Microsoft Unveils Open Source Exploit Finder
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest:
"Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
LOL
Damn you Microsoft! For the next few months I won't be able to read the "not" operator without giggling.
'hellfrozeover' tag in 3... 2... 1...
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?
I want to delete my account but Slashdot doesn't allow it.
Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)
Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?
There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx
They talk about what to do when a bug is discovered. My understanding is that beta testing may result in thousands of crash reports. Clearly you'll want to prioritize fixing the exploitable crashes before the non-exploitable ones. It seems this software is to help you do that, although the article is short on technical detail.
Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with bated breath...
OK, so the source is viewable, but does it qualify as free software as in freedom?
Or is that a senseless question anyway since it runs under Windows?
Your comment loses all credibility not so much because of your lack of evidence but because of your use of "M$."
Also, your suicide joke wasn't funny.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
But it almost sounds to me like the users are supposed to run this and then report their findings.
Do the people that run it get a paycheck? Or is that the part that's open source?
Aren't there other programs that also do this? If so (I really can't imagine that MS are the first to release something like this), then how is this news?
Some people are only alive because it's against the law for me to hunt them down and kill them.
-- derby
#include <string.h>

enum severity { TRIVIAL_SECURITY_RISK, MODERATE_SECURITY_RISK, MAJOR_RISK_UNINSTALL_IMMEDIATELY };

/* left undefined in the joke: assumed to return the vendor name for a bug record */
const char *get_application_vendor(struct bug *bug);

int assess_severity(struct bug *bug)
{
    const char *vendor = get_application_vendor(bug);
    if (strcmp(vendor, "Google") == 0 ||
        strcmp(vendor, "Adobe") == 0 ||
        strcmp(vendor, "Mozilla") == 0)
        return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
    else if (strcmp(vendor, "Microsoft") == 0)
        return TRIVIAL_SECURITY_RISK;
    else
        return MODERATE_SECURITY_RISK;
}
It's called Turing's halting problem.
File under 'M' for 'Manic ranting'
http://www.penny-arcade.com/images/2002/20020722h.gif
Just wait till people get to see the code for this thing, then we'll see the true colors of their idea of security
Well, that's a nice idea, but it takes a finite nonzero amount of time to do so. And, during that time, if you already have a product which is out (as many people do), people may be exploiting it, and so the bugs they are most likely to exploit are probably worthy of being deemed more urgent to fix, and what bugs are more likely to be exploited than the ones you can find using automated tools?
The World Wide Web is dying. Soon, we shall have only the Internet.
yeah, FOSS exploits are cuddlier
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
I would be more impressed if they released a free and open static code analyzer to include for their compilers that may also compile to native code (e.g. Visual C++).
That said, I'll be nice and applaud this effort. But if at all possible, use managed code (scripting or a secure VM) instead of relying on this kind of analysis. At this rate, it will take centuries to get rid of all the buffer overflows and other rather inexcusable code out there. I would be very amazed if this tool would (help to) remove all those kinds of vulnerabilities.
This article scores an 11 on the inflammatory headline, shame on the editors for letting this get through. Slashdot seems to be getting worse (which is certainly kind of amazing).
How large of a programming team do you work with? And how big are the projects to which you contribute code? And what kind of development model do you use (waterfall, Agile, ad-hoc, etc.)?
Shipping a large project with 1,000 bugs might be a perfectly valid decision. Are any of those 1,000 bugs deal-breakers for your install base? If so, how many clients does it affect? Are these "real bugs", or just incomplete/unpolished functions, or documentation issues, or output typos, or what?
And what kind of software is this? Are you building a time & expense web application, or a filesystem driver? In the former case, most bugs will be interface glitches--ugly, annoying, and harmless. In the latter case, even one bug could easily cause silent data corruption.
Remember what Linus Torvalds said: Release early, release often. Don't wait till all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early adopters will understand, and might even contribute bug reports or patches that will speed you up.
Are you sure, Coward?
http://www.opensource.org/licenses/ms-pl.html
Or you say it won't be released under ms-pl?
Patents Drive Free Software as Hurricanes Drive Construction Industry
Or maybe you're an educated user and know what you're doing and know how to safely use the internet and install programs. I haven't had any malware or viruses either, because I know not to install questionable programs and go to questionable sites.
That which does not kill me only postpones the inevitable.
Thousands of bugs? They must have tested it against their office suite :)
But seriously, Microsoft must have loads of legacy code lying around, so thousands of bugs are to be expected. Office just happens to be one of them (and the number of Word-related crashes on my office computer is just about hopeless).
http://bugspy.net/ does this already - it gathers tens of thousands of bugs.
Shipping a large project with 1,000 bugs might be a perfectly valid decision
Why don't we just change that to Shipping a large project with 1,000 bugs might be a perfectly valid business decision
I don't ship crap.
And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me, thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.
I still can remember back to the days when "version one-point-oh" didn't always have to mean "train wreck, we'll start seriously fixing bugs around 2.5". Today's translation works as follows: Today's 1.0 is yesterday's early beta. Today's 2.0 is yesterday's Still Beta. Today's 3.0 is yesterday's 1.0.
Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use.
I work for the Department of Redundancy Department.
And still, they don't use that in Win?! lol
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing iterations in Vista).
Remember what Linus Torvalds said: Release early, release often. Don't wait till all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early adopters will understand, and might even contribute bug reports or patches that will speed you up.
I forgot to address this. Yes, early adopters and capturing your market are important. I can see where "version 1" could be considered beta for the purposes of getting your foot in the door. I don't think anyone expects a polished product on 1.0. But I'm talking about things that have gotten a ways. I mean, Windows SEVEN? Come on, by now everyone expects you to have your act together. You should already have your market carved out. Nobody is "early adopting" Windows anymore. Releases should be solid by 3. There is no excuse for a product's major releases 3+ years after initial release to be crutching themselves up on the notion of "early adopters" and "capturing market".
So...let me get this straight...they're open sourcing their Windows code base?
I'm here all week. The veal is amazing!
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple.
Are you retarded? This tool isn't a "find exploits in open source software tool." It's an open source "find exploits in software tool". So Microsoft has an internal tool that they've developed to search for exploits in their software like Windows and Office, but they decided to open source that tool and share it with everyone else. It has nothing to do with Windows versus Linux.
As far as your ridiculous rant regarding Windows and programs running as Administrator, if you actually looked at the most recent versions of Windows, the number of system services that run under NETWORK SERVICE and other less privileged accounts has been increased, and with UAC, running users as non-admin is actually feasible. I don't know if you'd ever tried running as non-admin under XP, but the idea of logging out and logging back in to make a change, or hoping to hell that runas will actually work, just makes no sense. In addition, their work on Protected Mode where IE runs in a sandbox is another example of MS working to implement the least privilege principle.
Microsoft has made *considerable* progress on the non-admin front, and continues to work on that.
Oh, and whoever modded you up for this nonsensical misinterpretation of the tool needs a meta-mod down.
I wish I could mod you up.. I'm not sure what high horse the OP was on, but I'd like some of what he is smoking!
This tool "combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers". So we then decide whether to fix the crash or not based on whether the crash is exploitable? Anyone that buys this idea is fired.
more cowbell
MS have to keep the legacy bugs in there for compatibility reasons.
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a shorthand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I don't care why you're posting AC
While I agree that people could do better, your overall attitude of EVERY BUG MUST GO BEFORE WE RELEASE is probably why you have to say "if I had a big project" rather than "the big project I'm on now..."
"Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use."
Agreed, we're not talking about bugs that prevent use of the software here. Your inability to distinguish possibly hinders you professionally.
Has Microsoft run Crash Analyzer on Crash Analyzer?
Most people don't get why the integral of "e to the x" is so funny. Most math majors don't have a sense of humor.
Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.
For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.
Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is; if a box is owned Microsoft always gets bad press regardless.
Also note that this tool cannot easily be used to find security bugs in the Linux kernel, and not in Linux-only apps either, because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc).
So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.
Apps like Firefox will be able to use this tool though; they already have a debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.
I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
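As an added illustration of the crash-dump triage the posts above describe (the reply noting that !exploitable is a post-mortem tool run over thousands of crashes, and this post on bucketing and ranking them), here is a small example of the idea in Python. It is not the !exploitable plugin's own code: the crash records, the exception-code rules, the near-null threshold and the frame depth used for de-duplication are all constructed for the example.

```python
# Constructed example of crash-dump triage: group duplicate crashes by a hash of
# the top stack frames, give each a coarse exploitability verdict from a few
# heuristics, and order the buckets so likely-exploitable ones are fixed first.
import hashlib
from collections import OrderedDict
from dataclasses import dataclass

# Windows NTSTATUS exception codes (real values); the rules below are constructed.
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
EXCEPTION_ILLEGAL_INSTRUCTION = 0xC000001D
EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094
EXCEPTION_STACK_BUFFER_OVERRUN = 0xC0000409

NULL_PAGE_LIMIT = 0x10000   # faults below this look like a plain null dereference (assumed cutoff)
FRAMES_FOR_HASH = 3         # innermost frames used to recognise the same crash (assumed depth)


@dataclass
class Crash:
    exception_code: int
    access: str          # "read", "write", "execute", or "" when not an access violation
    fault_address: int
    pc_in_image: bool    # was the instruction pointer inside a loaded module?
    frames: tuple        # symbolised frames, innermost first


def stack_hash(crash: Crash, depth: int = FRAMES_FOR_HASH) -> str:
    """Crashes whose innermost frames match are treated as one bug (one bucket)."""
    key = "|".join(crash.frames[:depth])
    return hashlib.sha1(key.encode()).hexdigest()[:12]


def classify(crash: Crash) -> str:
    """Coarse verdict: how much control would corrupting this state hand an attacker?"""
    if crash.exception_code == EXCEPTION_STACK_BUFFER_OVERRUN:
        return "EXPLOITABLE"            # stack cookie tripped: return address overwritten
    if not crash.pc_in_image or crash.access == "execute":
        return "EXPLOITABLE"            # control flow already left the module image
    if crash.exception_code == EXCEPTION_ILLEGAL_INSTRUCTION:
        return "EXPLOITABLE"
    if crash.exception_code == EXCEPTION_ACCESS_VIOLATION:
        if crash.access == "write":
            return "EXPLOITABLE"        # corrupted pointer used for a write
        if crash.fault_address < NULL_PAGE_LIMIT:
            return "PROBABLY_NOT_EXPLOITABLE"   # near-null read: usually a missing check
        return "PROBABLY_EXPLOITABLE"   # wild read: the pointer itself is corrupted
    if crash.exception_code == EXCEPTION_INT_DIVIDE_BY_ZERO:
        return "PROBABLY_NOT_EXPLOITABLE"
    return "UNKNOWN"


SEVERITY = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1,
            "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}


def triage(crashes):
    """Bucket crashes by stack hash, keep the worst verdict seen per bucket, and
    return (hash, verdict, count, top_frame) tuples ordered worst-first, then by volume."""
    buckets = OrderedDict()
    for crash in crashes:
        h = stack_hash(crash)
        verdict = classify(crash)
        if h not in buckets:
            buckets[h] = [verdict, 0, crash.frames[0]]
        bucket = buckets[h]
        bucket[1] += 1
        if SEVERITY[verdict] < SEVERITY[bucket[0]]:
            bucket[0] = verdict
    ranked = sorted(buckets.items(), key=lambda kv: (SEVERITY[kv[1][0]], -kv[1][1]))
    return [(h, v, n, top) for h, (v, n, top) in ranked]


# Constructed sample crash reports, not real dumps.
SAMPLE_CRASHES = [
    Crash(EXCEPTION_ACCESS_VIOLATION, "read", 0x0, True,
          ("app!Render", "app!Paint", "user32!DispatchMessage")),
    Crash(EXCEPTION_ACCESS_VIOLATION, "read", 0x8, True,
          ("app!Render", "app!Paint", "user32!DispatchMessage")),
    Crash(EXCEPTION_ACCESS_VIOLATION, "write", 0x41414141, True,
          ("app!ParseHeader", "app!LoadFile", "app!Main")),
    Crash(EXCEPTION_ACCESS_VIOLATION, "read", 0x41414141, False,
          ("0x41414141", "app!ParseHeader", "app!LoadFile")),
    Crash(EXCEPTION_INT_DIVIDE_BY_ZERO, "", 0x0, True,
          ("app!Scale", "app!Render", "app!Paint")),
]

if __name__ == "__main__":
    for h, verdict, count, top in triage(SAMPLE_CRASHES):
        print(f"{h}  {verdict:24} x{count}  {top}")
```

The two near-null reads in app!Render collapse into one bucket and sink to the bottom, while the write through a corrupted pointer and the crash with the instruction pointer outside any module rise to the top of the fix queue.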
1. Fork the project
2. Change the name
You're saying you ship a product with so many crashes that you can't possibly fix them all quickly? We are not just talking bugs. To quote the original post, the tool "combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers". You're fired.
more cowbell
So, why doesn't Microsoft produce these tools for Windows
The tool in question is a debugger extension for WinDbg. I'm not sure how many people are debugging their Unix/Linux applications with WinDbg, but I'm guessing it's not a large number.
Not that this is important, but was it really pronounced "bang exploitable" when it started its life? It sounds to me like some top brass (or a journalist) wanted to show off that they know how "!" was pronounced in old UNIX speak, but without a real understanding of what it meant. You know, as in, "I am one of you, but I have no idea what the hell I am talking about".
End anonymous moderation and posting on
Not all software is a product for sale, and in the real world there are deadlines and budgets. Users can deal with bugs, business owners can't deal with late, over-budget projects.
Here's a better idea... Fix all the bugs and then you're sure you've fixed all the big bugs.
Well, that's a nice idea, but it takes a finite nonzero amount of time to do so.
You both make good points. MS's security culture is fairly awful in that when developers find bugs that are potential security issues, they have to fight the system to get them prioritized for fixes, and most are considered "low risk" and ignored. Anything that helps prioritize bug fixes is good, provided it is not used as an automated way to ignore a huge number of bugs in an effort to produce a mediocre and "good enough" product in terms of security.
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
If you don't connect your computer to the net it does not count :)
Alternatively, it's a bit like a poker game, if you don't know who the idiot is, it's you. In other words, the chances are big that you were at some point virused, trojanned or malwared but you did not detect it.
When Ad-Aware first came out I ran it on the machines of some friends and it was quite surprising how much crap there was on these so-called clean machines.
Probably you install very little software on your machines, that alone would be a big factor in your favour. If you have kids around the house browsing the net with those pc's then kudos to whoever set up your AV.
MP3 Search Engine
I don't ship crap. And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me, thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.
There's a balance; there are also those people that think that perfect software can be created in some kind of bubble, and you might be one of them, I think. In a large project I can assure you, with 100% certainty, that between the start of the project and the final release the requirements have changed. A lot. It does not matter if you design a perfect software development method, not that I think such a thing exists, because people are very poor at specifying in an abstract specification what it is they want to do. Sometimes they don't even know exactly how, even if you could hire a telepath at the start of the project. And thinking that all code is written after one master plan is unlikely; more likely you've bought up functionality from other companies or migrated it from legacy products and it's patchwork under the hood.
Releasing early and getting feedback is usually the only way to get the design right. It's much better to hear "yeah umm, but that's not the way we work" or "yeah umm, but that doesn't solve our challenge" before everything's set in stone. If you get told at the very end to rip out that well tested and well integrated piece of code then all that effort is really wasted. In large development projects these kinds of communication problems are very real. You could accept lots of small issues like a house where they said "that light fixture doesn't work, but it'll get fixed in the next release". What you couldn't accept is "the foundation is quicksand, the drainage is shot and the pillars rotten". In computer terms things like "the solution can't scale, it's crashing often and we have major data loss".
Seriously, think of all the trivial things that can be considered bugs. Typos are bugs. A non-working shortcut is a bug. I think the most trivial bug I've seen is that you have a list. A to Z will jump you to the first item starting with that letter. But Æ, Ø and Å will not. Workaround? Scroll and pick. It's a genuine bug, but like hell if it's something that should hold up a software release. On the admin side I'm more like "if there's a dark voodoo way of doing it then fine" because I'm much more interested in them fixing bugs affecting a thousand people than me. Software delivers value and bugs detract from value, but this is important - a bugfree but useless application also has no value. Something that isn't used where they put it in an Excel spreadsheet instead has no value. Developers need to be working on the right things first, then they can do them right. Sounds easy and obvious but damn how hard that is.
Live today, because you never know what tomorrow brings
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker". It's really just an irrelevant and off-topic device unless the conversation is specifically about cost of software.
It would be like constantly referring to RMS as "The Great Unwashed Guru" in a discussion that had nothing to do with personal hygiene or delusions of Godhood.
Did anyone else misread this (before reading the summary) as Microsoft is working on an automated program to find *security exploits in open-source projects*?
Man, I had to readjust my tinfoil hat for a second there.
--
Toro
Could somebody please mod this clown down? He couldn't be more wrong.
Or, in short:
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits?
This tool is for Windows you dumbshit.
Comment of the year
I beg to differ. If you're so puerile to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
As for identifying corporations by their stock ticker symbols, it allows one to easily differentiate between corporations who would have otherwise similar names (for example, an article talking about the Royal Bank could refer to both RY and RBS) and to look them up quickly and unambiguously.
Jean-Francois Im's blog
why there aren't any erotic references to ! "bang" in the comments is beyond me. /.?
Am I on
You speak London? I speak London very best.
One of the CS professors here is working on a research project that seems to have a similar use, except it relies on binary analysis. http://bitblaze.cs.berkeley.edu/ They also made a tool to automatically generate exploits based on Microsoft patches, and I guess they're just hoping that that capability doesn't fall into the wrong hands... Professor Song is scary.
All your base are belong to Wii.
I don't generally use "M$" but I wanted to tell you how I see it. I see it as a way to separate the petty members of the audience who cannot overlook a small and harmless "transgression" (even that word is too strong for it) from those who are less superficial. I prefer to directly deal with wrong responses so this does not tempt me, but this is something that I wish more people understood. If I wanted to apply a self-maintaining "filter" to the audience, then I would deliberately do things like this. Then they would do all of the filtering work and categorize themselves for me because the people who balk at seeing "M$" will either decide not to respond or will soon make their objection known. Either way, they filter themselves so I would not have to, thus I could quickly move on to a post that answers whatever point I was making. They would actually self-select and assist me with disregarding them (this is the important part) no matter what their actual intentions were.
What I described above is a very basic and simple example of strategy. There is a certain mindlessness to merely re-acting to what other people do. It allows their actions to determine your behavior. Just about any predictable response that you have which can be operated in such a push-button fashion can be used against you. Now, I think that's appropriate only for an adversary who cannot be reasoned with, because other human beings are not toys and it is wrong to treat them as such (even with their active assistance). However, you can bet that your politicians and advertisers and public relations types have no such moral qualms. There are far more malicious uses of this process than having people unwittingly filter your Slashdot responses for you.
It is a miracle that curiosity survives formal education. - Einstein
MODS: how is this flamebait?
It can validly be considered flamebait because it starts with, "Are you retarded?" This is unfortunate because it is factual and corrects the misconceptions of a highly modded post that is, well, a little retarded. That's a harsh way to phrase it as well as offensive. In truth the original poster was not retarded, just uninformed and "ranty".
This is Dan.
OK, my DNS bug took two days to find, and six months to fix. I'm not sure what universe you're in; in mine, we have to actually test.
You don't ship *anything*.
Also, !exploitable can check for bugs in beta software. And it can check for bugs in internal builds. You do *not* need to have released to get bug reports on major projects -- testers, fellow developers, and even yourself can run into bugs to investigate later.
Firefox 3.5 is supposed to have fixed over 1000 bugs so far in its release cycle, and that was supposed to be a short-cycle release -- and there are still bugs that are WONTFIX or even still active from years and years ago.
Not to mention that anything with any sort of plugin architecture (like most browsers and operating systems) is bound to have a tonne of crashes that you can do literally nothing to prevent but you do have to filter to see if there are ones that you could prevent.
How do you know? What tool do you use that automatically detects every rootkit ever invented? I've seen Linux boxes owned, I've seen SGI boxes owned, and I've seen Windows boxes owned. It happens to everyone: even OSX. In fact, given that every OS has had security problems, if your box hasn't been owned, it's because you were lucky enough to not have your box targeted at the crucial moment.
Every time I hear anyone using any system say, "I've never had a virus or trojan or malware," I always think, "there is a guy who doesn't know how to detect malware on his machine." And it's usually true.
I'm not saying you don't know how, but you said a genuinely stupid thing right there. It's possible that right now your computer has been rooted, covered up, and you don't even know it. Because Microsoft sure wasn't protecting you for the last 20 years.
Qxe4
Who said we were talking about MS and Windows? You just brought that up, right now. I don't think it proves anything, one way or another, that one company has a crappy process.
Honestly, it seems like you just tried to "move the goalposts", redefining the terms of an argument you were losing so you can feel like you're winning.
That's lame, and I'm calling you out on it.
I can only tell you the truth.
A linux box I inherited as sysadmin was owned one time.
Perhaps you didn't take a moment to read the article.
The tool they developed is an exploit finder, and they made it open source.
This is not an exploit finder for open source Linux software, OMGWTFBBQ, the sky is falling, and MS is up to their old shit again.
Now, Microsoft wants to help secure third-party applications that run on top of Windows. Last year, the company released a threat-modeling tool and other resources designed to help software developers kick-start secure development lifecycle programs in their organizations. The idea was to package the security experience Microsoft has attained so it can serve as a sort of template for other companies.
They took a tool that they used internally for their own apps, tweaked it to work with third-party Windows apps, and made it open-source.
-David
I appreciate seeing anyone who is willing to call things what they are. It's a pleasing thing to see. It's a shame that more people don't understand the difference between discernment and judgment. The way I often hear it explained is that discernment plus resentment equals judgment. It's as good of an explanation as any until you can see the dynamics of it for yourself (I know that you yourself can do this; that was for anyone not familiar with it).
If you think they put a premium on a low UID, they really put a premium on posting non-AC. Really though, I find that anyone who sees my six-digit UID (or anything else, for that matter) and thinks that this entitles them to make personal assumptions about me is coming from such an extreme position of weakness that I can make short work of them. I have had people do things like this when I correctly used certain "key words" -- I intended their standard meaning as found in a dictionary while they assumed that I must be just like other people who use similar words. You'll notice that some people are very desperate to find a way to dismiss you or write you off or make you (in their minds) like something they have dealt with before and to which they feel superior.
That's usually because they dislike what you say but are aware that they don't have what it takes to properly explain why they disagree with it. Maybe they are afraid of losing an argument. Maybe someone who is secure in what they believe represents a challenge to why they are not. Maybe they know you are right and still don't like it. Whatever their reason may be, they are judgmental, reactive, quick to try to make things personal, and they lack a solid foundation of self-evident truth for their beliefs. All of these things mean that they are cowardly and you have nothing to fear from them.
If anyone acted this way towards me because of my relatively high UID, they never admitted it. I never felt that UID had much to do with it in my case. I think it's more that they don't really know how to deal with someone who isn't trying to win their approval (ego) and won't cave in to their various forms of pressure (control), because most of the world does both of those things. It's as though they see something different and are not very discerning so they need to test it. Thus, they turn up the pressure to see if you will react the way that they would, i.e. by doing back to them what they have done to you.
If you do, then you lose your real brightness. Then they can rest assured because the challenge you didn't know you posed to them has been eliminated. Then they can continue to feel superior to you and judge you because you crumbled under their pressure. If you do not succumb to their attempts to belittle or degrade or intimidate or pressure, then you reveal what sort of person they really are and at the same time show them a living example of a higher standard. It makes their tactics backfire and they actually experience the upset that they intended to i
It is a miracle that curiosity survives formal education. - Einstein
So... You're a perfectionist who will hold a project hostage until YOU decide, on your terms, that it's not "crap"? And anybody who disagrees with your assessment of costs versus benefits is a "pinhead"?
Remind me to hire you, really. I love programmers who sneer at business concerns, refuse to compromise with their teams, and are so inexperienced that they believe that any business can get done that way.
Man, if I had a whole team of guys like you, I'd be able to... Hmm. People like you actually detract from the productivity of a team. With enough of your clones running around bragging about how big their dicks are, business would grind to a halt. Hell, with a whole company of you, we could probably put global software productivity into reverse, it would be so bad.
"...if I had a really large project..."
I think this says it, right here, folks. If you ever DO get on a large project, give me a call. Maybe you'll have learned enough for me to hire you.
If Slashdot were capable of more than ancient 7-bit ASCII, you could even write Google with a Euro sign.
Want to hear the voice of GOD? cat
Yeah. Sometimes it's obvious when a box is owned, sometimes it's not. As far as I know, I've never had a virus on any of my machines either, but then again, it could be these words I'm typing are being intercepted by a keylogger that I don't know about. I've seen smarter people than me have their boxes get viruses, so I can't say it is something special I did to prevent it. I've just gotten lucky, or it's been hidden so well I've been unaware. As at this time I may also be.
Qxe4
Those were my thoughts exactly. They reinvented valgrind ... poorly. Nothing to see here.
Want to hear the voice of GOD? cat
This is probably under one of Microsoft's "Permissive" Licenses, which is a shame, but still, this is way better than WebKit.
Microsoft: 1, Apple: 23
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in upgrading to Ubuntu.
Heh heh... my favorite Linux distro. :-)
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
#ifdef WIN32
fprintf(stderr, "Your system is not secure\n");
#else
fprintf(stderr, "Your system is not popular enough to be targeted, therefore it is secure\n");
#endif
return 0;
}
It is only after a long journey that you know the strength of the horse.
It's interesting to read how you so clearly hate the idea of someone else having control, and at the same time you want that exact same control all to yourself above the devs. That's the most common problem with the middle-management level of development, they're in charge and they're going to have it their way, all other factors be damned.
What the development team as a whole needs is balance. I'm not saying for either side to hold things hostage, I'm just saying don't let the PHB's decide when it's "ready" based solely on a trade show date. (with props to Dilbert)
You're almost certainly going to have to let it out the door with some issues, the trick is to get everyone together early to draw the line, and hold your ground when someone barges in with an eraser.
I work for the Department of Redundancy Department.
To be fair, any discussion where RMS is mentioned would have to be at least tangentially about personal hygiene or delusions of Godhood, you would think.
So projects should be managed on the whims of the developers? I really hope I don't get hooked up with whatever failshop you work for.
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
I am sure you have had to deal with the effects of viruses/trojans/malwares with your friends/family/workmates using Microsoft OSes ... or do you have another peculiarly anomalous anecdote?
Happy moony
I've never seen it demonstrated that a puerile character is the one and only reason why anyone would ever use an epithet like "M$". That would be a very difficult thing to prove and just one exception would destroy the proof. It may be a common reason but if so we have a word for that, which is "stereotype", and the problems with basing decisions on them, especially character judgments, are well known. Assuming that there is absolutely no other reason (and it is an assumption) is a convenient way to look down on someone or to dismiss what they say without ever having to show why their argument was wrong. That's about the only "useful" purpose it serves. I've never felt like those tactics were necessary or appropriate if you really are right and they really are wrong. If you're skilled, you can "win" arguments whether you are actually right or not; that is done with tactics like this.
Finding a personal trait that you find distasteful (justifiably or not) and then thinking it provides a valid reason to disagree with an argument without showing the reasoning which led you to do so is the definition of "ad hominem attack." It amounts to "I don't like you, so you must be wrong". If someone is sidestepping an issue, by all means call them on it. However, identifying that doesn't depend on the way they spell a company's name. It's so easy to identify, in fact, that using such a heuristic could only hinder you.
I believe that most of the attempts to disparage or characterize Microsoft, including this one, come from a general frustration with their strong-arm tactics and ruthless dominance of this market. Indeed that frustration is wrong, and if you want to do something about it, why not do something that has a chance of addressing the root problem? The root problem is that people see the undesirable things that Microsoft does and then they make the mistake of resenting them for it. It comes out in the language and epithets that they use and it's easy to detect. Microsoft is not exactly an angel so this wrong way of dealing with them is easy and tempting.
If you feel any sort of anger or forms of anger like frustration or resentment, know that it is always preceded by a judgment. If not for judgment, then you could watch the wrong that others do and call it what it is without being affected by it. When you see Slashdotters deal with Microsoft in this wrong way and then judge them for it, you are actually doing the same thing. You are repeating with them the error that they made with Microsoft. Describing your objection with more sophisticated or neutral language does not change this. That's actually what anger does; it makes you replicate wrong. It cannot be otherwise because it is a negative energy. Just like those people, you feel justified. Effectively, this means you are following their lead while protesting what they are doing. Thus, they won't feel a need to listen to you because this process makes you just as wrong as they are. They can sense that whether or not they are consciously aware of it (most are not).
That's what judgment is; it's the wrong way of being right. You can repeat the post you just made until every last Slashdotter has read it. It would either change nothing or it would make a few people change for the wrong reason: not because they learned anything or became stronger people, but because they want to win the approval and agreement of others. The better way is to show them what I am trying to show you, that their frustration is part of the problem. That won't give you the "satisfaction" of judging the person, but all that ever did was to make a mockery of real satisfaction.
I'm trying to give you
It is a miracle that curiosity survives formal education. - Einstein
Assuming it's something I actually want to start with (aka it does something not done before on my platform of choice, or does it better than any alternatives), a program with bugs I can use now is better than one with no bugs due to be released "sometime". Obviously there's a point where bugs make it unusable, or inferior to its more mature competitors.
I've yet to see a single program (that actually accomplished a sophisticated task), whether it's been in development for a month or 10 years, that didn't have some form of bugs. Software that never gets released, or gets released after it is obsolete, is no good to anyone. Accurately identifying and prioritizing bugs that are serious show stoppers is a great tool.
Do the tinfoil hats come with the enrolling package in the Microsoft funny-boys club, or do you have to build them yourself?
Have you flown on any modern commercial airliner? I can guarantee that the software, even the critical software, has bugs. The thing is, if you go to the FAA to certify some software and you tell them that there are no open problem reports, they are going to have some serious questions about your software verification process.
Now, for every one of your open problem reports, someone has to review them, analyze them, and come up with a justification of why it's OK not to fix them. In many cases, it's better to leave a well understood bug than to try to rush in a fix at the last minute.
The thing to keep in mind is that not all bugs are created equally.
un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
Except $ourceforge (LNUX). Cos... ya know.... they seem to be more about losing money ;)
3laws: No freebies, no backsies, GTFO.
"...hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
Yea, because who would want to fix EVERY Bug before release? Certainly not Microsoft, that's what Service Packs are for!
If I had one dollar for every brain you don't have, I would have $1.
Most malware infections are thanks to the vulnerability between the keyboard and the chair.
So no, we won't see fewer infections with a more secure Windows.
No, it's twitter. He always does that.
You probably won't believe this, but he posts anonymously because Anonymous Coward has a starting score (0) higher than all of his 15-20 other Slashdot accounts.
Personally, I strongly disagree with the whole FLOSS vs Commercial debate (I also disagree with describing FLOSS as "free", but that's another story and mostly related to my pedantic usage of proper English). If something that's "free-libre" happens to do the job you want it for better than commercial alternatives, do it. If something commercial is better, use that.
Why don't the zealots just let us use whatever the fuck we want? I happen to like Windows. I also like Mac OS. Hell, I even like Linux. Of course, because I said I happen to like Windows, people like twitter would have you believe that I am paid by Microsoft. Hell, I wish I were - they'd pay more than my real employer.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
You know, that argument has always annoyed me.
You say that because you've never seen a virus or trojan on your PC, it's just because you didn't detect it.
Why does this particular perspective only apply to Windows? Why is it never said that if you've never seen a virus or trojan on Linux that it's because you never detected it?
(Actually, quite amusingly, the comment below me says exactly that. Go him or her!)
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I don't think you can lay the "twitterism" on too thick. He's pretty "thick" as it is (and I am not referring to his intelligence, merely that I don't think you can get any more twitter-like than he is)
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols are a particular irritant of mine.
It goes both ways. I'm irritated that `$' is being used as an intended insult. It's supposed to be a symbol of _earned_ wealth, which is never a bad thing in my book.
I had a lot more fun irritating a former roommate expanding MS to Multiple Sclerosis. At the time, it was the more recognized expansion of MS.
I don't mind using stock symbols as abbreviations either. I even recently proposed that when the CSC namespace runs out for Cisco bugids (we've been as wasteful as the IPV4 guys were) we use CSCO to identify an expanded namespace.
Personally, I think using "M$" as an abbreviation for Microsoft just identifies the user as an idiot. Same as if one would write "Ci$co". The abbreviation that *really* pisses me off is abbreviating Microsoft Windows as "win". "Win" has unfortunate and untrue connotations when applied to Microsoft Windows.
I guess I'll just be more fastidious and always write the names out in full, instead of occasionally using the stock symbol as an abbreviation.
(I'm glad you got modded up to +5 by the time I saw this)
If you're so puerile as to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
Hear, hear!
If one must troll or lay down flame bait, one should at least be clever about it. Simple sarcasm merely goes over the head of many moderators and should tend to be avoided. Name calling is always boring.
If you can see that I wrote all of the above without ever thinking that I'm any better than you just because I know of a better way (a way that I did not invent), then you will understand where I'm coming from.
I don't understand where you're coming from. You present an extraordinarily literate argument[1] though. Anyone who can write like you do has utterly no business defending `M$', justifiable anger or not. IMO.
[1] And one which is going to fly over the heads of 99.99%, as a rough guess, of the folks here.
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker".
You don't agree that text in bold is HIS opinion? I don't agree with your disagreement :P
+Raider of the lost BBS
A tool to find exploits of open source software? That is so evil.
He's not defending the use of "M$" in place of "Microsoft;" he's saying it doesn't affect the validity of the argument. It's not even about "M$" in particular, but about people refusing to use their brains whenever they encounter presentation they don't like.
That's a fine thing to say Mr. Anonymous Coward. If you _really_ believe that, you could at least have taken the time to log in and attach a name to those words.
Name calling (and ad hominem attacks in general) are indicative to me of being part of a weak argument. I do not think I've ever seen an argument strengthened by usage of such. I've followed 'net discussions in various settings for over 20 years and US (first, Asian later) politics for much longer than that. Sociology is fascinating.
Perhaps I am just disgusted with "The Politics of Personal Destruction", a phrase popularized by the man who brought its application to a high art form.
Now, pop quiz, do the first two sentences in this response make me look good and strengthen what I have to say, or weaken it? (Actually I'm hoping someone will flame me over that before reading the rest of the post, thus making my point).
It'd be like someone saying, "That mathematical proof must be invalid because it's printed in an ugly font."
It's more along the lines of 99.9% of erroneous mathematical proofs use that font and unless I see something obviously interesting and very quickly, I'm going to ignore it. Guilt by association.
What! You mean they Open Sourced Windows!??!
"Flyin' in just a sweet place,
Never been known to fail..."
I don't ship crap.
Bender, is that you?
Why don't you RTFA?
Has it been run on itself?
Will subsequent versions exploit the exploits, setup botnets, send spam etc?
If Microsoft entered the armor business, would they also supply arms to the other side?
But seriously, Microsoft put a ton of research into finding their security holes, including embedding the acquired techniques in tools. They're useful tools, and have been critically useful to them. Why not release them? My only worry is that it is not in their fighter-nature to help their competitors, and of course the tool can also be used by crackers.
"It's interesting to read how you so clearly hate the idea of someone else having control, and at the same time you want that exact same control all to yourself above the devs. That's the most common problem with the middle-management level of development, they're in charge and they're going to have it their way, all other factors be damned."
I AM a dev, you idiot. Back when I was fresh and new and guileless, like you, I thought a lot like you. Everything I knew about development had come from two sources, CS assignments and Slashdot--I didn't even know how little I knew.
Most of that got beaten out of me, eventually--not by management, but by other engineers who just didn't have the patience for my snotty, immature attitude.
"What the development team as a whole needs is balance. I'm not saying for either side to hold things hostage, I'm just saying don't let the PHB's decide when it's "ready" based solely on a trade show date."
And now you're just redefining your side of the argument because I burned it out from under you, in my previous comment. Changing your tune, now, cannot erase your previous comments. YHL, HAND.
Of course, you all know there's a difference between open source and Microsoft's opened source. Microsoft's offerings don't qualify as open source. It isn't free of restriction to use and reuse and it isn't free of the restrictions of the OS.
There's no word for open source in Microsoft's vocabulary. It is opened source which is simply an opportunity to view the source but you can't use it outside of your closed project and can only be used under Windows.
You can lead a man with reason but you can't make him think.
Microsoft + OSS = LOVE ????
Shipping a large project with 1,000 bugs might be a perfectly valid decision
A large project... like a car?
I can't remember the last time I had to take my car to the dealer to fix a factory defect. You people in the software industry should be ashamed of yourselves. Real engineers laugh at the likes of you guys.
About fifteen years ago I bought a new lawnmower. My elderly next door neighbor saw it, liked it, and bought an identical one a week later. It lasted two years (twice the warranty), and then died from a broken piece.
A week later my neighbor's lawnmower died from the exact same fault. Now THAT'S engineering!
Free Martian Whores!
Ha! Finally he admits it! We always knew you'd written that backdoor into DNS.
Very clever of you given your age at the time, and the way you got someone else to front the code as their own...
(Hmm. Now I'm wondering. You're possibly young enough that the code predates you. Now that _is_ clever!)
Have you tested your software on .Net CLR1 and CLR2?
- Windows XP Pro, no service packs
- XP Home, none
- Pro/home/Media Center edition, service pack 1
- SP2, 3, etc
- Vista, etc
- Win XP MCE SP2 with IE8
- Win XP Home SP1 with
I've skipped around 782 permutations, any of which may cause a crash that will not occur on another combination.
Release software to enough users and they'll let you know when it fails. If one customer in 10,000 suffers a crash once ever then you have a lot of very happy customers, and on a 100m install base you also have 10,000 crash reports to sift through.
Which crash do you spend the 8 man-months trying to replicate so you can fix it?
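As an added illustration of the triage problem this comment raises (it is not code from the page, from Microsoft, or from the !exploitable tool), here is a constructed Python routine that buckets duplicate crash reports by a stack-frame signature and ranks the buckets with a coarse exploitability heuristic, so that 10,000 reports collapse to a short list with the riskiest on top. The exception names, the near-null address threshold, the "unsafe copy routine" list and the sample reports are all assumptions made for this example.

```python
# Constructed example for crash-report triage (not !exploitable's code):
# bucket duplicate crashes by a stack-frame signature, then rank the
# buckets by a coarse exploitability heuristic so the few risky ones
# surface first. Categories, thresholds and sample data are assumptions.
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

PRIORITY = {
    "EXPLOITABLE": 3,
    "PROBABLY_EXPLOITABLE": 2,
    "UNKNOWN": 1,
    "PROBABLY_NOT_EXPLOITABLE": 0,
}
NEAR_NULL_LIMIT = 0x10000  # assumed extent of the unmapped null-page region
UNSAFE_COPY_ROUTINES = ("strcpy", "strcat", "memcpy", "sprintf")  # assumption


@dataclass
class CrashReport:
    report_id: str
    exception: str        # WRITE_AV, READ_AV, EXEC_AV, STACK_OVERFLOW, BREAKPOINT
    fault_address: int
    frames: List[str]     # innermost frame first, "module!function+0xoffset"


def normalize_frame(frame: str) -> str:
    """Drop the instruction offset so rebuilds and ASLR do not split a bucket."""
    return re.sub(r"\+0x[0-9a-fA-F]+$", "", frame)


def stack_signature(frames: List[str], depth: int = 5) -> str:
    """Hash of the top `depth` normalized frames; equal signatures mean one bug."""
    joined = "|".join(normalize_frame(f) for f in frames[:depth])
    return hashlib.sha256(joined.encode()).hexdigest()[:16]


def classify(report: CrashReport) -> str:
    """Coarse exploitability rating from exception type, address and top frame."""
    near_null = report.fault_address < NEAR_NULL_LIMIT
    exc = report.exception
    if exc == "EXEC_AV":
        # instruction pointer left mapped code: control of execution is likely
        category = "EXPLOITABLE"
    elif exc == "WRITE_AV":
        # a write to a corrupted address; a near-null write is the weaker case
        category = "PROBABLY_EXPLOITABLE" if near_null else "EXPLOITABLE"
    elif exc == "READ_AV":
        # plain null dereferences are usually just a crash; other reads need a look
        category = "PROBABLY_NOT_EXPLOITABLE" if near_null else "UNKNOWN"
    elif exc in ("STACK_OVERFLOW", "BREAKPOINT"):
        category = "PROBABLY_NOT_EXPLOITABLE"
    else:
        category = "UNKNOWN"
    # an unknown read that faults inside a raw copy routine deserves a closer look
    top = normalize_frame(report.frames[0]).lower() if report.frames else ""
    if category == "UNKNOWN" and any(r in top for r in UNSAFE_COPY_ROUTINES):
        category = "PROBABLY_EXPLOITABLE"
    return category


def triage(reports: List[CrashReport]) -> List[Dict]:
    """Group reports into buckets; sort worst category first, then most frequent."""
    buckets: Dict[str, Dict] = {}
    for r in reports:
        sig = stack_signature(r.frames)
        cat = classify(r)
        b = buckets.setdefault(sig, {
            "signature": sig, "count": 0, "category": cat,
            "representative": r.report_id, "top_frame": normalize_frame(r.frames[0]),
        })
        b["count"] += 1
        if PRIORITY[cat] > PRIORITY[b["category"]]:
            b["category"] = cat  # a bucket is rated by its worst member
    return sorted(buckets.values(),
                  key=lambda b: (-PRIORITY[b["category"]], -b["count"]))


# Constructed crash reports standing in for a beta-test crash feed.
SAMPLE_REPORTS = [
    CrashReport("r1", "WRITE_AV", 0x41414141,
                ["app!parse_header+0x1a", "app!handle_request+0x40", "app!main+0x10"]),
    CrashReport("r2", "WRITE_AV", 0x41414150,
                ["app!parse_header+0x22", "app!handle_request+0x40", "app!main+0x10"]),
    CrashReport("r3", "READ_AV", 0x8, ["app!render+0x5", "app!main+0x10"]),
    CrashReport("r4", "READ_AV", 0x8, ["app!render+0x5", "app!main+0x10"]),
    CrashReport("r5", "READ_AV", 0x8, ["app!render+0x9", "app!main+0x10"]),
    CrashReport("r6", "STACK_OVERFLOW", 0x7FFE1000,
                ["app!recurse+0x3", "app!recurse+0x3", "app!main+0x10"]),
    CrashReport("r7", "READ_AV", 0x42424242,
                ["msvcrt!memcpy+0x9c", "app!copy_payload+0x30", "app!main+0x10"]),
    CrashReport("r8", "EXEC_AV", 0x43434343, ["0x43434343", "app!dispatch+0x11"]),
]

if __name__ == "__main__":
    for b in triage(SAMPLE_REPORTS):
        print(f"{b['category']:<24} x{b['count']:<3} {b['top_frame']}  (e.g. {b['representative']})")
```

Eight constructed reports collapse into five buckets, with the two write/execute faults first and the three identical null dereferences grouped near the bottom.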
Paradoxically, it's much easier to understand than it is to explain. It's one of those things that is not so complex that few people could understand it, but rather, it is so simple that almost everyone overlooks it. I certainly overlooked it for a long time. Because of that, please excuse the length of this post.
If your respect for my arguments or my ability as a writer were genuine, you would perhaps be puzzled by my perceived defense of "M$" and may ask me about it but you would not presume to tell me what is or is not my business. That's tantamount to telling me what I should or should not say, or how I should or should not feel about an issue. I strongly doubt you would go along with someone else doing this to you; you seem far too independent and free-thinking for that. It's alright, for I think being so easily offended is a serious weakness, but you should know that it won't work.
I wasn't actually pronouncing the use of "M$" to be right and good. I was accepting the reality that people are going to use it whether or not I enjoy it. The least-understood quality of human beings is that they always feel like what they do is right, or at least necessary. That's true no matter how wrong they actually are. This has an interesting effect because human beings also have egos.
There is nothing to which ego is more sensitive than anger and its various manifestations, such as frustration or resentment. When you tell them "you're wrong", not because you see that they are misguided and want something better for them, but because what they did has offended you or caused you to resent or condemn or judge them, you stimulate their ego. Now it's no longer about whether you had a point. Now it's about who's going to yield to whom, who's going to win the contest in which you are now engaged. That's if they are inclined to contests. If they are not, they'll just write you off by judging you as "unpleasant" etc. and ignoring you. Then nothing changes.
The simple fact is, you cannot convince anyone of anything without their consent. Get them on their high horse and they will make it a point to prove that to you. The way you were attempting to correct "M$" was from one ego to another, yours to theirs, which is why it must fail. It will fail or it will succeed for the wrong reason by appealing to the people-pleasers who should not be so concerned with whether you approve of them. Either way, no one learns anything and no one becomes a stronger person.
It does not have to be that way, of course. There can be compassionate understanding instead. I'll sum up the true problem for you, the obstacle of obstacles, the one cause of all of the ignorance in the world. People are leaves in the wind. They are products of their environments with no real self-hood who better resemble automatons than independent, free-thinking human beings. They can be this way while still clinging to the idea that their beliefs and impulses are their own. Modern education and mass media only encourage these things because both are heavily invested in them. If you properly see this, then you realize that these people are like slaves and don't know it. You realize that they are far less free than you are and that they suffer in many ways because of it.
If you yourself have not been too compromised, then you cannot see this without wishing that they be more free, that they not suffer so needlessly. You'll understand that any problem you could have with them comes from their slave status because only free people can truly understand and only free people can truly love. If they had real understanding and if they loved other people, then any "problem" you could have would not be a problem. You a
It is a miracle that curiosity survives formal education. - Einstein
In other words, "I'm not a human being; I am a prize. Reaching me is the same as winning the prize. If you want to win that prize, you will submit to my control and play the game according to my rules. If not, you lose the game before you even started playing."
The people-pleasers love this kind of invitation because then you can praise them for being "good" and agreeable. They go along to get along. It's the only "goodness" they will know because they are addicted to the approval of others. That addiction is what you exploit when you set yourself up to be some sort of prize. Hypothetically, it's like telling a crack whore that you'll give her some crack if she'll perform some sexual favors for you, except that doing it the way you do it allows you to believe that it's somehow noble. The crack whore has no such delusions, nor do her clientele, because in her case it is easy to call things what they are. In your case, the easy excuses that lead to a belief that you are doing anything other than attempting to control is an obstacle to calling this what it is. The belief in this sort of control and that it is ever legitimate leads to all sorts of perversions of the idea of authority. On the personal or family level, it leads to "do as I say, not as I do." On a national level, it's one of the forces that turns democratic nations into totalitarian states with increasingly authoritarian policies.
It's an attempt to cause people to do what they would not otherwise do in order to please you and avoid your judgment of guilt, by association or otherwise. You won't be able to truly respect anyone who submits to this sort of coercion, so even if you get what you want, it is tainted. That is a proper result because this is one of the more subtle, less in-your-face ways to bully people (there are many such ways, some of them even look quite agreeable on the surface). No bully ever respects the weak people who submit to him, nor could he. Likewise, no bully respects the weak people who want to be an even bigger bully, which is why seeing the wrong of this does not tempt me to condemn you or insult you for it, not even in my mind.
Of course the real flaw in the first paragraph is that you are in fact a human being. Control of others isn't worth reducing that status to a mere prize. The price is too high. Further, if you had a pure intent and were seeking knowledge, you would navigate the obstacles (real or perceived) like incorrect presentation and would not allow them to stop you from examining that knowledge. You would need no heuristic to replace or complement the process of evaluating the knowledge and applying whatever tests of truth you think are appropriate. That's why this is about control and can only be about control. I can tell that you are intelligent. If you really wanted to know something, it would probably be difficult to hide it from you. That's why this stumbling block is artificial.
The alternative is childishly simple. It consists of accepting that people will often do things you don't like and realizing that they may feel the same way when they look at you, and then appreciating that the vast majority of those things don't matter. They don't matter unless they materially determine the truth or the falsehood of any claims that are made, facts that are presented, or reasoning that is elucidated. Things like the choice of a font or the spelling of a name fail this test. It cannot be otherwise. The actual truth or falsehood of an argument can only be determined on a case-by-case basis, so statistical comparisons based on the aesthetic choices of others cannot help.
It is a miracle that curiosity survives formal education. - Einstein
How do you know I was intending to be offensive? Perhaps I was literally asking him if he had some kind of learning disability, which would make sense considering his completely incorrect reading of the post and/or article. :)
Hey, if Obama can get away with it...
Well yes, I've cleared loads of 'em off but been lucky in myself.
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
You can't say that on $lashdot.
coffee | nose > keyboard
Hehe first time to be called everything. I didn't Windows was any good. I'm a FOSS user and advocate but I don't like lies and FUD.
Hehe shill, that's going to keep me smiling. Just a shame you're an illiterate.
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter