Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability

An anonymous reader writes "Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."

90 days to fix

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

Re:90 days to fix

[plover]

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

It's no big deal. I'm posting this from my Windows 8.1 box, and nothing bad has happened. ... @LizardMafia RULEZ!1! d0wn with S0NY!!11!

Re: 90 days to fix

[O('_')O_Bush]

That really isn't Google or our problem. Attackers aren't going to politely wait for Microsoft to fix issues like this, and Microsoft won't fix issues like this unless they are pressed to. And this brings up the glaring flaw with closed source products. If a third party flagged an issue in an open source product, any user that is concerned enough could potentially fix it or patch their own systems themselves. With closed source, we have to wring our hands and wait for someone at Microsoft to care enough to fix it.

Re:90 days to fix

So you think Microsoft should be forced to provide security updates for all of their products in perpetuity?

Have you really thought about the economic ramifications of that?

Re:90 days to fix

It is a user escalation vulnerability. These sort of vulnerabilities sometimes exist in Linux for months or years as well. They are generally considered less urgent to fix.

Re: 90 days to fix

[The+Fifth+Man]

If only there were a way to communicate such bugs discovered in an open source piece of software to lots and lots of people. That way, many sets of eyes would surely see and then fix the issue and, in turn, communicate the fix and maybe distribute a binary for patching.

Re:90 days to fix

[Charliemopps]

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

You've never been through regression testing have you?

Re:90 days to fix

[hawguy]

I think after 90 days, Miccrosoft should be held criminally accountable to every single user, worldwide. Applies to "dropped" support products people may be forced to continue using for various reasons (embedded, integrated systems, lack of budget to upgrade to new OS/hardware) .. think Win 7 and even XP.

No one is "forced" to continue using MS products -- unless they signed a support contract for extended support, MS can't be held responsible for supporting legacy systems indefinitely. If you don't want to be stuck with a system running an unsupported operating system, then you can sign (and pay for) a long-term support contract throughout the life of your product, you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself, or you can plan on upgrading your product hardware/software to stay with currently supported software.

I fail to see how Microsoft has any responsibility to support software for a hardware product that a manufacturer has decided not to keep current enough to run supported software. If the old HVAC system in your building relies on Windows 3.1 to keep it running, then maybe you ought to go after the vendor that sold it to you, if a replacement for the fan motor in your HVAC system is no longer available, you'd either retrofit to accept a current motor, or just upgrade the entire system, which is what you should do when the computer that controls it is no longer supported by current software.

Re: 90 days to fix

[kenshin33]

can't they -the user- hire "a true überwizard " to do it?

Re: 90 days to fix

[guruevi]

Really? Any coder able to find issues like this should be able to fix issues like this if they have the proper source code. Most issues are trivial to fix, substituting an unsafe call with a safe(r) call (eg. strcpy vs strncpy) is often enough to fix most issues.

Sure there will be some side cases where it is really hard or there may be better solutions than your patch (eg. I recently found a bug in the MariaDB optimizer which leads to bad data being returned) but then at least if the product on top of it (CiviCRM and Drupal in my case) is also open source, at least I can modify the query to fit my needs even though both Drupal and CiviCRM people say 'not our problem'.

Re:90 days to fix

[gweihir]

I agree. Even a second-rated software shop should have no trouble meeting that deadline. It appears that MS is still third-rate. The only thing that will help is making them fully responsible for any and all damage caused by their inaction.

Re: 90 days to fix

[gweihir]

Actually, for FOSS projects a single user that fixes it and submits a patch is enough for all users to have a patch. This is much more powerful and the reason fix-times are often measured in hours for well-done FOSS projects.

Re: 90 days to fix

[gweihir]

Indeed. But since it is FOSS, a single "true überwizard" that then submits a patch is enough for all to have a patch. In the closed-source case, some mediocre, underpaid and unmotivated corporate slave has to take an interest and manage to fix it, and that takes far longer in most cases. 90 days is completely unacceptable though.

Re:90 days to fix

[drinkypoo]

you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself

Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.

Re:90 days to fix

[hawguy]

you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself

Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.

Then you haven't applied enough money and/or pressure.

I worked for a large VAR years ago that had access to the Windows source... I don't think they had the whole source tree, they couldn't do a full build, but they could get access to any module they needed.

I worked for a another company that was the largest and most well known customer of an up and coming database company, they used our name heavily in marketing - we wanted source code escrow in case the DB company went under and we had to support it ourselves. after months of negotiation we couldn't come to an agreement, so we told them we were moving to a different product and engineering was actively porting over to the other product. In less than a month, that company capitulated and we had full access to their source code (not just escrow, we had live access to their source code repository).

