[reflective+recursion]

What the fuck are you on? Seriously. I have not once said the word "communist" or anything about creating laws. You are the one stuck on creating laws and denying freedoms. If you remember how you started this thread, you were denying Microsoft their right to use BSD-licensed software. And you call me the hypocrit.

I know he can be greedy and want a strictly regulated economy (for his benefit). But he shouldn't throw around terms like "socialist" and "communist" as slurs unless he's against a regulated market.

You have no ability to comprehend anything you read. I do not want a regulated economy, like you imply. I'm trying to prove a point, and that point is that free software destroys value in software. This, I believe, will lead to instability in the software industry. That is all I'm saying. Why can't you grasp that?

However, I get a kick out of tweaking psuedo-libertarians who want a free market (for them to abuse) but a set of very strict rules that force people to put up with it, and not pull similar tricks on them.

Pull similar tricks? Strict rules? What in the fuck are you talking about? We are having a discussion about the software industry, not government regulations. I don't give a fuck about laws. I don't give a fuck if GPL stays around for 10 million years. What I am saying is that RMS wants all software to be free software and that, in my opinion, it will lead to instability once the general public starts demanding that all software become free software (and with no proven track-record from free software businesses of making money to support the creation of software). I sound like a goddamn broken record here... I'm not talking laws, I'm talking business. I'm not talking restrictions, I'm talking instability in an industry because of FSF propaganda. Not once did I say "FSF should stop promoting the GPL." I have written GPL software myself for fucks sakes! But, I will never do it again.

Let me go ahead and call you a Nazi and a Hitler-wannabe before you imagine me saying it. Thus, I am enacting Godwin's Law and am admitting defeat. It is obvious you will believe what you want without consideration to what I am saying, or simply invent what you believe I stand for.

Re:The Tragedy of the Commons.

[reflective+recursion]

And you don't think that has value? Probably $400 / day, or more. That was the best $20k they ever spent.

Sure it has value. But, they are paying based on perceived value. What managment perceives that a programmer should make, or be paid. This changes based on what society deems a programmer to be worth. Once enough Dilbertian managers get the idea that "software is free, so it just has to be easy to create" they will start slashing programmer's salaries. At that point the programmer job market is filled with only those who love to program (those there for the money have left). They get to keep the shitty end of a deal gone wrong (free software community's "promise" of a better future through freedom of source code). I'm not a musician because I hate the thought of not having work, or being paid pennies. Don't make me become a musician.

Re:Ximian can do whatever they need to.

[reflective+recursion]

The rest of your argument is invalid.

Just like that, eh? *poof*

And your entire "better product wins" drivel is simply defeated by mentioning the word "brand." See? I can do *poof* also. You think Nike shoes are better than cheaper ones?

I never saw any philosophy become the norm ever.

How do you think MS came into power? People had to believe in paying for proprietary software (or that their old word processors weren't good enough and needed a computer).

Re:The Tragedy of the Commons.

[WNight]

You conjecture that because some software is free, a manager will object to the idea of paying someone an hourly rate to make other software?

Carpentry is an easy at-home task and almost everyone has done some. However, carpenters seem to make a living.

It's a market economy. If they can find someone as qualified as I am, who will work cheaper coding annoying doo-dads for their database, they're free to hire them. It's happened before. Sometimes I've been called back by the sheepish client to fix the mess they made.

If I have a job though, I want it to be providing a real service to a customer with freedom of choice. I'm sorry you don't have confidence in your job options in a new economy.

Re:The Tragedy of the Commons.

[WNight]

If you're accusing me of not paying full attention to what you're saying, I suggest you look in a mirror.

I'm not trying to deny Microsoft the right to anything. I'm simply calling for them to be honest for once. If they say open source is bad, let them avoid using it. If they use it, maybe they should say that it's not a bad thing.

If they can't be honest about something that obvious it really makes you wonder what else they're lying about.