Slashdot Mirror


Firefox Security Head Says Microsoft Obscures OS Holes

theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"

214 comments

  1. Well Duh! by suso · · Score: 4, Insightful

    I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

    1. Re:Well Duh! by j.sanchez1 · · Score: 4, Insightful

      I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      --
      Speedy thing goes in; speedy thing comes out.
    2. Re:Well Duh! by suso · · Score: 4, Insightful

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      No I don't. I think that's a major flaw with publicly traded companies and is one reason why I never want my own company to go public.

      This is also one great thing about OSS, it doesn't have to appease to money for the most part. The other half for open source is probably reputation, but it's the status quo to release vulnerabilities so it's not as big of a deal.

    3. Re:Well Duh! by rolfc · · Score: 3, Insightful

      Of course they are. The idea of the company is to make money, not to make happy customers.

    4. Re:Well Duh! by rudy_wayne · · Score: 3, Insightful

      "The idea of the company is to make money, not to make happy customers."

      Too many people forget that without customers, there is no money and there is no company.

    5. Re:Well Duh! by j.sanchez1 · · Score: 1

      Of course they are. The idea of the company is to make money, not to make happy customers.

      Don't you think that more happy customers would mean more money to Microsoft's bottom line?

      --
      Speedy thing goes in; speedy thing comes out.
    6. Re:Well Duh! by suso · · Score: 1

      Don't you think that more happy customers would mean more money to Microsoft's bottom line?

      I think you'd have a hard time convincing a company that has $40 billion in cash of that principle. Discount the Zune? Heck, they could just give away the Zune to everyone in America and still have cash left.

    7. Re:Well Duh! by j.sanchez1 · · Score: 1

      Discount the Zune? Heck, they could just give away the Zune to everyone in America and still have cash left.

      I don't know if I'd expect them to go that far, but maybe they should think about their (existing) paying customers when dealing with bugs, firmware, licensing, pricing, etc...

      --
      Speedy thing goes in; speedy thing comes out.
    8. Re:Well Duh! by Anonymous Coward · · Score: 0

      Not a very long view to take on customers, but then Microsoft has billions to throw away don't they?

      Angry_Larry911@hotmail.com

    9. Re:Well Duh! by rolfc · · Score: 5, Insightful

      That is not correct for monopolists, scammers and others. Happy customers is one way to make money, but it is not the only one, and certainly not the most lucrative.

    10. Re:Well Duh! by Anonymous Coward · · Score: 2, Insightful

      Don't you think that more happy customers would mean more money to Microsoft's bottom line?

      No, as long as unhappy customers keep paying, because either: 1. They believe the alternatives are too hard to learn, or 2. Their games only run on Windows, having more happy customers won't change a thing.

      It's not like happy customers pay more for Vista than unhappy customers.

    11. Re:Well Duh! by ePhil_One · · Score: 5, Insightful
      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched? It's already believed the unsavory element reverse engineers MS patches looking for ways to exploit vulnerable unpatched systems, how does MS flagging a patch as "fixes unreleased security vulnerability X" help anyone, including linux users? By increasing the size of botnets?

      The problem isn't MS hiding its vulnerabilities, it's a fundamentally flawed analysis. No proprietary software company airs its dirty laundry the way open source does, there's no benefit to it. The comparison was apples and oranges.

      --
      You are in a maze of twisted little posts, all alike.
    12. Re:Well Duh! by damaki · · Score: 1

      Reality does not matter as long as customers feel secure.

      --
      Stupidity is the root of all evil.
    13. Re:Well Duh! by j.sanchez1 · · Score: 1

      And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched?

      Transparency in things like security would go a long way in bettering Microsoft's reputation. Techies give their opinion to Joe Sixpack when asked, and I bet most of the opinions about Microsoft's security is lacking. One can only imagine what they haven't disclosed when it comes to security vulnerabilities. Maybe that is the way it has to be with closed-source, but it makes you wonder.

      --
      Speedy thing goes in; speedy thing comes out.
    14. Re:Well Duh! by morgan_greywolf · · Score: 5, Insightful

      This is also one great thing about OSS, it doesn't have to appease to money for the most part.

      I'm sorry. Anyone looking at my post history, personal link, etc., will notice that I'm an open source author in particular and a big advocate of Free/Libre/Open Source Software in general. But this statement just doesn't make much sense.

      When companies invest money, features get added -- features that benefit the company investing the money. For example, there's Google's Summer of Code. And the money that Google invests in the Mozilla Foundation. What's the default search engine in Firefox? Oh, right, Google. What page does Firefox go to by default? A special Google/Firefox start page. What searches are in the default bookmarks? Google's.

      And then there's the fact the open source software authors sometimes work for companies that demand certain things get added...like Andrew Tridgell of Samba who works for IBM's storage division. There's lots of stuff in Samba for IBM's NAS solutions.

      Yes, open source authors definitely listen to their users...but they also know which side of their bread gets buttered.
    15. Re:Well Duh! by Anonymous Coward · · Score: 1, Insightful

      Even monopolists such as Microsoft will one day have to answer to their customers. Only scammers dodge this: there will always be stupid people.

    16. Re:Well Duh! by cheater512 · · Score: 2, Insightful

      The point of TFA was that these hidden security flaws are only released to the public in service packs in big but rare packages.

    17. Re:Well Duh! by hpavc · · Score: 1

      Works for safety flaws in other industries ... "5 star safety rating" "top in its class for safety".

      --
      members are seeing something, your seeing an ad
    18. Re:Well Duh! by Anonymous Coward · · Score: 0

      The problem isn't MS hiding its vulnerabilities, it's a fundamentally flawed analysis. No proprietary software company airs its dirty laundry the way open source does, there's no benefit to it.

      I can see four immediate problems with that:


      #1 unknown bugs that blackhats are exploiting. The script kiddies are far less dangerous than targeted attacks - and attack vectors of targeted attacks go unnoticed far longer than script kiddie activities. So Microsoft is helping black hats by not disclosing the true nature of their software updates.


      #2 by not disclosing the vulnerabilities a customer might skip a critical update that was flagged by Microsoft as non-critical. This may result in financial loss (or worse) for that customer.


      #3 by hiding their dirty laundry, MS is playing Russian roulette with their customer's security infrastructure - for their own profit and enrichment. They disclose the true risks so that customers can adapt accordingly.


      #4 they are also hurting future/new customers by lying about their security track record, and hence engaging in deceptive advertising. If a customer selects a Microsoft product based on the disclosed statistics and gets intruded due to the vastly inferior objective security that Microsoft products have, MS has inflicted real financial damage without owning up to it.


      So this practice is harmful all around - it's good that an (ex-)insider has finally aired this dirty little secret of Microsoft.


      If this practice continues then we the people might have to legislate laws that force commercial companies to let security agencies audit their source code for bugs that pose a risk to the public (and audit changes to that code as well) - just like security agencies are actively monitoring other critical pieces of our infrastructure. The war on terror must not stop at the gates of Microsoft, due to petty commercial interests.

    19. Re:Well Duh! by Calinous · · Score: 3, Insightful

      As AT&T answered to their customers? Or take any other monopolist, and see how they one day answered to their customers.

      Monopolies answer only to the government, and in these times the US government doesn't seem to want answers from Microsoft.

    20. Re:Well Duh! by ConceptJunkie · · Score: 1

      Even monopolists such as microsoft will one day have to answer to their customers.

      And how many billions of dollars will be swindled, how many thousands of companies will be destroyed, how many millions of customers will be abused, before this happens? Does the average person still have any idea that there is an alternative to Microsoft? I doubt it.

      The definition of "monopoly" is that your position in the market is that you can pretty much call all the shots, regardless of what customers or competitors, (or the government in Microsoft's case), tries to do. Is the whole world going to stop using computers, or suddenly switch to Linux or OSX? We wish. Certainly the latter option is happening, but it could easily be a decade or more before there is significant erosion to Microsoft's supremacy, and how much damage can they do in the meantime?
      How much deceptive marketing? How much bullying and strongarming of OEMs? How much flat-out buying of Congress (who should simply print a price list on the doors of the capitol building and stop pretending they aren't for sale)? When you can throw 11 figures into something, you are going to go a long, long way regardless of anything else. Who's going to stop that? Linus? RMS? Hardly.

      I'm not trying to bash OSS and its advocates. I am a huge supporter of OSS and use it whenever possible. The Evil Empire is showing serious cracks, but it is hardly crumbling, and it has many, many tools with which to fight back, of which technology is probably not even in the Top 5. The fight is worth it, and battles are being won, but like the "War on Terror" it is going to be a long, slow battle with no end in sight... yet.

      In a sense, the battle of OSS against Microsoft is a mirror of the battle of individual freedoms against the tyranny of domination for "the public good" that is going on in the U.S. and elsewhere. Right now, the good guys are losing, IMO. But they are not down and far from out.

      --
      You are in a maze of twisty little passages, all alike.
    21. Re:Well Duh! by Anonymous Coward · · Score: 0

      The moment you add government regulation to anything, you create lobbyists and other agents of "influence". It's a very bad idea. The only solution is a truly free market economy without the FED and other allied stupidity.

    22. Re:Well Duh! by Anonymous Coward · · Score: 0

      You could replace Microsoft in the above paragraph with any major corporate. They are simply doing what they can to maximize revenue and market share. Gee, I thought those things were good for a company. I don't get how becoming a monopoly is bad? Isn't that what *every* freaking company wants to do? Doesn't Linux want to be the #1 Desktop OS, doesn't Mozilla/Firefox want 100% market share?

      If you're talking about the slimy stuff that businesses do then it's got nothing to do with being a monopoly. Given sufficient motivation and opportunity a lot of public businesses would jump at the opportunity to undercut the competition, strong arm suppliers, etc. If you think every business should "play nice/fair" then you're on the wrong planet. Your way of thinking is with the minority in Corporate America.

    23. Re:Well Duh! by BVis · · Score: 3, Interesting

      The problem is that Joe Sixpack doesn't understand the problem and/or doesn't care. In theory we've paid Microsoft for an OS that *should* have security as a core competency. Microsoft claims to provide a safe, secure OS, such that Joe Sixpack shouldn't have to worry about security holes. At the very least they're guilty of leaving open security holes that they KNOW about and COULD fix in a security patch, but deliberately don't in order to make their product look better (since the number of security patches put out on Patch Tuesday is something Joe Sixpack can understand, being that more patches = less secure is the only understanding needed.)

      There's no excuse for delaying a security patch, even a couple weeks. They have the ability to patch vulnerabilities in a timely fashion, and are deliberately not doing so.

      This should end up being a class action. Normally I'm not crazy about lawsuits, but there are far too many people and enterprises affected by this issue, and a multi-billion dollar settlement will definitely get everyone's attention. When the stockholders end up making less money as a result of the one-time charge, they'll demand that MS do something to keep it from happening again. Money is all they care about, and they'll scream bloody murder.

      Hmm, maybe the stockholders (read: the fund managers) should sue. There's certainly precedent for them to do so.

      --
      Never underestimate the power of stupid people in large groups.
    24. Re:Well Duh! by CastrTroy · · Score: 1

      What's the difference between Microsoft and a scammer? They keep on spouting lies, and the majority of people keep on falling for them.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    25. Re:Well Duh! by GodfatherofSoul · · Score: 1

      The grandparent is absolutely correct. And, too many people follow the non sequitur that companies can only make money by satisfying their customers. Collusion, monopolies, FUD, vendor lock-in; some examples of ways that companies make money while delivering an inferior product. Also, IMO why the whole Libertarian "free market" argument is hogwash.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    26. Re:Well Duh! by Anonymous Coward · · Score: 0

      Their existing customers already gave them/are giving them money, why should they work to keep them when most don't see a reason to change?

    27. Re:Well Duh! by drew · · Score: 1

      I doubt Microsoft, or many other publicly traded companies, really care more about their shareholders than their paying customers, seeing as the shareholder value is almost always directly related to the number of paying customers, and how much they pay. Doing anything that decreases either of the latter is sure to decrease the former as well.

      In this case, the stock doesn't go down just because they had too many security holes, the stock goes down because too many security holes make their products harder to sell.

      --
      If I don't put anything here, will anyone recognize me anymore?
    28. Re:Well Duh! by jmac1492 · · Score: 1

      Works for safety flaws in other industries ... "5 star safety rating" "top in its class for safety".
      The Auto industry can do that because by law, all cars have to be put through a standardized set of crash tests. The car with the highest scores in its class can say that in its ads because "this car is safer than all others" was tested. Firefox and IE don't get put through the same set of tests by the same people, so looking at tests boils down to finding out who paid for the tests, and finding out whether you trust that company. Since you wouldn't use the browser if you didn't like the company in the first place, the test is useless. By contrast, all auto manufacturers pay the same amount to the same group to have their cars tested, so you're not taking the auto manufacturers at their word, you're trusting the laboratory.
      --
      Jenny's got a new number! 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    29. Re:Well Duh! by d'fim · · Score: 1

      ". . . for the most part." -vs- "But this statement just doesn't make much sense."

      Your rebuttal agrees with your opponent's point.

      Weasel words: they're not just for breakfast any more.

      --
      Adherence to the truth is a form of disloyalty.
    30. Re:Well Duh! by mpe · · Score: 1

      The idea of the company is to make money, not to make happy customers.

      Without customers there is no way a company is going to make any money. Happy customers tends to mean more money, through repeat business and positive word of mouth; unhappy customers tends to mean less money, due to negative word of mouth. Of course this only works when there is actual competition...

    31. Re:Well Duh! by Sancho · · Score: 1

      There are two reasons for delaying patches that, if they aren't "good", are at least debatably good.

      One is testing. You don't want to issue a patch that breaks critical functionality. Since we're talking about the OS, that means that you don't want to break anything. Who knows what people out there might be relying on?

      The other is business, Microsoft's core clientele. Businesses want to test patches with their installation, then deploy them, and they want to do it on a predictable schedule. Patch Tuesday works for businesses. Releasing patches to everyone else earlier would simply give the bad guys information to attack the businesses that aren't getting the patches until later.

      It's not black-and-white. Anyone who claims that it is probably just hates Microsoft and is looking for more fuel to drive that hatred.

    32. Re:Well Duh! by yo_tuco · · Score: 1

      "So do you agree with them in their belief that their stockholders are more important than their paying customers?"

      There is no belief to it. It is a legal requirement that a corporation must put the interest of its shareholders above all else. The question that should be asked is who is #2. The company or its customers?

    33. Re:Well Duh! by Sancho · · Score: 1

      In this case, the stock doesn't go down just because they had too many security holes, the stock goes down because too many security holes make their products harder to sell.

      Except that in this case, they don't, because Microsoft is a monopoly.
    34. Re:Well Duh! by Vexorian · · Score: 1

      Their customers would probably pay them regardless of what MS does, so they have no reason to care. Sometimes monopoly is the consumer's fault.

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    35. Re:Well Duh! by cHiphead · · Score: 0

      Ron Paul and the anonymous Libertarians strike again!

      A truly free market economy only lets a "country" which is run by "government" (be it of the people or not), flourish if those taking part in it pay all of their taxes. But taxes are contrary to a lib view of freedom. All of the arguments end up in one big clusterfuck, the only way you can have an free economy is to find the middle ground where regulation balances excess of greed based capitalist economics, as we currently have (in theory). Lobbyists are an issue because we allow corporations to exist in the first place, which is essentially a way to isolate the rich from their business practices.

      Cheers.

      --

      This is my sig. There are many like it, but this one is mine.
    36. Re:Well Duh! by Anonymous Coward · · Score: 0

      Shareholders have been more important than employees for years, why not customers also?

    37. Re:Well Duh! by Evil+Adrian · · Score: 1

      That is quite the assumption you are making. In fact, I would challenge you to back that statement up with some fact.

      --
      evil adrian
    38. Re:Well Duh! by MobileTatsu-NJG · · Score: 1

      "Does the average person still have any idea that there is an alternative to Microsoft? I doubt it."

      The average user hasn't heard of a Mac? Bullshit.

      "In a sense, the battle of OSS against Microsoft is a mirror of the battle of individual freedoms against the tyranny of domination for "the public good" that is going on the U.S. and elsewhere. Right now, the good guys are losing, IMO. But they are not down and far from out."

      If OSS really is 'losing' a battle against Microsoft, you might want to let them know they're actually fighting it.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    39. Re:Well Duh! by Anonymous Coward · · Score: 0

      Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.


      Ah yes, so that means they should disclose the security holes they've found today... so they can be exploited today. Um, yeah. Now we know why MS fired this guy: he has no brain, and no understanding of security concerns.

      There are millions of security holes in Mozilla which aren't disclosed publicly. Heck, the thing is still based on the horribly buggy Netscape code which caused users to run to IE in the first place.

      Netscape continues to live in a cycle. They deny there are any memory leaks, then they issue a patch which fixes some memory leaks. Then they deny there are security holes, then issue a patch fixing security holes. Rinse and repeat ad nauseam.
    40. Re:Well Duh! by Anonymous Coward · · Score: 0

      I don't think he was commenting on the delay of a few weeks so a security fix is released on Patch Tuesday. I think he's talking about delays of months or years until a security fix is released as part of a service pack.

    41. Re:Well Duh! by Sancho · · Score: 1
      Then s/he shouldn't have said:

      There's no excuse for delaying a security patch, even a couple weeks. They have the ability to patch vulnerabilities in a timely fashion, and are deliberately not doing so.
    42. Re:Well Duh! by Anonymous Coward · · Score: 0

      While I also like OSS, and use a lot of it, I don't expect it to ever take over the world to the extent that we don't need to try to fix the problems with publicly traded companies.

      More OSS and more honest and accountable publicly traded companies, both in the software and other industries would be ideal. The problem is - how do you legislate honesty? There need to be sufficient penalties for dishonesty (and willingness to actually enforce them) to avoid the race to the bottom it will create otherwise...I'm not sure what kind of regulations and penalties would work, but the free market currently certainly doesn't; while it prevents extremely egregious abuses, it's quite clear that PR and marketing are far from honest.

    43. Re:Well Duh! by Anonymous Coward · · Score: 0

      If they released too many security holes, their stock would go down. So they have to find a happy medium.

      Yes, because we all know the main revenue stream of Micro$oft is thru the high volume and high price of I.E. more than any other MS product, be it software or hardware.
      Too many flaws in I.E. would immediately be reflected in stock price.
      Hell, if they stop selling I.E. altogether or God forbid give it away for free, they would close shop within the next few days.

    44. Re:Well Duh! by pax01 · · Score: 1

      "not to make happy customers"
      "without customers, there is no money"

      That doesn't mean they have to be happy customers, just paying ones.

    45. Re:Well Duh! by innerweb · · Score: 1

      Absolutely correct.

      Thank you for pointing out the often overlooked/ignored fundamental reality of capitalism and any form of government regulation.

      InnerWeb

      --
      Freud might say that Intelligent Design is religion's ID.
    46. Re:Well Duh! by BlueStraggler · · Score: 1

      If *I* had 50 billion dollars in cash in the bank, I'm pretty sure I could make scads of money without a single customer.

      And given my experience running a business that depends on happy customers, if I could tell my customers to f*ck off, and yet still make unbelievable amounts of money off my $50bil in cash, I probably would.

    47. Re:Well Duh! by TheVelvetFlamebait · · Score: 1

      Duh. The stockholders are the owners. They get iron-fist rule over the company. We can only hope that the stockholders want what we want.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    48. Re:Well Duh! by Anonymous Coward · · Score: 0

      Ah yes, so that means they should disclose the security holes they've found today... so they can be exploited today. Um, yeah. Now we know why MS fired this guy: he has no brain, and no understanding of security concerns.

      Window Snyder is a woman. And although I don't know if she was fired or left on her own, I don't think you know either and are just saying shit. As for disclosing security holes, I ask if you're proud of your ability to, again, just start saying shit? Not very thoughtful, are you? Patches from Microsoft are reverse engineered and the exploits they attempt to patch are then exploited. The means of disallowing security flaws to be publicly known is to ignore them. In comparison to Microsoft's approach, Mozilla's approach disadvantages no one.

      There are millions of security holes in Mozilla which aren't disclosed publicly. Heck, the thing is still based on the horribly buggy Netscape code which caused users to run to IE in the first place.

      Again, you demonstrate your affinity to just fucking talk, with no regard to logic or facts to actually back you up. Millions of undisclosed security holes? Really? Where is this statistic from, and how can it even possibly be presented? If no one lived to tell the story, how is it told? Concerning your second statement about migration to Internet Explorer, the inferiority of Netscape is a separate thing to debate, which ultimately only results in the account for human opinion and preference anyway. Even still, you are wrong. The Netscape that was largely abandoned by users was not the Netscape Mozilla is based upon today.

      Netscape continues to live in a cycle. They deny there are any memory leaks, then they issue a patch which fixes some memory leaks.

      Unsurprisingly you are wrong again. No one denies there are memory leaks.

      Then they deny there are security holes, then issue a patch fixing security holes. Rinse and repeat ad nauseam.

      Unlike the "Mozilla denies they have memory leaks" cry, which is often heard (but still wrong), your argument here is not something I've encountered. Where the fuck is this coming from?

      Your post would probably be quite the sharp blow if there existed an entity that behaved in action and approach in the way the fiction that is your post bemoans it. However, since the majority of your bitching is unfuckingsubstantiated, a sharp blow it is not.

    49. Re:Well Duh! by PhxBlue · · Score: 1

      Yes, open source authors definitely listen to their users...but they also know which side of their bread gets buttered.

      ... which is inevitably the side that's predestined to fall face-down on the floor.

      --
      !#@%*)anks for hanging up the phone, dear.
    50. Re:Well Duh! by Allador · · Score: 1

      A truly free market economy only lets a "country" which is run by "government" (be it of the people or not), flourish if those taking part in it pay all of their taxes.

      Where in the heck do you get that?

      What do governments and taxes have to do with a free market?

      I think you're mixing several subjects there inappropriately.
    51. Re:Well Duh! by Allador · · Score: 1

      Give me a break. We're talking about voluntary purchasing of software products here.

      No one has to buy them. No one has to buy Microsoft versions of them.

      Free market or lack of monopolies doesn't mean that people make the choices YOU think are smart. It doesn't even mean they make good choices (however you define good).

      It just means other options are available.

      Right now, for the majority of consumers and businesses, the perceived pain of switching is less than the perceived cost of staying.

      That's it ... no swindling ... no death and destruction.

    52. Re:Well Duh! by Allador · · Score: 1

      Don't you think that more happy customers would mean more money to Microsoft's bottom line?

      Only if it actually does. It may not. It's entirely possible that more, happy customers, but at a lower price, would result in less net profits.

      I'm sure the smart folks over at MS feel that they understand the numbers, and that their price point is the right one. They may be wrong, but it's a more or less free market, and they can set their prices however they want. As they set them higher, fewer people buy.

      Mind you, the OS market is less price elastic than some other markets, but it's not completely inelastic.

    53. Re:Well Duh! by drew · · Score: 1

      ...in which case the stock price wouldn't go down, either. When it all boils down to it, a company's stock price is primarily the result of two things- how much money they are currently making, and their investors' and potential investors' faith in their ability to continue to make money.

      Keeping that in mind, maybe I should expand on my previous statement. (At least in this particular case,) Microsoft is not making their decisions based on their shareholders' interests over their customers' interests. If the stock price were to go down due to the number of security holes, it would not be due directly to the security holes, but rather due to the fact that the security holes make windows harder to sell. On the other hand, if investors didn't expect the number of security flaws disclosed to affect the future sales of Windows, then Microsoft's stock price wouldn't go down because of them, either. Either way, the primary focus is on doing what they have to do to sell more product (or make more money per product), and the stock price and shareholder value are only derivatives of that, rather than, as so many people seem to think these days, the one and only decision making factor in a company's existence.

      (I'll admit that what is in the customer's best interest does not necessarily align with what makes the company the most money, but in that sense publicly traded companies are no different than privately held companies.)

      --
      If I don't put anything here, will anyone recognize me anymore?
    54. Re:Well Duh! by JohnBailey · · Score: 1

      I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

      A third option is to stop releasing misleading press statements about security and other issues where Microsoft only ever comes out top when they have paid for the report.

      Does this advance their reputation as a stable strong company, or make them look like they are on the defensive?
      --
      It is difficult to get a man to understand something when his job depends on not understanding it.
    55. Re:Well Duh! by Sancho · · Score: 1

      The question is whether or not the perception of the strength of the company would go down due to increased security flaw reporting. Being a monopoly, Microsoft doesn't have to worry too much about selling copies of Windows. Their biggest and most important customers are businesses, who want business solutions. Right now, Microsoft has a stranglehold on that market. Apple just doesn't have enterprisey solutions for a lot of things like large-scale e-mail, calendaring, workstation management, profile management etc. Linux can do these things, but I haven't seen a company make a Linux product that does it as easily and in a way that scales as Microsoft. They've basically got a monopoly on this market, and it is in part because they actually do good work in this area.

      No large business is going to switch their desktops from Microsoft. A combination of enterprisey stuff above, familiarity, and application compatibility would be enough, but throw in the cost of migration (which includes no small amount of training and infrastructure modifications) and it's truly a lock.

      Of course, most of that is actually irrelevant for stock. Stocks rise and fall because of publicity and press. Watch sometime--when a negative story hits the mainstream, stock will slip a bit. When a good story does, it rises. It doesn't matter if the story has nothing to do with sales or the status of the company--the CEO can be caught having an affair, and people will sell.

      Apply that to Microsoft. If Microsoft published vulnerabilities that were found in-house, it could lead to a slip in their stock. It almost certainly wouldn't be huge, but when you're a company worth as much as Microsoft is, tenths of a percent can represent millions of dollars. And the problem is that whether the publications would even cause the slip is an unknown, but since it's almost certainly not going to increase faith in the company, it's best to not report it.

      Knowledge is power, and corporations tend to realize this. The more you can keep a secret, unless you're going to receive some benefit, the better.

      I could accept that publishing vulnerabilities might lead to a drop in sales if there were easy replacements for Microsoft's enterprise solutions. Enough bad press really might make some companies think about switching. As it stands, though, I just don't see it happening.

    56. Re:Well Duh! by Almahtar · · Score: 2, Insightful

      This is also one great thing about OSS, it doesn't have to appease to money for the most part.

      vs.

      This is also one great thing about OSS, it doesn't tend to appease to money for the most part.

      Big difference. I think you responded to the latter, not the former. Yes, money impacts open source, but the difference is that open source projects can always choose not to listen to the money -- or get forked. You can't just fork Microsoft the moment their shareholders get annoying.
    57. Re:Well Duh! by Ilgaz · · Score: 1

      I must be a pessimist these days, but how does this compare to the Mozilla Foundation's close ties to their number 1 "donator" Google Inc. and breach of user privacy planned for Firefox 3 by the excuse of "protecting user from threats"?

      Firefox, if they don't give up insisting... Will send every single URL user visits to Google Inc. to prevent "phishing" by DEFAULT. See: http://yro.slashdot.org/yro/07/09/25/1622229.shtml

      There are 2 dozens of comparable services from other companies including completely open, community based OpenDNS "phishtank".

      For MS or even Apple, for a company, their stockholders' good is more important than their paying customers. Do you think Apple thinks about their "Users" while making Google search default on Safari 3 for example? Along with referrer? You can't even change the search engine without hacking Safari resources.

      I am more interested in "non profit organizations" who tries to make favor to their large donators on every chance they find along with "we are protecting user" excuse.

    58. Re:Well Duh! by ConceptJunkie · · Score: 1

      We're talking about voluntary purchasing of software products here.

      Until recently you practically couldn't buy a system without paying for a bundled copy of Windows, and even now your choices are extremely limited. Microsoft has a long history of strongarming OEMs into bundling Windows and not allowing them to bundle software from competitors.

      Right now, for the majority of consumers and businesses, the perceived pain of switching is less than the perceived cost of staying.

      And again, Microsoft has a long history of preventing people from creating competing software (especially back in the Windows 3.0 days), doing everything in their power to lock people in to Microsoft products today (undocumented and constantly changing file formats, claiming to follow standards, but deliberately breaking them in subtle ways), and spreading ridiculously bald-faced lies about competing software.

      Microsoft won't compete fairly because they can't compete fairly. The market suffers because of this. Innovation falters, and a lot of people are stuck with software that is just plain awful.

      --
      You are in a maze of twisty little passages, all alike.
    59. Re:Well Duh! by cHiphead · · Score: 1

      I think you aren't connecting what is needed for the existence of a 'free market' in modern times. The world started as a 'free market' in which 'market forces' almost always ended up being the guys that can bash the other guys' heads in the best and take all their stuff. That's the very essence of a free market. With such a case, where are the limits on power and monopolization of services? That's when you need a government, for regulation, like it or not. Governments throughout known history have relied on taxes to exist (I will agree it's one big protection racket scam, but we don't have the technology to get past the need for taxes et al just yet.). Using the US as our example, without the government, there is no standard time zone, no 'standard' units of measurement, no firemen to put out fires, no PUBLIC EDUCATION (this is perhaps the most important of anything), no building standards, no standards for building roads, no public transportation systems, so on and so forth.

      There is a direct correlation between this new age 'free market' bullshit and the need for a functional government to police it and keep it 'free'. Then again, I'm talking free as in speech, not free as in beer. For the free as in beer market you would need a communist/utopian form of government.

      --

      This is my sig. There are many like it, but this one is mine.
  2. touche... by advocate_one · · Score: 3, Funny

    Game, Set, Match... well, I think that's that argument well and truly settled... Microsoft will never dare to use that FUD again...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  3. It's Probably Also Interesting to Note... by explosivejared · · Score: 5, Funny

    ...that the study in question was done in collaboration with the Texas Department of Science Education. The department was called in when MS had concerns over the factual rigor that the test would be subjected to.

    --
    I got a catholic block.
  4. Re:Anybody surprised? by Anonymous Coward · · Score: 0

    Well, you get what you pay for

    Rubbish!

    I paid $1000 at my local dodgy computer dealer for a CD of OpenOffice. I reckon it was only worth $100!!!
  5. Window S. by xtracto · · Score: 1

    Funny for WindowS (working at Mozilla) to tell us that Microsoft software is buggier than Open Source :)

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:Window S. by Anonymous Coward · · Score: 0

      What might be funnier is that she used to work for Microsoft!

    2. Re:Window S. by zish · · Score: 1

      Even better still, her first name begins with 'M'. Her name is M.WindowS. Still, the Blue Screen of Death looks much better on her though.

      --
      Spork.

      P.S. Spork.
  6. More vulnerabilities fixed != worse sw by redscare2k4 · · Score: 5, Insightful

    Is it just me, or does the Microsoft report (pdf available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

    1. Re:More vulnerabilities fixed != worse sw by jollyreaper · · Score: 4, Insightful

      Is it just me, or does the Microsoft report (pdf available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

      The American cattle industry has very few occurrences of Mad Cow Disease compared with British firms. American firms also test as little as possible but that's just because our cows are so damn clean. By extrapolation, Microsoft must have clean cows.
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    2. Re:More vulnerabilities fixed != worse sw by secPM_MS · · Score: 1
      The analysis is lacking a component. If MS fixes an issue in a bulletin, it knows that it has started the attack on that issue because the vast majority of attackers use bindiff-type tools to reverse engineer the issue. Frequently, they will have exploits available within hours of the patch release. Thus, if MS is aware of an issue but monitoring tools do not report circulating exploits, it is better for the customer to wait until either exploits start against the issue or a larger release is available to carry the fix. Exploits will start immediately after a release. Thus, SPs may fix a vast array of undocumented issues that could lead to future problems.

      Microsoft's responsibility is to the vast majority of its customers, who typically take some time to implement updates. Microsoft learned a long time ago that customers do not like a continual stream of fixes. Hence, patch Tuesday, with occasional releases for serious issues that are being exploited and constitute a particular customer threat. It is actually a reasonable balance. Is it ideal for everybody, no, but nothing is.

    3. Re:More vulnerabilities fixed != worse sw by msuarezalvarez · · Score: 1

      While that may be reasonable, it is not that they do not include it as a factor in their "we have less bugs than they do" analyses...

    4. Re:More vulnerabilities fixed != worse sw by 99BottlesOfBeerInMyF · · Score: 1

      Microsoft's responsibility is to the vast majority of its customers...

      And they serve those customers by deceiving them and claiming to have fewer holes because they keep a lot of their holes secret even after they are fixed? You're also ignoring the number of holes MS finds that they don't fix. I know some people who used to work at MS and even after they started their security drive, the majority of bugs with security implications were not prioritized high enough to be fixed... ever. Sorry, but MS tried to deceive people by pretending holes they did not publicly acknowledge, don't exist and that is just a load of horse shit.

    5. Re:More vulnerabilities fixed != worse sw by vsync64 · · Score: 1

      Microsoft's responsibility is to the vast majority of its customers, who typically take some time to implement updates. Microsoft learned a long time ago that customers do not like a continual stream of fixes. Hence, patch Tuesday

      Batching fixes and releasing them on a particular day of the week is entirely reasonable. Sitting on known issues until they start getting exploited is not.

      If I understand you are saying Microsoft bears greater responsibility toward customers that ignore patches for unreasonable lengths of time than toward customers who responsibly evaluate security fixes and either work around or patch affected systems. That view is wrong and harmful.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
  7. Not the first time... by Bert64 · · Score: 5, Insightful

    Microsoft have frequently used biased methods for "security comparisons"...

    They have compared the published vulnerabilities between Windows and various Linux distributions, when the same applies as discussed in this article - issues found internally may or may not be fixed, but are not disclosed to the public.

    Also many Linux distributions typically include a massively larger set of packages than Windows does; a distribution such as Debian or Gentoo supports more packages than Microsoft do across their entire product line.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Not the first time... by ThirdPrize · · Score: 1

      How many IE vulnerabilities are actually in IE and how many are the OS? It is two distinct bits of source code and all the low level bugs probably belong to the OS rather than the browser. I am just saying there are lies, damn lies and statistics.

      --
      I have excellent Karma and I am not afraid to Troll it.
    2. Re:Not the first time... by BlueStrat · · Score: 1

      How many IE vulnerabilities are actually in IE and how many are the OS? It is two distinct bits of source code and all the low level bugs probably belong to the OS rather than the browser. I am just saying there are lies, damn lies and statistics.

      But, remember..according to MS, IE *IS* a part of the OS.

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:Not the first time... by RobertM1968 · · Score: 1

      Microsoft have frequently used biased methods for "security comparisons"...

      The sad thing is it's legal. MS is very smart at how they do these things. If they do a study (or pay for one that is intended to come up with the results that they want), then all they need to do is get some journalist to read it and publish an article about it. The journalist isn't even required to quote their sources... but even if they do, it still gives no indication that the "source" (whatever firm that MS paid to do the "research") was actually a company that MS paid to find those results.

      In advertising, things are just barely different. A company can make almost any claim they want - as long as there is a small, barely readable disclaimer someplace. Much like weight loss ads: BIG "I lost 800 pounds in 10 minutes!" Small: "Not typical results. Avg weight loss is 1 pound a month".

      A wonderful example of this is Verizon. I am sure everyone has heard Verizon's claims of having "the nation's most reliable wireless voice and data network" - how many people have read the really tiny, flashed on the screen almost too briefly to read disclaimer that says (paraphrased) "Based on Verizon's own study and Verizon's calling options"?

      The added beauty (for Verizon and other companies) is that tons of websites cite Verizon's claim - without the disclaimer that it is Verizon, through their own "study" that thinks they are the most reliable. Very misleading (and sadly legal).

      Until laws are changed to hold companies more accountable for their (often ridiculous) claims - and/or requiring companies to only use unbiased third party studies when releasing (on the web, to the press, etc) or making such claims, the situation will remain the same. :-(

  8. Re:Anybody surprised? by dave420 · · Score: 1

    "Well, you get what you pay for" - did you mean to write that?

  9. Whole section of the report not covered by ta+bu+shi+da+yu · · Score: 5, Insightful

    I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Whole section of the report not covered by MelloDawg · · Score: 1

      He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that.

      s/He/She/
      --
      /. is irrelevant.
    2. Re:Whole section of the report not covered by -noefordeg- · · Score: 3, Insightful

      I don't agree.

      Since you don't pay for FireFox, there is really no reason not to upgrade.
      With MS you have to pay for EVERY new version which is released. In my world that is kind of a huge difference. And if you are just talking about IE, well, you really shouldn't be using old versions anyway... :)

    3. Re:Whole section of the report not covered by Cozminsky · · Score: 1

      But why do you need to maintain the older versions? Sure in the situation of IE6 and Windows 2000 et. al. being the last release of IE for that platform you have a situation where the older release needs to have security updates applied. This isn't the case for mozilla's browsers though, the latest version of firefox will run on everything since windows 98.

    4. Re:Whole section of the report not covered by Anonymous Coward · · Score: 0

      That is because Microsoft does not have new product to support, not because they care about their customers.

    5. Re:Whole section of the report not covered by Tim+C · · Score: 2

      With MS you have to pay for EVERY new version which is released. In my world that is kind of a huge difference. And if you are just talking about IE, well, you really shouldn't be using old versions anyway... :)

      Of course he's just talking about IE - unless the Mozilla Foundation released an OS recently that I hadn't heard about...

      Besides, it's not as easy as "you shouldn't be using old versions". Some third parties develop software targeted specifically at a given version of IE. If they won't fix their software when a new version comes out (I'm looking at you Tridion, amongst many, many others) then you have the choice to either replace that software or stay with the old version of IE. Replacing may be prohibitive in terms of cost, even if you upgrade to the vendor's latest version.

      So no, you shouldn't be using old software, but sometimes you have to. And yes yes, if you were using open source you could fix it yourself - except that *that* may be too costly too, even if a suitable OSS application existed (they usually do, but by no means always).
    6. Re:Whole section of the report not covered by Anonymous Coward · · Score: 0

      I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

      One could easily counter that MS' release cycle is much slower than Mozilla's. MS is presently on a 3-4 year release cycle to push out major updates to their products. Mozilla rolls out major updates at least twice as fast.

      Mozilla moves more quickly but supports products for a shorter period of time. MS moves more slowly but supports their existing product for a long time. I'd say the two are a wash...

    7. Re:Whole section of the report not covered by kryten_nl · · Score: 1

      ... because you're still waiting for those security patches for Phoenix 0.1?

      --
      For the perfect anti-Unix, write an OS that thinks it knows what you're doing better than you do and let it be wrong.
    8. Re:Whole section of the report not covered by mpe · · Score: 1

      Since you don't pay for FireFox, there is really no reason not to upgrade.

      An upgrade may break an extension/addon. Though the Open Source nature of the software means that such things tend to get fixed PDQ.

      With MS you have to pay for EVERY new version which is released.

      Typically you don't. IIRC Windows XP originally shipped with IE5. At least in terms of money. The problem is more along the lines that upgrading MSIE tends to come bundled with all sorts of updates to Windows. Whereas Firefox tends to keep itself well organised and in a few places.

    9. Re:Whole section of the report not covered by mpe · · Score: 1

      Besides, it's not as easy as "you shouldn't be using old versions". Some third parties develop software targeted specifically at a given version of IE. If they won't fix their software when a new version comes out (I'm looking at you Tridion, amongst many, many others) then you have the choice to either replace that software or stay with the old version of IE.

      It isn't that easy to have multiple versions of MSIE on one Windows machine either. As well as the utter stupidity of software which insists that the browser it wants is set as the default browser because the programmer couldn't be bothered to write a tiny piece of code.

      Replacing may be prohibitive in terms of cost, even if you upgrade to the vendor's latest version.

      Assuming there is a suitable replacement. It's perfectly possible that the later version of the whatever is unsuitable for your needs.

    10. Re:Whole section of the report not covered by Anonymous Coward · · Score: 0

      The difference is you don't have to pay for the next version of Firefox, I know technically you don't pay for internet explorer but you do have to have a recent copy of windows to get the latest version.

      Microsoft (as a company) will never do anything that they don't have to if they can get away with it, whereas I trust Mozilla to do something that makes Firefox better if they can (and they're giving it away COMPLETELY free, for just about every operating system under the sun).

      so are we back to the standard slashdot Micro$oft = evil crapware and anything to do with open source is wonderful yet? :P

    11. Re:Whole section of the report not covered by ArtDent · · Score: 2, Insightful

      The simple answer would have been that even Firefox's major versions are non-disruptive. Microsoft seemingly can't deliver a new version of IE without changing the way they think the Internet should work.

      I work at a large corporation with two standard supported browsers: IE and Firefox. When IE 7 was released, we received an e-mail warning us not to upgrade, as doing so would break critical applications. Similar thing with XP SP2. New releases of Firefox just get pushed out without problem.

    12. Re:Whole section of the report not covered by asa · · Score: 1

      First, Window Snyder is a she, not a he.

      Second, it takes us about 4 or 5 days to automatically update 90+% of our users and with a couple of weeks' time, we get about 99% of them moved forward. Because there's no cost to updating, and because it's automatic, we don't need to support older versions for years and years.

      Ask Microsoft what their updated percentages are across their various releases. My guess is they won't tell you. And even if they did, I'm sure they'd be just as misleading about this as about their IE bug counting.

      Public stats show that uptake of IE7, a security update for IE 6 in dozens of important ways, has been abysmal over the last year. At best, they've been able to move between 25% and 35% of their users from the insecure IE 6 to the more secure IE 7 and to get that they had to stop doing the Windows piracy check. Compare that with Firefox 1.5 -> Firefox 2 where approximately 98% have moved forward in the year since Firefox 2 became available.

      - A

    13. Re:Whole section of the report not covered by RebelWebmaster · · Score: 1

      Wrong. Windows XP has always included IE6 from the initial gold release to the forthcoming SP3.

    14. Re:Whole section of the report not covered by 99BottlesOfBeerInMyF · · Score: 1

      I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

      The earliest version of IE you can get support for is 5.0, released in 1998. InfoSpan, the leading company providing Firefox support, will do phone support for version 0.9, released in 1999. So IE has about a year on them. However, MS will not actually do bug fixes to IE 5, which in my mind is a critical part of support. With Firefox, you can not only get bug fixes to any version, you can take bids on the fix from multiple vendors or use internal resources. Not only that, but the cost is often not even very high, seeing as most fixes you'd want are already publicly available in a later version of Firefox, so you can just pull in the fix; unlike IE where the code is closed.

      I don't really see how you can categorize IE as winning in the support category, let alone being "far ahead."

    15. Re:Whole section of the report not covered by ArsonSmith · · Score: 1

      I think it is more incremental due to the quick release cycle of Firefox.

      To construct my own strawman: If you do a small change every day for a year it won't be very disruptive, but if you release 365 changes on Dec. 31st that will be rather disruptive.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    16. Re:Whole section of the report not covered by ta+bu+shi+da+yu · · Score: 1

      What, the support companies are still patching Firefox 0.9 code?

      --
      XML is like violence. If it doesn't solve the problem, use more.
    17. Re:Whole section of the report not covered by 99BottlesOfBeerInMyF · · Score: 1

      If you pay them, sure... although I suspect very few people have not moved on to a newer version by now. As I mentioned, InfoSpan, the leading provider of Firefox support, officially lists 0.9 as one of their supported versions. Without any prior relationship you can call them today for phone support for Firefox 0.9 and while they'll bill you for each call, they'll try to solve your problem.

    18. Re:Whole section of the report not covered by Kelson · · Score: 1

      The earliest version of IE you can get support for is 5.0, released in 1998. InfoSpan, the leading company providing Firefox support, will do phone support for version 0.9, released in 1999. So IE has about a year on them.

      Firefox 0.9 only goes back to 2004. Even Mozilla 0.9 only goes back as far as 2001.

    19. Re:Whole section of the report not covered by vsync64 · · Score: 1

      I agree with you. However, keep in mind that Firefox 3 will not run on DOS-based Windows environments (Windows 98). So users on those platforms will be forced to upgrade their OS or stop upgrading the real browser.

      The real question, since we're doing comparisons, is does Microsoft still support those OSes?

      One other fact to throw in there is that if some user or organization really desperately needs to have Windows 98 systems with a recent Firefox, there's nothing stopping them from paying for a contract for some firm to backport security fixes.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    20. Re:Whole section of the report not covered by Blakey+Rat · · Score: 1

      With MS you have to pay for EVERY new version which is released.

      Of IE? I've never paid for any new version of IE in my entire career. What are you doing wrong?

    21. Re:Whole section of the report not covered by fatphil · · Score: 1

      "Since you don't pay for FireFox, there is really no reason not to upgrade."

      You've never worked in an enterprise environment, have you? Rolling out a new version company wise simply because a new version is available and free is a great way for needing an IT department 10 times larger than if you were sane, and didn't do such crazy things. And of course that costs, so your "don't pay" argument is completely blown out of the water.

      "Don't upgrade until you have to" is the more sensible and more common enterprise procedure. (Which is mostly security threats that can't be stopped at the various firewalls.)

      --
      Also FatPhil on SoylentNews, id 863
  10. Pot, kettle, black by Anonymous Coward · · Score: 1, Insightful

    I'd accept this from anyone but a Firefox security head. Firefox is well-known for not fixing long standing bugs and issues (including some security holes) for years. Don't believe me? Just check Bugzilla.

    1. Re:Pot, kettle, black by ozmanjusri · · Score: 3, Interesting
      I'd accept this from anyone but a Firefox security head.

      Accept it from vulnerability-scanning company Qualys then.

      Study: 'Huge jump' in Microsoft flaws since last year
      "We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys's vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007 http://news.zdnet.com/2424-9595_22-178018.html
      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:Pot, kettle, black by Actually,+I+do+RTFA · · Score: 1

      Study: 'Huge jump' in Microsoft flaws since last year "We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys's vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007

      It seems unfair to claim that there is a 300 percent vulnerability increase between two versions (fairly dramatic differences) without mentioning that as the cause. Further, Office != IE, anymore than OpenOffice's problems can be laid at FireFox's feet (or an OSS project that expressly produces malware).

      --
      Your ad here. Ask me how!
    3. Re:Pot, kettle, black by secPM_MS · · Score: 1

      It is not so much that there has been an increase in the vulnerabilities of Office products, but that as the OS has been progressively hardened, the low hanging fruit is now the applications. Office 2003 was designed for feature richness, not withstanding spear-phishing attacks. Office 2007 is the first Office release where the SDL was applied and has far fewer vulnerabilities. In my opinion, despite the change in UI, the upgrade from Office 2003 to 2007 is justified on security grounds alone. There is reasonable ground to believe that Office 2007 is considerably less vulnerable than Open Office. If you want to see user application vulnerabilities, look at QuickTime. Apple does NOT get security, they are still in their features and ease of use over everything (where MS was 5 years ago).

    4. Re:Pot, kettle, black by UnknowingFool · · Score: 1

      There's a difference. Firefox acknowledges flaws but may not fix them right away. When Firefox does fix the flaw, it discloses that fact. MS does not disclose some flaws and MAY fix later. When they do fix them, they may not disclose that they did. One process is in the open. The other is kept hidden.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:Pot, kettle, black by Anonymous Coward · · Score: 0

      I wouldn't really buy it coming from a vulnerability-scanning company either. The more vulnerabilities they can come up with the better they seem.

      Sorry, I'll only accept it from an independently wealthy, blind, mute living in the middle of nowhere with nothing better to do who runs all Operating Systems at once.

  11. Title by Anonymous Coward · · Score: 0

    Who read: Firefox Security Head Entered Microsoft Obscures OS Holes

  12. Obviously MS is just covering their OS... by kiscica · · Score: 3, Funny

    ... what a bunch of OS-holes.

  13. Microsoft wants what's best for you by El+Yanqui · · Score: 4, Funny

    Firefox is spyware. At least according to Microsoft. http://img405.imageshack.us/my.php?image=msasmfph6.gif

    Remove it immediately to prevent harm to your computer and protect your privacy!

    --
    Well, thanks to the Internet, I'm now bored with sex.
    1. Re:Microsoft wants what's best for you by Anonymous Coward · · Score: 0

      There's already enough reasons to laugh at Microsoft without you having to invent some.

    2. Re:Microsoft wants what's best for you by BlueStrat · · Score: 1

      Firefox is spyware. At least according to Microsoft. http://img405.imageshack.us/my.php?image=msasmfph6.gif

      Remove it immediately to prevent harm to your computer and protect your privacy!


      A convicted monopolist's anti-spyware program marking the competition's web browser as spyware/a security risk? Wow. They just have no fear, do they? If they have the Justice Department and the politicians that well-bought that they feel they can get away with things like this, one has to wonder how long it'll be until they simply have their lapdogs in government mandate their software as the only 'legal' option.

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:Microsoft wants what's best for you by recoiledsnake · · Score: 1

      Relax. It's a doctored screenshot.

      --
      This space for rent.
    4. Re:Microsoft wants what's best for you by BlueStrat · · Score: 1

      Relax. It's a doctored screenshot.

      D'OHH!!!

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  14. Re:Anybody surprised? by mh1997 · · Score: 3, Insightful

    MS products never were the best on the market. They just convinced enough people to buy cheap at a crucial time.
    I don't think MS ever tried to be best in their software. I think they just wanted to be the standard in software.

    Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking. There were 10 or so major players in the word processing market, preventing organizations from sharing documents from one sector to another, not to mention different companies. They, and other companies, ripped off VisiCalc and the desktop graphical user interface, but none were compatible with other brands.

    MS came along and everyone could talk, and thanks to IBM, run the same programs on any brand of computer.

    I think MS modeled itself after McDonald's. Want a good hamburger go to a good restaurant. Want a hamburger that will satisfy your hunger, taste ok at best, but most important, be exactly the same all over the world, go to McDonald's.

  15. Where are all those retarded jokes? by Anonymous Coward · · Score: 0

    he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee.

    Wherever there is an entity where a former Microsoft employee is the "Head Security Strategist" there are dozens of jokes flying on Slashdot about how insecure any products such an entity produces must be. Now this happens to be the Mozilla Corporation and I see no jokes... What changed? Is Microsoft ok now?

    1. Re:Where are all those retarded jokes? by Kelson · · Score: 1

      Now this happens to be the Mozilla Corporation and I see no jokes... What changed? Is Microsoft ok now?

      I think /. just exhausted all the jokes back when they announced they were hiring her.

  16. Ah, the wonder of Slashdot moderation by Sockatume · · Score: 1, Insightful

    So, you've been modded +3 Informative for what is obviously a joke on the first reading, and is even more obviously a joke on closer examination. How's that feel?

    --
    No kidding!!! What do you say at this point?
    1. Re:Ah, the wonder of Slashdot moderation by explosivejared · · Score: 2, Insightful

      It scares the life out of me. I hope to god that no one actually took that seriously. I sincerely hope that that informative mod was a sardonic joke in and of itself.

      --
      I got a catholic block.
    2. Re:Ah, the wonder of Slashdot moderation by pintpusher · · Score: 3, Funny

      How are we supposed to keep this all straight? Either the mods are on crack or the mods are geniuses of sardonic delayed humor or the mods... oh wait, I've got mod points!! d'oh!

      --
      man, I feel like mold.
  17. Their Stockholders ARE the customers by tbg58 · · Score: 2, Insightful

    The people and companies who actually purchase software are just revenue units. Their real customers are the stockholders. That's who they're beholden to. The folks who buy software have been commoditized. We haven't been the customer for some time, and this inevitably leads to crass disregard of the purchaser of the good or service of a company in favor of the stockholder. This is a fundamental economic shift -- commoditization of purchasers and re-identification of "the customer" as the stockholder, and it has predictable consequences in the attitude of a publicly traded company toward the people who spend money for whatever they sell. It's also one reason why many publicly traded companies, M$ among them, may well be dinosaurs.

  18. Firefox and Windows by tristian_was_here · · Score: 3, Funny

    So basically I have to be running Windows to get the full use of security holes? Why can't my "Free" OS be like Windows?

  19. Re:Anybody surprised? by miffo.swe · · Score: 3, Insightful

    "Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking."

    No, there wasn't prior to MS. The several flavours came about after MS started selling DOS. Most of the other flavours were much better than MS Dos. NCR Dos 3.2 was the best DOS version of them all because of all the bughunt NCR did on it. MS-DOS was a dead dog in comparison, funny thing was all MS apps ran much better on other DOS versions than their own. Hence the need to artificially make win not work on any other DOS than MS-Dos, which sucked big from day one up until it was dropped.

    Sharing documents was no problem, anything external was sent in .txt mode. Formatting was for when you printed the document, not for just reading it as it has become today.

    MS came along and anyone who had MS-DOS, Microsoft Word (the same version as the one communicating with had) could communicate. That's not an improvement, it's just a de facto standard.

    It's a big insult to McDonald's to compare them with Microsoft. Should McDonald's be anything like MS I wouldn't dare to eat there ever. Actually McDonald's has very strict Q&A and an extremely well functioning organization.

    --
    HTTP/1.1 400
  20. Captain Obvious reporting by jollyreaper · · Score: 0, Flamebait

    Microsoft obscures security holes. In other breaking news, people lie about their personal information on dating sites, water is wet, and Republicans closeted freaks for gay sex. Back to you, Tom.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  21. Because they can make informed decisions by shis-ka-bob · · Score: 5, Insightful

    how do paying customers benefit when MS reveals unknown ...

    Central to any theory of efficient markets is the assumption that both consumers and producers can make informed decisions free of coercion. If the consumers do not have information, they cannot make an informed decision. Companies are not generally obliged to share all information about their products, but they are prohibited from intentionally deceiving customers. Cigarette makers were not sued because cigarettes cause cancers, but because they had determined internally that cigarettes caused cancers and they then made claims to the contrary. That is, they intentionally deceived both the consumer and the regulatory agencies.

    By analogy, Microsoft can say 'we build secure software' all day long. But if they claim, 'we develop more secure software than our competitors' they open themselves up for liability IF it is determined that they are making claims that they know to be false. In this case this seems to be hypothetical. But it is a testable hypothesis. And after reading the internal memos made public in Comes v. Microsoft, it is a quite plausible hypothesis.

    --
    Think global, act loco
    1. Re:Because they can make informed decisions by Wylfing · · Score: 1

      What are these "informed decisions" you speak of? Consumers not having information? Wha?

      Capitalism works like this:

      • Large monopoly or cartel decides how consumers will act.
      • Government passes laws to back up these mandates and criminalize dissenters.

      The monopolies and cartels already have all the information they need to decide how they want consumers to behave. I can't see what sort of "information" we as consumers need except to do what we're told.

      --
      Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
    2. Re:Because they can make informed decisions by BlueStraggler · · Score: 1

      Sorry can you please explain what this "capitalism" thing you speak of has to do with the free market?

  22. Re:Anybody surprised? by jollyreaper · · Score: 1

    I think MS modeled itself after McDonald's. Want a good hamburger go to a good restaurant. Want a hamburger that will satisfy your hunger, taste ok at best, but most important, be exactly the same all over the world, go to McDonald's.

    Gates looks like Hamburglar, dunno who Ronald would be. Ballmer is Grimace, of course. And I guess Mayor McCheese will be whichever politician has sucked the most Microsoft cock that year.
    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  23. Aha! by A+nonymous+Coward · · Score: 3, Informative

    The only solution is a truly free market economy without the FED and other allied stupidity.

    Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

    I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

    But monopolies are just as bad on the business side as they are on the government side, and there has to be some way to prevent them and break them up. Rather than have a government monopoly to break up business monopolies, I would have some way for citizen lawsuits to do the trick. You have to prevent market domination via rackets like those practiced by Microsoft, or the old AT&T, Standard Oil, etc., or you no longer have a free market.

    1. Re:Aha! by mpe · · Score: 2, Insightful

      Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

      Also once this happens it is difficult for a free market to re-assert itself.

      I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

      Sometimes such regulation is actually used to protect the interests of established businesses in a market, far more than any intent of protecting customers.

    2. Re:Aha! by Archangel+Michael · · Score: 1

      Monopolies are only temporary. I'm not so sure that having a monopoly is a bad thing, long term. In the short term perhaps it makes things difficult, but that only opens the door for new opportunities. Before you mod me flamebait, wait.

      Let us look at the result of breaking Big Oil (aka Standard Oil) apart, from today's perspective. We have Iran, Iraq and general instability in the middle east. We have global warming (or so they say). We have cities built for cars, and not pedestrian or mass transit. We have a built in dependency upon a dwindling natural resource.

      What if I suggest that all of these problems wouldn't be a problem, or wouldn't be as much a problem as they are today, had we let the natural course of the monopoly take place. What if I told you that today, we could have a robust renewable energy platform (alcohol / biodiesel) and better mass transit (electric) but we don't because we broke up Big Oil to get a nice low price fuel.

      What if I told you that we have Linux today as a viable alternative to Windows because of the Monopoly of Microsoft. Meaning that part of the reason for Linux's success can be placed upon Microsoft, and its monopoly.

      You see, the nature of the free (uninhibited) commerce is that the market is much like the Net is today, it will route around inefficiencies, and actually weed them out. Monopolies are artificial inefficiency, and eventually will be corrected by the marketplace. We just don't tend to be patient enough.

      I'm a firm believer in the law of unintended consequences.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:Aha! by mOdQuArK! · · Score: 1

      I've started thinking that there should be some kind of limit on how big any single company can get.

      The "free market" works best when you've got a decent number of smaller vendors competing for customers. Limiting the max size of companies would also make the labor market more of a "free market", where workers would have choices about where they could work.

      Layoff decisions at any particular company wouldn't have such a major effect on the job market & economy. Similarly, criminal activities such as fraud or dumping pollutants would be limited in scope per each company due to the max size of the company (plus the companies wouldn't have such overwhelming legal resources to crush valid lawsuits against them).

      The major disadvantage, of course, is dealing with projects that require economies of scale. That could probably be taken care of by having specialized "logistics" companies, whose sole purpose is to organize the efforts of a large # of smaller companies via contract.

    4. Re:Aha! by gaspyy · · Score: 4, Insightful
      It's not just monopolies.
      The free market model operates on several key principles:
      • a very large number of sellers;
      • a very large number of buyers;
      • completely transparent and complete information;
      • all agents (buyers and sellers) act independently

      It's not difficult to demonstrate that in the real world, these things don't happen.
      You have monopoly or monopsony (look it up) situations; Very rarely the buyers are informed; cartels and herd-like behaviours further alter the model.

      In the end, the free-market model, which is based on the supply-demand equilibrium, is all fine and dandy on paper. In reality, a completely deregulated market is a utopia, just like the communist ideal was a utopia.

      I know there are many libertarians on Slash, which is mostly an American thing; not being an American, my view may seem unpopular...
    5. Re:Aha! by A+nonymous+Coward · · Score: 1

      I know what you mean; no monopoly lasts forever. If they really are truly bad, they will suffocate themselves. If I really believe in a free market, then trying to prevent one aspect of that (monopolies) by fiat is unnecessary. That's why I don't want the government trying to regulate them -- you get politics and special interests involved and they find all sorts of excuses to justify new regulations to expand their bureaucratic territories.

      But corporations themselves are a government creation. Not allowing corporations seems like a big loss to any economy. Some projects need big companies. I can't imagine the awful inefficiencies if manufacturers could not grow beyond a certain size due to not having corporations.

      Since people can sue businesses for fraud, what if you were to consider the ill-effects of a monopoly to be fraud? What if people could sue Microsoft for its special deals with Dell, or AT&T for its shenanigans, or Standard Oil for its evil effects?

      I think that would solve the problems of monopolies. Ron Paul likes to say that if people could sue polluters for sending the pollution into their backyards, literally, that would replace the EPA. I am doubtful, but maybe such an approach would work with simpler concerns like a monopoly having so much power that it distorts the marketplace in easily identified ways.

    6. Re:Aha! by Znork · · Score: 1

      "Sometimes such regulation is actually used to protect the interests of established businesses in a market"

      Such as copyright. Which is the fundamental anti-free-market regulation that supports Microsoft's market control and monopoly (and would support any other non-FOSS replacement just as well).

    7. Re:Aha! by SL+Baur · · Score: 1

      What if I told you that we have Linux today as a viable alternative to Windows because of the Monopoly of Microsoft. Meaning that part of the reason for Linux's success can be placed upon Microsoft, and its monopoly.

      I call you on that. Unix, the predecessor of Linux, won the war of ideas long before Microsoft had anything remotely resembling an operating system. Preferential pricing (an order of magnitude difference in cost between MS-anything and Unix versions of the same program) and then enforced preloading overcame that.

      Personally, the reason why I started work on software that eventually made it into Linux had *nothing* to do with Microsoft, because then as now, I just don't care. Microsoft doesn't make anything I remotely care about.
    8. Re:Aha! by Anonymous Coward · · Score: 0

      "Let us look at the result of breaking Big Oil (aka Standard Oil) apart, from today's perspective."

      Let us imagine if Standard Oil was not broken up.

      Standard Oil would control all of the gas and oil pipelines, and would prevent you from using them if you didn't abide by their terms on other issues.
      Standard Oil would expand into the refinery business, and would prevent anyone from competing.
      Standard Oil would expand into the oil-and-gas exploration and drilling business, and would prevent anyone from competing.
      Standard Oil would expand into the petro-chemical business, and would prevent anyone from competing.
      Standard Oil would expand into the plastics business, and would prevent anyone from competing.
      Standard Oil would control all of the railroads, and would prevent you from using them if you didn't agree to their terms on other issues.
      Standard Oil would expand into the trucking business, and would prevent you from using them if you didn't agree to their terms on other issues.
      Standard Oil would expand into the automobile business, and would prevent anyone from competing.
      etc.
      etc.
      etc.
      .
      .
      .
      etc.
      etc.
      etc.
      Standard Oil would expand into the software business, and would prevent anyone from competing, and finally slashdotters would complain.

    9. Re:Aha! by Anonymous Coward · · Score: 0

      OK, The USA is already one of the most litigious countries in the world. Obstetricians, for instance, are increasingly rare and expensive because malpractice insurance is so expensive. People sue obstetricians for any problem with delivery even if there was little the obstetrician could have done with the hope that a jury will feel their plight when presented with a damaged baby to help pay for its care.

      The US already has a problem with nuisance lawsuits and excessive damage awards, to the extent that some Republican candidates push tort reforms to limit this. One of the major attacks the Republicans used against Democrat VP candidate John Edwards was his work in securing large awards against companies for his clients. But these are the people you are willing to let demolish safety oversight organizations in exchange for a promise of better litigation opportunities?

      It will take a lot more inefficiencies in government safety departments before their employees will cost more than lawyers paid 5 times as much. And if you think you'll need less lawyers than bureaucrats, think about how long big tobacco successfully fought off lawsuits and what resources it finally took to cut them down. Now consider that if you're in an industry with a poor safety record (good luck to all the coal miners and construction workers in your utopia, BTW), if one member of that industry routinely allows or encourages safety violations to save money, most of their competitors will have to do the same to remain competitive. So unlike now where a few cheat and endanger workers or customers (lead paint toys anyone?) everybody in the industry will be taking those risks and fighting off lawsuits.

      And finally, companies could tie up cases in courts for 10 or 20 years. That's the lifetime of most top-tier executives, so what incentive would they have for behaving ethically if the repercussions wouldn't be felt by the company until after they've made their bundle and have retired? And if you think Enron and Worldcom were bad, what do you think would happen to trust in the stock market without an exchange commission to investigate abuses? After all the SEC is just a red-tape bureaucracy like OSHA, the EPA and so on. No need to enforce that, just let stockholders and their lawyers enforce things through lawsuits, right? It's too bad if a lot of people lose their life savings and spend their retirement years eating cat food while their lawyers fight to recuperate what they can, just as long as companies aren't overburdened with red tape.

      The lawyers will be happy though. Especially for the first ten years as the increased demand and limited supply makes their income go through the roof.

    10. Re:Aha! by innerweb · · Score: 2, Insightful

      For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants;

      I work in the food industry, as a manager (one of two lines of work I do). I do not want an unregulated food industry. Do you have any idea how many people would get sick and/or die from bad food products or unsafe environments? Do you have any idea how many have in the past? I also have worked closely with the health care side in many projects involving pathogens. Do you remember the issue with China sending us poisonous toothpaste? Do you remember the problems with tainted beef, or vegetables just this year? Do you know how fast bacteria grow in food? Have you ever inspected a small upstart's kitchen who does not understand food safety - a vast majority of people do not!

      Do you know why it is not safe to drink the water in many countries? Or eat the food? Do you know why so many countries without regulations have so many health issues relating to flu-like symptoms, diarrhea, and other issues relating to foodborne illness?

      Do you realize how little the average person knows about food safety, and communicable disease? Read this link to learn more different potential diseases, pathogens and toxins in food.

      Even if disease were not a problem, the nature of people to do things (like toxic toothpaste because it is cheaper) still should be a gigantic red flag. Maybe the inspectors are a little overzealous at times (I have dealt with those), but I would prefer an overzealous inspector to a lax one anytime. BTW, I have never had a red and only a couple of yellows on an inspection - both yellows were quickly corrected and never repeated. Almost nothing but greens, even from the most picky of inspectors I have had to deal with. The people who work for me may think I am demanding, but we are not just talking about food quality, we are talking about food safety and the health and lives of people who probably do not want to run a risk of kidney failure, liver damage or worse because some uncaring twit decided their laziness or comfort was more important than the safety and quality of the food and environment we serve it in. I have often read about how doctors are the first line of exposure in an epidemic. I disagree, restaurants and food providers. Why? because we are exposed to the public and all it has to offer every day many hundreds of times to thousands of times more than a doctor is. A doctor only sees a patient when they are aware of the symptoms they will have. We see them in our restaurants and stores first. We touch the surfaces they have touched, the money they have handled, and get sneezed at, coughed on and believe it or not sprayed with their saliva (ever taken an order from a sprayer?) If we do not practice the best of health care and food care, we become the carriers and the source of diseases. We (food industry) have to know what is out there and what to look for. We have to be aware of our hand washing, surface cleaning (de-contaminating) and food safety. If we let a situation develop, then you wind up with an outbreak. It has happened many times. It might be flu, or a new Legionnaires Disease. It might be indigestion or a trip to the emergency room.

      So few people I have met in the food industry are actually aware of the realities that they do things that are unsafe and spread disease. Let's face it, the average person in the food industry is not a doctor. Most barely have a high school education and many are more worried about their next house payment than washing their hands. Some out and out just do not care. I have caught people in restaurants picking their nose, using the restroom, coughing and sneezing into their hands and then not washing their hands. I have caught people leaving meat out on the counter to thaw (very dangerous), trying to serve unwashed vegetables, not keeping counter food up to temperature - sometimes as low as 110 degrees - perfect

      --
      Freud might say that Intelligent Design is religion's ID.
    11. Re:Aha! by kimchimofo · · Score: 1

      I think it's common for people to romanticize about the possibility that a "free market" could actually exist, but beyond the econ 101 textbook there is the real world, and judging by our history humans usually seem to "cry foul" when the invisible hand threatens their security and call for socially-motivated programs (like the New Deal) to help protect them from the market deciding that certain people have lower value to the marketplace than they themselves are prepared to accept.

      The free market is a nice dream that might even work quite well if it didn't have human psychology to contend with, which seems to demand that once we organize ourselves into a group called society, that it is "civilized" and "decent" to offer protection to those who once contributed to the market and were later tossed out either because they couldn't adapt or support themselves.

      That is not to say that I support price controls or antitrust laws, or even don't support the (always failing) social security program. I'm actually pretty neutral on economic matters provided I have the freedom to make my own financial decisions and the money in the bank to take care of myself when the market shifts. I only comment because I often hear people spout off about Adam Smith, and when I do it often sounds quite naive given the broad spectrum of market forces competing with the invisible hand.

    12. Re:Aha! by A+nonymous+Coward · · Score: 1

      How many of those problems you cite were caught by the regulators you espouse?

      Each little step of regulation has a noble purpose, but the combined weight slows down the economy so much that we would be better off without the regulation. I would rather have restaurants brag about the inspection company they hire on their own than have the government force one bureaucracy on everybody.

      Do you ever eat at friends' houses? How about a neighbor you hardly know? How about a potluck at school or church or work or even a block party?

      Do you ever ask any of them for a health inspection report?

      Government health inspections do almost nothing except tie up thousands of people in a bureaucracy, and the people who run those bureaucracies have no interest in food safety, only in keeping control of their bureaucracy and expanding its writ. I am not a big fan of greedy profit driven motivation, except it's like democracy as quoted by Winston Churchill: it's the worst way of doing things except for all the others.

      The invisible hand of Adam Smith says that when people have information and choice, their selfish choices work together for the best overall good. The trick is to make sure people have the information and choices they need, and having one government bureaucracy is not a choice, especially when that bureaucracy only releases information when it helps the bureaucrats control their turf by punishing those who oppose them and by favoring those who help them. Private bureaucracies might have those same thoughts, but the profit motive brings them back in line -- as long as there is competition and people have the information to differentiate and choose, which is exactly the opposite of what empire building bureaucrats want.

      Here's an example of how things would work if inspections were voluntary and run by businesses: right now inspections are done by guys with clipboards, thermometers, and subjective opinions, right? If the inspectors cared about profit, I believe that by now we would have automated real time inspection systems possible, where sensors in kitchens would monitor for rats, roaches, warm refrigerators, cold meat, etc. That would be a much better health regulator than unannounced once a year inspections by inspectors susceptible to bribes and favoritism. No government bureaucrat would ever put up with such a system, as it would reduce the size of his empire. Profit driven businesses would, for it would reduce their employee count, increase their profits, lower their prices, enhance their reputation with the public, and grow their business. All those laid off inspectors would now be available for productive work.

      Like I said, regulations have noble intent, but that paves the road to hell. Regulations freeze conditions, they are the enemy of advances and innovation, and they are perfectly suited to slow moving bureaucracies who don't want anything to upset their apple cart. They are the last resort of those who don't want to ever do anything differently.

    13. Re:Aha! by A+nonymous+Coward · · Score: 1

      I only comment because I often hear people spout off about Adam Smith, and when I do it often sounds quite naive given the broad spectrum of market forces competing with the invisible hand.

      That's why I said there has to be more opportunity for individual people to enforce freedom of choice and availability of information. One of the problems with government monopolies is that they enforce their monopoly status by superior firepower. Lawsuits and a litigious society suck, but they suck less than rule by fiat and gun.

    14. Re:Aha! by innerweb · · Score: 2, Insightful

      As the post above you, thank you for pointing out the overlooked/ignored obvious realities of capitalism.

      I am an American (USA variety), and I get sick and tired of the ignorance espoused by people who think the system will just work. It is so much like listening to some gibbering idiot go on about their perpetual motion device, or unlimited free energy device (or to date, flying cars). People seem to want to totally gloss over the greed, corruption, collusion, laziness, theft, graft, bribery and other broken aspects for the system we currently live in. It is as if they believe that their own faults do not exist (let alone the faults of others). All of us are fallible, greedy, etc to some extent. Unbridled free market is just an excuse to be allowed to do anything you want without repercussions, or at least an answer that can never be dealt with directly, as society would break down long before you achieved the model they offer up.

      InnerWeb

      --
      Freud might say that Intelligent Design is religion's ID.
    15. Re:Aha! by A+nonymous+Coward · · Score: 1

      Exactly, and my point is that when a single government monopoly run by bureaucrats is the only defense against corporate bureaucracies, the situation is ripe for corruption and favoritism and plain old politics. If monopolies are evil, why should the government be the only one able to bring charges against monopolies, or any other corporate malfeasance which restricts choice and information? That's one point of weakness. I'd rather treat citizens as intelligent enough to take care of their own lives, and not take away the tools they need to do so.

      Adam Smith requires choices and information. Those are the natural enemies of bureaucracies.

    16. Re:Aha! by Archangel+Michael · · Score: 1

      Unix == Linux

      Unix lost the war because of pricing and lack of a unified desktop environment. Linux is winning the long war by taking the best of Unix, offering it free (beer and speech) and having a usable desktop GUI (Gnome/KDE).

      Unix lost a war it could have won, Linux is winning the war for Unix like OSes, along with Apple for the BSDs.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    17. Re:Aha! by Logic+and+Reason · · Score: 1

      The free market model operates on several key principles:
      • a very large number of sellers;
      • a very large number of buyers;
      • completely transparent and complete information;
      • all agents (buyers and sellers) act independently
      It would be more correct to say that the free market operates "better" the more buyers and sellers there are, and the better the available information is. Your bullet points are not absolute requirements for the market to function. Furthermore, things like monopolies and uninformed market participants only distort a naive, simplistic analysis of the free market (of which many libertarians are no doubt guilty). They do not hamper the operation of the market itself; in fact they are completely normal and healthy components of it.