If you don't have enough money and/or pressure to get access to the source code, then you're accepting Microsoft's limited support window and shouldn't cry foul when Microsoft stops supporting your product.

Re:90 days to fix

[Stan92057]

Really? They had 90 days to fix this. That is plenty of time.

Really? says who? YOU? Anonymous coward says so?

I just thinking out loud here but if everyones PC gets infected by someone using the knowledge given by this asshole, everyone who gets exploited and has there credit card exploited or there debit cards exploited PC exploited should sue Google. Its not thee right to make Windows/any OS users open to scum criminal hackers. IMO this is nothing more then criminal blackmail. they cant beat MS with an open market so they help hackers take them down.

Re: 90 days to fix

[Stan92057]

umm why would it be his responsibility to take interest? Since hes a slave, underpaid,unmotivated coder, doesn't he have to be told what bugs to fix by some corporate overpaid, under motivated, drone MS manager?

Re:90 days to fix

[bkcallahan]

Either that or stop using it.

Re: 90 days to fix

[gweihir]

Depends on the set-up, but usually it works like this: Engineer escalates to PHB -> PHB makes clueless decision -> engineer implements clueless decision. Done right, the engineer is reasonably senior, makes his own decision and just consults with a more senior or equally senior engineer for plausibility. Management only sets policy in that case. Of course, it is possible that MS has a "fix only if there is outside-pressure" policy for their engineers.

Re:90 days to fix

[RingDev]

From the looks of things, this vulnerability only allows the would-be exploiter to circumvent UAC.

They still need valid credentials for a user with Admin rights to do anything significant (the demo just attempts to launch Calculator).

Which, given your post would imply that you are logged into your Windows 8.1 PC as a user with Admin rights. And if you are perusing Slashdot while logged in as an Admin, you are doing something far worse than Google disclosing the vulnerability :P

-Rick

Grammar police alert

Undisclosed?

Re:Grammar police alert

[NoNonAlphaCharsHere]

I do not think that word means what you think it means.

Re:Grammar police alert

[ceoyoyo]

Google inadvertently reveals they have captured enough of the Internet to erase things from it.

Re:Grammar police alert

[franblets]

It is like a double positive... Yeah, right.

Re:Grammar police alert

[marciot]

So this is good. This vulnerability was previously disclosed, but they undisclosed it. The undisclosure was done by the NSA using their version of the neuralizer, the existence of which was disclosed by Snowden last year, but has since been undisclosed (which is why you don't know about it).

Re: Grammar police alert

[GrantRobertson]

Haven't they already proven it is impossible to "UNdisclose" anything on the internet. Once it is disclosed, it's out there forever.

"Can't stop the signal, Mal."

Re:Grammar police alert

[ndogg]

I think they meant non-undisclosed, which is a perfectly cromulent word. Irregardless, we should all be carefuller with grammar.

Re:Grammar police alert

[Maritz]

Yeah. Personally if I was writing a summary for a news site, I'd check what the fuck I was saying makes sense before posting it.

How Long?

Is a reasonable amount of time to let a company sit on a known vulnerability? I feel like 90 days is pretty reasonable. There's still that Apple root pipe thing that's floating around that they haven't fixed and hasn't been fully disclosed.

Re:How Long?

[gweihir]

90 days is plenty if they are actually prepared to maintain their stuff. It seems MS is not.

Ha ha ha

[drinkypoo]

The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.

Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.

Re:Ha ha ha

The problem is that it's likely that at that point most of the scumbags will also learn from the vulnerability for the first time.

Re:Ha ha ha

[nobuddy]

People used to wait on Microsoft to fix before revealing. As a result, Microsoft didn't bother to fix anything until it became a problem in the wild.
Once people started giving deadlines and sticking to them, Microsoft's patch response time became orders of magnitude faster. Simply put, they will do ONLY what they are forced to do.

Re:Ha ha ha

[Dutch+Gun]

Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority. They've taken reported security exploits seriously for a very long time now, and disclosing any vulnerability before a patch is deployed is absolutely irresponsible. It's arrogant as hell for Google to decide that 90 days is long enough, thank you. Recently, though, that seems to be nothing new for Google, as they now seem fairly comfortable dictating timelines to the rest of the internet about all sorts of recent security-related issues.

Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people... much more so than security issues that may not have even been seen in the wild yet (I saw no indication in the linked article that this was the case) - but now probably will since the attack is known. If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.

