Slashdot Mirror


Microsoft Port 25 interviews Miguel de Icaza

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they cannot always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite the fact that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

202 comments

  1. Worthless drivel by Anonymous Coward · · Score: 5, Insightful

    What the fuck kind of insane summary is that? Even for Slashdot, that steps over the line.

    1. Re:Worthless drivel by MustardMan · · Score: 1

      No kidding - forget secure coding guidelines... how about some "writing in English guidelines"?

    2. Re:Worthless drivel by Fearless+Freep · · Score: 5, Insightful

      More a slam on Port 25 than a summary of the interview

    3. Re:Worthless drivel by WilliamSChips · · Score: 0, Flamebait

      Wow, multiple-personality disorder and schizophrenia--that's pretty nasty.

      --
      Please, for the good of Humanity, vote Obama.
    4. Re:Worthless drivel by Iguanaphobic · · Score: 1
      --
      Fascism should more properly be called corporatism, since it is the merger of state and corporate power.
    5. Re:Worthless drivel by GIL_Dude · · Score: 1

      Totally agreed.

    6. Re:Worthless drivel by cerberusss · · Score: 1

      I like that mindless drivelling. It reminds me of that hottie from Sex and the City.

      --
      8 of 13 people found this answer helpful. Did you?
    7. Re:Worthless drivel by zaajats · · Score: 1

      Umm... what interview?

    8. Re:Worthless drivel by JackieBrown · · Score: 1

      The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested Url: /archive/2006/08/11/Let_2700_s-talk-Mono_3A00_--Sam-interviews-Miguel-de-Icaza.aspx

  2. revelaed by Anonymous Coward · · Score: 5, Funny

    miguel is the liebermann of open source

    1. Re:revelaed by grammar+fascist · · Score: 1

      More like the Howard Dean, I thought.

      --
      I got my Linux laptop at System76.
    2. Re:revelaed by aichpvee · · Score: 0

      Of course they'd interview him. gnome and mono are no threat to microsoft. mono is never going to be compatible enough that their locked in customers could switch and gnome is never going to be usable enough to be a desktop threat to windows. It even helps them, because as long as there are so many gtk apps that have no proper alternative and gnome controls so much of gtk there will be minimal threat from any desktop Linux, even the ones that don't ship gnome.

      --
      The Farewell Tour II
    3. Re:revelaed by sproketboy · · Score: 3, Insightful

      "It even helps them"... Yes it does since apparently a growing number of morons out there delude themselves into thinking that they can go cross-platform with mono. --- mono is a disease - Java is the cure.

    4. Re:revelaed by PartyOnTheSand · · Score: 1

      but isn't it true somehow?
      it might not be as elegant like using c++ together with some explicit cross platform libraries, but it seems possible to go cross platform over mono, not?
      which problems do you see in this approach?
      that novell will stop developing mono? for a specific platform?
      thx for clarification

  3. Link to interview doesn't work. by RingDev · · Score: 4, Informative

    Just go to http://port25.technet.com/ and click the link on the front page.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Link to interview doesn't work. by neonprimetime · · Score: 1

      Win a million dollars if you can spot the difference! The link doesn't work cause of the funky character after 3A00_ and before Sam.

    2. Re:Link to interview doesn't work. by RingDev · · Score: 4, Informative

      The -- (two hyphens) is resolving to %E2%80%94

      The link should be: http://port25.technet.com/archive/2006/08/11/Let_2700_s-talk-Mono_3A00_--Sam-interviews-Miguel-de-Icaza.aspx

      but some ass hat probably pasted it into MS Word to spell check the summary, and Word resolves -- to its funky double wide hyphen character.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    3. Re:Link to interview doesn't work. by Anonymous Coward · · Score: 0

      some ass hat

      I think with the aid of an ass hat, you insensitive clod.

    4. Re:Link to interview doesn't work. by Anonymous Coward · · Score: 0

      funky double wide hyphen character

      Is that what it's called, I thought it was the em dash. Whew! Almost lost my geek cred there!

    5. Re:Link to interview doesn't work. by thethibs · · Score: 1

      but some ass hat probably pasted it into MS Word to spell check the summary, and Word resolves -- to its funky double wide hyphen character.

      The "double wide hyphen character" is called a dash—not funky at all—and it's common punctuation among the literate. Word's substitution is handy in place of Alt+0151. When you see a double-hyphen in ASCII text, the writer is asking you to read them as a dash.

      Quite a few fonts will connect a pair of hyphens to look like a single dash. The technical term is em-dash and the HTML entity name is &amp;mdash;.

      In any case, the substitution is only done during typing, and even then only where it's used correctly. So you can't blame Word for this one.

      --
      I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
    6. Re:Link to interview doesn't work. by prockcore · · Score: 2, Insightful
      Word resolves -- to its funky double wide hyphen character.


      By "funky double wide hyphen character" you mean industry standard UTF-8 representation of em-dash?
    7. Re:Link to interview doesn't work. by Anonymous Coward · · Score: 0

      Well it may be a "great feature", but it certainly failed to be useful in this particular instance. This and also ' being replaced by ’, which happens to be non-representable (turns into ?) on ISO 8859-1 encoded websites. If you see writing on the internet with a lot of oddly placed question marks, it's probably MS Word's doing.

      There are other methods for inputting the em dash that are less accident prone, such as the more explicit option-shift-hyphen on Macs, and probably something with the Alt Gr key for Windows on European keyboards, and hyphen-space for Japanese IME. Unfortunately for US English keyboards, the only direct option is Alt+0151.

    8. Re:Link to interview doesn't work. by cortana · · Score: 2, Insightful

      You mean, the fault of the idiot web developer who didn't mark the page as being encoded in windows-125x.

      There's nothing inherently wrong with the Windows character sets, they're just an encoding!

  4. Server Error in '/' Application. by Anonymous Coward · · Score: 4, Funny
    Server Error in '/' Application.
    They forgot to put a '.' after the '/' !
  5. Microsoft employee-wannabe by dskoll · · Score: 2, Interesting

    Miguel makes no secret of his admiration for Microsoft and is really a MSFT-employee-wannabe. All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

    Yawn...

    1. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      And this is a bad thing how?

    2. Re:Microsoft employee-wannabe by the_weasel · · Score: 0, Troll

      Well yes. Because it's true. After four days of wrestling yet another Linux installation into a workable state, I would have to say that Microsoft has made the better desktop.

      --
      - sarcasm is just one more service we offer -
    3. Re:Microsoft employee-wannabe by dedazo · · Score: 1
      I don't know about "Unix sucks" (which sounds more like FUD to me), but if you have some sort of argument about why Microsoft did not get the desktop right (at least in comparison to GNOME/KDE), I'm sure we'd all love to hear it.

      I mean, beyond "yawn".

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    4. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      Miguel is the poster child for "attention deficit disorder." I can't think of a single project he's seen to completion. He jumps from one "gee whiz" thing to the next, leaving a trail of half-completed crap in his wake.

    5. Re:Microsoft employee-wannabe by megaditto · · Score: 1

      Well, not to troll, but wasn't it said that Gnome was ripping off Windows UI? or MacOS, I forgot.

      Remember VMS desktop before Windows 95 release? A POS!
      In that respect, Microsoft can be said to get the Desktop right

      --
      Obama likes poor people so much, he wants to make more of them.
    6. Re:Microsoft employee-wannabe by mspohr · · Score: 2, Insightful
      I'm not a Linux expert but have installed Ubuntu Linux on about 10 machines (desktops and laptops) over the past two years. I haven't had to do any "wrestling". They all pretty much "just worked" with the full application suite. Even WiFi just works... and printers... etc. Full install is an hour or so.

      In contrast, I have had to re-install Windows on various machines about 5 times in the past year due to viruses, spyware, etc. (two college daughters...) and each time it was a full day marathon of install, patch, drivers, application install, patch, firewall, anti-virus, etc. with many reboots... PITA!

      I don't know what you are doing that you need to wrestle Linux but it certainly sounds like you could use some help from "clippy".

      --
      I don't read your sig. Why are you reading mine?
    7. Re:Microsoft employee-wannabe by DShard · · Score: 1

      Yeah... and I've never had to do that with windows on let's say, 3.1, 95, 98, nt 4, 2000 _and_ XP... In fact, I have never had a version of windows that wasn't borked on some hardware by their installer (unless you count service packs, but I won't). I would imagine you would have to go Mac to avoid that experience, since they so tightly control the platform. From a developer perspective, win32 is a kludgy nightmare. I have no idea why any developer would enjoy it. Gnome seems at least sane... and has more languages supporting it than you can shake a stick at. The user experience on any PC just plain sucks. I have yet to find a gui that didn't feel like it was made to torture me.

    8. Re:Microsoft employee-wannabe by Planeflux · · Score: 2, Interesting

      Sorry to rain on your parade, but your own lack of competence with linux installations is a silly excuse for stating that "Microsoft has made the better desktop". Obviously various linux distros have their own quirks and issues, but if you can handle those, a linux system makes a great general-purpose desktop environment and is, in my opinion, way ahead of anything Microsoft has to offer at the moment. I am not biased or trying to stab Microsoft here, I just choose the best tool to get the work done. That said, it is far from perfect, and if Microsoft would come up with a better alternative, I'd gladly use that.

    9. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 1
      One has to wonder about Slashdot when an obvious troll (admiration of MS is apparently a mortal sin and de Icaza is a "wannabe") like this from someone who links to "roaringpenguin.com" is modded up to +5.

      Yay for intelligence and all that.

    10. Re:Microsoft employee-wannabe by Burz · · Score: 4, Insightful

      And he takes abuse from MS too:

      http://linux.sys-con.com/read/124218.htm

      Interesting bit of history there. It really disturbs me that Miguel is leading a column of FOSS enthusiasts into the maw of MS patent enforcement, especially when he could have used his talent on something unencumbered like Parrot.

    11. Re:Microsoft employee-wannabe by drinkypoo · · Score: 1, Flamebait
      All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

      Well, if you're looking at usability, then he's right on both counts. If you're looking at reliability, then he's full of shit.

      Even the Microsoft CLI is more friendly than Unix, what with the "help" command. Yes, that is an irrelevant thing to you and me, but not to the teeming masses. And, it might be added, there are things that we still must go to the GUI to do on both.

      The Linux desktop has become quite usable - but it got there by copying Microsoft, and that is no shit. I've been watching people argue about this as long as it's been happening, but make no mistake, it's been happening. I was there since before the beginning, when the only people to actually have a Unix desktop, as in a place you can throw your icons and shit, was fucking SCO, and they were followed up by Caldera, with the Caldera Network Desktop - which I actually ran. I believe it was based on redhate 1.0 or something?

      KDE and Gnome are both pretty hardcore ripoffs of Windows, although GNOME also manages to copy MacOS at the same time.

      So, I don't entirely disagree. Unix has some pretty major failings in the usability department, although it certainly has gotten better. Unfortunately, it only got there by copying Windows, which kind of blows the whole usability argument to kingdom come.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 2, Informative

      ...but if you have some sort of argument about why Microsoft did not get the desktop right (at least in comparison to GNOME/KDE), I'm sure we'd all love to hear it.

      1. No select->middle-click->paste buffer.

      2. Ctrl-C/V/X behave inconsistently (it is entirely too easy to lose everything on the clipboard).

      3. No tools out of the box to automate user tasks like bash or perl.

      4. Crappy handling of file types.

      5. No virtual desktops. (The powertoy hack called MSVDM doesn't actually work.)

      6. Lack of support for standards: PostScript, PDF, MP3, DVD, NFS, SSH, SCP.

      7. The Registry.

    13. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      "but your own lack of competence with linux installations is a silly excuse for stating that 'Microsoft has made the better desktop'"

      That right there is the reason why Microsoft has the dominant desktop share. Stop belittling and making excuses and make it easy for the general populace. Ubuntu has done a good job, but it's not quite there for everyone yet.

    14. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0, Interesting
      1. No clipboard
      2. No clipboard
      3. WSH
      4. Huh?
      5. Implemented (window stations and multiple desktops), if not exposed. Unnecessary complexity that can be turned on by people who actually want it. Why do you think OS X doesn't have them either?
      6. None of those is a standard, with the possible exception of PS, and there's plenty of that at the app level. "DVD"? WTF?
      7. The registry is not part of the desktop.
      You lose. Thanks for playing.
    15. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      Just because you're fucking stupid doesn't mean the rest of us should suffer.

    16. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 1, Insightful

      1 and 2. Of course Linux has a clipboard. Why would you think it doesn't?
      3. WSH would be nice if it actually worked. Luckily, Cygwin can be installed to avoid Microsoft's shortcomings
      4. Rename a virus-ridden .wmf to .jpg, and watch it still be opened as a .wmf to trash your computer
      5. It's very needed complexity for everybody out there that uses more than one window at a time. The only reason OS X doesn't have them is they couldn't make them pretty enough in time for 10.4 (they're in 10.5)
      6. Postscript and PDF are standards. MP3 and DVD are de-facto standards. Windows can't even read those out of the box, and even with extra Microsoft tools installed can't read OpenDocument files or vector graphics.
      7. The registry is required for the desktop to run, and is thus part of the desktop.

      Furthermore, Windows is unable to do many useful things like thumbnailing movies, store files larger than 2 gigabytes, read any archive format other than .zip. It can't even read E-Mail without expensive add-on software!

    17. Re:Microsoft employee-wannabe by goonerw · · Score: 1

      7. The registry is required for the desktop to run, and is thus part of the desktop.

      Huh? That's just as sane an argument as the filesystem is required for the desktop to run, thus it's a part of the desktop, and so is the BIOS.

      --
      LOAD ".SIG"
      PRESS PLAY ON TAPE
    18. Re:Microsoft employee-wannabe by larry+bagina · · Score: 3, Insightful

      Considering his track record, that's actually an improvement. C#/.NET is at least somewhat standardized and thought out. GNOME is a complete mess. Had that effort gone into GNUStep (which is standardized and thought out), OS X users would be envious of Linux.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    19. Re:Microsoft employee-wannabe by dbIII · · Score: 1
      That isn't normally a problem - but writing things off on the platform you are developing on is, as is not really understanding why the platform does the things it does. Let me first say there is a lot about gnome I like before I get into heavy criticism below.

      I think a large part of at least early gnome was to try to do an MS Windows on linux - complete with the registry (extremely stupid idea) but far worse since you get one per user, and you have a mix of config files and this registry thing. If a user changes their screen resolution to something stupid with the gnome tool where do you find the gnome setting to fix it for that user after you have fixed it for all other users in xorg.conf? You have a mix of traditional config files and the registry thing within gnome itself and changes to other config files outside gnome (like xorg.conf) are not picked up by gnome. The single user non-networked approach of parts of gnome highlighted this, as well as ignoring major aspects of the platform (ignoring sockets to do an MS windows style of communication and making things executable that don't have executable file permissions!!). Other aspects were a good idea - but yes the linux sux (and don't care about other *nix) and let's do an MS windows that we can write attitude really came through - we still have to live with gconf and settings that can't be exported to other users even on the same machine until sabayon is finished to allow exporting gconf registries. Gnome outgrew him and works on multiple platforms now instead of just being a linux only thing as it was.

      That said - despite the initial silly politics and name calling and a couple of poor design decisions gnome grew into a very useful environment with only a few little quirks that make it lock up occasionally in a networked environment (still doesn't handle windows from other hosts well, which means the entire point of X windows has still been missed by some people there). The ideological opposition to man pages is something I still can't understand and I put it down to people coming from the MS Windows environment where you are expected to be able to do things without decent documentation.

    20. Re:Microsoft employee-wannabe by ciggieposeur · · Score: 2, Informative

      Even the Microsoft CLI is more friendly than Unix, what with the "help" command.


      ~$ help
      GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
      These shell commands are defined internally. Type `help' to see this list.
      Type `help name' to find out more about the function `name'.
      Use `info bash' to find out more about the shell in general.
      Use `man -k' or `info' to find out more about commands not in this list.

      A star (*) next to a name means that the command is disabled. ...


      The Linux desktop has become quite usable - but it got there by copying Microsoft, and that is no shit...KDE and Gnome are both pretty hardcore ripoffs of Windows, although GNOME also manages to copy MacOS at the same time... Unfortunately, [Unix] only got there by copying Windows, which kind of blows the whole usability argument to kingdom come.

      I disagree. Windows never had selection buffer, virtual desktops, or remote desktop, items I absolutely require to be reasonably productive on X. KDE/GNOME brought us unified widget sets and control panels, and both were certainly inspired by both Windows and MacOS, but they go so far beyond Windows in overall functionality it's not even funny.

    21. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      6. All of those are standards, and are supported out-of-the-box on Linux (except DVD for *some* distros). Install a bare-bones Windows system and try to play DVD/MP3, or try to SSH. Oh wait, you can't without installing software originally written for Unix or paying out the nose for native Windows apps.

      7. Of course the registry is part of the Windows desktop experience. It comes up all the time when one needs to tweak something that ought to be exposed but wasn't, or when one has registry corruption and part or all of the system fails to come up. I won't defend gconf as a good design decision, but no one in their right mind can defend the Windows registry or pretend it doesn't adversely impact users.

    22. Re:Microsoft employee-wannabe by adolfojp · · Score: 5, Insightful

      The MSFT-employee-wannabe that you speak of is the father of the GNOME desktop. Without GNOME, QT might not have been open sourced in the first place. Without a man like Miguel to give GNOME a forward direction, we might still be using Motif. When your contributions to the open source movement become a tenth of what Miguel has done then your rant might have more merit.

      If there is one Microsoft technology that deserves admiration, it is the .NET framework. If there is one man who has the objectivity to look beyond the zealotry to see technologies for their merits, it is Miguel. MONO is an excellent development environment for Linux. It bridges the gap between high performance but difficult to use languages like C++ and low performance high RAD languages like Python.

    23. Re:Microsoft employee-wannabe by i.of.the.storm · · Score: 1

      Not only that, but their zip folders implementation blows compared to any 3rd party app. It's neat that they open in Explorer, but when you try to unzip any file of some significant size (>20MB or so) it takes upwards of half an hour to unzip. I've never actually timed it, but it seems that way. WinRar or 7-Zip are both orders of magnitude faster.

      --
      All your base are belong to Wii.
    24. Re:Microsoft employee-wannabe by e2d2 · · Score: 2

      He's probably done more for open source before noon than you've done in your whole life. Prove me wrong and I'll take it back.

    25. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      Often times it fails to unzip files that were zipped using Mac's default compressor. Which is quite amazing considering that Apple's implementation is pretty simple. Makes me wonder if this was the "feature" which MS was willing to compromise performance for. Anyway, I think 7-Zip has a pretty poor UI and performance, but I use it anyway because the MS alternative is incredibly slow even on my multiprocessor, 2GB memory workstation.

    26. Re:Microsoft employee-wannabe by Jay+Carlson · · Score: 4, Insightful

      My favorite thing to bash Linux bigots with:

      OLE Automation.

      (Or whatever they're calling it these days; I think it was absorbed into the ActiveX branding.)

      Just about every Unix vendor had this dream of turning their entire desktop environment into a sea of programmable objects.[1] The one I got to laugh at was Sun, with DOE, although you formerly-MacOS-bigots got to see it replayed in AppleScript and OpenDoc.[2]

      Well, Microsoft delivered. I can write a script (in my choice of languages) that opens up a Word document, finds any bold text at the start of paragraphs and then HTTP POSTs it to a URL. And if I feel really annoying, I'll increase the volume level on the sound device, and read it to you. In a page of code.

      It's really amazing what you can script this way. OK, yes, there's a reason I'm typing this on a Linux box, and why I have cygwin installed on any Win32 box I care about. But through marketing muscle and a desire to create opportunities for small VARs, Microsoft let little software authors poke around inside big applications. And created some nice tools for those little authors to write code with.

      Shame it breaks in such obscure ways.

      [1]: ARexx doesn't count. That's just DDE.

      [2]: Obligatory joke about whether "the" is optional at some point in hypercard syntax here. Apple has been getting better, though.

    27. Re:Microsoft employee-wannabe by andreyw · · Score: 1

      Uh, bullshit. You can store >2GB files on NTFS volumes just fine.

    28. Re:Microsoft employee-wannabe by andreyw · · Score: 1

      1. C-c and C-v. You can enable quick edit in cmd.exe (which is the only place where you might care anyway).
      2. Wtf?
      3. WSF and Monad.
      4. Care to elaborate? Nothing crappy about it. It's system pervasive, too.
      5. no comment
      6. Mp3, DVD, NFS not supported? What drugs are you on? Plus what do the rest have to do with the OS? Core Linux OS doesn't include GS or a PDF viewer either...
      7. Yes, but not for the reasons you think.

    29. Re:Microsoft employee-wannabe by jonbryce · · Score: 1

      You could read your email using the supplied Outlook Express if you were really desperate. Otherwise, Mozilla Thunderbird is free.

      Nevertheless, the lack of decent email clients for windows is a big problem.

    30. Re:Microsoft employee-wannabe by killjoe · · Score: 1

      Why does .net deserve admiration? It's just another VM. There are lots of them out there. It's not even that great of a VM.

      Sure the fanbois love it because it's better than the crap they are used to but it's nothing remarkable. Just a ripoff of java with a couple of additions. Yawn. Who cares.

      --
      evil is as evil does
    31. Re:Microsoft employee-wannabe by killjoe · · Score: 1

      "Well, Microsoft delivered. I can write a script (in my choice of languages) that opens up a Word document, finds any bold text at the start of paragraphs and then HTTP POSTs it to a URL. And if I feel really annoying, I'll increase the volume level on the sound device, and read it to you. In a page of code."

      You could do this with linux. Not with word docs of course which have proprietary formats but with OO docs you can. Hell you could probably do it on a command line with sed and wget.

      --
      evil is as evil does
    32. Re:Microsoft employee-wannabe by dskoll · · Score: 1

      At the Ottawa Linux Symposium in 1999 or 2000, Miguel had a series of slides about why UNIX sucks. Those were his words. Check it out yourself.

      As for why MSFT didn't get the desktop right, I'm not really qualified to answer, because in my entire career, I've used Windows only for a hellish 5-month stint back in 1996 (Win95). The things I hated about the Win95 desktop:

      • No window manager. If an application hung, there was no way to move its window temporarily, because applications had to cooperate to move or close windows.
      • Cumbersome cut-n-paste compared to X.
      • No decent command-line tool. (My perfect desktop is a wall of xterms. :-))
      • Hideous complexity under the hood. Edit some magic mumble-mumble registry key if you want to do X...
      • Totally useless error messages, so when something inevitably goes wrong, you haven't a clue how to fix it.

      I'm not sure if MSFT has fixed the desktop. Somehow, I doubt it.

      Unfortunately, the two big Linux desktops (GNOME and KDE) are showing symptoms of Windozification, which is why I don't use them. XFCE is just perfect, IMO.

    33. Re:Microsoft employee-wannabe by CoolVibe · · Score: 1
      OLE Automation.
      KDE kio-slaves, KParts and language agnostic DCOP scripting from KDE. Works even better than MS-OLE.
    34. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 0

      Tell that to all those idiots that are pushing Gnome crap in the Linux desktop. My only comfort is that one day they will all regret deeply the money they've thrown and wasted into that pit.

    35. Re:Microsoft employee-wannabe by adolfojp · · Score: 1

      Would you care to enlighten me as of why is .NET a "not even that great of a VM"?

      C# is Java with the power of hindsight. Java is Smalltalk with the syntax of C. Guido Van Rossum has stated that Python owes a lot to ABC. Every computer language has borrowed features from others. It is the way that computer language development works. If you can make a better product by taking features from another and adding and improving then you should do it.

    36. Re:Microsoft employee-wannabe by killjoe · · Score: 1

      "Would you care to enlighten me as of why is .NET a "not even that great of a VM"?"

      Because it doesn't support multiple inheritance like the python VM does.

      "If you can make a better product by taking features from another and adding and improving then you should do it."

      Yes but that doesn't make it admirable does it.

      --
      evil is as evil does
    37. Re:Microsoft employee-wannabe by dskoll · · Score: 1

      I've written the following open-source programs:

      rp-pppoe

      mimedefang

      remind

      I have no doubt Miguel has done more than me, but what's your point?

    38. Re:Microsoft employee-wannabe by dedazo · · Score: 1
      Miguel had a series of slides about why UNIX sucks.

      Yes... can you quote a single thing there that is false? Are you using that as "proof" of the "Unix sucks" thing? Are you serious?

      because in my entire career, I've used Windows only for a hellish 5-month stint back in 1996 (Win95) [...] I'm not sure if MSFT has fixed the desktop

      No, it's still the same. Windows hasn't changed at all since 1996, so don't worry about it.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    39. Re:Microsoft employee-wannabe by e2d2 · · Score: 1

      I had the same point that you did, none at all..

      You basically attacked him with baseless comments. If he wanted to work for Microsoft then why isn't he? Do you think they wouldn't love to have him in their camp? His admiration from everything I've read has been for their ability to unify the desktop and offer superior toolsets. But you made it seem like he's a shill because he has these opinions.

  6. Ceasing support after a year is a valid excuse? by Richard_at_work · · Score: 4, Insightful

    Maybe there is some validity in saying they (Port 25) are untrusted, but what excuse is it that Redhat ceased updates for v9 in 2004, a mere year after the product was released (March 31 2003). Seriously, is a single year of updates good enough? I think they actually have a valid point on that one at least, a year isn't long enough to even be considered stable server software in my book.

    1. Re:Ceasing support after a year is a valid excuse? by dhasenan · · Score: 1

      Consumers were expected to move to Fedora, which replaced the free version of Redhat. RHEL continued its five-year support arrangement, so for enterprise customers, there was no change.

      What's the big deal? If yours is a small business, you can get basic support for $350. Larger, $2500 gets you a full contract. That's hardly taxing to a company that also has the option of running an unsupported RHEL, or an alternative of choosing another support company.

    2. Re:Ceasing support after a year is a valid excuse? by InsaneGeek · · Score: 1

      But what if you paid for Redhat 9, standardized upon it, put a huge developer investment into it, and a year later they tell you it's gone and they want more money (since RHEL was basically 9 with minor changes), or to go to something else that will require another huge developer investment. That is unacceptable, and Microsoft has every reason to bash them over the head for it. Bad business practice, if anything Redhat should have said 9 was the last release and we will support our paid customers who made an investment in it for longer than 1 year and do good by them.

    3. Re:Ceasing support after a year is a valid excuse? by Anonymous Coward · · Score: 0

      Well, if you are going to all that trouble in the first place to standardize on RHEL, then you would be a fool not to go ahead and pay for enterprise support.

    4. Re:Ceasing support after a year is a valid excuse? by InsaneGeek · · Score: 1

      You might want to re-read the post: standardize upon Redhat 9, which then had its support cut a year later.

    5. Re:Ceasing support after a year is a valid excuse? by drinkypoo · · Score: 1
      Consumers were expected to move to Fedora, which replaced the free version of Redhat.

      I think you got that wrong. It should read "Consumers were expected to become unpaid beta testers of RHEL on all of their desktop systems."

      It's not like they're the minions of satan or anything, but Redhat pulled a classic bait-and-switch on the Linux community and I for one am astounded at how many people are willing to make apologies for them.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Ceasing support after a year is a valid excuse? by Moofie · · Score: 2, Insightful

      "That is unacceptable, and Microsoft has every reason to bash them over the head for it"

      Microsoft? Bashing Red Hat over licensing? Wow. That's rich. I wonder where they find salesdroids with absolutely no ability whatsoever to think critically, so they can spout this stuff with a straight face.

      --
      Why yes, I AM a rocket scientist!
    7. Re:Ceasing support after a year is a valid excuse? by Vellmont · · Score: 1


      But what if you paid for Redhat 9, standardized upon it, put a huge developer investment into it, and a year later they tell you it's gone and they want more money

      If someone did that I guess they made a really dumb decision putting all that money into a product that never had any support guarantees in it. You should have ponied up the few extra bucks and standardized on RHEL 2.1, or even the previous "Redhat Advanced Server".

      (since RHEL was basically 9 with minor changes)

      Actually RHEL 2.1 was based on Redhat 7.2. RHEL 3 was based on Redhat 9. One of the "minor changes" was the level of support that was offered.

      Redhat should have said 9 was the last release and we will support our paid customers who made an investment in it for longer than 1 year and do good by them

      Like I said, there was never any support contract for RH9, and by that time if you wanted guaranteed support you should have picked a RHEL product. I'm still running a RH9 box. It works great with the updates from Fedora Legacy, and I certainly don't blame RH for getting out of that game.

      --
      AccountKiller
    8. Re:Ceasing support after a year is a valid excuse? by darkonc · · Score: 1

      Well, given that RH9 never really had a strong support regime (commercial customers who wanted long-term support were pointed at RHEL), I don't think that this would have been a big shock... This is more like getting people who downloaded the Vista Betas being pissed off that they're expected to actually install and ooooh! pay for the commercial version when it comes out in 200[678].

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    9. Re:Ceasing support after a year is a valid excuse? by NineNine · · Score: 1

      Like I said, there was never any support contract for RH9, and by that time if you wanted guaranteed support you should have picked a RHEL product.

      That's a crock. What if you were to buy a shiny new car, and the next year, the manufacturer stopped selling replacement parts for it. "Hey, you only had a one year warranty!" Hell, I play the same games for longer than a year. Red Hat really blew it on this one, and that move made me positive that I wasn't going to trust any of my business stuff to Red Hat.

    10. Re:Ceasing support after a year is a valid excuse? by charlesnw · · Score: 1

      HAHA LOL Oh man thats good. I needed a good laugh. Whew.

      --
      Charles Wyble System Engineer
    11. Re:Ceasing support after a year is a valid excuse? by Moofie · · Score: 1

      Please, for the love of Dog, stop with the car analogies. They just. Don't. Work.

      --
      Why yes, I AM a rocket scientist!
    12. Re:Ceasing support after a year is a valid excuse? by subsolar2 · · Score: 1
      That's a crock. What if you were to buy a shiny new car, and the next year, the manufacturer stopped selling replacement parts for it. "Hey, you only had a one year warranty!" Hell, I play the same games for longer than a year. Red Hat really blew it on this one, and that move made me positive that I wasn't going to trust any of my business stuff to Red Hat
      You're an especially dumb car buyer if you get upset at support ending after a year. Because the company had announced that the model 9 car would only be supported for one year before you bought it and that if you wanted parts for more than a year you should buy Truck model 2.1.
    13. Re:Ceasing support after a year is a valid excuse? by Anonymous Coward · · Score: 0

      You'd be an idiot, RH9 was free... It was the free version, and not the Enterprise version.

      Besides that, making your software run on RHEL after RH9 would have been a snap. Very little changed..

  7. related links by porkThreeWays · · Score: 1

    I was reading the death of red hat support slashdot comments from a few years ago. I think it's interesting that so many people thought that would be the death of red hat. In fact, they are stronger than ever. Even with strong competition from large corporate entities that weren't in the linux game a few years ago, red hat remains the market leader.

    --
    If an officer ever threatens to taze you, say you have a pacemaker.
  8. Updated Summary for you by Anonymous Coward · · Score: 0

    Blog of gate 25 of Microsoft, of voice of the laboratories of MRS Linux and of unexpected advantage of MRS some blog 9, an interview with Miguel de Icaza has, where they discuss mono gnomes and the projects. It is a nice change of the step to go seeing to from of Microsoft to to take Novell and Linux with the Interview of an employee from Novell over a system of the office from Linux into attack. Gate 25 concerned a certain fire, there it not to be always formed can confidence. Gate 25 has occasionally for enteindre FUD such as Microsoft marks more to state, in order to improve security, and a leader of security the red hat tackling the each possible other supplier, around updates of security for the red hat v9 despite this support for order of not placing by red hat after 2004 terminated. They also released a Daemon of the Synchrounisierung of the password for the red hat, AIX, the HPUX and Solaris, like root to work must and demand several strcpy() on (that the guidelines of Microsoft hurts to form around blocked coding).

  9. Re: Article Text by Mongoose+Disciple · · Score: 2, Insightful

    From the article:

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

    I'd be curious to hear what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD, and what kind of metrics/data support this. Amount of exploits patched? Amount of money spent on security?

    I mean, even if you think Windows is one giant yawning security hole, that really only says that they have the most room for improvement. I'd be surprised if they're not patching the most holes, affecting the largest number of users, and spending the most money on security -- even if the results are often sad.

  10. Speaking of FUD... by Future+Man+3000 · · Score: 4, Funny

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

    Which vendors are doing more to improve their security?

    Given what they had to start with, I think it's very difficult to claim anybody's done what they've accomplished between 95 and XP SP2. You tell me one other vendor that's gone so far as using tools like authentication and WGA to combat the worst offenders of security -- the users themselves? Linux users, Mac users, even the *BSD user is free to boot their operating systems without the slightest arbitrary challenge to their right to do so and from there go on to face any number of potential security issues; but with Windows, you need only upgrade your CD drive emulator a handful of times or use Windows Update as directed to find yourself relieved of the concerns users of lesser operating systems face.

    They had the most potential with regards to security and they've finally met it, and I say kudos.

    --

    I never vote for anyone. I always vote against.
    -- W.C. Fields

    1. Re:Speaking of FUD... by jd · · Score: 1
      Which vendors are doing more to improve their security?


      Well, I can say for certain that Microsoft are doing more than Gemini is doing for GEMSOS. But that's only because GEMSOS has been proven free of security flaws, so there's really not much to improve.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Speaking of FUD... by WilliamSChips · · Score: 1

      Wow, you're good. I can't tell if you're trolling or not!

      --
      Please, for the good of Humanity, vote Obama.
  11. Right, whatever by Anonymous Coward · · Score: 0

    It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a ...

    Microsoft platform, implemented under the name Mono.

    What a surprise.

  12. Why would you trust Port 25? by jd · · Score: 5, Funny

    At the very least, they should be using Port 465 (SMTP over SSL/TLS). It's no wonder they feel insecure, using plain-text. Honestly!

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Why would you trust Port 25? by giggls · · Score: 1

      STARTTLS does exist for years now, so 25 is all you need!

      Sven

    2. Re:Why would you trust Port 25? by Professor_UNIX · · Score: 1
      STARTTLS does exist for years now, so 25 is all you need!
      Most bigger ISPs block port 25 due to spam concerns these days so port 587 is all you need for SMTP TLS message submission.
    3. Re:Why would you trust Port 25? by giggls · · Score: 1

      587 is OK, but the OP was talking about 465 which I consider to be obsolete now.

      Sven

    4. Re:Why would you trust Port 25? by Anonymous Coward · · Score: 0

      Just proves that you're so deep in security babble that you can't think straight. What's the word for that - Ah paranoid. If "port 25" were encrypted would you be able to read it? Read some more on Security Usability and then open your mouth again.

  13. Re: Article Text by theantix · · Score: 1

    Exactly. You don't usually hand the MVP and the Most Improved trophies to the same person...

    --
    501 Not Implemented
  14. Why Port 25 by a.d.trick · · Score: 0, Redundant

    One of the POP or IMAP protocols would have seemed much more friendly. Using the SMTP port seems like all they want is to tell us what to think and couldn't care less about us. Probably a Freudian slip. Seriously, someone at Microsoft must have at least had some clue as to what this meant. Then again, maybe not.

    1. Re:Why Port 25 by AlXtreme · · Score: 1
      I don't know if you get SMTP yourself. You receive email via SMTP (port 25). So actually, if they were to see themselves as 'Port 25' then they see it as a means to get feedback and thus listen to us. Exactly as MS meant.

      Oh, and please hand in your geek card at the door.

      --
      This sig is intentionally left blank
  15. Anyone using Red Hat 9? by also-rr · · Score: 4, Funny

    Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

    1. Re:Anyone using Red Hat 9? by grammar+fascist · · Score: 1
      Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

      One of two things comes to mind:

      1) Yes. There's a 30% discount for anyone who doesn't install Windows on any machine.

      2) Yes. RMS will personally throw money at you if you use GPL 3.0.
      --
      I got my Linux laptop at System76.
    2. Re:Anyone using Red Hat 9? by kfg · · Score: 1

      RMS will personally throw money at you if you use GPL 3.0.

      But he'll use coins and throw them really, really hard.

      If he makes an alliance with Rick Jay I'd even be worried about paper money. Cash cards would be right out.

      KFG

  16. Re: Are You Serious? by mpapet · · Score: 1

    what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD

    Just about every linux/bsd distro and probably apple too on the desktop.

    and what kind of metrics/data support this. Amount of exploits patched?
    The problem with this mindset is you think it's okay that the code that is increasingly responsible for running more things that make a country productive is never seen and can't be reviewed except for poking at it in a willy-nilly blackbox style. As a matter of principle I don't think it's okay. At all.

    Amount of money spent on security?
    If I were Warren Buffett I could spend two hundred million dollars on security for a fundamentally insecure OS by buying advertisement and story space telling people it's really secure. And they would believe it. I could set up a site called port23 and look like I'm reaching out to the IT pro. Meanwhile BSD and *nix security is insanely robust at pennies (tenths of pennies?) on the dollar with code that everyone can see and test.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  17. Enlighten me by BlueScreenOfTOM · · Score: 4, Interesting

    Can someone explain to me why strcpy is insecure? No sarcasm here, I really would like to know.

    1. Re:Enlighten me by dyamkovoy · · Score: 3, Informative

      strcpy copies one string into a location without caring about how much space there actually is. Meaning a hacker (or careless programmer) can write too much into that location and overwrite important data (such as the stack). See Buffer Overflow.

    2. Re:Enlighten me by tankbob · · Score: 2, Informative

      strcpy works by reading the source string and copying to the destination until it encounters a null character.

      If the source string is longer than the allocated destination buffer then data can overflow into your program code. This could be exploited to execute arbitrary code.

      strncpy should be used instead as it allows you to specify the maximum number of chars to copy.

    3. Re:Enlighten me by WWWWolf · · Score: 1

      C language doesn't do string bounds checking. If you have char foo[123] and you say "foo[542] = 'b';", you're writing to part of memory that's somewhere after the space allocated for foo.

      strcpy() basically does this: It copies, byte by byte, things from source string to destination string. If source has more bytes than destination string has, boom - you just overwrote the memory that follows the destination string.

      The correct solution is to use strncpy(), with which you can specify the maximum size of the destination string.

    4. Re:Enlighten me by BlueScreenOfTOM · · Score: 1

      But, if you didn't own (so to speak) the memory beyond the end of the destination string and you try to write to it, wouldn't it seg fault?

    5. Re:Enlighten me by caseih · · Score: 1

      No bounds checking. Instead, always use strncpy.

    6. Re:Enlighten me by dyamkovoy · · Score: 1

      Yes it would, but if you _do_ own that bit of memory, you just corrupted your data without realizing it.

    7. Re:Enlighten me by dtfinch · · Score: 1

      If the string is on the stack, then overflowing it could easily and predictably overwrite the return address to the calling function. By overwriting it with an address within the overflowed string on the stack, they could cause it to execute code in the string when the current function returns.

    8. Re:Enlighten me by cortana · · Score: 2, Informative

      Yes, and that's not such a serious problem--only a Denial of Service attack. But consider the case where your memory is arranged like this:

      char foo[10]  int authenticated
      [            ][                 ]

      Memory boxes not to scale. Or maybe sizeof(int) on this platform is really large. ;)

      Anyway, if you screw up and copy an 11-byte string over foo, the final byte will be written into authenticated. Now imagine that authenticated is a flag which stores whether the user is permitted to perform a privileged operation.

      What is interesting, but not really surprising, is that Microsoft chose to replace the unsafe functions such as strcpy with their own safe variants with names like safe_strcpy (though I can't remember the exact name, it's something like that). They could have just recommended people used already-existing functions such as strncpy or strlcpy, instead of adding yet another incompatibility obstacle that must be surmounted when porting software from/to the Windows platform...

    9. Re:Enlighten me by spitzak · · Score: 1

      As others said, there very likely is another allocated piece of memory right there, so you will just overwrite that, and not get an error.

      Even if those memory locations are not allocated, memory protection is not per byte, but per page, so you won't get an error. Also many memory allocators will put information (such as how much memory is free and available here and where is the next free block) into the "unallocated" memory, so writing over it will cause the memory allocator to crash.

    10. Re:Enlighten me by chris_eineke · · Score: 1

      The C Standard Library function strcpy copies strings, which simply are arrays of characters terminated with a binary zero (NULL, NUL, \0). Strcpy doesn't check if there's enough space in the destination buffer, so depending where and how big your destination buffer is, strcpy will happily overwrite precious data. This flaw can be used for several severe attacks against OS security. An alternative to strcpy is strncpy, which relies on the programmer to provide the size of the destination buffer so that it knows when to stop copying/overwriting data.

      --
      "All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
    11. Re:Enlighten me by Anonymous Coward · · Score: 0

      To be fair, in very limited circumstances strcpy can be safe. e.g. if you are making a copy of one of a fixed set of constant or otherwise heavily constrained strings which are all shorter than your target buffer, you could use strcpy. Of course, the slightly improved performance only matters if you are doing this many, many times, and if the code ever changes to use non-constant strings or worse, unverified user input, problems can arise, so often it is a good idea to forego strcpy anyway.

  18. Please let us know when it's video. by drinkypoo · · Score: 3, Insightful

    Please let us know, in the summary, when an interview is a video file. Some of us don't have time at work to watch videos (today, actually, I've been busy watching specific videos for work, and trying to clean them up so they don't look like crap, at which I have failed) and would like to know before we have to click down into them - especially when you can't just click the link, and have to visit the site, because the primary article link is malformed.

    This is one of the crappiest story submissions I've seen in a long time.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Please let us know when it's video. by Anonymous Coward · · Score: 0

      Hej, this is /. They need to insert the poison against MS at any possible opportunity.

  19. not FUD by McGiraf · · Score: 3, Funny

    "claiming Microsoft is doing more to improve security than any other vendor"

    That is not FUD, they started so far behind everybody else that they have to do more than anybody else just to keep Windows running

  20. Doing more for security? by Caine · · Score: 3, Interesting

    I'm working with Microsoft right now, and I don't think I've ever met a firm that takes security so seriously as they do when it comes to "normal" software, especially in the field I work in. So that claim might not be as much FUD as some would like it to be.

    1. Re:Doing more for security? by Anonymous Coward · · Score: 0

      I don't think I've ever met a firm that takes security so seriously as they do

      The sheer number of vulnerabilities found in Microsoft software is not a matter of opinion, and seems to contradict you. The only way both can be true is if Microsoft are also the most incompetent software developer on the face of the planet. How else do you explain the fact that they take security more seriously than any other firm, and yet also have an abysmal track record for security?

  21. strcpy ok sometimes by KidSock · · Score: 4, Informative

    I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else. For example the below is perfectly legit:

        char buf[6];
        strcpy(buf, "hello");

    In fact, to truly protect yourself from invalid input you frequently need to write a state machine style input parser. It's the parser that ensures all strings are properly terminated which would mean all downstream copies could be performed safely with strcpy.

    It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.

    1. Re:strcpy ok sometimes by Savage-Rabbit · · Score: 1
      It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.


      <rant>
      Programmers are human and they screw up. It is easier to simply outlaw 'strcpy' in favor of 'strncpy' or 'strlcpy' than it is to re-educate the programmers. If you place the code that guarantees the string length does not exceed your predefined maximum buffer size and the code where you do the actual 'strcpy' in different places the chances of a screw up are greater than if you do what the 'strcpy' man page (more or less) recommends:
      strlcpy(buf, input, sizeof(buf));
      This is much less failure prone and there is much less chance of buffer overflow and the resulting string is NUL terminated. It does have portability issues but even if that is an issue 'strncpy' still beats 'strcpy' since there is at least no buffer overflow as long as you remember to NUL terminate explicitly which a lot of people don't remember to do which is where 'strlcpy' came from. That being said you are right many developers do a lot less input authentication (which is what I assume you mean by input parser) than they should.
      </rant>
      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
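
The strncpy termination pitfall and the buffer-next-to-a-flag layout discussed in the comments above, as an added example that is not part of any comment and is not code from Port 25 or Microsoft. The names `struct session`, `bounded_copy`, `strncpy_is_unterminated` and `check_input` are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout modelled on the diagram in the thread:
   a 10-byte buffer with a flag declared right after it. */
struct session {
    char foo[10];
    int authenticated;
};

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = 2 };

/* Copy src into dst, never writing more than dstsize bytes.
   dst is always NUL-terminated when dstsize > 0, and truncation is
   reported instead of passing silently. src must be NUL-terminated. */
enum copy_status bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dstsize == 0)
        return COPY_BADARG;
    for (i = 0; i + 1 < dstsize && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* strncpy() with n == sizeof(buf) stays in bounds, but it writes no
   terminator when src has n or more characters. Returns 1 if the
   10-byte buffer ends up without any NUL byte, else 0. */
int strncpy_is_unterminated(const char *src)
{
    char buf[10];

    memset(buf, 'X', sizeof(buf));      /* stand-in for stale stack contents */
    strncpy(buf, src, sizeof(buf));
    return memchr(buf, '\0', sizeof(buf)) == NULL;
}

struct outcome {
    enum copy_status status;
    int authenticated;      /* flag value after the copy */
    size_t stored_len;      /* strlen() of what ended up in foo */
};

/* Copy untrusted input into a fresh session and report what happened. */
struct outcome check_input(const char *input)
{
    struct session s;
    struct outcome o;

    memset(&s, 0, sizeof(s));
    o.status = bounded_copy(s.foo, sizeof(s.foo), input);
    o.authenticated = s.authenticated;
    o.stored_len = strlen(s.foo);
    return o;
}

int main(void)
{
    /* Constructed inputs: fits, exactly fills, 10 chars, 11 chars. */
    const char *samples[] = { "hello", "123456789", "0123456789", "0123456789A" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct outcome o = check_input(samples[i]);
        printf("%-12s status=%d authenticated=%d stored_len=%zu strncpy_unterminated=%d\n",
               samples[i], (int)o.status, o.authenticated, o.stored_len,
               strncpy_is_unterminated(samples[i]));
    }
    return 0;
}
```

A caller that treats `COPY_TRUNCATED` as a rejection, rather than continuing with the shortened string, also avoids acting on a value the user never supplied.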
    2. Re:strcpy ok sometimes by Anonymous Coward · · Score: 0

      You're an idiot who doesn't understand the concept of defensive programming.

      Where do you work? I'd like to tell your boss that he's employing a known fuckwit and that his systems are vastly more likely to be 0wned. And anyone who modded up this mong should be ashamed.

    3. Re:strcpy ok sometimes by Anonymous Coward · · Score: 0

      No he doesn't. The buffer is 6 bytes, "hello" is 5, and the null terminator is 1.

    4. Re:strcpy ok sometimes by hab136 · · Score: 1
      I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else.

      Because variables never get overwritten with garbage, either intentionally or not. Also, only one programmer ever works on a piece of code, and would never change the length of either the buffer or the input, let alone the content. /sarcasm

      In your trivial example, it's easy enough to see it's harmless, true. It's still bad practice. What is the compelling reason to use an unsafe function? To save a few characters?

      Yes, it is important to know why strcpy should not be used. And then you should never use it, even when it's "safe", because it's a bad habit. Humans are much more habitual than logical, even programmers. Especially programmers at 2am after they've been on a caffeine-induced all-night coding session.

    5. Re:strcpy ok sometimes by Anonymous Coward · · Score: 0

      "helllo" is 6 bytes + 1 null-terminator!

    6. Re:strcpy ok sometimes by Anonymous Coward · · Score: 1, Funny

      You are correct in saying that "helllo" is six characters. "alkjdg" is also six characters. Neither has any relation to the original post.

    7. Re:strcpy ok sometimes by Anonymous Coward · · Score: 0

      And I laugh at you because you can't count. And have displayed your ignorance in front of thousands of people. I don't know, maybe sizeable fractions of a million.
      Oh my freaking word, you suck.
      I guess you had better kill yourself before it gets worse... As, looking at your contribution to society, it surely will.

    8. Re:strcpy ok sometimes by mrsbrisby · · Score: 1
      In your trivial example, it's easy enough to see it's harmless, true. It's still bad practice. What is the compelling reason to use an unsafe function? To save a few characters?

      Yes, it is important to know why strcpy should not be used. And then you should never use it, even when it's "safe", because it's a bad habit. Humans are much more habitual than logical, even programmers. Especially programmers at 2am after they've been on a caffeine-induced all-night coding session.
      I disagree with this- that somehow just enough good habits would solve all the security problems. It's plainly not true.

      Instead, I find it much better to get yourself in the habit of knowing you're going to fuck it all up sooner or later and make sure that when you fuck things up, you still haven't created a security hole.

      Believe it or not, this is much easier than memorizing which system calls are reentrant, and therefore safe to use in a signal handler, or whether mkdir("/") returns EISDIR or EEXIST. By admitting you are at least at one point, going to be completely incompetent (probably at 2am), you can engineer a better design.

      Love it or hate it, every person who mutters about setuid, strcpy or gets should have to read the qmail source code, beginning to end. It's an excellent design that should be used as a model for how to write secure software: by partitioning the risky bits away such that you can audit them completely.

      As long as people keep this function q is dangerous attitude, they're going to make the big mistakes- the design mistakes that aren't really fixable: Like postfix using a world-writable queue directory and the restriction that "important files can't look like postfix queue entries", or why window messages on Win32 automatically mean the window owner is susceptible to a buffer overrun.
    9. Re:strcpy ok sometimes by uid8472 · · Score: 1

      As long as people keep this function q is dangerous attitude, they're going to make the big mistakes- the design mistakes that aren't really fixable: Like postfix using a world-writable queue directory [...]

      The only thing in a Postfix spool writable by other than the Postfix user is the maildrop queue, which is group-writable and owned by the group that postdrop is setgid to. So, whatever problems it may have had in the past that way, they've clearly been fixed.
    10. Re:strcpy ok sometimes by njchick · · Score: 1

      Just wait until "hello" is translated.

    11. Re:strcpy ok sometimes by Tom+Veil · · Score: 1

      Still, in large software projects or ones that might be maintained for years, it's best to avoid it entirely. You never know when the size of the array or size of the data will be carelessly changed, especially when the project is collaborative. It might seem like overkill in some cases -- such as when one line directly follows another as in your example -- but it certainly doesn't hurt to avoid strcpy.

              #define BUF_SIZE 6
              char buf[BUF_SIZE];
              strmcpy(buf, "hello", BUF_SIZE);

      --

      There's nothing you have that they can't take away: Absolute zero, Gentle Jack, bottom line.

    12. Re:strcpy ok sometimes by Anonymous Coward · · Score: 0

      Lone programmers might be okay with this attitude, but not large software development companies. If strcpy is misused 99% of the time, and there's a perfectly suitable replacement for the 1% of the time it's used properly, it's a better idea to ban its use completely because that way you know that if you see strcpy, somebody's fucked up. And you can easily detect fuckups with grep instead of having a code review.

    13. Re:strcpy ok sometimes by pipo · · Score: 1

      Kind of true, but what about maintenance ? You basically don't put any safeguard against future errors...

      Also, ensuring strings are properly terminated is one thing, but you still have to check against your buffer's size.

      By using strncpy correctly you close the door to future problems; if this is really a major source of slowness in your
      app, that should be apparent during profiling, and you can optimize _then_: Do not trade security for "maybe speed" :p

      Here's an interesting paper by Todd Miller and Theo de Raadt on ~ the subject:
      http://www.courtesan.com/todd/papers/strlcpy.html

    14. Re:strcpy ok sometimes by mrsbrisby · · Score: 1
      The only thing in a Postfix spool writable by other than the Postfix user is the maildrop queue, which is group-writable and owned by the group that postdrop is setgid to. So, whatever problems it may have had in the past that way, they've clearly been fixed.
      ``No Postfix program is set-uid. Introducing the concept was the biggest mistake made in UNIX history. Set-uid (and its weaker cousin, set-gid) causes more trouble than it is worth.'' -Wietse Venema

      This just demonstrates my point- Wietse used to think, like parent thinks (and as I assume you think, by defending him), that a function q is bad, and it must never be used.

      I think, and I hope Wietse now thinks (I'm taking your word on it now- he made quite a stink about this vulnerability, and TMK, never actually acknowledged its seriousness, or his wrong-edness), that it's the programmer that is stupid.

      Since the programmer is stupid, the programmer must use those few bouts of lucidity where he/she is aware of this to insulate themselves from their own stupidity. ... which is of course, exactly what insecure and buggy programs are: the stupidity of the programmer. Perpetuating this myth that insecure and buggy programs are somehow the fault of the language, or some set of unsafe library functions, is a good way to hide the stupidness of all programmers: It lets Microsoft pretend they're making security important, and it lets Wietse think he's unstoppable, and maybe, these things confuse the users of these software.

      Unfortunately, that just makes another myth all the easier to spread: That it isn't possible to resist attacks from evildoers, and that security can never be absolute so why bother/cry about it.

  22. Miguel is the savior of .NET by Anonymous Coward · · Score: 0
    It's worth pointing out that Mono is very important to Microsoft's C# strategy.

    Note that Mono has better cross-platform support and a cross-platform roadmap that Microsoft totally lacks.

    • With Sparc, S390, and Power support, Mono is more promising than Microsoft's CLI implementation for high-end computing platforms.
    • And with ARM available now and MIPS soon to come, Mono is more promising than Microsoft's for embedded devices.
    High-end servers and embedded systems are areas where Microsoft simply doesn't have the experience to do well. If they want C# to have a chance against C and Java in these areas, they need Mono.
    1. Re:Miguel is the savior of .NET by Anonymous Coward · · Score: 0, Flamebait

      It's worth pointing out that

      No, it wasn't. But I'll humour you, because there are more important things to establish.

      Mono is very important to Microsoft's C# strategy.

      No. Sorry, but they couldn't care less. Mono is cute, but it makes no difference whatever to Microsoft's bottom line.

      Note that

      Is that an order?

      Mono has better cross-platform support

      That Microsoft doesn't give a shit about, and if they did, it's trivial to add new platforms. (Microsoft's stuff works almost everywhere it *matters*, and the 'almost' will only reduce with time [if necessary])

      and a cross-platform roadmap that Microsoft totally lacks.

      You think Microsoft flail about in some sort of random walk? Ah, bless. A newbie to the Microsoft flaming game, I guess. A tip: do as well as Microsoft in the long term and then come back and lecture us about their roadmap.

      With Sparc, S390, and Power support, Mono is more promising than Microsoft's CLI implementation for high-end computing platforms.

      Wow. I'm so excited for those tens of people who will benefit from that. Awesome. High end computing platforms, eh? Excuse me while I crap myself laughing.

      And with ARM available now and MIPS soon to come, Mono is more promising than Microsoft's for embedded devices.

      Because that's competition for Microsoft's bottom line. Yeah.

      High-end servers and embedded systems are areas where Microsoft simply doesn't have the experience to do well.

      Right because Microsoft's website is never in the top ten most visited websites in the world. And they don't have Windows Mobile running on 'phones all over the place. No sir, no experience there. Pure amateurs, I guess.

      If they want C# to have a chance against C and Java in these areas, they need Mono.

      C#?
      C# is like the tip of an iceberg that has already sunk every fucking last thing you believe in.
      C? The early 70s called, they want their language back.
      Java? Game over man. People are deserting that sinking ship like ... like there are snakes on the muthafucka.

      Yeah, idiots like you need Mono. Even smart people who are not into Microsoft stuff are going to need Mono, or something like it, eventually. The CLI/R is winning. Unix / anti-MS lost. Get over it.

    2. Re:Miguel is the savior of .NET by SanityInAnarchy · · Score: 1

      Mono has better cross-platform support

      That Microsoft doesn't give a shit about,

      So why the fuck are they doing a bytecode language?

      The rest of your post is equally trollish, but I just thought there was a point to be made there.

      --
      Don't thank God, thank a doctor!
    3. Re:Miguel is the savior of .NET by sproketboy · · Score: 1

      "So why the fuck are they doing a bytecode language?" Er, cause they want to pretend they're Java? Fact is since M$ hasn't bothered to provide a .net runtime even for the Mac (Ok i understand not porting VS) indicates to me that they're not bothering to compete with Java since they lost anyway.

    4. Re:Miguel is the savior of .NET by Anonymous Coward · · Score: 0

      Auh, did somebody call your baby ugly? I guess *nothing* is successful, according to your view, unless it is financially successful. You may be impressed with their financial power and wide-spread deployment but I, for one, am not impressed. Yes, they have a good development suite but that is only a part of the whole. But to each his own.

    5. Re:Miguel is the savior of .NET by Ilgaz · · Score: 1

      There is .NET runtime/framework for Mac but nobody has a clue what they will use it for.

      At least me...

    6. Re:Miguel is the savior of .NET by Anonymous Coward · · Score: 0

      Nice selective quoting, why don't you go back and read the whole line?

    7. Re:Miguel is the savior of .NET by SanityInAnarchy · · Score: 1

      Why does it matter that they can, if they won't? In open source, it would matter, that's why we like Mono. In proprietary stuff, all that matters is what they want to do, not what they can do that they won't and we can't.

      And you still haven't answered my question.

      --
      Don't thank God, thank a doctor!
    8. Re:Miguel is the savior of .NET by SanityInAnarchy · · Score: 1

      There's Mono, and then there's Rotor. I don't know about the Shared Source licensing on Rotor, and Mono still has rough edges.

      But certainly, Microsoft isn't planning to release it for the Mac.

      --
      Don't thank God, thank a doctor!
    9. Re:Miguel is the savior of .NET by Ilgaz · · Score: 1

      So even a non developer end user like me laughs to claims that .NET will crush Java. I mean come on, it even runs Opera Mini on my cellphone right now.

      I have read some military mags and I got completely amazed at Java's success there too. I mean targeting, radar systems all run java etc.

  23. port23? no... by mr_mischief · · Score: 1

    If you're going to convince people you're all about security, you don't do "port23". You do "port22".

    If anyone's confused, take a look at /etc/services on your local *nix. Failing that, take a look at the IANA assigned port numbers reference.

  24. It's not what you say... by MarkByers · · Score: 1

    It's not what you say, it's the way you say it. The statement may be true but it's misleading. It's like saying that 25% of companies would not consider using Linux. Sounds bad for Linux, right? But really it means 75% of companies would consider using Linux. So even though their statement is true, it's still a deliberate attempt at FUD.

    --
    I'll probably be modded down for this...
    1. Re:It's not what you say... by Anonymous Coward · · Score: 0

      No it doesn't. It means that 75% of companies either don't know if they would consider Linux OR would consider using Linux. It could be at 25% would not consider Linux, 33% don't know what Linux is, 30% don't know if they would consider it or not, and 2% would consider using Linux. It's not FUD.

  25. Re:.NET & Mono by Anonymous Coward · · Score: 0

    Getting modded Flamebait was a little harsh, but I think you're not seeing the bigger picture if you think the main benefit of programming in .NET is easy interop with the Windows API. Web applications, even large ones will typically make little use of the Windows API. Now imagine that you, a developer that works under you, a developer friend, etc. has developed such a web application in .NET. How sweet is it that you can run this application on Linux without significant effort?

    If Linux's popularity grows as is continually predicted this migration ability might become very valuable indeed.

  26. Re:Enlighten me -- strcpy insecurities by Anonymous Coward · · Score: 0
    strcpy() will blindly copy source string until it reaches a null character. It will ignore the amount of memory allocated for the destination to store the string. This has contributed to some of the buffer overflow security vulnerabilities that have occurred over the years.

    Taken from http://cis.stvincent.edu/swd/professional.html:

    What aspect of coding makes buffer overflow possible? The usual culprit is strcpy, a function that these web pages have used extensively whenever we needed to copy a character array type of string. The strcpy function is simple to understand and use, but it does not do any bounds checking. It just copies characters from the source string to the destination until it reaches a NULL character in the source string. It will overflow the destination if the destination variable (buffer) is not large enough to hold the data. Note that the strcat function also has the same problem. However, the strncpy function can be a reasonable alternative to strcpy (if used wisely) as it only copies up to a fixed number of characters. (If you decide to try strncpy, read the documentation on it carefully. Make sure that strncpy is copying no more data than will fit in your buffer. Since strncpy doesn't always append a NULL in the destination string you may have to do so manually. Be sure that you have saved space in the buffer for this NULL as well.)

  27. Re: Article Text by 5937 · · Score: 1

    I imagine those infinite apes running in circles and shouting "patch! patch! patch!". Seems you would count that as doing *a lot* to improve security, even if the result is not improved at all?

  28. strcpy? by ENOENT · · Score: 4, Interesting

    Can you think of a sillier thing to criticize MSFT about? Really?

    I looked at (some) of the code. They do a malloc(strlen(foo)+1), and, if it succeeds, they do a strcpy() of foo. THERE IS NO VOODOO MAGIC IN STRNCPY TO MAKE IT SAFER IN THIS SITUATION.

    Really. There isn't.

    --
    That's "Mr. Soulless Automaton" to you, Bub.
    1. Re:strcpy? by Anonymous Coward · · Score: 0

      > They do a malloc(strlen(foo)+1), and, if it succeeds, they do a strcpy() of foo.

      So, does anyone else see the potential buffer overflow here? How long is foo? How do you know that you don't end up with an integer overflow at this point? You really need to see more of the code to know if foo is actually terminated in EVERY case. Otherwise you can end up with the condition where malloc does succeed, but there really isn't room for the strcpy to do the right thing.

      Also, some people forget that strncpy doesn't terminate the copied string in every case.

    2. Re:strcpy? by Quantam · · Score: 1

      And don't forget this!

      (meant to be mildly humorous in a nerdy sort of way)

      --
      You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
    3. Re:strcpy? by miro+f · · Score: 1

      erm, if the malloc succeeds then it DOES mean that there is enough room for the copy. if there isn't enough room then malloc will fail.

      --
      being vague is almost as cool as doing that other thing...
    4. Re:strcpy? by Myria · · Score: 1

      An integer overflow would imply that the string is the size of the address space minus 1. Where's the code that's executing the strcpy? =)

      (Yes, this is theoretically possible in DOS and Win16...)

      I hope "foo" is not direct user input from an insecure context, or its size is limited. Allocating hundreds of megabytes is bad even if it doesn't lead to a buffer overflow.

      Melissa

      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  29. The Windows CLI by Anonymous Coward · · Score: 0
    All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

    Well, if you're looking at usability, then he's right on both counts. If you're looking at reliability, then he's full of shit.

    Let's not generalize too much, that depends entirely on the flavor of UNIX/Linux you are talking about. OS.X for example is a UNIX flavor and if anything its desktop environment is even more idiot proof than Windows and there are a few Linux distributions out there that do a pretty good job at shielding the user from having to use his/her brain.

    Even the Microsoft CLI is more friendly than Unix, what with the "help" command. Yes, that is an irrelevant thing to you and me, but not to the teeming masses. And, it might be added, there are things that we still must go to the GUI to do on both.


    The teeming masses don't even know the Windows CLI exists and those that do are scared to death of it and that includes a frightening proportion of Microsoft's legions of MCSE ninjas.
  30. Re: Are You Serious? by Mongoose+Disciple · · Score: 1

    The problem with this mindset is you think it's okay that the code that is increasingly responsible for running more things that make a country productive is never seen and can't be reviewed except for poking at it in a willy-nilly blackbox style. As a matter of principle I don't think it's okay. At all.

    The problem with your mindset is that it's only correct if security is always the most important thing. It's not. The world doesn't work that way.

    Microsoft always plays a losing game of catch-up to *nix in the security department, and *nix damn near always plays a losing game of catch-up to MS in the usability department. (There are, of course, many more considerations besides those two.) There are things the open source paradigm consistently does better, and there are things the commercial closed-source paradigm consistently does better. That's reality.

  31. slight misspelling... by absurdist · · Score: 1
    They had the most potential with regards to security and they've finally met it, and I say kudos.

    I believe it's spelled Kodos.

  32. More FUD by MarkByers · · Score: 1

    "It could be at 25% would not consider Linux, 33% don't know what Linux is, 30% don't know if they would consider it or not, and 2% would consider using Linux."

    Why would only 2% consider Linux? I think that's just more FUD. It's higher than that. You are just making an example but disguising it as a fact and hoping people won't notice. You could have picked any number. Why 2%?

    FUD, FUD, FUD! Even Anonymous Coward is FUDing. Slashdot is really going downhill...

    Slashdot has too much FUD. 99.999% of people wouldn't consider reading Slashdot.

    --
    I'll probably be modded down for this...
  33. There is a podcast (MP3) version as well... by Anonymous Coward · · Score: 0

    I am not sure if this makes a difference for you but there is a podcast of the interview:

    http://port25.technet.com/videos/podcasts/migueldeicaza.mp3

  34. MS Linux Labs? by cunina · · Score: 1, Funny

    Isn't that like "Jews for Jesus," "Rock Against Drugs," or "McDonald's New Healthy Menu?"

    1. Re:MS Linux Labs? by WilliamSChips · · Score: 1

      Indeed, Daniel Jackson.

      --
      Please, for the good of Humanity, vote Obama.
  35. FUD? by Pedrito · · Score: 2, Insightful

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and...

    I'm sorry, how does this qualify as "fear", "uncertainty" or "doubt?" Maybe FUD means something else to you? That sounds more like CCS, "calming", "certainty", and "surety" than FUD. I'm not saying their statements are true, simply that it's not FUD.

    1. Re:FUD? by WilliamSChips · · Score: 2, Insightful

      It's implicit FUD. Saying that Windows is doing the most about security is saying that everyone else is doing less and therefore is less secure. This isn't even Alanis FUD and you're complaining!

      --
      Please, for the good of Humanity, vote Obama.
    2. Re:FUD? by Anonymous Coward · · Score: 0

      To me, FUD means

        Fear
        Uncertainty
        Derision

        Doubt is nowhere strong enough.

        There is a famous quote by Gandhi which describes the relationship the M$ has with the rest of the world perfectly.

        M$ normally derides everything that was not copied (perhaps illegally) in Redmond.

  36. Or do it my even better way! by Anonymous Coward · · Score: 0

    strncpy(buf, input, strlen(input));

    1. Re:Or do it my even better way! by sholden · · Score: 1

      So all the negatives of strncpy with none of the positives.

      It might be better to restrict the length copied to match the destination rather than the source...

      Even if you did that right, you didn't null terminate after the call, and even if you added that extra bit of code you'd be wasting time setting chunks of bytes to 0 because strncpy is retarded.

    2. Re:Or do it my even better way! by Anonymous Coward · · Score: 0
      Yup, that works as long as you remember to do this afterwards:
      buf[sizeof(buf) - 1] = '\0';
      Otherwise you might get an overflow when you try to copy the unterminated buffer again.
    3. Re:Or do it my even better way! by david.given · · Score: 1

      strncpy(buf, input, strlen(input));

      Or even:

      char buf[6] = "hello";

      (works in the original coder's example because he declares buf in the same basic block).

      Not only does this approach avoid calling any functions and may well produce faster code, but if your string is longer than your buffer, it'll zero-fill it for you automatically. One caveat: if your buffer is exactly the length of the string, it won't get zero-terminated and the compiler won't warn you, but habits like:

      char buf[6] = "hello\0";

      ...will warn you of that.

    4. Re:Or do it my even better way! by KidSock · · Score: 1

      I think he is being sarcastic guys. Strlen(input) is an overrun in itself.
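
The strncpy behaviour argued over in this thread and described in comment 26 (no terminator when the source fills the count, zero padding when it does not), next to a bounded copy that always terminates and reports truncation. This is an added example, not code from any commenter or from the daemon under discussion; `copy_bounded` and the three probe functions are hypothetical names, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst, whose total capacity is dstsize bytes.
 * Always NUL-terminates when dstsize > 0 and never pads.
 * Returns 0 on a complete copy, 1 if src was truncated, -1 on bad arguments. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    /* Stop one short of the capacity so the terminator always fits. */
    for (i = 0; i + 1 < dstsize && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';

    return src[i] == '\0' ? 0 : 1;
}

/* Pitfall 1: bounding strncpy by the destination size is not enough.
 * When strlen(src) >= n it writes n bytes and no terminator.
 * Returns 1 if the 6-byte buffer holds no NUL after the call. */
int strncpy_left_unterminated(const char *src)
{
    char buf[6];

    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Pitfall 2: when src is shorter than n, strncpy zero-fills the whole
 * remainder. Returns how many NUL bytes end up in a 32-byte buffer. */
size_t strncpy_padding_bytes(const char *src)
{
    char buf[32];
    size_t i, zeros = 0;

    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] == '\0')
            zeros++;
    return zeros;
}

/* The form quoted in the thread, strncpy(buf, input, strlen(input)), bounds
 * the copy by the SOURCE: it writes strlen(input) bytes and no terminator.
 * It is run here into an oversized, 'X'-filled scratch buffer so nothing
 * overflows. Returns the byte found where the terminator should be, or -1
 * if the input does not fit the scratch buffer. */
int byte_after_source_bounded_copy(const char *input)
{
    char scratch[64];
    size_t len = strlen(input);

    if (len >= sizeof scratch)
        return -1;
    memset(scratch, 'X', sizeof scratch);
    strncpy(scratch, input, len);
    return (unsigned char)scratch[len];
}

int main(void)
{
    char buf[6];
    int rc = copy_bounded(buf, sizeof buf, "hello, world");

    printf("copy_bounded -> \"%s\" (truncated=%d)\n", buf, rc);
    printf("strncpy left 6-byte buffer unterminated: %d\n",
           strncpy_left_unterminated("hello!"));
    printf("NUL bytes written for \"hi\" into 32 bytes: %zu\n",
           strncpy_padding_bytes("hi"));
    printf("byte after source-bounded copy: %c\n",
           byte_after_source_bounded_copy("hello"));
    return 0;
}
```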

  37. strcpy_s not MS specific by Kunta+Kinte · · Score: 1

    What is interesting, but not really surprising, is that Microsoft chose to replace the unsafe functions such as strcpy with their own safe variants with names like safe_strcpy (though I can't remember the exact name, it's something like that). They could have just recommended people used already-existing functions such as strncpy or strlcpy, instead of adding yet another incompatibility obstacle that must be surmounted when porting software from/to the Windows platform...

    Unless I am mistaken, strcpy_s() and the other 'safe' variants are part of an ISO standard. Check out https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/coding/314.html

    The thing is even the wiki article gets this wrong.

    I think Bill is waiting for an apology for your rant :)

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
    1. Re:strcpy_s not MS specific by cortana · · Score: 1

      Part of a (very recently published) ISO standard they may be, but for now they are still annoying, Windows-specific warts. Judging by the speed with which the C99 standard is being implemented, I think this situation will continue for many years.

  38. Re: MS Single Sign-On vs. Security by Anonymous Coward · · Score: 0

    It looks like the issues with MS Single Sign-On daemon have been simplified for purposes of the summary.

    The problems I see with MS ssod for *nix are:

    1) They state that StrSafe and other coding practices *MUST* be used for Windows related products and then violate those rules for their *nix based code

    2) They run *ALL* of the ssod code as root despite the fact that some would work in a privilege separation style environment

    3) They run all the code with *FULL* root privilege and never call libcap

    4) They never call chroot (which goes along with never dropping root privileges)

    5) They claim "all rights reserved" so no one else can try to apply privilege separation or other security coding methods with this code

    While your example does show some care in the specific case toward trying to address security, are you sure enough about all the rest of the code that trying to apply other security methods to it is unwarranted?

  39. Interesting - used MP3 encoding by xtaski · · Score: 2, Interesting

    found it interesting Microsoft is using MP3 encoding for this and not Windows Media... hmm...

    1. Re:Interesting - used MP3 encoding by Ilgaz · · Score: 1

      Because there is no windows media player for Linux. Mplayer doesn't count. It is third party.

      Windows Media Player for OS X is half dead too. What they did is acquire global license of a great small company's product, telestream flip4mac and they distribute it as "windows media components for quicktime". While it works better than Wmedia for OS X (surprise!) can't be counted as a true dedicated player.

      I wrote these details to show another minor proof that MS didn't change. If they have changed, let them release windows media player for Linux. Setting up a geek , lame named "port 25" and interviewing with Icaza doesn't change anything. I can't find the slashdot story but they didn't invite those Mono guys to some conference I remember.

  40. not much to see here ... by Anonymous Coward · · Score: 0

    Is a shorter than short article like this one worth a headline/argument/troll on /. ? Well, Miguel doesn't seem happy with having a conference in a hallway, I can understand that. What else ?

    Have a nice day.

  41. Re: Are You Serious? by Anonymous Coward · · Score: 0

    Microsoft always plays a losing game of catch-up to *nix in the security department, and *nix damn near always plays a losing game of catch-up to MS in the usability department.

    The exception being OS X, which is more usable and more secure.

  42. Re: Article Text by Anonymous Coward · · Score: 0

    Statements must be assumed to be false unless there is evidence that they are true--that evidence should then be examined to see if it proves the statement or not. The burden of evidence is on Microsoft/Port25/you, not everyone else.

    That reminds me of talking about Iraq with my uncle. I said "There's not one shred of evidence that Iraq was involved in 9/11" to which he responded, "Oh yeah? Can you prove to me that they weren't?" My point about there not being any evidence that Canada wasn't involved either went totally over his head.

    You can't prove the negative, folks. The burden of proof is always on the affirmative statement. If Port 25 made bold, unsubstantiated statements about Microsoft's security compared to other vendors (or statements substantiated by documents they fabricated themselves with the intent of supporting this conclusion, regardless of the facts), then they are indeed the Colin Powell of the software world. That's all there is to it.

  43. RH9 (non) support no big deal. by darkonc · · Score: 1
    There are a few reasons why Redhat not continuing support for RH9 isn't a big deal...
    1. Linux is open source. That means that, if there's a problem that's a show stopper for somebody, a company can (or a group of them can get together to) take the (available) source code, and put in the fix themselves... If there's actually a large body of companies that are using RH9 for important applications, then all sorts of company can (and will) pop up to provide that support (as happened when 7.3 lost support -- One friend of mine that still has a machine or two running 7.3 still has a choice of companies to get support from.)

      I would note that, while people who were using 7.3, way back when they still have access to third party support, while people who paid good money for windows ME and 2000 are gonna be completely SOL if they need something done, and Microsoft refuses to do it.

      There's been a couple of times when I dug out the sources to a Red Hat RPM, added functionality that dealt with a problem that a customer was having, and offered the changes back to Red Hat. Anybody can do that.... Unlike Israel who almost had to go to war to get Microsoft to (ahem) 'graciously offer' to fix the Hebrew support in Microsoft's OSX version of Office.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    1. Re:RH9 (non) support no big deal. by Quantam · · Score: 1

      Holy crap. Do you actually expect somebody to buy that? Well, if anybody is going to, it will be the "power users" like you and me, who have very little on the line, in terms of money. I don't know what planet you think you're on, but here, when the executives at a company find out that they're gonna have to write their own fixes for critical bugs in a piece of software they already paid for (or, alternately, have to rely on fixes written by someone they don't even know, or simply pay again for the same software), everyone who recommended using said software (and probably lots of people who didn't have a say in the matter, but had to work on the transition anyway) is gonna be looking for a new job.

      --
      You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
  44. useless websites by Anonymous Coward · · Score: 0

    Why is it that every site these days has to post things as sound files or movies?? I want to read my news, damnit!

  45. Ignore that beast by Anonymous Coward · · Score: 0

    Some people change their minds others don't. Some companies learn others don't. Some never will.

  46. Full interview by Rob+Kaper · · Score: 1

    helo
    501 Syntactically invalid HELO argument(s)
    hello
    500 unrecognized command
    hey gnome boy
    500 unrecognized command
    sod off
    500-unrecognized command
    500 Too many syntax or protocol errors
    Connection closed by foreign host.

  47. Text version by MobyDisk · · Score: 1

    Does someone have a link to a transcription?

    1. Re:Text version by Anonymous Coward · · Score: 0

      Does someone have a link to a transcription?

      Here ya go:

      http://www.tmtprn.com/

  48. Ahh .NET in action by sproketboy · · Score: 0, Flamebait

    Server Error in '/' Application. The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested Url: /archive/2006/08/11/Let_2700_s-talk-Mono_3A00_--Sa m-interviews-Miguel-de-Icaza.aspx Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300

    1. Re:Ahh .NET in action by jpardey · · Score: 1

      ...Microsoft Windows NT version 5.5; Microsoft Toaster version 4.5; BSD network stack version 0.5b; gnuutils version 2.1; Microsoft Bob sp3 version 2.356287; Screensaver directory C:/Windahz/; ADMINISTRATOR password: rock0u7; BZFlag version 2.1; VirtualDancer version 2.4b; stupid troll jpardey version 1.2; PHP.NET version 1.2.867.5309...

      --
      I have freaks! I did something right...
  49. Let me enlighten you some more by Anonymous Coward · · Score: 0

    You already got the explanation to your question.

    SO here is Microsoft going to contribute to *nix with NO LESS than a password synchronization daemon and write an exploitable buffer overflow dead in the fucking code.

    Well oooops, me bad!

    Can these dickheads even help themselves OR are they just trying to drag *nix down to their level?

    "Never ascribe to malice that which can be adequately explained by incompetence"

    Let's just make the defining statement now and be done with it:

    "Any and all Microsoft code shall be quarantined until inspected, dissected and tested in its entirety by experts in every applicable field not in the employ of Microsoft"

    It would be easier and certainly safer to not use ANY Microsoft code AT ALL.

    That is my recommendation and I will sleep well having made it.

    Microsoft should go back to what they do best; litigation and fucking their own customers.

  50. Triumph? by Anonymous Coward · · Score: 0

    Doesn't Michael sound like Triumph the Insult dog?

    It's a decent interview but, I couldn't help but laugh out loud with him sounding so much like the dog.

  51. interview != commenting and rambling by tolonuga · · Score: 1

    doing an interview is about asking questions and letting the person you interview talk.
    I get annoyed a lot by stuff like this where the interviewer comments all the time or
    talks about his own agenda rather than giving the spotlight to the person interviewed.

  52. Microsoft employee-wannabe-Sneering. by Anonymous Coward · · Score: 0

    "Without GNOME, QT might not have been open sourced in the first place. "

    Ummm, no. I'd say it was the usual incessant whining of the GPLers which you still see to this day (Waaa Tivo!) Most KDErs (the only ones in direct competition) hold Gnome in contempt.

  53. Re:.NET & Mono by Anonymous Coward · · Score: 0

    So, your "big picture" for Mono is that it facilitates migration of web app from Windows to Linux? The migration will still have to jump through several hurdles: migration of any native hookup, version/implementation differences between Mono and .Net, and any surrounding services (DBMS, messaging, transaction, etc.). Except for the simplest cases, it's likely easier to re-implement the app in Java (or other similar OO system) using services better supported on the target platform. Besides, Java *already* provides a *better* portability between Windows and Linux (and Mac), especially for web app.

    All that work to replicate .Net on linux, and that only partially, for the unusual cases where you need to migrate some web apps from Windows to Linux, and the work may not even save much/any work vs. alternative porting methods in the end, is a waste.

  54. Re: Are You Serious? by gbjbaanb · · Score: 1

    I wouldn't agree that Linux is insanely robust - today I'm upgrading my kernel because of security flaws in the one I'm currently running. Again. Then, almost every time I type "yum upgrade" I get updated packages with security fixes in them. So linux is insanely secure? no way, just stop with the bigoted posts ok.

    Back to the article comment - they said MS was doing the most to improve security. Well, fair enough - they have made great inroads on fixing loads of stuff, it is not a big priority at MS, so yes, I think I can safely say that "MS is doing more to improve security than any other company out there", simply because they're improving their product the most (you could say Linux doesn't need to be improved very much)

  55. Anecdotes trump all! by Anonymous Coward · · Score: 0

    Yay anecdotal evidence. That trumps all!

  56. Java's a disease as well by WilliamSChips · · Score: 1

    Java's just a less virulent disease. The cure is Python.

    --
    Please, for the good of Humanity, vote Obama.
    1. Re:Java's a disease as well by Anonymous Coward · · Score: 0

      Python's syntax makes my brain bleed. How about we all agree that the solution is C++?

    2. Re:Java's a disease as well by WilliamSChips · · Score: 1

      Because C++ is a lose in every possible way.

      --
      Please, for the good of Humanity, vote Obama.
    3. Re:Java's a disease as well by Anonymous Coward · · Score: 0

      Except for speed, stability, and ownage, right? Really, you kids these days. You do realize that all these toy languages are resulting in us having systems dozens of times more powerful than just a few years ago and getting SLOWER performance out of them, right?

    4. Re:Java's a disease as well by WilliamSChips · · Score: 1

      You do realize that if you want "speed" you go for C and not the bastardization that is C++ right? You do realize that people insisting on low-level langs like C and C++ is the reason we have so many fucking buffer overflow problems, right?

      --
      Please, for the good of Humanity, vote Obama.
    5. Re:Java's a disease as well by Anonymous Coward · · Score: 0

      I realize that python has the crappiest syntax ever produced, sure.

    6. Re:Java's a disease as well by WilliamSChips · · Score: 1

      You are an AC. I am a registered user. Who do you think is more trustworthy?

      --
      Please, for the good of Humanity, vote Obama.
  57. Use it, but use something like PREfast by Myria · · Score: 1

    Microsoft's PREfast stuff lets you mark up code to say how the parameters to functions work. If you accidentally put a "5" instead of "6" as your array size, the compiler would notice a violation of the rules and issue a warning. It won't pick up everything (see "halting problem") but at least it'll find the obvious things.

    There are performance reasons to use strcpy.

    I personally feel that strcpy on a buffer allocated by the same function is okay, but doing this across functions is bad because someone else (or you years from now) modifying your code won't know to do that.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  58. GNUStep! by Burz · · Score: 1

    Yes, you are absolutely right IMO.

    GNUStep is definitely one of those frameworks where on several occasions I've looked at it and thought "Oh, what could have been."

    Qt4 has drawn my interest, but I fell flat on my behind trying to get it compiled on OS X.