      Take monopolies, for example: laissez-faire economists do not claim that monopolies cannot exist in a free market. Instead, they claim that the free market tends to eliminate monopolies, and does so more efficiently than government regulations can do, since regulations always introduce their own inefficiencies.

      Just as it is naive to assume an idealized free market, it is also naive to point out certain inefficiencies in the free market and then blithely assume the existence of a similarly idealized form of government intervention to "fix" these inefficiencies. All government actions distort the market, and as a result they often do not achieve their stated ends; but many laissez-faire opponents ignore this.
    18. Re:Aha! by hyades1 · · Score: 1

      And your feeling on oligopolies?

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    19. Re:Aha! by TheVelvetFlamebait · · Score: 1

      But monopolies are just as bad on the business side as they are on the government side
      Or quite a bit worse. Each monopoly answers to its shareholders, and we are the government's shareholders. Which is more likely to respond to public outcry? The government, of course.
      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    20. Re:Aha! by A+nonymous+Coward · · Score: 1

      Which is more likely to respond to public outcry? The government, of course.

      You must be joking. The government has too many shareholders and none of them have any alternative. It is controlled by bureaucrats who are in more danger of losing their jobs from doing something -- anything -- than doing the wrong thing. Compare that to multiple companies, where not only are the bureaucrats capable of being fired, whether for doing the wrong thing or for any other reason, but if the complainer doesn't like the response, they have an alternative. The alternatives may not be much better, but at least they exist, and that competition is more likely to make for responsive companies than any government bureaucracy ever will be.

    21. Re:Aha! by TheVelvetFlamebait · · Score: 1

      The government has too many shareholders and none of them have any alternative. It is controlled by bureaucrats who are in more danger of losing their jobs from doing something -- anything -- than doing the wrong thing
      ... like, for example, not responding to public outcry?

      Compare that to multiple companies, where not only are the bureaucrats capable of being fired, whether for doing the wrong thing or for any other reason
      What makes you think the government bureaucrats don't get fired? If we think they're doing a bad job, we elect them out! In fact, I would argue that the government jobs are, on average, less secure than the bureaucrats in monopolies, because the people aren't always rational about little misdemeanours in the way a seasoned businessman is.

      but if the complainer doesn't like the response, they have an alternative.
      Yeah, like alternative political parties. In the case of private monopolies, well, they wouldn't be a private monopoly if there were any viable alternatives.
      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    22. Re:Aha! by A+nonymous+Coward · · Score: 1

      The bureaucrats which count are not the few elected ones but the vast civil service. There aren't enough elected ones to handle the complaints generated by the number of citizens. Contrast the US's 545 elected national reps with any company which has a far smaller audience. The elected reps only care about those complaints which could make them look good when they raise the issue, and they have almost no effect on getting them re-elected; those complaints are not where the bulk of votes come from.

      As for alternative political parties, not in the US. The two which count are so similar in their quest for power that they are not useful alternatives.

      You must really be living in some kind of fantasy world to think the government actually cares about you and your petty complaints. You are one out of 300 million and probably don't give squat to election campaigns. I can't imagine what kind of upbringing would mislead someone as you have been.

    23. Re:Aha! by TheVelvetFlamebait · · Score: 1

      The bureaucrats which count are not the few elected ones but the vast civil service.
      OK, finally some specifics on the government side. But who are we referring to on the business side? On the business side, the bureaucrats are more akin to the elected officials. The civil servants are like the smaller companies contracted to perform certain jobs for the business, and their accountability is similarly indirect. However, if a civil servant or a contracted company majorly fucks up (like, for example, a teacher sleeping with one of their students), then no amount of indirectness in their accountability will protect them. If the people want blood, they will have it.

      However, if you're expecting some major and expensive reshuffling over a minor (but widespread) issue that comparatively few people care about, or even acknowledge the existence of, then you're expecting far too much from the government. That's the way I want things to work. No, sorry, I'm mistaken. I really want the government to obey me, and do whatever I tell it to, but I acknowledge that will not happen, so I'm happy to settle with it catering to the will of the people equally.

      As for alternative political parties, not in the US. The two which count are so similar in their quest for power that they are not useful alternatives.
      It's true. We have two parties who are so adept at their jobs that they can essentially pre-empt what the people want, and stop the search for any alternatives. The political game, like any game, has individual strategies that will work best in different circumstances. Since the circumstances are essentially the same for both parties, so too will be their policies.

      You must really be living in some kind of fantasy world to think the government actually cares about you and your petty complaints.
      Not really. It's just that you happen to live in the hell of liberal paranoia and electoral fringes. You have beliefs that the mainstream do not share, which means that, unless you be really proactive, you are doomed to be oppressed by the majority. It's just the way the system works. In a population that contains diametrically opposing views on a variety of subjects, someone always has to miss out, and it just happens to be you. Don't worry though, there are alternative governments out there who are possibly more in line with your ideology.

      I can't imagine what kind of upbringing would mislead someone as you have been.
      Oh, you know, white middle class, caring, left wing environmentalist parents, constantly worrying about the local government's development of the local coastline. I grew up with my fair share of government hatred, which I shared for a while. That is, until I heard some famous, intelligent woman (I can't remember who) on the radio. In response to some question about the unhappiness of some people with their elected government, she responded by saying she always had believed that a people must take responsibility for their government. It took me a while to realise what she meant, but a couple of months later, it hit me out of the blue. We are responsible for our government! Even if we don't vote for the people in power, even if the system isn't responding to the cries of the people, we are responsible. It is our responsibility to make our voices heard, if we so wish to do so. We don't have just one vote, we have the unlimited power to influence others into thinking the same way. We have the right to fight other people's ideals with our own ideals. The flipside is, however, that the people also have a right not to agree with or even listen to you.
      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    24. Re:Aha! by Allador · · Score: 1

      It is absolutely not a requirement of a Free Market that there be large numbers of buyers and sellers.

      You can have a free market with 2 suppliers, as long as the barriers to entry for new competitors are low. Then if the 2 form up to price fix or something similar, then new businesses will be formed to offer the product/service at a lower price or higher quality, and the market naturally re-balances.

      I think what you mean is that markets are often more efficient with large numbers of sellers.

      Even that is arguable, at least in some cases. Too many players dividing up the available potential income can dilute the market, such that no company has the income to re-invest or improve, because margins are so thin.

    25. Re:Aha! by Allador · · Score: 1

      Huh? How does copyright law support Microsoft?

      Microsoft doesn't have a dominant market position because of copyrights. It does so through lots of (legit) savvy business sense, along with some less than legitimate behavior (supply manipulation of OEMs).

      Copyrights do not cause the market to be insensitive to price gouging.

      Copyrights do not stop others from entering the market.

      The only conceivable argument that copyrights stop effective competition is because of switching costs (ie, compatibility), as MS copyrights its protocols. But this falls short in a number of areas.

      1. These protocols have all been reverse engineered successfully, without invoking copyright litigation.

      2. People are still able to switch, even without having fully documented protocols and specs. It may be more inconvenient and costly, but there's no law that says businesses have to make it easy to switch away from them (at least in this market, in some markets there are such laws).

      Now I'm not saying that copyright law is good. And I'm not saying that Microsoft has been good for every aspect of the industry. But tying the two together is not logical. You need to deal with the MS problems where they are, and it has nothing to do with copyright.

      I realize that if you're a FOSS fan or zealot, you think that all information should be free. I would argue that all information will be free eventually, despite barriers such as proprietary protocols and specs.

      If there's a market for them, then someone will provide a product.

    26. Re:Aha! by Allador · · Score: 1

      The government has too many shareholders and none of them have any alternative.
      Thank you!!!

      Government is an example of an area where there is NOT a free market, and the competitors use violence to enforce their territories. I don't have a choice as to what government I pay for services, I'm forced to deal with the US government because of where I was born.

      And this 'no competition within my territory' means that over time all the governments tend to look alike, as there is no competition, and they all tend to evolve towards maximum extraction of energy from the system that is sustainable.

      Anyway, didn't mean to preach to the choir there, but I sometimes wish people would put a little more thought towards the biggest monopoly of all.
    27. Re:Aha! by A+nonymous+Coward · · Score: 1

      And thank you!

      Yes indeedy. People who claim to like competition in business want a monolithic government. There are so many things in government hands that don't need to be. My favorite is schools. You have two huge bureaucracies, the school boards and the teachers unions, both competing to control the bureaucracy, both plotting to spend as much money as possible on themselves, neither cares an iota about the students or the parents. Why school vouchers haven't taken off I do not know, but maybe none of them come close to matching the cost of even the public schools. Vouchers, or even letting parents and kids pick among the public schools, won't fix schools by themselves, but they would sure put the bureaucrats and teachers on notice that bad performance won't be acceptable any more, and that is the fire they need lit under their lazy asses. Not that all teachers and admins are lazy and incompetent, but there is no way to get rid of those who are, and for that they must all share the blame.

    28. Re:Aha! by A+nonymous+Coward · · Score: 1

      What a load of angst.

      The problem is simple. A bureaucracy is a centralized economy. It would work if society were static and bureaucrats had years and years to fine tune the allocation of workers. So many workers for this steel factory, so many for this car plant, so many potato farmers. You could optimize the holy heck out of the workers, keep everyone happy, everything humming smoothly. No excess capacity going to waste, no workers over- or under-worked.

      Then a worker retires, or gets sick, or dies. Where do you get the replacement? Well, I guess you could have a pool of replacement workers ready, ie, unemployed, but they'd need training. So everyone else on that shift of that section has to fill in while the replacement is found and trained.

      What happens if the plant suffers a breakdown, or a tornado, hurricane, flood, etc, strikes? Well, now no steel, so you better have some excess capacity in other steel plants, but how much?

      What happens if someone invents a better way to make steel? Each shift needs 3 fewer workers and less coal to produce the same amount. Now not only do you have a few workers with nothing to do, you need fewer coal miners, fewer barges and railroad cars transporting it.

      A centralized economy simply doesn't deal with stresses like that. Static conditions do not exist.

      That's what is wrong with bureaucracies: they are only good at dealing with static conditions.

      Why the heck do people want competition and choice in everything except government? What makes people think a government bureaucracy is the answer to anything when they can't even handle the DMV or post office? What is this fear of the free market in the last bastion of bureaucrats run amuck?

    29. Re:Aha! by TheVelvetFlamebait · · Score: 1

      What makes people think a government bureaucracy is the answer to anything when they can't even handle the DMV or post office? What is this fear of the free market in the last bastion of bureaucrats run amuck?
      Oh, I never said it was preferable in every (or even most) situations. I was originally contesting your statement that the government is no better than a private monopoly. All I was saying was that the government does have the potential advantage of being accountable to us, rather than the shareholders. If we all cared about our public sector as much as the average shareholder cares about his company, believe me, these inefficiencies would go quick-smart. The difference is that we are not true shareholders, and we are generally happy as long as we have basic public services, and our choice between other services from the private sector.

      Why the heck do people want competition and choice in everything except government?
      People don't generally want competition or choice, but a government that represents them personally. Choice and competition happen to be a tried and true way to obtain a government that is in tune with its people. If there are consistently two choices between good and similarly good, then there is little need for other choices, which is how and why two party systems continue to exist.

      What a load of angst.
      What, trusting the government somewhat is suddenly considered angst, whereas being paranoid of any concentration of power, no matter how fragile, is not? What is this? Doublespeak?
      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    30. Re:Aha! by 10101001+10101001 · · Score: 1

      Your bullet points are not absolute requirements for the market to function.

      You're right. The GP's bullet points include more elements than necessary. And it leaves out the need of buyers/sellers to be rational.

      Furthermore, things like monopolies and uninformed market participants only distort a naive, simplistic analysis of the free market (of which many libertarians are no doubt guilty).

      Natural monopolies are, well, natural monopolies; so, they can't be said to distort the market--that doesn't mean they're "fair" by many standards. But, uninformed markets includes things like fraud. And fraud can very drastically distort the market.

      They do not hamper the operation of the market itself; in fact they are completely normal and healthy components of it.

      "Healthy"? They might be a byproduct of the market. That doesn't make them "healthy".

      Take monopolies, for example: laissez-faire economists do not claim that monopolies cannot exist in a free market. Instead, they claim that the free market tends to eliminate monopolies, and does so more efficiently than government regulations can do, since regulations always introduce their own inefficiencies.

      Close, but not entirely correct. You forget natural monopolies, for which barriers to entry hamper the ability of other companies to compete. In a real free market, people would be informed enough that they could counter attempts by a natural monopolist to hurt them by boycotting. But, in laissez-faire, there is too much disinformation available and too much disorganization of the people to be able to adequately counter the "unfairness" of pricing.

      Just as it is naive to assume an idealized free market, it is also naive to point out certain inefficiencies in the free market and then blithely assume the existence of a similarly idealized form of government intervention to "fix" these inefficiencies.

      Um, the GP never made mention of any "idealized form of government intervention". So, this is a strawman argument. While I can't speak for the GP, I would point out that the inefficiencies of less than ideal government intervention can be less than the inefficiencies of a laissez-faire system. One has to look no farther than markets where rampant fraud (because there is little government intervention) causes few people to invest into companies, thereby crippling the market.

      All government actions distort the market, and as a result they often do not achieve their stated ends; but many laissez-faire opponents ignore this.

      Certainly, not all government intervention has the intended effect. And government intervention certainly isn't always the best approach to resolve inadequacies of a laissez-faire system. But, that doesn't mean there's never a place for government intervention; ie, one can't reasonably treat government intervention as some sort of taboo to avoid discussing what the "best" thing to do is.

      --
      Eurohacker European paranoia, gun rights, and h
    31. Re:Aha! by thirdrock68 · · Score: 2, Insightful

      How many of those problems you cite were caught by the regulators you espouse?

      I would estimate about 100,000 presenting cases of gastric distress per 6 million people, because that's how many the laissez-faire Hong Kong government does not catch per year through their non-intervention.

      Here's an example of how things would work if inspections were voluntary and run by businesses: right now inspections are done by guys with clipboards, thermometers, and subjective opinions, right? If the inspectors cared about profit, I believe that by now we would have automated real time inspection systems possible, where sensors in kitchens would monitor for rats, roaches, warm refrigerators, cold meat, etc. That would be a much better health regulator than unannounced once a year inspections by inspectors susceptible to bribes and favoritism.

      Great, you just raised the barrier to entry for the restaurant business by 50K. Well done genius, now only large corporations can supply food service. Or were you suggesting that the taxpayer pick up the bill for all your sensors?

