Slashdot Mirror


Microsoft Port 25 interviews Miguel de Icaza

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

  1. Worthless drivel by Anonymous Coward · · Score: 5, Insightful

    What the fuck kind of insane summary is that? Even for Slashdot, that steps over the line.

    1. Re:Worthless drivel by Fearless+Freep · · Score: 5, Insightful

      More a slam on Port 25 than a summary of the interview

  2. revelaed by Anonymous Coward · · Score: 5, Funny

    miguel is the liebermann of open source

    1. Re:revelaed by sproketboy · · Score: 3, Insightful

      "It even helps them"... Yes it does since apparently a growing number of morons out there delude themselves into thinking that they can go cross-platform with mono. --- mono is a disease - Java is the cure.

  3. Link to interview doesn't work. by RingDev · · Score: 4, Informative

    Just go to http://port25.technet.com/ and click the link on the front page.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Link to interview doesn't work. by RingDev · · Score: 4, Informative

      The -- (two hyphens) is resolving to %E2%80%94

      The link should be: http://port25.technet.com/archive/2006/08/11/Let_2700_s-talk-Mono_3A00_--Sam-interviews-Miguel-de-Icaza.aspx

      but some ass hat probably pasted it into MS Word to spell check the summary, and Word resolves -- to its funky double wide hyphen character.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    2. Re:Link to interview doesn't work. by prockcore · · Score: 2, Insightful
      word resolves -- to its funky double wide hyphen character.


      By "funky double wide hyphen character" you mean industry standard UTF-8 representation of em-dash?
    3. Re:Link to interview doesn't work. by cortana · · Score: 2, Insightful

      You mean, the fault of the idiot web developer who didn't mark the page as being encoded in windows-125x.

      There's nothing inherently wrong with the Windows character sets, they're just an encoding!

  4. Server Error in '/' Application. by Anonymous Coward · · Score: 4, Funny
    Server Error in '/' Application.
    They forgot to put a '.' after the '/' !
  5. Microsoft employee-wannabe by dskoll · · Score: 2, Interesting

    Miguel makes no secret of his admiration for Microsoft and is really a MSFT-employee-wannabe. All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

    Yawn...

    1. Re:Microsoft employee-wannabe by mspohr · · Score: 2, Insightful
      I'm not a Linux expert but have installed Ubuntu Linux on about 10 machines (desktops and laptops) over the past two years. I haven't had to do any "wrestling". They all pretty much "just worked" with the full application suite. Even WiFi just works... and printers... etc. Full install is an hour or so.

      In contrast, I have had to re-install Windows on various machines about 5 times in the past year due to viruses, spyware, etc. (two college daughters...) and each time it was a full day marathon of install, patch, drivers, application install, patch, firewall, anti-virus, etc. with many reboots... PITA!

      I don't know what you are doing that you need to wrestle Linux but it certainly sounds like you could use some help from "clippy".

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Microsoft employee-wannabe by Planeflux · · Score: 2, Interesting

      Sorry to rain on your parade, but your own lack of competence with linux installations is a silly excuse for stating that "Microsoft has made the better desktop". Obviously various linux distros have their own quirks and issues, but if you can handle those, a linux system makes a great general-purpose desktop environment and is, in my opinion, way ahead of anything Microsoft has to offer at the moment. I am not biased or trying to stab Microsoft here, I just choose the best tool to get the work done. That said, it is far from perfect, and if Microsoft would come up with a better alternative, I'd gladly use that.

    3. Re:Microsoft employee-wannabe by Burz · · Score: 4, Insightful

      And he takes abuse from MS too:

      http://linux.sys-con.com/read/124218.htm

      Interesting bit of history there. It really disturbs me that Miguel is leading a column of FOSS enthusiasts into the maw of MS patent enforcement, especially when he could have used his talent on something unencumbered like Parrot.

    4. Re:Microsoft employee-wannabe by Anonymous Coward · · Score: 2, Informative

      ...but if you have some sort of argument about why Microsoft did not get the desktop right (at least in comparison to GNOME/KDE), I'm sure we'd all love to hear it.

      1. No select->middle-click->paste buffer.

      2. Ctrl-C/V/X behave inconsistently (it is entirely too easy to lose everything on the clipboard).

      3. No tools out of the box to automate user tasks like bash or perl.

      4. Crappy handling of file types.

      5. No virtual desktops. (The powertoy hack called MSVDM doesn't actually work.)

      6. Lack of support for standards: PostScript, PDF, MP3, DVD, NFS, SSH, SCP.

      7. The Registry.

    5. Re:Microsoft employee-wannabe by larry+bagina · · Score: 3, Insightful

      Considering his track record, that's actually an improvement. C#/.NET is at least somewhat standardized and thought out. GNOME is a complete mess. Had that effort gone into GNUStep (which is standardized and thought out), OS X users would be envious of Linux.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    6. Re:Microsoft employee-wannabe by ciggieposeur · · Score: 2, Informative

      Even the Microsoft CLI is more friendly than Unix, what with the "help" command.


      ~$ help
      GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
      These shell commands are defined internally. Type `help' to see this list.
      Type `help name' to find out more about the function `name'.
      Use `info bash' to find out more about the shell in general.
      Use `man -k' or `info' to find out more about commands not in this list.

      A star (*) next to a name means that the command is disabled. ...


      The Linux desktop has become quite usable - but it got there by copying Microsoft, and that is no shit...KDE and Gnome are both pretty hardcore ripoffs of Windows, although GNOME also manages to copy MacOS at the same time... Unfortunately, [Unix] only got there by copying Windows, which kind of blows the whole usability argument to kingdom come.

      I disagree. Windows never had selection buffer, virtual desktops, or remote desktop, items I absolutely require to be reasonably productive on X. KDE/GNOME brought us unified widget sets and control panels, and both were certainly inspired by both Windows and MacOS, but they go so far beyond Windows in overall functionality it's not even funny.

    7. Re:Microsoft employee-wannabe by adolfojp · · Score: 5, Insightful

      The MSFT-employee-wannabe that you speak of is the father of the GNOME desktop. Without GNOME, QT might not have been open sourced in the first place. Without a man like Miguel to give GNOME a forward direction, we might still be using Motif. When your contributions to the open source movement become a tenth of what Miguel has done then your rant might have more merit.

      If there is one Microsoft technology that deserves admiration, it is the .NET framework. If there is one man who has the objectivity to look beyond the zealotry to see technologies for their merits, it is Miguel. MONO is an excellent development environment for Linux. It bridges the gap between high performance but difficult to use languages like C++ and low performance high RAD languages like Python.

    8. Re:Microsoft employee-wannabe by e2d2 · · Score: 2

      He's probably done more for open source before noon than you've done in your whole life. Prove me wrong and I'll take it back.

    9. Re:Microsoft employee-wannabe by Jay+Carlson · · Score: 4, Insightful

      My favorite thing to bash Linux bigots with:

      OLE Automation.

      (Or whatever they're calling it these days; I think it was absorbed into the ActiveX branding.)

      Just about every Unix vendor had this dream of turning their entire desktop environment into a sea of programmable objects.[1] The one I got to laugh at was Sun, with DOE, although you formerly-MacOS-bigots got to see it replayed in AppleScript and OpenDoc.[2]

      Well, Microsoft delivered. I can write a script (in my choice of languages) that opens up a Word document, finds any bold text at the start of paragraphs and then HTTP POSTs it to a URL. And if I feel really annoying, I'll increase the volume level on the sound device, and read it to you. In a page of code.

      It's really amazing what you can script this way. OK, yes, there's a reason I'm typing this on a Linux box, and why I have cygwin installed on any Win32 box I care about. But through marketing muscle and a desire to create opportunities for small VARs, Microsoft let little software authors poke around inside big applications. And created some nice tools for those little authors to write code with.

      Shame it breaks in such obscure ways.

      [1]: ARexx doesn't count. That's just DDE.

      [2]: Obligatory joke about whether "the" is optional at some point in hypercard syntax here. Apple has been getting better, though.

  6. Ceasing support after a year is a valid excuse? by Richard_at_work · · Score: 4, Insightful

    Maybe there is some validity in saying they (Port 25) are untrusted, but what excuse is it that Redhat ceased updates for v9 in 2004, a mere year after the product was released (March 31 2003). Seriously, is a single year of updates good enough? I think they actually have a valid point on that one at least, a year isn't long enough to even be considered stable server software in my book.

    1. Re:Ceasing support after a year is a valid excuse? by Moofie · · Score: 2, Insightful

      "That is unacceptable, and Microsoft has every reason to bash them over the head for it"

      Microsoft? Bashing Red Hat over licensing? Wow. That's rich. I wonder where they find salesdroids with absolutely no ability whatsoever to think critically, so they can spout this stuff with a straight face.

      --
      Why yes, I AM a rocket scientist!
  7. Re: Article Text by Mongoose+Disciple · · Score: 2, Insightful

    From the article:

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

    I'd be curious to hear what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD, and what kind of metrics/data support this. Amount of exploits patched? Amount of money spent on security?

    I mean, even if you think Windows is one giant yawning security hole, that really only says that they have the most room for improvement. I'd be surprised if they're not patching the most holes, affecting the largest number of users, and spending the most money on security -- even if the results are often sad.

  8. Speaking of FUD... by Future+Man+3000 · · Score: 4, Funny

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

    Which vendors are doing more to improve their security?

    Given what they had to start with, I think it's very difficult to claim anybody's done what they've accomplished between 95 and XP SP2. You tell me one other vendor that's gone so far as using tools like authentication and WGA to combat the worst offenders of security -- the users themselves? Linux users, Mac users, even the *BSD user is free to boot their operating systems without the slightest arbitrary challenge to their right to do so and from there go on to face any number of potential security issues; but with Windows, you need only upgrade your CD drive emulator a handful of times or use Windows Update as directed to find yourself relieved of the concerns users of lesser operating systems face.

    They had the most potential with regards to security and they've finally met it, and I say kudos.

    --

    I never vote for anyone. I always vote against.
    -- W.C. Fields

  9. Why would you trust Port 25? by jd · · Score: 5, Funny

    At the very least, they should be using Port 465 (SMTP over SSL/TLS). It's no wonder they feel insecure, using plain-text. Honestly!

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  10. Anyone using Red Hat 9? by also-rr · · Score: 4, Funny

    Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

  11. Enlighten me by BlueScreenOfTOM · · Score: 4, Interesting

    Can someone explain to me why strcpy is insecure? No sarcasm here, I really would like to know.

    1. Re:Enlighten me by dyamkovoy · · Score: 3, Informative

      strcpy copies one string into a location without caring about how much space there actually is. Meaning a hacker (or careless programmer) can write too much into that location and overwrite important data (such as the stack). See Buffer Overflow.

    2. Re:Enlighten me by tankbob · · Score: 2, Informative

      strcpy works by reading the source string and copying to the destination until it encounters a null character.

      If the source string is longer than the allocated destination buffer then data can overflow into your program code. This could be exploited to execute arbitrary code.

      strncpy should be used instead as it allows you to specify the maximum number of chars to copy.

    3. Re:Enlighten me by cortana · · Score: 2, Informative

      Yes, and that's not such a serious problem--only a Denial of Service attack. But consider the case where your memory is arranged like this:

      char foo[10]  int authenticated
      [            ][                 ]

      Memory boxes not to scale. Or maybe sizeof(int) on this platform is really large. ;)

      Anyway, if you screw up and copy an 11-byte string over foo, the final byte will be written into authenticated. Now imagine that authenticated is a flag which stores whether the user is permitted to perform a privileged operation.

      What is interesting, but not really surprising, is that Microsoft chose to replace the unsafe functions such as strcpy with their own safe variants with names like safe_strcpy (though I can't remember the exact name, it's something like that). They could have just recommended people used already-existing functions such as strncpy or strlcpy, instead of adding yet another incompatibility obstacle that must be surmounted when porting software from/to the Windows platform...
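
An added example, not part of the thread or of any code it discusses: the buffer-then-flag layout from the comment above, modelled as one byte array so the overrun is well-defined, with an unchecked copy beside a length-checked one and the strncpy case that leaves no terminator. The names `arena`, `unchecked_copy`, `checked_copy`, `flag_after`, `strncpy_terminates` and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout from the comment above: a 10-byte buffer followed
   directly by a one-byte flag. Both live in one array, so every write
   below stays inside a single object and is well-defined. */
enum { FOO_SIZE = 10, AUTH_OFFSET = 10, ARENA_SIZE = 32 };
struct arena { unsigned char bytes[ARENA_SIZE]; };

/* Models strcpy: copies up to the NUL and never consults FOO_SIZE.
   The ARENA_SIZE bound only keeps this demonstration itself in bounds. */
static void unchecked_copy(struct arena *a, const char *src)
{
    for (size_t i = 0; i < ARENA_SIZE; i++) {
        a->bytes[i] = (unsigned char)src[i];
        if (src[i] == '\0')
            break;
    }
}

/* Hardened form: reject input that does not fit together with its NUL.
   Returns 0 on success, -1 when the copy was refused. */
static int checked_copy(struct arena *a, const char *src)
{
    size_t len = strlen(src);
    if (len >= FOO_SIZE)
        return -1;
    memcpy(a->bytes, src, len + 1);
    return 0;
}

/* Value of the flag byte after copying src with either routine. */
static int flag_after(const char *src, int use_checked)
{
    struct arena a = {{0}};
    if (use_checked)
        (void)checked_copy(&a, src);
    else
        unchecked_copy(&a, src);
    return a.bytes[AUTH_OFFSET];
}

/* strncpy bounds the write but leaves dst unterminated on truncation.
   Returns 1 if dst contains a NUL afterwards, 0 otherwise. */
static int strncpy_terminates(const char *src)
{
    char dst[FOO_SIZE];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

int main(void)
{
    const char *too_long = "AAAAAAAAAAA"; /* constructed: 11 chars + NUL */
    printf("unchecked flag=%d checked flag=%d strncpy terminated=%d\n",
           flag_after(too_long, 0), flag_after(too_long, 1),
           strncpy_terminates(too_long));
    return 0;
}
```

The checked copy refuses oversized input outright instead of truncating it, so the caller has to handle the error rather than carry on with a shortened or unterminated string.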

  12. Please let us know when it's video. by drinkypoo · · Score: 3, Insightful

    Please let us know, in the summary, when an interview is a video file. Some of us don't have time at work to watch videos (today, actually, I've been busy watching specific videos for work, and trying to clean them up so they don't look like crap, at which I have failed) and would like to know before we have to click down into them - especially when you can't just click the link, and have to visit the site, because the primary article link is malformed.

    This is one of the crappiest story submissions I've seen in a long time.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  13. not FUD by McGiraf · · Score: 3, Funny

    "claiming Microsoft is doing more to improve security than any other vendor"

    That is not FUD, they started so far behind everybody else that they have to do more than anybody else just to keep Windows running

  14. Doing more for security? by Caine · · Score: 3, Interesting

    I'm working with Microsoft right now, and I don't think I've ever met a firm that takes security so seriously as they do when it comes to "normal" software, especially in the field I work in. So that claim might not be as much FUD as some would like it to be.

  15. strcpy ok sometimes by KidSock · · Score: 4, Informative

    I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else. For example the below is perfectly legit:

        char buf[6];
        strcpy(buf, "hello");

    In fact, to truly protect yourself from invalid input you frequently need to write a state machine style input parser. It's the parser that ensures all strings are properly terminated which would mean all downstream copies could be performed safely with strcpy.

    It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.

  16. strcpy? by ENOENT · · Score: 4, Interesting

    Can you think of a sillier thing to criticize MSFT about? Really?

    I looked at (some) of the code. They do a malloc(strlen(foo)+1), and, if it succeeds, they do a strcpy() of foo. THERE IS NO VOODOO MAGIC IN STRNCPY TO MAKE IT SAFER IN THIS SITUATION.

    Really. There isn't.

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  17. FUD? by Pedrito · · Score: 2, Insightful

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and...

    I'm sorry, how does this qualify as "fear", "uncertainty" or "doubt?" Maybe FUD means something else to you? That sounds more like CCS, "calming", "certainty", and "surety" than FUD. I'm not saying their statements are true, simply that it's not FUD.

    1. Re:FUD? by WilliamSChips · · Score: 2, Insightful

      It's implicit FUD. Saying that Windows is doing the most about security is saying that everyone else is doing less and therefore is less secure. This isn't even Alanis FUD and you're complaining!

      --
      Please, for the good of Humanity, vote Obama.
  18. Interesting - used MP3 encoding by xtaski · · Score: 2, Interesting

    found it interesting Microsoft is using MP3 encoding for this and not Windows Media... hmm...