Hackers Find Use for Google Code Search
An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday."
Isn't the point of open source that anyone can fix the programs? If it can be used by attackers it can also be used by developers. This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already.
Duped fucking post!
Do not even bother with this flamebait shit.
Tools can be used for evil purposes! News at 11!
Someone has done pretty well out of the normal Google engine for this kind of "research".
Slashdot readers beat 'em to it!
The previous story /. precipitated comments that did exactly that.
Since it is easier for everybody to find bugs and vulnerabilities, it is now easier to fix them. Relying on the fact that your source code hides in some corner of a CVS repository where nobody really wants to casually go is just a lesser form of security by obfuscation. Would you rather have truly secure software or software that only seems to be secure?
Every repost is a repost of a repost. Go and eat your copypasta elsewhere.
"This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already."
Microsoft agrees with you.
Is there no bayesian spam-filter available to filter /.'s comments through and get rid of this crap?
- Google launches a search tool, which makes it easier to search through every piece of code posted on the internet.
- Some retarded news reporter sees the launch, and figures "this is an easy way to make a frontpage headliner"
- Bingo you have your frontpage story "Hackers Find Use for Google Code Search"
In short, why is this even news? Wouldn't every hacker, from the guy sitting in his basement hacking on some *BSD code to the guy in his million dollar house hacking on some Linux code, find a tool like this useful, when looking for some code that isn't satisfactory. I guess the news in it, is that someone also found out google code search makes the comments and examples in the code available...only to those whose "security" in reality consists of not much - or even nothing - more than obscurity.
:%s/Open Source/Free Software/g
YTARY!
How is searching for something misuse of the search engine? I'd say that the Internet was misused by those who made the information public in the first place.
Is there no bayesian spam-filter available to filter /.'s comments through and get rid of this crap?
Given the numerous unresolved problems in slashcode, would you trust Taco&Co to write something like this that worked properly?
If you accidentally put something publicly available on a web page, it can be found, manually or by a search engine. This is really no different from how it has always been with text, images and anything else that you can put on the web.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
The only job these people have is profiting from the poor coding ability of most programmers, despicable.
"Powered by phpBB" in order to find phpBB boards that were vulnerable to an exploit to hack. This isn't exactly a new technique. Well ok I know it's not exactly the same thing but the idea is still the same.
The article talks about how easy it is to use Google Codesearch and goes further to suggest that the regular search can't be used to find code.
B.S.!
I've used Google search to find all sorts of code snippets over the years, particularly #define's for constants that Microsoft don't actually define anywhere on MSDN.
What else can one say, but DUH. If someone is stupid enough to leave their confidential files on a fucking web server, they won't be confidential for long. Google didn't create the problem. malicious hackers would probably have found them anyway, just now everyone else can.
my $self = shift;
# XXX a hole you could drive a fucking bus through
my $method = $self->cgi->param('method') || 'hello';
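For contrast with the snippet quoted above, here is an added example (not from the original post): the same "dispatch on whatever the client sends" pattern next to an allowlisted version. The Handler class and its param() stand-in are constructed so it runs offline; they are not the poster's code.

```perl
use strict;
use warnings;

package Handler;

# Constructed stand-in for a CGI-backed object; params plays the role of
# the request parameters that $self->cgi->param('method') would read.
sub new {
    my ($class, %args) = @_;
    return bless { params => $args{params} || {} }, $class;
}

sub param { my ($self, $key) = @_; return $self->{params}{$key} }

# Methods the application actually intends to expose.
sub hello   { return "hello" }
sub goodbye { return "goodbye" }

# Internal helper that should never be reachable from a request.
sub _internal_reset { return "internal helper reached" }

# The quoted pattern: the client-supplied string becomes the method name,
# so internal helpers (and anything inherited from UNIVERSAL) are callable.
sub dispatch_unchecked {
    my $self   = shift;
    my $method = $self->param('method') || 'hello';
    return $self->$method();
}

# Hardened: only names in an explicit allowlist are dispatched; anything
# else falls back to the default instead of being looked up dynamically.
my %ALLOWED = map { $_ => 1 } qw(hello goodbye);

sub dispatch_checked {
    my $self   = shift;
    my $method = $self->param('method') || 'hello';
    $method = 'hello' unless $ALLOWED{$method};
    return $self->$method();
}

package main;

my $benign = Handler->new(params => { method => 'goodbye' });
print "allowlisted request: ", $benign->dispatch_checked(), "\n";

my $hostile = Handler->new(params => { method => '_internal_reset' });
print "unchecked dispatch:  ", $hostile->dispatch_unchecked(), "\n";
print "checked dispatch:    ", $hostile->dispatch_checked(), "\n";
```

The checked version is also what a reviewer would look for when a code search turns up this pattern: a fixed mapping from request values to handlers rather than a symbolic method call.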
Yeah, I'm sure no malicious mind ever knew about grep and had to wait on Google.
I think previous posters got it wrong. They say the cracker's access to the code is just as easy as anyone else's who can fix it. But a developer looks only for the code he's involved with, while the cracker is looking for any exploitable program. That, and although coders eventually search for security holes, his goal is to build features. So, it indeed is making it easier for the crackers.
Which is a good thing, if you realize bad environment also leads to evolution. More bugs exposed, the more developers will fix them, and maybe one day software designers will get it right, stop using insecure programming language, and write safer code.
factor 966971: 966971
This whole thing smells really badly. Meaning: we know our products suck, people know what we tell them, and it's good for us this way. If somebody makes them possible with some tools to find out anything about what we don't want to tell them, that's bad for us. Even if they could find out these things without using those tools, it's good for us they have those tools since now we have somebody to blame. Either way, we win.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
I know my way around code pretty well. While poring through some source code I discover a code snippet with a particular vulnerability that I can exploit. Now if only I had a way to see if this same snippet appeared in other applications. I guess I'll have to wait for Google to introduce a source code search mechanism before I can figure that out. Bummer.
The more you regulate a company, the worse its products become.
People need to stop blaming those that provide tools and research for their finding or their ability to find bugs and errors. It's not their fault. If you screw up and someone finds it, it's not their fault, it's yours. Take responsibility and deal with the consequences.
The people that make the problems usually cry that the entire world needs to tell them about their mistakes in a nice quiet, private way, so they can silently fix them and avoid any unnecessary damage. The reality of this, as we have seen time and time again, is that when they are informed of these problems, so often they go ignored for months and months. And then the issue is finally leaked and they cry you didn't give us enough time! No, it was your fault to begin with, it doesn't matter if someone else made your mistake worse, none of this would have happened without you screwing it up to begin with. This is how the world encourages you to try harder to get it right the first time instead of tossing us crap and fixing it later.
In summary, anyone that fights against auditing tools clearly has a quality control or security issue they are unwilling to fix and are afraid to have exposed.
(The whole model of "sell crap, fix later" is broken from the get-go. That's why we have crappy software hustled to the store in "version 1.0.0" form and have to beg the authors for bug fixes for the next half year. Problem is they already have your money, and that upgrade is free, so why should they pour resources into a 1.1 when there's no more money to be made? It's a losing proposition if you don't intend to release a paid 2.0 later, or if you think you can sucker them a second time)
I work for the Department of Redundancy Department.
A lot of people are skeptical about the security risks of this. The general claim is that if it's up on the web, a) it can be found anyhow, and b) you should know that it's secure (or insecure).
True, however here is another way of looking at it.
Let's say I buy a brand of lock for my house, which later turns out to be defective. Perhaps I don't know about this defect, or I don't have the time or expertise to fix it quickly.
Then someone develops a technology that alerts burglars to which houses have that specific brand of lock.
Wouldn't that be cause for some concern?
I think code-searching for vulnerabilities is mildly concerning, even far beyond the usual methods that exist without code search. Note I said mildly. This isn't going to cause the catastrophic collapse of the Internet. It's just one more thing for people to be aware of and (hopefully) take action on.
What do you mean, "inadvertently"? :)
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
http://google.com/codesearch?hl=en&lr=&q=mysql_connect%5C(%22%5B%5E1%5D%5B0-9%5D%7B1%2C2%7D
Bonus points if you can find the one with 35 million AOL addresses in it!
So Robert McMillan of IDG digs up a small competitor to Google Code, who says actually publishing open source is bad. Of course, the point of open source is that anyone, not just motivated attackers, can inspect the source to reveal problems, and even fix them ourselves.
Fortify doesn't seem to offer GPL or any other open source for its own product. But it does seem to publish its own version of Google Code's results. Which any worthwhile reporter would have learned, if they wanted to tell us a story about the risks of open source, rather than a competitor's story of how "Google is Evil".
--
make install -not war
This is a fact of the information age.
Today's "hacks" mostly go for widely spread software. Why? Simple. For maximum impact. There are, of course, still targeted attacks, but those targets tend to be machines and nets of high interest for the hackers. If you use insecure software there, you earned that hack well.
So the key target is to get access to as many machines as possible, to create spambots, to phish for information, in other words, the key target for attacks is the machine of the common man.
Now, which approach would be more fruitful? To find a neat exploit, find out which software contains it and then match it against the software usually used by Joe Average? Or to do it reverse, find out what Joe uses and find exploits in that software?
I think the recent revelation of buffer overflows in MS-Office and the Javascript exploit in the IE answers that question.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is a pointless article only if you assume that "anyone" is spending the same time and effort looking for flaws as the hackers, let alone fixing them.
Are you that confident that such efforts are taking place?
"Ask not what your country can do for you." --John F. Kennedy
Reh. It's a dupe post. Every once in a while this one shows up.
You know, forget for a second that Synaptic has been around for a while, and is usually labeled 'Find new software' in most good distros.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
Both Krugle and Koders already offered open source search services. Google isn't offering anything new.
"i plug in a USB wireless card and nothing happens, i plug in a USB printer, nothing happens, i plug in a USB stick nothing happens,"
First: true for most cases. Linux Wifi support IS horribly lacking, but blame it on the vendors; we have to reverse engineer every chip that comes out, or use the windows driver.
Second: Patently not true for modern distros. Lite distros, that don't feel like adding the CURL drivers in, maybe, but I believe I've had an issue with exactly one printer on my laptop.
Third: Unbelievably not true. Not only does Linux itself handle USB drives seamlessly, but most distros automount it, and KDE automagically recognizes it and asks you what you want to do with it. You must've been playing with a complete shit distro. Or you're just lying through your ass. Either way, I call FUD.
I plug a USB mass storage device into a friend's WinBox. It doesn't "just work". Not only that, the way everything is set up it's next to impossible to figure out WHY it doesn't "just work".
Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.
So if Linux gets user friendly, it will drop to a 1% market share? Sounds like a reason to keep it not being user friendly!
It's unfortunately a self-perpetuating windows monopoly. However, with your wireless problem, ndiswrapper is probably your friend. I like the new ubuntu (6.06) because it supports almost everything (I took a quick look at synaptic and it turns out that ndis is bundled in, with large amounts of wireless drivers, so you're set).
"Hello 911? I just tried to toast some bread, and the toaster grew an arm and stabbed me in the face!"
When I read this article, I went to code.google.com and tried it out for myself.
It seems to me that they are just indexing open source projects and presenting a rather nice interface for it. In my opinion, it seems more like a meta sourceforge that finds OSS projects from all over the web by searching for projects that make their VCS publicly available. If a closed source company has its VCS publicly accessible, then they've already done their own damage.
I've recently been searching high-and-low for a decent open-source knowledge base application that I can implement for our IT department at work. This search has been complicated by the fact that so many open source projects have a knowledge base about their products, so I get a lot of false positives in my searches. As code.google.com indexes more and more projects, I am hoping it might just be of help in that particular task, since it is indexing the project descriptions specifically.
Like any other tool, code.google.com is not evil, but its manner of usage may make it so. Do we ban hammers and kitchen knives because they can be used to injure or kill? I think not. Anyway, "code.google.com makes it easier for an attacker to find a bug or exploit" is only true for small values of "easier". Think about it... if someone has the knowledge to review source code and find the bugs and create an exploit, then they were already probably smart enough to use existing google (and other search engine) tools to find what they needed. Your average script kiddie is going to be looking for an exploit handed to them on a silver platter, not to actually have to figure out an exploit on their own.
Just my $0.02
The Digital Sorceress
I can't read code - it means absolutely nothing to me. So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me. Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which. All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.
So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.
Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.
As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
We're living in a world where obscurity will become a more and more invalid method of cheating, securing, confusing, misrepresenting, lying, disinforming, profiting, whatever.
'IT' just makes it easier to find what is already out there. I'd say good for Google, another good step to their goal of "indexing the world".
There are other code search engines: krugle.com and koders.com
You're new to the computer biz, aren't you?
Nobody gives a shit about security or correctness. Not even open-source projects like Linux care that much. OpenBSD does, and maybe a few others, but they're far and few between. Business entities plain just don't give a shit.
Koders and even Krugle guys precede Google's code search, but they are going to have a hard time attracting more developers' eyeballs - check this.
Too bad one can't get Google code search on there, too, but you can imagine how far that graph curve would be.
Simpy
... don't post them on the internet in the first place.
Allowing anyone to find the bugs is the whole point of OSS. But why is there any "password information and even proprietary code"?
Lovely, just lovely. I just searched for my name (full name, and UNIX first-initial-lastname form) and even though I've only really contributed to two tiny OSS projects in extremely trivial ways, my email address (current and a few previous ones) all appear in plaintext in the search results. Spammers just got another way to harvest, without having to download entire files even.
I have a hammer. I can build a house with it. Or I can kill someone with it. Does that make the hammer bad? Should we restrict the availability of hammers? Should we start requiring FBI background checks at Walmart in order to purchase a hammer? If we make it illegal to own a hammer, only criminals will have hammers.
Seriously, any "tool" is like this. You can do wonderful creative things with it. Or you can do nefarious evil with it. That doesn't make the availability of the tool wrong or undesirable.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Q: Why is beginning a comment in the Subject: line annoying?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Thanks! I was wondering how to get Q3 running on Linux.
I ran into a situation at work recently where we (note, we're statisticians, not programmers) discovered firsthand the value of having the source code to a piece of software. A proprietary program we purchased was calculating a value incorrectly because it wasn't taking a certain factor into account that most people don't need, and there was no way to get it to do that. My boss' comment: "And we can't fix it because we don't have the code."
Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.
When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too.
However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
Really? Ever use a Tivo? Ever go to a web site? How about Google? How about wikipedia? Do you have any idea how much BSD licensed code (math libraries, for example) might be running on your cell phone, your car stereo, etc?
People don't know it but open source is everywhere and it works great. Sure, you're not using an OSS spreadsheet or word processor, but that doesn't mean you don't rely on OSS a zillion times a day without even realizing it.
Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.
Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if it's really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)
Disclaimer: I work for a closed-source software vendor, but we try very hard to meet the needs of all of our customers, so if they identify a critical issue we generally try to either find an acceptable work-around, or patch the code when possible. And (ideally) that would be done in such a way that you won't lose that fix when you upgrade. If you custom-fix your OSS solution, you either have to never upgrade, or patch every version that comes out; that seems to be a lot of long-term hassle.
Customer satisfaction is a big part of being a software vendor -- sure, you may be a small customer, but if my company is responsive to your needs then that builds good relations with you, and you may be an excellent referral source for us later (or become a larger customer yourself). That's a strong motivation for businesses that really care about their customers. And for professional-type products, buyers are more likely to pay extra for that good service.
From TFA: Code Search is "another tool that makes it a tad easier for the attacker,"
Like gcc and perl. Gee, those pesky tools. What do you know, personal computers are another tool that makes it a tad easier for the attacker too.
Obviously developers concerned with security should take note of any new and current tools available, but to create a tone like Google is providing a date rape drug for crackers is just raw fud propaganda.
i\hbar\dot{\psi}=\hat{H}\psi
First off, comparing the costs of hiring a programmer to make software to be used by one person with commercial software that is used by millions is silly. Commercial software costs millions of dollars to write, and they sell it for a 100 dollars per person to millions of customers. Custom software costs thousands of dollars to write, and the developers charge thousands of dollars to their 1 customer.
Secondly, there is a common misconception that open source software is supposed to be directly modified by end users, and this is why it is so 'wonderful'. Open source software is beneficial because it allows many smaller developers to work together to produce a quality of software they couldn't possibly produce on their own. The end users benefit indirectly from OSS, not directly.
If you like Firefox, Google, using the Internet (most web servers and such are OSS), OS X, and even Windows (which uses OSS code, such as the TCP/IP stack, from FreeBSD), then thank OSS. All end users should do is use the best software for the best price for their particular needs. Let the developers worry about things like OSS. This way, whether OSS or commercial, the best bubbles to the top; which is as it should be.
http://tickletux.wordpress.com/2006/10/07/google-code-search-a-vulnerability-hunters-dream/
Powerful tools can be used for good or ill!
Take a second look at those knives, fellas! Monitor the internet! Be aware before pushing on that gas pedal! Think twice with that plutonium, kid!
Yes, BB guns are fun--but you'll shoot your eye out if you're not careful!
!!!!!!
Tenemus pyrobolos atqui jacimus cognitiones.
About customer relations: I have heard it said that your most important customers are your current ones, so keep 'em happy, because they've already overcome the first hurdle between their money and your pocket: they decided to choose your product [or service] instead of another.
If you keep them happy, they are more likely to be repeat customers than to shop elsewhere, I'm told, because shopping is, itself, a cost to them [time, effort, risk...]. They'd rather stick with you if you're keeping them happy. Plus, of course, your product is satisfying them, so that's the main reason they'd stick around, right?
Of course this depends a bit on the product... Music sellers know that music fans are fickle, and some businesses thrive on variety of choice [clothing?*], but software and computer gear vendors probably benefit more from maintaining current customers than marketing to find new ones to replace them.
In the context of your company, then, this advice suggests that you should keep them happy and make the changes they want, if it seems cost effective, taking into account the potential cost of replacing that customer.
In other words, it's not just the chance of referrals that make customers worth keeping. Even users whose needs are met can be pretty bitchy about software -- we can all relate to being angry at our tools -- so referrals might not be the best reason to value your current clients.
But since they are more likely to buy again from you, and since you don't have to spend marketing dollars to get them to make that first purchase decision, they are valuable for those reasons.
*I use the question mark because, as a computer geek and gearhead, I don't really know or care much about clothes.
Have you ever participated in any of these FOSS programs that you found lacking? Have you ever joined the mailing list? Ever just asked for a feature or explained a bug? The first time I did and it was implemented, I was surprised; the second time (Different project), I was gratified; the third time (Different project again), it cemented in my mind why I will always stick with FOSS projects, even those that aren't nearly as polished as their Shareware or Closed counterparts.
I am a programmer and a system administrator, and I could have eventually fixed it on my own, after digging through someone else's style of coding in a language I may or may not be familiar with. However all I had to do was ask and participate a little in the project and now those features exist and those bugs are fixed. I'm not batting a thousand in asking for features or bug-fixing by mailing list, but it's still better luck than I've had with any sort of closed-code program.
... And so it comes to this.
http://www.corecodec.com/index.php?option=com_smf&Itemid=29&topic=3204.msg18973;topicseen#msg18973
is a hacked site. only goes to show, if you mess with gpl, you get gpl. they use gpl code in the comm. products.
It's designed to be of use to hackers! It's the crackers I would be worried about!
When I first saw the link about google code, I was in the process of attempting to find software that used a certain function that is vulnerable in a popular scripting language. This was remarkably difficult using just 'regular' google, even though it really shouldn't have been. However, then google code came out and poof I used it to look for code using the vulnerable function, and I found a lot.
Hmmm. So what's your social security number?
BTW no one's mentioned that this can be used to find GPL violators.
Grandparent: i plug in a USB stick nothing happens,
Parent: Unbelievably not true. Not only does Linux itself handle USB drives seamlessly, but most distros automount it, and KDE automagically recognizes it and asks you what you want to do with it.
I just wanted to chime in that parent is correct. Recently a friend's laptop's main hard drive started to fail, so they put a new drive into it, but bought a USB enclosure for their original hard drive so they could get the data off of it. Interestingly, it refused all attempts to make it work correctly under WinXP (it kept complaining about some error and froze the OS), but it worked beautifully from a LiveCD of Kubuntu.
BeaEss
The first thing you are supposed to learn Net wise is if you don't want it cracked, stolen, or downright abused... Don't put it on the Internet in the first place.
It'd probably have a lot of false positives with all the "I'll probably get modded down for this but..." and "I for one welcome our ... overlords".
Actually... false positives? false?
NEWSFLASH: Maps can be used for evil
It has been reported that a recent new invention of google corp. by the name of 'maps' can be used for evil purposes.
These new 'maps' show information about a given area so terrorists can find new targets to bomb.
George Bush is putting a bill through very soon to ban this evil invention.
*YAWN*
NEWSFLASH: Knives can be used to kill people.
It's all a double-edged sword whatever you do I guess.
Hear, hear. You have probably stumbled across one of the true secrets of computer programming.
It is hard work.
Lots of people don't get that at all. Lots of management types assume that because person A wrote this code in a week that person B should be able to fix it in a week. Not true at all.
Sometimes it takes person B a week (or a month) to figure out what in the heck person A was doing. Open source is not immune to this. Hiring someone that was not involved in the original development of some random open-source project of moderate complexity can be an exercise in training the person in the coding style and knowledge of the original developer. Having the source is not understanding the source, or even being able to fix problems in it. As a general rule, if you don't know what you are doing trying to "fix" something is far more likely to cause problems than it is to actually fix the original problem.
Thank you, Google Desktop users, for giving google the contents of your hard drives, to make it easier to search through your code for hacks!
Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.
Yes, and they are good implications. If a company lets proprietary, bug-infested source code leak onto the web, then they should have to deal with the consequences.
I'm not sure if she has contacted the author or not. I think she was going to, but now that I think about it, she might've forgotten (we're incredibly busy, and there are much bigger issues we tackle every day).
I think I'll shoot them an email when I get back to work Tuesday; it can't hurt to try. It's a small company, so they may be very responsive.
I like to relate open source software to the car industry. If a new car company was established that sold its car for a few thousand dollars less than everyone else, but the catch was the hood was locked shut and the only people with the key to it were the dealership themselves. Thus forcing ALL maintenance and repairs to be carried out by the original dealer at a premium. Do you think this company would survive? Would YOU buy a car from them?
Most people would say, HELL NO! Even though MOST people don't have a clue about car maintenance. Most people will never even change their own oil, but still they have the common sense not to purchase a car knowing they are going to get bent over the barrel for repair costs.
I believe open source is similar. Sure, most people aren't programmers, most have no clue what it takes to develop a piece of software. But MOST people have used a piece of software in the past that had a bug, or that lacked a certain feature they really need. If they had access to the source code at least they could ATTEMPT to get the bug fixed, or feature added. Just like they attempt to take their car to the local garage to get the oil changed and the weird engine sound fixed. It doesn't always work out that way, but at least they have the option. Not every garage you take your car to is going to do quality work, just like not every programmer you hire is going to get the job you request done. The bottom line though is you at least have OPTIONS.
Regarding your statement about open source programmers being more "nimble" and the community being able to implement bug fixes/features faster than commercial companies. You need to keep in mind that open source programmers and the community itself aren't paid. Just because some John Doe requests a feature that might suit him doesn't mean the programmer is going to call in sick to his day job to implement it for you. Try donating to the project FIRST, then requesting something back second and you might get better results. Your donation doesn't have to be money either, donate documentation, donate testing and feedback, donate any service you may have to offer and after that I bet any requests you have will be less likely to fall on deaf ears. The community is what drives open source, so become part of that community and everyone wins.
Open Source Time and Attendance, Job Costing a
Oh, and you forgot 'TODO', and possibly "Don't look at this, it will make you go blind"
"It doesn't cost enough, and it makes too much sense."
You make some very good points -- keeping your existing customers is an important goal in and of itself. And that's actually what my job is where I work: I work directly with our customers to provide technical guidance and programming support when they encounter a situation that doesn't work with our standard features / options. Basically, my job is all about keeping our existing customers happy, both to keep them and to provide good referrals & recommendations for our products to other potential customers.
:-)
Thankfully I'm not directly involved in sales / marketing -- just not my gig
Google's search changes little but the speed with which one searches. The same criticism could be leveled at a new, more efficient Library index. Yes, "bad" people can find things easier... but so can the much, much larger body of "good" people. Nothing is changed but speed of access. The ratios remain the same.
No, actually, most operating systems have less than 1% market share. Amiga, BeOS, NextStep, Minix, HURD, FreeDOS, Windows 3.1, etc. etc. etc....
The only difference between Google Code Search and normal Google search is that you can search for special characters that one normally cannot in Google standard search. But thousands of people have already used Google for searching code by just trying to limit their search by using words like "int long public" etc., so nothing is new here, except that we now can search using e.g. PHP $variables, whereas the $-sign is ignored unless you use Google Code Search.
Wifi support is brilliant actually.
Every wifi card (PCMCIA and USB) I've gotten my hands on works fine.
I know there are a couple which don't work but they aren't the rule.
D-Link actually tells you what driver to use for each of their products.
I can see you've never wrestled with a Palm Lifedrive in drive mode (allows you to use it like a flash stick) on Windows.
Works fine on Linux. Who would have guessed.
You're not using a standard *Desktop* distro. Before you make a fool of yourself go download Knoppix or something.
"When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too."
There are several small facts that seem to be lost in these discussions.
One. Not every company/customer relationship is a hostile one, even though Slashdot regularly casts them as such. "Oh she could leave you, and take the kids. Don't trust her."
Two. Not every business model is the same.
Two-'A'. Some companies release source code to paying customers. Not to share with the world, but to give the customer more flexibility.
Two-'B'. In turn the companies in their self-interest release some of their changes back, as well as give advice.
Three. Commercial companies usually do those jobs that don't scratch some individual's fickle "itch".
Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks.
Unfortunately not all closed source vendors are as helpful to their customers as your company. I once dealt with a problem in a closed-source accounting package, which could not handle a fairly simple way of grouping items together to be sold (selling a specified set of items as a "kit" at a reduced price). I contacted the firm that developed the software and asked them if they were planning on adding this feature - no. Would they consider adding it for us for a fee - no. "Not for any amount of money?" I asked. "No." That was the end of the conversation.
Ford is bragging how they boosted the EPA gas mileage of the Ford Focus by 10 percent (actually the highway rating of the manual transmission model -- the mileage improvement on other models and for the city rating was less) by updating the software in the ECM. Not only does the 2007 Focus have this improvement, but they are flashing the memories of 2006 models to get the same effect.
Now try making mods to your ECM for any purpose -- to boost gas mileage, to tweak performance. There are people who do this (mainly for performance), but it probably involves some hacking and reverse engineering.
One: Huh? I used the phrase "potential problems", not "always going to beat you over the head problems."
Two: Actually, see above. Same answer.
The issue we encountered is the type of problem that CAN arise without source code. The manufacturer may be willing to fix it. But if they aren't (or can't, if they're out of business or something), the source code would allow us to get the code fixed. Without source, we're entirely dependent upon the company fixing this problem for us; if they choose not to, then the software isn't going to help us as much as we'd hoped.
Three: Yes, they do. Unfortunately, the software, as it currently stands, isn't scratching the itch we paid for it to scratch. I ended up writing code in SAS that would do a similar job, but it doesn't have the features and flexibility of this package (it could, but I don't have the time to write it).
I'm not anti-commercial software. I'm not anti-companies making money. I'm just pointing out that the potential problems of closed-source software are becoming more apparent to the general public - and in the end, that can only be a good thing, even if it just forces the closed-source companies to improve their product.
..seems to work as well
"People need to stop blaming those that provide tools and research for their finding or their ability to find bugs and errors. It's not their fault. If you screw up and someone finds it, it's not their fault, it's yours. Take responsibility and deal with the consequences."
I agree. Let's not blame DRM and trusted computing and the people who create them. Let's blame those who pirate on one side, and those who engage in self-defense on the other. Now let's see how far we get with THAT. Too far to the left? How about PC for this forum? Let's blame those satan loving, freedom crushing, demons amongst men, "middlemen" companies disturbing the peaceful, sun-shining, halo-glowing, flute-blowing, "customers" just trying to live a "can't we all just get along now give me a hug" life?
One solution is to have a divide between "applications programs" and "systems programs". Back in the day applications were written in Fortran while system programs were all in assembler -- today the application program could be in Matlab or any of a number of things while the systems program is most likely in C or perhaps C++. That way the scientist/engineer/accountant could get into the programming just deeply enough to solve problems in a particular domain, but the low-level high-performance library modules would be written in C and walled off.
Again, enabling the writing of applications programs through some application-specific language -- Matlab, PHP, Visual Basic -- often gets programmer types all agitated because it enables non-programmers to write programs badly. On the other hand, anything but the most non-trivial use of a software package is a kind of programming, and there is a trend to make such tools more Turing complete.
Back in the day, if you wanted a chart of some data for a publication manuscript, you wrote a Fortran program and called the Plot10 library to drive a pen plotter. Later on, you had the numbers in a text file, and you used a plot package to generate the figure. These days a lot of people are using the plot library and figure window UI in Matlab to generate figures and save them in EPS files. While a plot package may seem to not involve programming, it can sometimes take a lot of banging one's head against the wall to get a plot package to generate the figure the way you want, while it may be more direct to write a Matlab script.
I think for a while there was a kind of view in the Unix community -- not the same as the Open Source community, but a lot of overlap -- that you had C and you had Shell, one compiled and the other interpreted with a command executive, and between the two you had everything you needed. Since systems were programmed in a high-level language (i.e. C), you didn't need to have a separate applications program language -- applications programming was a matter of having the right libraries. I think that with Perl, Python, Ruby and others -- the scripting languages -- there is a reemergence of the concept of an application programming language and the recognition that C may not be the one tool for every job.
I also see that with scripting languages we may see a return to the Fortran/Plot10 model instead of the plot package model -- you have the power and flexibility of a more Turing-complete programming language to specify what you want rather than relying on a particular software package having the features you need. I am starting to see Open Source Python-based packages coming out the national laboratories to do a lot of what Matlab does.
Thanks for the info
Yes, it can be dangerous, in the sense that it may help us to find flaws in Open Source software, as the common Google Search does or even "grep".
But, anyway, the tool can be used in order to spend a good short while.
A: Because it breaks the flow of a message.
Q: Why is top posting annoying?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The problem is that you're at the mercy of the vendor. Some are very good. Some don't care. Some may care, but for whatever reason (layoffs, turnover, old code, 3rd-party binary libraries) can't fix your problem.
I've had at least one case where I was able to strace a vendor library, figure out the problem, send them a detailed description of the problem and solution--it was an obvious problem in the arguments to bind(2), which basically narrowed it down to 1 line of code for them and they _should_ have been able to fix it in seconds with that info.
It was like dealing with a black hole. Luckily it was a simple enough problem that an LD_PRELOAD hack could work around it, but when the vendor won't help you can be royally screwed.
So the lesson is to pick your vendors carefully, and always have an exit strategy if things change (they get bought out, discontinue the product line, etc). At least make sure you have a way to get at your data to move to a new system if necessary.
rage, rage against the dying of the light
Analogies don't equal equalities, they are merely somewhat analogous.
What distro? What USB wifi adapter? Because after a long battle trying to get a Linux box to network wirelessly with no success, I went back to Windows. In the end, the wireless connectivity was more important than the OS....since my wife won't let me string CAT 5 cable at will:-)
And just because it's closed source, the developers will never fix any bugs in it? Ever?
That's just silly.
I use Gentoo personally.
:)
I use two usb wireless adaptors extensively. Both are 802.11b.
D-Link DWL-120 (linux-wlan-ng driver)
Some cheap Belkin adaptor (at76c503 driver)
When I bought them I wasn't expecting to use them on Linux either.
Two random adaptors and they work nicely.
I've come to believe that open source works if you're a programmer, but for the rest of the world the promises fall flat.
You haven't looked very far. Open source is used in millions of products.
I can't read code - it means absolutely nothing to me.
So what? It's the whole market that matters, not just you.
So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me.
It applies to anybody in a functioning free market who wants third parties to verify something that is core to their work. "Trust me" from a vendor is not good enough, as I have found to my regret many times.
Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which.
So what? There are millions of third parties who can.
All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.
Irrelevant. It's third parties doing it for you.
So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.
Nonsense. People pay for software modification all the time. And when you paid for a closed source package you benefited only yourself, not potentially millions of others.
Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.
Depends on the developer. Just like closed source. In my experience closed source vendors are far worse because there's little profit in fixing problems. Brush offs are far cheaper.
As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
You haven't looked very far. You also have a very blinkered viewpoint. Sometimes it's sensible to accept short term sacrifices (higher cost to get what you want) for long term gain (more control over your destiny and a functioning free market).
Also, you claim to be a scientist. If your work is not open, and cannot be reproduced without dependence on hidden closed source tools that may have bugs that your results depend upon, then you are a poor scientist.
---
Astroturfing "marketers" are liars, fraudulently misrepresenting company propaganda as objective third party opinion.
Hunting rifle used to kill man. Details at 7.
4: some companies go out of business. not many of them contact all their customers and say "by the way, so that you aren't stuck with our dead code, here is the source". i know of lots of people that rely on old unsupported programs, and the data is in a format they can't convert to any modern equivalent.
> Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if it's really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)
Yes. I had just this sort of problem with a vendor-hosted application my employer used (I'll call it VOMIT here as that's what spellcheck changes its name to).
I saw that VOMIT's login page was vulnerable to SQL injection. We immediately contacted the company (someone important enough to resolve the problem) and let them know exactly how to fix their application. Their response was that VOMIT had been reviewed by security 'experts' and that VOMIT has [several paragraphs of technobabble] that prevents such attacks.
We then made a screen shot of the 'admin' page which was accessible using the exploit. After some scrabbling and backpedalling, they then 'fixed' the problem. Their 'fix' consisted of a couple lines of javascript to give an error message if quotes were put in one of the login input fields. I then disabled javascript in my browser, and made another screen shot of the same problem. They then (finally) made the changes we had originally suggested.
So instead of a five minute fix (to correct an obvious problem that should never have been allowed to begin with), we ended up with numerous meetings with our security people, their VP, and God knows who else. All too many vendors seem too willing to engage in obfuscation and denial, even when the solution is handed to them on a silver platter.
Ken ') or 2=2 --
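The login-page injection described in the post above, as an added example that is not the vendor's code (the post does not show it): a query assembled by string concatenation, the browser-side quote filter that a client with JavaScript disabled simply skips, and the parameterised query that actually closes the hole. The table, user names and passwords are constructed for this example; the payload is the one in the post's signature, and the parenthesised WHERE clause is an assumption chosen so that its leading ') does what the signature implies.

```python
import sqlite3

# Constructed sample data for this example; the post does not show the
# vendor's schema. The admin row comes first so that an injected
# "always true" WHERE clause returns it.
SAMPLE_USERS = [
    ("admin", "hunter2", 1),
    ("alice", "s3cret", 0),
]

# The payload from the post's signature. The leading ') closes the string
# literal and the parenthesised condition, "or 2=2" makes the WHERE clause
# true for every row, and "--" comments out the rest of the statement.
PAYLOAD = "') or 2=2 --"


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Login as the post describes it: user input spliced into the SQL text.

    Returns the matched user name, or None. With PAYLOAD as the name the
    statement actually sent to the database is
        SELECT name FROM users WHERE (name = '') or 2=2 --' AND password = '...')
    which matches every row regardless of the password supplied.
    """
    sql = ("SELECT name FROM users WHERE (name = '%s' AND password = '%s')"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def browser_side_check(name, password):
    """The vendor's first 'fix': reject quotes in the login form.

    This logic runs in the browser. A client with JavaScript disabled,
    curl, or an intercepting proxy never executes it, so the server still
    receives the raw payload and runs login_vulnerable on it.
    """
    return "'" not in name and "'" not in password


def login_parameterized(conn, name, password):
    """The fix the post's author suggested: a parameterised query.

    The SQL text and the values travel separately, so quote characters in
    the input are data rather than syntax, and PAYLOAD matches no user.
    """
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the three variants against PAYLOAD and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        "browser_check_rejects_payload": not browser_side_check(PAYLOAD, "anything"),
        # Same server-side code path once the browser check is skipped:
        "vulnerable_after_bypassing_browser_check": login_vulnerable(conn, PAYLOAD, "anything"),
        "parameterized_with_payload": login_parameterized(conn, PAYLOAD, "anything"),
        "parameterized_valid_login": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the vulnerable login returning `'admin'` for the payload, the browser check rejecting it (which changes nothing server-side), and the parameterised login returning `None` for the payload while still accepting the real credentials. Input filtering in the client is a usability nicety at best; the only place the check counts is where the query is built.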
Customer satisfaction is a big part of being a software vendor
I, and hundreds of others, have contacted ATI about their software, drivers, not working properly on Linux. The OSS drivers march quickly towards fixing the problem with no information from ATI. However, ATI is slow and seemingly uninterested in fixing the problems we tell them about.
Having to work for a living is the root of all evil.
GNOME has the autoplay-type functionality these days as well, the CD burning stuff in the filemanager, etc etc.
I'll have to take a look at KDE again soon just so I can retch at the stupid configuration dialogs... but I understand both major environments have come a long way.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Only developers who cannot figure out how to use the normal windows install process for drivers have to resort to stupid yellow stickers.
It is possible to make Windows install your driver to any hardware without a driver which supports it once the driver is installed. Some drivers I have installed have done this for me automatically.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Analogies don't equal equalities, they are merely somewhat analogous.
Thanks...maybe if I get some down time I'll try Gentoo....I've already been through SuSe and Mandrake (just before it became Mandriva). Having used Unix at work over the years, felt I was well prepared for the home Linux experience. I wasn't:-)
Well, let me give the long form. You buy hardware. Windows has no driver. You connect hardware. Windows tells you to go fuck yourself. You put in the CD. You install the driver. Now, one of two things happens. Either you have to disconnect/reconnect the device or otherwise kickstart the driver install (perhaps doing it manually from device mangler.) Or, if the people who wrote/packaged the driver are one bit clueful, the driver install is kicked off for you automatically, without having to do anything else.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Your later post says that this is true in Gentoo.
I realize that WiFi *drivers* exist and work well for Linux (not to mention the lovely ndiswrapper for unsupported cards). What I'm saying is that a very few distros handle WiFi in a nice, easy, card-agnostic plug-and-play GUI-spanking manner - which is what I mean by 'support'.
IE: Power users don't need support, they just need to know that it Can Be Done and access to Google. Normal users need the base system to handle it for them, and if it doesn't, they spread rumors about the immaturity of the OS.
It's unfortunate that more of us aren't power users, but that's the way it crumbles.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
If you want to learn about Linux then Gentoo is the way to go even if you don't use it. Just install it and you'll learn an awful lot. Don't use the pussy GUI. Keep in mind that the at76c503 driver is in the kernel and every distro will have the linux-wlan-ng package. It just varies from distro to distro how you get it working.
Linux is at the tipping point atm. You'll find it difficult to find hardware which won't work.
Linux just needs it to work easily.
Once we have it working smoothly then MS is in a *lot* of trouble.
So if I buy a device for GNU/Linux I have to look up on the web if it will work, but if I buy one for Windows it's as simple as making sure that the people who made the driver knew what they did?
Analogies don't equal equalities, they are merely somewhat analogous.
You can read code. You don't want to learn how. That's fine, but don't play the martyr card.
It will almost always be more expensive to hire someone to build you something than it would be to buy something already built. The prepackaged solution has already been paid for, and the developer is hoping that enough people will want to buy in to make them a profit. This is a good model for problems multiple people have. It doesn't work very well for individual issues.
A contractor doesn't care about how many people need a solution, only whether they're willing to pay for it or not. If you hang out lowball offers, most contractors will simply ignore you. You might get a few bites from hungry, desperate contractors, but they're probably desperate for a reason.
This is why I believe that hosted applications - software as a service - is the logical, commercial answer to OSS intrusion.
You don't want to hire a software firm, you don't want to have the source, particularly. You want/need feature NNN. And that's where hosted software shines. It all comes down to motivation.
If you BUY software, there's little incentive for the developers to fix bugs in it - there's no money in it. But a hosted application has a very different dynamic - if they fix the bugs that are troubling you, you'll continue using their software. It shifts power back towards the consumer, in a way that doesn't leave the consumer in charge of the codebase!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
... "all your base"
I plug a USB mass storage device into a friend's WinBox. It doesn't "just work"
Let me guess: Media Center?
"Well kids, you tried your best, and you failed. The lesson is, never try."