      No government bureaucrat would ever put up with such a system, as it would reduce the size of his empire. Profit driven businesses would, for it would reduce their employee count, increase their profits, lower their prices, enhance their reputation with the public, and grow their business.

      Bollocks. Employees are cheap, capital is expensive. How would taking on another 50K of debt per restaurant increase profits? Or lower prices? How would the public know what goes on in the kitchen? They don't now.

      All those laid off inspectors would now be available for productive work.

      Maybe they could go and work in the hospitals dispensing treatments for diarrhea, gastroenteritis and food poisoning. Or working for the pharmaceutical companies that make these treatments?

      Do me a favour pal, keep your fucking stupid ideas out of my city OK? I like eating out at restaurants.

    32. Re:Aha! by jafac · · Score: 1

      The problem is, while Monopolies would naturally break themselves - in a perfect theoretical system, the reality is, a Monopolist gains political influence and power; yes, we have Linux BECAUSE of Microsoft's dominance. We also have stupid crap like the DMCA, CALEA, and whatever atrocities the lobbyists haven't come up with.

      They've TRIED to outlaw Linux, for various reasons. They tried to outlaw it as a "tool for hackers" - they've tried to outlaw it as a threat to their "intellectual property", and they'll probably try to outlaw it as a "Chinese Information Warfare" weapon next.

      At the same time, we have this bullshit patent abuse to wipe out VOIP as a potential competitor to POTS. So you can count THAT baby as being knifed as well.

      The law is a tool - that is there. It is a reality, and it is a fact. It can be wielded by the people, or it can be wielded by Monopolists. Being afraid of the unintended consequences of how it is wielded, and desiring to ban it altogether (Law and/or Government) is all fine and dandy. But it is a UNILATERAL DISARMAMENT. If the People put down their only defense and weapon, do not assume that the Monopolists will.

      Monopolies can not be tolerated or left alone. They MUST be broken up and destroyed, as must ALL concentrations of power.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    33. Re:Aha! by totally+bogus+dude · · Score: 1

      While your points are valid, you need to consider the harm that is done while the monopoly is let to run its course before it is eventually "routed around".

      An extreme example: do we let the impoverished people in third world nations die of starvation on the theory that eventually the population will decrease to match the available food supply, and therefore resolve itself?

      Obviously a monopoly isn't as detrimental to people as starving to death, but the point is that just letting it play out until it resolves itself results in people "suffering" for a period of time. Worse, the people "abusing" the market profit mightily during the period, which only serves to encourage others to do the same if at all possible.

      The inevitable downfall of a monopoly isn't disincentive enough to discourage people. Microsoft's monopoly may only last 10 years, but during that 10 years the directors have made an absolute crapload of money, and there's a lot of people who dearly want to emulate Microsoft's "success". If the government (or whomever) regularly intervened before such behaviour becomes hugely profitable, then it would greatly decrease the incentives for others to follow suit.

      On the other hand, I do agree that when people start to meddle to try to make things "better", it tends to make things worse more often than it makes it better. But it's probably also worth pondering whether Microsoft has actually held back on their monopolisation for fear of upsetting the government watchdogs. If there really was zero threat of government regulation interfering with them, would they have bought far more of their competitors than they have? Would they be pushing out patches via Windows Update that prevent Firefox and Opera from running on Windows? Would they make MSIE refuse to navigate to their websites altogether?

    34. Re:Aha! by Lunzo · · Score: 1

      Off topic, but anyway...

      There was a recent article in Choice magazine (an Australian consumer watchdog sort of mag) about restaurant health inspections.
      There are inspections here but the results aren't published and restaurants which don't comply only need to pay a small fine or are given months to fix problems.

      Choice argued that for consumers to make an informed decision about where they eat, they need to be able to compare the hygiene standards of different restaurants and factor that in to their decision making. An earlier poster pointed out the need for informed choices being important for a free market so I won't repeat it here.

      Interestingly enough the Choice article claimed that the "bureaucracy" you deride in your post actually has a financial benefit for restaurants. It cited some cities in the USA, UK and Europe where restaurants have to post the results of health inspections (Green = Pass, Yellow = Warning, Red = Fail) on their front door. Those in the green had higher profits compared with restaurants in cities without the scheme, IIRC around 10% better, and those in the yellow had profits going up by 1%.

      I guess the relevance to TFA is the free market ain't free without information people need to make informed decisions and for some information government regulations, studies and inspections *are* the best way to get it.

      N.B. No link to article because I think you have to pay to read them on the Choice website.

    35. Re:Aha! by A+nonymous+Coward · · Score: 1

      That's an intelligent reply. All that cussing really validates your thoughts well.

      Hong Kong, the US, there's a great worthwhile comparison. Who says they have anywhere near the same cultural standards, standard of living, crowding, etc? Let's compare, oh, Lagos next. Or any other random city somewhere on the world.

      Who said that tech would cost $50K? Who said the current inspection regime has no cost? Again you compare apples and oranges.

      You think capital is expensive, you're right. But cameras are cheap. Try pricing them before spouting garbage which only shows how little you know. Consider that fancy restaurants would take up the new tech first and the tech would spread on down as it matured. Stop living in the stone age from which your corruptible human inspectors come from.

      No employee has a right to keep their job when it becomes obsolete. It sounds like you are palsy with your inspector friends and want them guaranteed lifetime jobs at taxpayer expense -- or did you think taxpayer jobs were paid for from thin air? When they can be replaced, they will be freed up for more productive jobs. If you don't like that, go find a planned centralized economy with jobs guaranteed for life. Oh wait -- those economies went bust. Dang. Too bad for you and the other layabouts who want guaranteed public taxpaying jobs. Must suck to have no skills other than carrying a clipboard and counting rat feces and taking bribes.

    36. Re:Aha! by A+nonymous+Coward · · Score: 1

      for some information government regulations, studies and inspections *are* the best way to get it.

      There is no correlation between information availability and government regulators. Private companies which do inspections could post the results just as easily. It would quickly become apparent that restaurants without posted results either had no inspections or were too embarrassed to post them, and it would also quickly become apparent which inspectors did a good job. With one source of inspections (the government), you and the restaurants have zero choice of inspectors. What if the expensive restaurants want daily inspections, or weekly? What if they want more detail in the posted results? If anything, the fancy restaurants posting more detail more frequently will shame the cheaper restaurants into getting more and better inspections.

      There is almost nothing the government does that can't be done just as well as y private companies, and as long as there are multiple private companies doing it, they will do it better. About the only exceptions are the court system and national defense.

    37. Re:Aha! by jhol13 · · Score: 1

      You forgot one principle: sellers and (especially) buyers act rationally. Though arguably it could be fused into "complete information", but I just wanted to point it out.

    38. Re:Aha! by jhol13 · · Score: 1

      free market tends to eliminate monopolies, and does so more efficiently than government regulations can do, since regulations always introduce their own inefficiencies.

      Take AT&T. Show me how and why free market would have eliminated the monopoly more "efficiently" than the government intervention did.

      Take Standard Oil. Show ... But, please, do not do circular reasoning by defining "efficiently" to be what free market does.

      The free economists always ignore every example from history (yeah, I know, they have to, otherwise the "religion" would collapse).

      The "opponents", OTOH, do not think government is (or can be) some "super entity" - they admit it has its own (sometimes big) problems. The point is that in some cases government can just work hugely better than free market.

      Take education. At least the country I live in (Finland) cannot afford to "lose" poor and smart(ish) people.

      Take social security - at least I am willing to keep the "safety net". My morality just cannot let people rot in the gutters (not that government can *completely* avoid this).

      OTOH government should not interfere with working economy/market. I fully agree that in practice governments sometimes do interfere too much. It does not mean living without one would be better.
    39. Re:Aha! by SL+Baur · · Score: 1

      Unix lost the war because of pricing and lack unified desktop environment. Two words - CDE sucks. I think it sucks less than Microsoft Windows, but obviously I'm in the minority on that.

      The pricing issue had to do with external vendors pricing equivalent software double or triple or higher for Unix platforms than Microsoft platforms.

      Unix lost a war it could have won, Unix lost a war it should have won

      Corrected you on that. Indeed, we killed VMS but weren't looking the other direction.

      Stupid marketing (I was once told AT&T couldn't market eternal life successfully, and I agree) and bad 3rd party software pricing was most unfortunate. That and a misunderstanding of Moore's law - microcomputers would (very) soon become the equivalent of mini-computers was most tragic. Right now, the VMS guys who had their system defeated by Unix are having the last laugh.
    40. Re:Aha! by orasio · · Score: 1

      I think it's common for people to romanticize about the possibility that a "free market" could actually exist, but beyond the econ 101 textbook there is the real world and judging by our history humans usually seem to "cry foul" when the invisible hand threatens their security and call for socially-motivated programs (like the new deal) to help protect them from the market deciding that certain people have lower value to the marketplace than they themselves are prepared to accept.

      The free market is a nice dream that might even work quite well if it didn't have human psychology to contend with, which seems to demand that once we organize ourselves in to a group called society, that it is "civilized" and "decent" to offer protection to those who once contributed to the market and were later tossed out either because they couldn't adapt or support themselves.

      That is not to say that I support price controls or antitrust laws, or even don't support the (always failing) social security program. I'm actually pretty neutral on economic matters provided I have the freedom to make my own financial decisions and the money in the bank to take care of myself when the market shifts. I only comment because I often hear people spout off about Adam Smith, and when I do it often sounds quite naive given the broad spectrum of market forces competing with the invisible hand.

      It's funny to see people from the US repeat the free market doctrine. It makes me remember an old propaganda cartoon, where an American mouse invited a Russian mouse home, and showed him the marvels of capitalism, where TV sets magically replicated and stuff.

      Communism, at least in the soviet flavor, doesn't work in practice, because people have values that differ with the ideology. The proof is that no communist country has passed the authoritarian phase.

      Free market, or whatever doctrine the US stands for, doesn't work in practice either, because people have values that differ with the ideology. The proof is that no "free market" country has ever sustained itself without betraying the "free market" principle. At least they don't need authoritarian governments. The US sustains itself thanks to lots of central planning, substitution of imports, barriers to trade, artificial valuation of the currency through diplomacy backed by warfare. And all those things happen because big economic interests use their power to get those regulations. That is a consequence of trying to follow the free market doctrine in the past, corporations get as much power as they can get, not as much as the government lets them. The fact that they use it to legislate is just a consequence.

      What I mean exactly, is that doctrine should not be used to lead a country, and isn't. The free market is not some magic tool that fixes everything, the same way that Marx is not an old grandpa that will take care of you. You should know about them, use them to understand the world, but try not to be blinded by doctrine. Economics is a difficult discipline, recipes don't just work.
    41. Re:Aha! by thirdrock68 · · Score: 1

      That's an intelligent reply. All that cussing really validates your thoughts well.

      Don't it just, dagnabbit!

      Hong Kong, the US, there's a great worthwhile comparison.

      Yeah, no one has ever compared Hong Kong and the USA before I did yesterday.

      Who said that tech would cost $50K?

      I did. Have you got hard numbers that prove otherwise?

      Who said the current inspection regime has no cost?

      Not me. I don't mind my taxes being spent on Health Inspectors. I certainly don't trust a corporation to be looking out for my health.

      Again you compare apples and oranges.

      You really don't know what that phrase means, do you?

      You think capital is expensive, you're right. But cameras are cheap.

      Who monitors the cameras? Fluffy the robot?

      Consider that fancy restaurants would take up the new tech first and the tech would spread on down as it matured.

      Have you actually worked in a kitchen? I can assure you that 'fancy restaurants' already keep their kitchens clean and hygienic without you having to impose your cameras and sensors on them. Not that any quality Chef would work in a kitchen where s/he was monitored by invasive surveillance cameras.

      Stop living in the stone age from which your corruptible human inspectors come from.

      Wow, sounds like someone has an axe to grind.

      No employee has a right to keep their job when it becomes obsolete. It sounds like you are palsy with your inspector friends and want them guaranteed lifetime jobs at taxpayer expense -- or did you think taxpayer jobs were paid for from thin air? When they can be replaced, they will be freed up for more productive jobs. If you don't like that, go find a planned centralized economy with jobs guaranteed for life. Oh wait -- those economies went bust. Dang. Too bad for you and the other layabouts who want guaranteed public taxpaying jobs. Must suck to have no skills other than carrying a clipboard and counting rat feces and taking bribes.

      Hmmm, I have never worked for the public service, and I never intend to. I agree that governments are corrupt and inefficient, but my experience is that laissez-faire governments that do not police restaurants (letting the free market do the policing), end up paying for it dearly from the ill health that ensues as a result of their non-intervention.

      Your claim that a corporation would 'self-police' itself in this matter is not supported by any historical evidence of corporations giving a shit who they killed/put in the hospital in their quest for profit. Not that I object to corporations or businesses pursuing profits, I just don't want it to be at the expense of my health/life.

      Must suck to have no skills other than carrying a clipboard and counting rat feces and taking bribes.

      I imagine that this is a cultural practice of the USA. Probably the result of making money your god. Maybe if you gave a rat's faeces about anyone other than yourself you could build a system where public health is the concern of everyone in the community. Unfortunately, your cult of the individual means that you don't actually have a community.

  24. And why Microsoft wins... by Computershack · · Score: 1

    "That's a lot of time for an attacker to identify the same issue and exploit it to hurt users."

    One thing that worries me about Firefox being open sourced is that hackers are basically "gifted" with the information about the security holes in previous versions meaning that anyone running the previous versions is more vulnerable until they update which may be never - especially as there's plenty of people still running Firefox 1.x, not all Linux distros have an auto-update and earlier versions of FF didn't auto-update either. In this respect, for me, closed source is more secure. I'm not claiming that it means IE is more secure, merely that the hackers have to put a fair bit of effort in to find the holes instead of Firefox's "We've fixed the bug that's in version 2.xx - here it is."

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
    1. Re:And why Microsoft wins... by msuarezalvarez · · Score: 1

      Never add a link to this comment to your CV if you intend to work on security...

    2. Re:And why Microsoft wins... by basotl · · Score: 1

      I think Firefox users are still more likely to perform those updates along the way. The majority of Firefox early adopters tend to have a high enough technical knowledge to perform updates. I would imagine that the share of users using outdated Firefox versions is very small. Regarding your point about Linux users, if they aren't updating their systems regularly, the problem is between the keyboard and chair.

      But I would also like to apply your point to IE users. I've run into tons of people that still use IE6 with no security updates. With the tons of security exploits out there for that, I would say they are more vulnerable. I would say there are more users of outdated IE versions than there are of older Firefox versions and that makes the IE users a juicier target for attackers.

