Few of OOXML's Flaws Have Been Addressed
I Don't Believe in Imaginary Property writes "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw that was addressed, making the upper bound a paltry 1.5%. Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text. At least there were no mistakes on five of the first twenty-five random pages he reviewed."
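The summary's security point, that an OOXML package can carry a database connection string with the password in clear text, is easy to check for on real files. The script below is an added example written for this page; it is not Rob Weir's code, nor anything from the OOXML spec or from Microsoft. It assumes the SpreadsheetML layout in which external data connections live in the part `xl/connections.xml`, with the connection string in the `connection` attribute of a `dbPr` element under the main SpreadsheetML namespace; the sample package it scans is constructed inline, and the `find_embedded_passwords` and `strip_password` helpers are this example's own. The scanner does not assume that layout is the only place a secret can hide: it walks every XML part and every attribute, so the same check catches a connection string wherever a producer put it.

```python
"""Scan an OOXML package (a zip of XML parts) for database connection strings
that embed a password in clear text, and show the string with the secret
removed. Added example for this page, not code from the page, from Rob Weir,
or from any OOXML implementation. Assumptions: connection strings use the
OLE DB / ODBC "key=value;" form; the sample package below is constructed here
and follows the SpreadsheetML part name xl/connections.xml and dbPr element
as this example understands them."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Keys in a "key=value;" connection string that carry the secret.
PASSWORD_RE = re.compile(r"(?:^|;)\s*(password|pwd)\s*=\s*([^;]*)", re.IGNORECASE)

# Main SpreadsheetML namespace (assumed for the constructed sample).
SSML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_package() -> bytes:
    """Constructed minimal package: one data connection with a saved password."""
    connections_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<connections xmlns="{SSML_NS}">'
        '<connection id="1" name="sales" type="1" savePassword="1">'
        '<dbPr connection="Provider=SQLOLEDB.1;User ID=reports;Password=s3cret!;'
        'Data Source=db1.example.internal;Initial Catalog=Sales" '
        'command="SELECT * FROM dbo.Orders"/>'
        '</connection></connections>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/connections.xml", connections_xml)
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{SSML_NS}"/>')
    return buf.getvalue()


def find_embedded_passwords(package: bytes) -> list:
    """Walk every XML part and every attribute of every element; report each
    attribute whose value is a connection string carrying Password= or Pwd=.
    The password value itself is not copied into the finding, only its length."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part is a separate problem; keep scanning
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    m = PASSWORD_RE.search(value)
                    if m:
                        findings.append({
                            "part": name,
                            "element": elem.tag.rsplit("}", 1)[-1],  # drop namespace
                            "attribute": attr,
                            "key": m.group(1),
                            "password_length": len(m.group(2)),
                        })
    return findings


def strip_password(connection_string: str) -> str:
    """Return the connection string without its password pair, so whoever opens
    the document must obtain the secret elsewhere (prompt, keyring, or
    integrated authentication) instead of reading it out of the file."""
    parts = [p for p in connection_string.split(";") if p.strip()]
    kept = [p for p in parts
            if not re.match(r"\s*(password|pwd)\s*=", p, re.IGNORECASE)]
    return ";".join(kept)


if __name__ == "__main__":
    for f in find_embedded_passwords(build_sample_package()):
        print(f"{f['part']}: <{f['element']} {f['attribute']}=...> "
              f"carries {f['key']}= ({f['password_length']} chars)")
```

To run it against a real file, replace `build_sample_package()` with the bytes of a `.xlsx` or `.docx`; any attribute matching the pattern is a credential that every recipient of the document, and every backup and mail archive holding it, now has.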
Why fix flaws when you can buy voters?
Friends don't help friends install M$ junk.
Do any of these flaws exist in Office 2007?
If not, why are they in the OOXML proposed standard? If the standard does not describe the OOXML format used by Microsoft, then what does it describe?
Why can't they just document the format that they use and get this over with? Or are they doing all this for show, and there is no real substance in OOXML?
I can't remember that guy's name, but it just occurred to me that Microsoft could have paid him big $$$ to say that. Think about it... a highly respected member of the open source community says that OOXML is a superb standard! What a great way to garner support! Think it's not possible? We know that Microsoft heavily bribed all the banana republics that joined ISO as voting members.
Left 404: Why the RIGHT is WRONG
Ballmer is that you?
This may be off topic but why exactly are there database connection strings in a document format?
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
I doubt it - the poster repeated "blah" only one time.
They're stored in plaintext.
So what?
http://developer.pidgin.im/wiki/PlainTextPasswords
The fact that it's plaintext is meaningless. If the computer is encrypting them and can decrypt them for use, they're as good as plaintext anyway.
There isn't even security through obscurity. Seriously.
Does the poster have a chair?
A 100% ad hominem attack on Slashdot gets modded up unquestioned. Who would have thought?
how long will it take people to shrug off this death grip of MS and realize that it's costing billions in productivity? I received an XLS file of contacts yesterday and I figured I'd try using Outlook to import it into an address book so I could then sync to other things like Gmail. Outlook choked and recommended assigning values to the columns using another MS product - MS Excel. SO, I saved the file as CSV, and imported using Thunderbird which gave me an easy dialog to match up name,email, phone, website..and so on. Worked great! then I used thunderbird to open the second file and it remembered the previous adjustments and everything was already lined up! Awesome stuff and I wasn't prompted to buy any other products!
I'm seriously considering wiping all the PC's in my office and advising the staff to just learn Ubuntu to avoid this whole MS deathgrip. None of the staff are advanced users except my web guy who codes in a text editor anyhow. FMS.
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Sucks that you can't read the article and assess the level of the bias he displays for yourself.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Everyone has a bias but if he gives you the information that he used to form his opinion about something then you can read what he says and what he did and form your own opinions. He is giving detailed examples of what he found. He isn't just saying "Everything is fine" or "They have WMD", he is giving how he comes to his opinion and showing you the facts.
Yes, his company may be biased in not wanting the format approved, but does that make what he says less true? The facts speak the truth.
Just because there's no love between MS and IBM as corporations doesn't mean that an IBM employee can't do an unbiased assessment. Also, it isn't like IBM is trying to compete directly with OOXML or something. So what's the basis for this suggestion of bias?
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
As I understand it, Microsoft isn't going to follow this standard. If Microsoft isn't going to follow this standard, then it is useless for OpenOffice, NeoOffice, KOffice, etc. to follow this standard. Or is this going to be for Office 2k10 or something?
failed
Sucks that you can't read the article and assess the level of the bias he displays for yourself.
I did. He's not shy about his hatred and utter contempt for OOXML and all things Microsoft.
Which, fine, he's entitled to his opinion, but I'm not dumb enough to think that his pseudo-scientific Nth post about why OOXML is trash is less biased than the (N-1)th post.
So what's the basis for this suggestion of bias?
Spend five minutes looking at the article and the page it's on. To his credit, it's not something he tries to hide.
Exhibit A: a link in his sidebar to an article which refers to OOXML as "the document format from Hell."
Anyone who claims that it's more secure to obscure the password in a well known and trivially reversible way instead of simply storing it in plain text is not someone I trust to analyze security.
Man, I'm really getting sick and tired of people abusing the "ad hominem" charge. Ad hom refers specifically to an attack on one's character which is used to discredit an argument. Simply questioning a person's motives and biases is not necessarily an ad hominem attack. It is important to make any potential biases clear. Though in this particular case, I'm not seeing it.
Also, attacks on one's character may not be considered "ad hominem" unless it is being used to refute an argument. This is probably the most common misuse of the term. For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack. It might just mean I think the person is an asshole. It is a valid opinion. It just isn't relevant to any logical argument.
-matthew
So you won't verify anything, or even check, but rather you feel that the exact same thing from someone else would be more true. Essentially, despite the facts, you don't feel the truthiness is sufficient.
By your logic, you may well be right, but you may also just be a shill for Microsoft. I'd be more inclined to believe someone else who didn't have a corporate interest in picking data points to disparage the argument you'd like to make. Or maybe if you had an argument to make not based on a well-known informal fallacy.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
It adds complexity, which is generally bad for security, and makes the format harder to understand, which is also bad.
The word that comes to mind is "dumbass".
I do hope there is an option to have an "ask the user" password. (not stored in file)
Did we learn nothing from the 80s and early 90s? If you write the standard first, you're going to get the kitchen sink. Engineer a good system, then standardize it. Nothing sands the sharp edges like the real world.
In Capitalist America, bank robs you!
"Does the poster have a chair?"
Not any more.....
Did the poster say something like, e.g.:
... ... ... ...
"Rob Weir made the following mistakes in his methodology:
a)
b)
c)
"
Nope. He based his 'argument' on his perception of Rob Weir.
No sig today...
During the BRM it has been shown that MSOOXML is not up to the quality for an international standard.
The only reason that this thing is considered in ISO is because Microsoft is being so bullish, trying to defend the monopoly.
Yet a lot of people treat them that way like this Slashdot commenter: "He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw." Just why is that rated a 5? It is NOT about belief, but more about science--either the facts and peer review support Mr. Weir or they don't. Apparently they do and in spades. The majority of "yes" votes on this "standard" are by Microsoft partners who have a vested interest in a single vendor, single application (the only full implementation read and write) solution they sell products and services for and can lock in business. Sure IBM is a commercial organization with a checkered past, but they don't own completely open ODF so they aren't doing this for gain. They just want a level playing field for formats. And it is a great idea.
I think you're missing something important. The document format should not store this information at all -- it's the job of the keyring password manager. The document may define an alias for the database connection string, but it shouldn't provide the actual connection details since that would be a security hole.
Look at it from another angle. Imagine that I need to connect to the database using the connection string, a@mycompany.com:mypass. I send you the document, but you're on another network. You don't see my database, but you do see a proxy database that maps to my database, so the proper connection string would be: b@proxyserver:mypass2. If we send each other the document, we'll be in an edit war. Every time you get the document, you'll want to change it to your password and every time I get it, I'll change it to mine. If however, we leave it up to the keyring manager, there's no problem.
He was simply pointing out a potential source of bias. I didn't even really see an argument either. Just an expressed opinion about how much the OP trust the author.
There are much better examples of ad hominem attacks. For example, if the OP had said "Rob Weir is an asshole and can't possibly be right". THAT would be a perfect example of ad hominem
-matthew
Can you read?
"He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw."
translated,
"His argument may be valid, but I am doubting it because of who he is."
No, he is doubting it because of what he is.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Heck, isn't just about everything stored in ISO 8859? I actually thought it was the same as ASCII until reading this: http://kb.iu.edu/data/ahfr.html.
... right ...
There's your ISO right there! Oh, format
The world is made by those who show up for the job.
OOXML's Flaws Have Been Addressed
:-)
"IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw [...] there were no mistakes on [...] the [...] pages he reviewed."
There. Doesn't that sound better?
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.
Nobody is asking you to "believe" anything. Bias does not change facts, and it is a fallacy to suggest that he should be a perfectly impartial critic if he is to be taken seriously. If he makes observations of deficiencies in the format they are just as valid as if they were made by Bill Gates himself.
When I was a kid, we only had one Darth.
One example given by wikipedia is:
Just replace the relevant references with words like IBM, OOXML, etc. and it's basically the same.
You started to get it right, but then you fell by the wayside. The entire phrase is argumentum ad hominem which means "argument to the man." It includes any attempt to discredit an argument based on characteristics of the person advancing the argument. In the instant case, the argument goes something like--OOXML should be rejected if it's a bad standard. OOXML is a bad standard because it has many shortcomings that haven't been addressed. Therefore OOXML should be rejected. Mongoose Disciple chose not to dispute any of the premises of the argument or the inference, but rather to claim that Rob Weir stands to gain if the conclusion is accepted. Thus Mongoose Disciple presented us with an excellent example of an argumentum ad hominem.
Also, attacks on one's character may not be considered "ad hominem" unless it is being used to refute an argument. This is probably the most common misuse of the term. For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack.
Completely correct. However, it's irrelevant to the instant argument.
-Loyal
I aim to misbehave.
Not a bad idea but now you need to graft a standard interface to a keyring password manager in the standard. Is it worth it? Like has been mentioned in other posts, it is very possible to attain more security through relying on Kerberos or Active Directory for authentication and that's trivially implemented with a custom connection string. My point is merely that I consider it a 'less secure but more practical option for the little guy', not a security vulnerability. It's a viable option when your data's not exactly national secrets.
Remember Peter Torr? He wrote a blog post not long after Firefox hit 1.0 where he questioned why the Firefox installer was not digitally signed. What he said was completely true - so true in fact that not long after that Mozilla started signing the installer. That didn't prevent a few thousand raving lunatics from descending on his blog and calling him a shill and an idiot. To paraphrase you, yes, his company may be biased in not wanting the [browser to succeed], but does that make what he says less true? The facts speak the truth.
So essentially we have situations where the source of income and ulterior motives of one person should not be questioned because the topic is unpopular and everybody knows he must be right. On the other hand we have people whose motives *must* be automatically questioned solely because of their source of income and ulterior motives.
The truth is that Weir should have recused himself from all this a long time ago. That he hasn't done that tells you a lot about him and his employers.
You might argue that Microsoft had all this coming. You might argue that OOXML is not a good standard. You might argue a lot of things, but none of them make IBM's conduct in all this (including the whole ISO thing) any less dishonest.
Ah, but can you prove it via induction? :)
Sam ty sig.
If that kind of statement is drawn from a detailed review of the documentation,
then his "bias" will reflect the quality of the OOXML format very well.
If something is garbage, it should be said loud and clear.
What's wrong with publicly stating the religious body backing OOXML development? Microsoft is very fortunate to have so much support from Hell. Why, if they had to supply their own evil or go through commercial channels, the global evil reserves would dry up overnight.
In the same way, his calling OOXML names has no bearing on the logical validity or lack thereof of his arguments.
You mean like the slur made by a Microsoft employee against a Standards New Zealand representative?
Am I the only person who's wondering WTF a database connection string is doing in a word processing document?
I'm starting to understand why the spec is 6000 pages long.
This is why so many people look down on philosophy: it runs counter to common sense.
Following this train of logic, when I'm buying a new car I should ignore that the salesman only makes money if he sells me a car. So when he's busy telling me that the 1982 Volkswagen he's trying to sell me could out-accelerate a Porsche, I should just treat it as an impartial opinion.
The poster is completely correct in pointing out that an IBM representative has an inherent bias against a Microsoft standard and it's wrong to label his post as a flame.
How the hell would YOU store passwords? With an encrypted text using a fixed key? Or with a randomly generated key stored in the file (key union ciphertext == plaintext)? Or maybe use an NTLMv2 hash that connects ONLY to a proprietary database (MSSQL) with a proprietary setting, which you can happily replay (we call this a secondary password...)? The only solution is to password-lock the file and use the password to encrypt a master key that encrypts A) the whole file; or B) a master password list embedded in the file. Neither of these will satisfy point-and-click easy access requirements; and if you implement (B) the password becomes common knowledge among many individuals (bad).
Support my political activism on Patreon.
see title.
I sure wish "Overrated" mods had to face meta-moderation. It's not "-1, Disagree", and I'm not posting anything that isn't completely obvious to anyone who RTFA.
Cowardice around here isn't always limited to posting anonymously, I guess.
Take a few minutes off of Slashdotting to look here. IMHO, Dennis Byron is a one-man Microsoft promotion machine, specializing in OOXML. He sometimes writes on the same blog as "Research 2.0", going so far as occasional visits to the make-believe world of SCO.
Even though none of the substantial problems have been addressed, NIST has approved OOXML.
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
The article says that the data was randomly selected, right? So if you want to suggest selection bias, a first step would be to show that the page numbers were indeed not random.
You're putting words in his mouth. He never recommended obfuscation as a "fix" for this issue, now did he? That was YOUR idea.
Personally, I would require the user to supply the password, or else I would create something where the document was signed cryptographically and presented itself to the database for authentication. I'm sure there are other, better ways of doing this than just "who cares? store it in plain text because we're lazy and don't care!"
Everything has deficiencies. You present the deficiencies and ignore all positive points and now your factual analysis is worthless because it doesn't lead to any reasonable conclusion.
I wouldn't blame this one on the discipline of philosophy, as it is an informal fallacy. I would put this more into the area of rhetoric.
I do see the point though, since just claiming potential bias is not enough to discredit a source. A potentially biased, or vested, individual can tell the truth as well. To turn your analogy around; a Porsche dealer tells you that this new Porsche is faster than your '68 Bug.
That said, I don't think the g-g-parent was off the mark, nor guilty of committing this informal fallacy. Pointing out potential bias isn't the same as discrediting someone for the same potential bias. The contested statement basically said "we should pay a wee more attention than we would, because IBM has a history of collaborating with Microsoft", this is not discrediting IBM, but just warranting caution in accord with inductive reasoning (it has been often previously observed that).
A patriot must always be ready to defend his country against his government. -edward abbey
Your post, in lolcat form:
"lol biased man is biased" (insert kitteh picture here)
Why on earth would you think you *deserve* to be highly rated for your post? If it's completely obvious, it's (-1, Redundant). Also, it's a tangent that ignores the facts of the matter, thus (-1, Offtopic). Not to mention, you seem to be taking Microsoft's side, which would be (-1, Flamebait). The only appropriate mod that addresses all the problems with the post you graced us all with is (-1, Overrated).
Here's the difference, though. You're assuming the OP said:
"Rob Weir can't be trusted because it's in his best interest for OOXML to fail."
But the spirit of what the OP said was actually closer to this:
"I don't trust Rob Weir, because it's in his best interest for OOXML to fail."
It's actually a pretty big difference. The first statement is a logical fallacy, but the second one is just explaining his personal bias. And keep in mind that the OP specifically stated that Rob Weir "might well be right".
The details are trivial and useless; The reasons, as always, purely human ones.
[Main page] http://mindprod.com/jgloss/unmain.html
I'd only got as far as item 3 on Rob Weir's list, "... The allowed values of this type express the measurement units to be used: Auto, Twentieths of a point, Nil (no width), Fiftieths of a percent. I find these choices to be capricious and not based on any sound engineering principle..." and from the HowTo, in the section on Coding Obfuscation, item 6: "Foolish Consistency Is the Hobgoblin of Little Minds When you need a character constant, use many different formats: ' ', 32, 0x20, 040..."
Is this resemblance coincidence? I doubt it.
[Coding Obfuscation section] http://mindprod.com/jgloss/unmainobfuscation.html
Arguments should be accepted based on their validity and their accuracy. What if Einstein (or any other scientist, for that matter) were not allowed to defend his own theories?
Any sufficiently simple magic can be passed off as mere advanced technology.
Yeah, except that's Wikipedia and I just wrote that entire thing myself on a guess...
or did I? Do you really know?
Riiight. We should have one of the few people willing and able to examine the standard for flaws just not do it. That's an excellent idea.
At what point has IBM been dishonest? Rob Weir is an employee of IBM. They have a distinct interest in making sure that whatever format is approved, they are able to implement it. Therefore, it is in their best interest to make sure it is a good standard. As they have determined that it isn't a good standard, what should they do? Not talk about it?
The fact that his bias is out in the open is perfectly fine, as is the example you give from Peter Torr. That allows people to judge their statements, and account for possible bias.
The problem with Weir recusing himself is this: nobody else seems to be doing this. Nobody else is standing up to a corrupted process, where the intended and stated results are sidelined for political expediency. If it takes one corrupt company to stand up to another corrupt company, then so be it. At least they are standing up to a corrupt company. (Yes, I'd prefer if neither were corrupt.)
Microsoft is to software what Budweiser is to beer.
As well as with the original article. First thing - you can't really say "few flaws have been fixed" when the original article (and the post blurb) specifically say that no fixed flaws were actually found in the testing sample.
On the other hand, the statistics used by Rob Weir are shoddy according to my local statistics semi-expert (my girlfriend who finished 2nd year BA stats A. with a perfect 100 score). Specifically, his sample is incredibly small: 25 random pages out of a random selection of 200 pages out of 5220 pages of the original standard document, out of 6045 pages actually in the original document (not the amended document), of which he doesn't know how many defects were actually reported against each page (we know how many were reported totally, but we don't know what is their percentage in the first sampling or subsequent sampling), and as Rob Weir found new defects that were not reported to Microsoft in time for the BRM, he has no idea what is the actual density of (pre-BRM) reported defects in the total "defect population" (defects discovered before BRM, after BRM and defects that are yet undiscovered).
As such a confidence interval of 1.5% +-3% (i.e. at worst 4.5%, which is not what the post reports) seems highly suspect. To clarify for non-statistics students, a confidence interval of 1.5% +-3% in a result of 0 hits out of a random sample, means that Rob Weir is at worst 95.5% confident and at best 100% confident that there were no defects addressed by Microsoft.
This is awfully presumptuous, even if its Microsoft that we are talking about.
when I drop by Slashdot is, if I'm lucky, people will have a good argument *about* arguing. What the hell was this post about anyway? I can't remember.
It says, "Post Comment", not "Bicker Indefinitely".
Considering they provide the email address and phone number of their media contact in that announcement.
Jiří Kosek, the Czech Republic's expert, disagrees. He has switched from NO to YES due to OOXML's fixes, and he's unbiased (quite unlike Rob Weir). Here's what he has to say on the matter:
http://xmlguru.cz/2008/01/ecma-response-to-czech-ooxml-comments
Read that post and you see that nearly every one of the Czech Republic's objections has been addressed (the only one not satisfactorily addressed was the Czech Republic's complaint that part of the spec has redundant info). Let me quote:
Rob Weir is not an objective source, period. Cite an objective source if you want your criticisms to carry any weight outside of the "I Hate Microsoft" crowd.
-- "I never gave these stories much credence." - HAL 9000
Hi ozbird, I'm not a Standards NZ representative. I am part of the NZ Open Source Society (NZOSS) and a techy on Docvert. I am part of the advisory group formed by Standards NZ for this process but like all others in the group I'm not paid and I'm basically an independent who gets invited to meetings every so often to debate OOXML, and stuff like that.
-Docvert converts MSWord to OpenDocument, clean HTML
Hey Matthew - care to name the Microsoft employee who slandered you? Grant Thomas's reply just says
To: [name]@microsoft.com
--- Hot Shot City is particularly good.
Stop twisting reality so much, it makes my head hurt.
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
Or IBM is another tobacco company saying MS tobacco is bad for your health, but not the already accepted IBM tobacco.
Heh, well the short answer is "no".
The long answer is that if I post the contact then it will get out of my control and it's likely that the Microsoft person could get disgusting or threatening emails which, quite honestly, I don't want. As much as I find this Microsoft person's behaviour quite repugnant I'm going via the official channels. If I get a satisfactory result via that then I'll be happy. As of yet however I have not received anything that would constitute a sincere apology.
In the meantime, I'm asking everyone this favour, I'm the guy involved in this and these are my wishes (feel free to email me on anything at holloway.co.nz if anyone doesn't think that this account is me): please don't hunt this Microsoft person down. I'm on top of this one, I assure you. I won't let this behaviour go without a response and if I don't get a satisfactory result here I am considering forwarding these details to the European Commission investigations into OOXML (if they don't already know).
Fair enough. I'm sure we'll be kept abreast of progress by Groklaw and the like.
:)
Oh yeah, and thanks for Docvert
You're missing the point, really..
:)
There should be *NO* passwords in documents. Period. What you should do is make personalized user accounts in the database for all users that actually require access to this data, then have that username automatically filled in from the logged on user, then prompt the user to type in their own password.
This provides a solid authentication model, will deny all users who have nothing to do with this data to access it, and will also create a personal audit trail.
ps. This is my 256th post! Weeh!
Coz eternity my friend, is a long *ing time.
As to the anti-OOXML side, I would recommend you look at: http://www.noooxml.org/ this site does an excellent job at detailing numerous flaws in the OOXML standard, and numerous irregularities in the ISO OOXML acceptance process.
But it is only fair to understand Microsoft's point of view as well: http://www.microsoft.com/interop/letters/ChrisCapOpenLetter.mspx
I have considered both viewpoints. IMO: the OOXML standard is just another msft scam. Msft is continuing to abuse its monopoly position, and aggressively fighting to maintain and extend its monopoly position.
But, that is just my opinion. Please consider both sides of the argument, and come to your own conclusions.
I couldn't explain in a better way why, in real life, you can't blindly trust logic.
See, we can't stop to verify every testimony of every person that MS buys. We simply don't have the time, nor all the facts.
Rethinking email
Oh and just to clarify, I'm not saying that people are trying to hunt anyone down, or that there would be any "disgusting or threatening" communications (I have no reason to think that and I certainly don't think people have been behaving that way).
Another one: this time in India.
Theocrat corporate whore politicians sell themselves. Are they worthwhile?
I hereby promise to donate $5 to the Steve A. Ballmer Memorial Whoopee Cushion Fund provided that a) others match funds until a sufficiency for a really good one is reached, and b) a volunteer or volunteers come forward with credible plans to permanently affix same to SteveB's chair and/or pants at the next shareholder's meeting. Since the stock has been performing so well, and since the company has turned into such a good corporate citizen, let's let Steve know how much we really appreciate (or otherwise) him.
I mean, seriously....Bozo the Clown could be a more effective CEO. We've really had enough of his Evil Twin. And, if I recall correctly, Good Bozo actually catches chairs.