      --
      HTC EVO 4G LTE w/ CM 10.2 | NookColor w/ CM 10.2 | Samsung Epic 4G w/ CM 10.1
    3. Re:And why Microsoft wins... by asa · · Score: 2, Informative

      One thing that worries me about Firefox being open sourced is that hackers are basically "gifted" with the information about the security holes in previous versions meaning that anyone running the previous versions is more vulnerable until they update which may be never - especially as there's plenty of people still running Firefox 1.x, not all Linux distros have an auto-update and earlier versions of FF didn't auto-update either. In this respect, for me, closed source is more secure.

      Actually, Firefox is pretty darn up to date. Our stats show less than 2% of Firefox users are still on 1.5. If your linux distro doesn't do updates, I suggest getting a new linux distro or getting Firefox directly from Mozilla so we can keep you up to date.

      The number of Firefox users who aren't up to date is so tiny compared to the number of IE users who aren't up to date as to be mostly ignored by hackers -- remember that hacking today is a financial enterprise. It's not script kiddies trying to impress their friends, it's organized and profitable crime and targeting a few hundred thousand hard to identify Firefox users wouldn't make any sense to those people.

      We're always working to keep our users up to date and I think our record is extremely good. Our security updates reach 90+% of our users in a matter of days, 99% of our users in a matter of weeks. Our major updates, like from 1.5 to 2 reached 98% of our users in less than a year. How many users are still on IE6 when 7 offers so much more security? Public stats from web analysts put that number between 65 and 75%. If you were building a serious criminal endeavor online, would you target hundreds of thousands of users or hundreds of millions?

      - A

    4. Re:And why Microsoft wins... by Kelson · · Score: 1

      One thing that worries me about Firefox being open sourced is that hackers are basically "gifted" with the information about the security holes in previous versions ... In this respect, for me, closed source is more secure. I'm not claiming that it means IE is more secure, merely that the hackers have to put a fair bit of effort in to find the holes instead of Firefox's "We've fixed the bug that's in version 2.xx - here it is."

      It's not a significant advantage, though. If you look at the most high-profile attacks over the last few years, a lot of them weren't developed by bad guys looking at source code or even by messing around with the program itself. They were developed after Microsoft released a patch, and the bad guys looked at it to see what the patch changed and reverse-engineer what was vulnerable about the previous version.

      That tactic will work with any program, whether the source is available or not, and the hackers are quite willing to expend the effort. It seems like within days of any patch announcement, someone has come up with an exploit for it. So whether the source is open or closed, users of old versions are going to be more vulnerable after the fix is released than they were before.

      As far as updating goes, many users seem just as bad at updating their closed-source software as they are at updating their open-source software (if they have any). Even when auto-update is available, as in Windows, Mac OS X, or Adobe Reader, many people leave it off or skip it.

  25. My Vote by artgeeq · · Score: 1

    It seems like the number of times I have had to restart Firefox lately because of patches is increasing. Does this make it more secure? Or does it mean that some programmer cannot get it right the first time (or the second time, or the tenth time)? Besides, all the Firefox patches lately have become really irritating.

    1. Re:My Vote by msuarezalvarez · · Score: 2, Funny

      You are free to use any other browser. Btw, if patches annoy you, you may be interested in MS's IE, which, from what I hear, does not get patched that often...

    2. Re:My Vote by artgeeq · · Score: 1

      Yes, I am -- we all are, and that's the point, isn't it? I hate to see a great, open source browser take a slide downward. The IE patches come with the OS patches, and so these are effectively mandatory.

    3. Re:My Vote by Anonymous Coward · · Score: 0

      Stupidest comment ever.

      It's not a downward slide when the browser's vulnerabilities get patched. It would be a downward slide if they did not!!!

      >Or does it mean that some programmer cannot get it right the first time (or the second time, or the tenth time)?
      Right, because you've been walking since you were a baby, but after tripping for the first (or the second time, or the tenth time) you do not do that anymore.

      When you apply IE patches you have to restart an entire OS. And it nags you to restart it. With Firefox you can press "Later" button and it won't bug you till you restart it.

    4. Re:My Vote by Anonymous Coward · · Score: 0

      Besides, all the Firefox patches lately have become really irritating.

      Irritating? You want irritating?

      I just had to scrub my girlfriend's computer down to bedrock and reinstall! And I gave her the link to a drive-by download! I use Firefox at work (company policy) and the links didn't even cause a warning, let alone an infection. But one look at the site in IE and BLAMMO! her computer was so infected; no warning of download, just downloaded the spyware and it invited all its spyware buddies in.

      True story... verified by doing it one more time in Firefox (no problem) and IE (BLAMMO).

  26. It depends... by Lonewolf666 · · Score: 1

    Good point about software that needs a particular version of IE, but there are more reasons:

    -Standardization in large user groups. If you are an IT department that supports a few thousand users, you probably want the same (tested in advance) set of applications on all PCs so you can cut down on the complexity of your support issues.

    -Regulatory requirements in safety critical applications:
    If you do stuff like medical devices, the above becomes mandatory because you have to show a validation of the software configuration you send out. Each software upgrade will trigger a new round of tests and cause costs.
    Of course, one might argue against using a general purpose OS on these at all, especially Windows ;-)

    --
    C - the footgun of programming languages
  27. OSholes?? by xtracto · · Score: 1

    So what? Does Firefox illuminate their Oossholes?

    *rimshot*

    Thank you thank you

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  28. The problem with buggy security patches... by Effugas · · Score: 1

    ...is that people stop installing the patches at all.

    You really only get to screw up a few times, before the risk of broken patches exceeds the risk of getting hit by a non-public vulnerability. Then, people won't install patches, even when the exploit is public!

    One real problem is that this entire engineering model is very, very new. The rules of physics do not change, day to day, but what's happening on the Internet transforms remarkably, moment to moment. It really is a war out there, and the bad guys learn quick.

    It is important to realize that the web, for all its warts (and I've been findin' em) is a remarkably secure place, given what it really is. It's our first actual success at mobile code. Wrap your mind around that -- it's really terrifying, and yet, we use it every day. Cool!

    Still, everyone's got a lot of work to do, and it is indeed unfair to judge Firefox v. IE based on publicly known vulnerabilities alone. The metrics are guaranteed to be skewed -- Mozilla just doesn't have the freedom to test (due to their NDA-less development model) like Microsoft does.

    (Disclosure: I've known Window for years, and I consult at Microsoft on security matters.)

  29. Mozilla also sits on critical internal bugs by Anonymous Coward · · Score: 1, Informative

    If a critical bug is discovered internally or externally and the reporter does not leak the info, Mozilla will not push the update sometimes for up to 2-3 months. This is not much different from MS policy and gives according to the blog "a lot of time for an attacker to identify the same issue and exploit it to hurt users".

  30. Re:Anybody surprised? by Anonymous Coward · · Score: 0

    > NCR Dos 3.2 was the best DOS version of them all because of all the bughunt NCR did on it.

    Where did you get this idea? All of those companies - Compaq, Eagle, NCR, AT&T, etc - licensed DOS from Microsoft. They didn't get the source, they couldn't modify it. I'm sure they reported bugs back to MS, but then all clients got the benefit.

  31. deserved reputation ... by tiananmen+tank+man · · Score: 2, Insightful

    True or not, this is the reputation the Texas Department of Science Education has given itself.

  32. Re:Anybody surprised? by howlingmadhowie · · Score: 1

    no, no, no. microsoft came along and there was one more voice speaking its own language for anything other than ascii. people began to be able to talk when the internet took off.

  33. Use Opera by cyofee · · Score: 1

    Still more secure than FF or IE.

  34. Re:Anybody surprised? by holyspidoo · · Score: 1

    And if you use nothing but MS software for 30 days, your computer becomes bloated! And agreeing to install live toolbar with MSN, that sounds like supersizing to me...

  35. But at the cost of reduced functionality. by sid0 · · Score: 1

    As usual, a tradeoff. Opera doesn't have extensions (and no, UserJS doesn't count).

    1. Re:But at the cost of reduced functionality. by whitehatlurker · · Score: 1
      This is the main point that Firefox users bring up, and I concede that it is technically true. However, there is additional functionality built into Opera that is only brought into Ff via add-ons.

      Opera has built-in - doesn't need:
      UserJavaScript - greasemonkey
      content blocker - ADBlock
      site level script manager - NoScript
      mouse gestures - Mouse Gestures
      per site CSS manager - Stylish
      per site user-agent masquerading - User Agent Switcher
      tab level image control - ?? (I know there's something out there - help on the name, please)
      tab level CSS - ?(does stylish do this?)

      All competitors need something to distinguish themselves from each other, if Firefox users wish to focus on the inclusion of add-ons, fine. Opera users could use the better security record of Opera as their competitive highlight.

      I know there are Ff users reading this - anyone know of a BlockFall replacement that works with Ff 2.x? It stopped working for me around Firefox 1.5 or so.

      --
      .. paranoid crackpot leftover from the days of Amiga.
  36. And in other news... by butterwise · · Score: 0, Redundant

    Microsoft CEO throws chair at Firefox security head.

    --
    If a baby duck is a "duckling," why would anyone want to eat "dumplings?"
  37. private companies can have shareholders by brokeninside · · Score: 1

    The same pressures that exist on publicly traded companies also exist for private firms. The difference is usually a matter of the number of shareholders and the market capitalization rather than the fact some firms are private and some are public. But even then, some very large firms are privately held. For example, Chrysler Corps. is now a privately held company.

  38. Ok, so you're an OS HOLE. by VinB · · Score: 1

    There, I said it.

  39. Re: apples, oranges and tighty-whities by Anonymous Coward · · Score: 0

    OSS Guy: Dude, our tighty-whities come with racing stripes.
    Bill Gates: Oh yeah? Show 'em, Steve!

    [Ballmer drops his drawers.]

    [Awkward silence.]

    OSS Guy: Ok, you win. Just don't ever do that again in public.
    Bill Gates: Noted.

  40. Prove It by ThinkFr33ly · · Score: 2, Insightful

    He offers no evidence to back up his claims.

    Attacks on other software packages, including Office and Firefox, have risen dramatically. If Windows and IE were still so easy to exploit, why would that be the case?

    What this suggests is that hackers are having a harder and harder time exploiting these more traditional attack vectors. If there was such a huge library of holes that Microsoft patches silently, one would think that those would continue to be a great attack vector, and hackers wouldn't bother researching other vectors.

    One could surmise that the bad guys just don't happen to know about these stealth-patched holes, and that's why they're turning to other attack vectors.

    But guess what: if the bad guys don't know about them, they do no damage. Security through obscurity works great if the holes stay hidden. And, as I mentioned before, it appears that they are staying hidden, if they exist at all.

    This guy has great motivation to make shit up, as does Microsoft. I know virtually everybody here will assume he is telling the truth, but that's an assumption. There is no evidence to back it up.

    1. Re:Prove It by LordMorgul · · Score: 1

      You conveniently neglect the fact that the available pool of attackers, and users, and sites that may play host to exploits... is increasing at an astounding rate. The fact that Opera and Firefox attacks are increasing cannot be proven as correlated with the relative security of FF/IE/Opera. The number of attacks and security flaws identified will *naturally increase* as the community of computer users expands around the world.

    2. Re:Prove It by ThinkFr33ly · · Score: 1

      If that were true, then the number of attacks on IE/Windows would ALSO increase, proportionally.

      But that's not what is happening.

  41. Re:Anybody surprised? by gweihir · · Score: 1

    Yes. Refers to the ''cheap'' in the sentence before.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  42. Third world by Anonymous Coward · · Score: 0
    I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

    Throw out all business licenses, healthcare inspections, etc.?
    That's not a recipe for a happier, healthier economy; that's the recipe for turning the U.S. into a Third World country.

  43. Please explain by A+nonymous+Coward · · Score: 1

    Please contribute facts or reasoning to back up your assertion. Blind assertions of faith don't make for a discussion. I have given my reasoning, that I think bureaucrats working for a monopoly (the government) are more interested in keeping their empire intact and even expanding than doing a good job, and that the recent food news was not discovered by government health inspectors. Now it's your turn to say something useful.

  44. Ms. Windows by Grampaw+Willie · · Score: 1

    promiscuous is the word for her, I think.

  45. who is Ms. Windows REAL customer by Grampaw+Willie · · Score: 1

    advertising

  46. So firefox never fixes bugs internally? by microbee · · Score: 1

    Do they publish all the bugs that got found internally?

    1. Re:So firefox never fixes bugs internally? by Kelson · · Score: 1

      Do they publish all the bugs that got found internally?

      Have you considered reading the article?

      At Mozilla we fix our bugs openly. When you count Mozilla security bugs you are seeing not just those that are reported externally, but also the ones that would be considered internal if we acted like most other software vendors.

      In other words, yes, they fix bugs internally and publish them.

  47. Deep security issues. by Anonymous Coward · · Score: 0

    The big problems with worms and viruses actually mask and hide the real problem with windows security. The main problem is not the worms and viruses. It is having secure information on a system and having that system broken into and the information taken without you ever knowing. Or having your system broken into at home and then the system being used to ride into your company's network with VPN. The crackers use custom hacking tools that they share with nobody and that don't show up in any virus or malware scans, because they only infect the few dozen machines in the entire world that the hacker is carefully targeting. Microsoft has had severe vulnerabilities in their systems that have lasted for years and never been fixed. Some of these have even existed across multiple versions of windows due to code reuse. A few of them can only be described as an intentional back door into your windows system.

  48. Re:Anybody surprised? by whitehatlurker · · Score: 1

    How much did you pay for your last browser? (Was it worth it?)

    --
    .. paranoid crackpot leftover from the days of Amiga.
  49. I'm in a happy mood. by pravuil · · Score: 1

    I love you guys/gals at Firefox, hell all of you in the OSS community. Without you the world would be less exciting. I started reading the posts and realized that after getting through the first 20, everyone talks about citizen responsibility within the market. At times, I give up hope thinking people don't care about their world around them, they only care about themselves and profit. Profit and selfishness isn't bad but too much really chaps my hide. I end up on /. and what do I see, the same crazy wound up cats I'm so very proud to be a part of.

  50. Re:Anybody surprised? by gweihir · · Score: 1

    $35 if I remember correctly. And, yes, Opera was well worth it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  51. Re:Anybody surprised? by whitehatlurker · · Score: 1

    chuckle ... touché

    --
    .. paranoid crackpot leftover from the days of Amiga.
  52. Re:Anybody surprised? by Anonymous Coward · · Score: 0

    "Well, you get what you pay for" - did you mean to write that?

    I'll bet he did!

    "Hey, I paid extra money to have this software pre-installed and I damned sure don't want anybody enjoying viruses/spyware I can't get!"