Sorry if I sound like an MS shill, but Google is really starting to piss me off with their high-handed attitude on stuff like this lately.

Re:Ha ha ha

[robi5]

I've been laughing, reading your tongue-in-cheek humor until your last sentence... then realized that maybe you actually meant what you wrote...

Re:Ha ha ha

[gweihir]

If software manufacturers actually cared to fix things fast, there would be no need. But as fixing bugs costs money and there is _zero_ penalty for not doing so, most do not bother unless forced to. 90 days is plenty. Things not fixed in 90 days will never be fixed, unless there is at the very least a risk of bad press.

Re:Ha ha ha

[strikethree]

Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority.

ROFLMAO. I could go on and on for hours about how pathetic Microsoft Security is but instead, I will not bore you and just talk about the one that is the largest pain in my rear right now: It is titled Windows Credential Theft.

Yes, the geniuses at Microsoft decided that leaving Domain Admin credentials laying about on any average workstation is not a huge problem. It is not like just anyone has access to the computer after all and it is not like having your entire domain compromised is a huge deal...

Seriously. Caching Domain Admin credentials. On a workstation... Serious about security? It is to laugh. These clowns would not know security if it walked up and introduced itself.

Re:Ha ha ha

[drinkypoo]

Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people

So, get to the part where it's google's fault that Microsoft is too incompetent to take security seriously?

Re:Ha ha ha

[Dutch+Gun]

Ok, people are getting distracted by my statement that MS is "taking security seriously". Let's put aside how *effectively* they're "taking security seriously" for now, because that's entirely besides the point. What my point was is this: MS has well-established machinery and procedures in place for accepting bug reports and getting them fixed. This is indisputable; a lot of bugs has been responsibly reported to them in confidence and subsequently fixed. We see them every month on Patch Tuesday. Did the machinery fail here, or is it just a back-burner bug that's taking a long time to fix? It's hard to say. Did Google make any attempt to contact MS before this went public?

More importantly, is Google justified in releasing details of an exploit that hasn't been fixed yet? In the security world, this is typically considered black hat behavior, not white hat. 90 days is an annoyingly long time for MS to get a bug fixed, true, but I haven't seen any indication that this is a high-priority fix either - that is, like it's currently being exploited in the wild and is a critical security breach.

Sorry, but I'm just having a hard time justifying Google's behavior here. It seems pretty irresponsible to set up a system to automatically push out bug details after 90 days automatically, regardless of whether or not it's been fixed. This seems more like a political move against MS to embarrass them (and yeah, they probably should be embarrassed that it's taking them so long). What I don't understand is why people think this is acceptable, regardless of how you feel about MS.

Re:Ha ha ha

[Kirth]

> It's arrogant as hell for Google to decide that 90 days is long enough, thank you.

Totally ridiculous. I've witnessed the "responsible disclosure" discussions a few years back, and even then, 4 weeks was considered generous. I'd say it's totally egotist of you to expect google to keep even quiet for more than 30 days.

I'd given them two weeks and gone out with it. And there's some researchers with a lot more clout than me, who would have given them exactly ZERO days: http://www.securityfocus.com/a...

A victim of applications and history

[Junta]

This seems to come out of the peculiar microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in an non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to it's application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

Re:A victim of applications and history

[cnettel]

This seems to come out of the peculiar microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in an non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to it's application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

While impersonation and other techniques is used a lot more and including larger portions of the API, impersonation itself has been along since NT 3.1. Are you a file server process serving a request from a client? Just create an impersonation context for the user who sent the request and pass that along to the file system. You only need to make sure that you create the right context and tell other services on whose behalf you are doing this. This is not identical to setuid and similar, most importantly because a single thread can keep many impersonation contexts.

That this is part of the application compatibility cache service is almost coincidental, the real problem is in the fact that impersonation services are used, but used incorrectly. Impersonation was part of the original NT design, and for relatively good reason.

Re:A victim of applications and history

[ceoyoyo]

You should type "man sudo" sometime.

Re:Poor choices to use proprietary cause this!

[halivar]

While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.

Re:Poor choices to use proprietary cause this!

[plover]

Let's see how that plays out in the Open Source world:
Step 0: discover exploitable vulnerability in Linux kernel random number generator.
Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
Step 3: publicly post details of exploit
Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this privately
Step 5: wait for it ...
Step 6: enjoy your now-patched system.

I'm sure I missed an unpleasant step somewhere in the above, but it should be enough to acknowledge that Open Source isn't always the perfect solution we imagine it to be.

Re:Poor choices to use proprietary cause this!

[jones_supa]

While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

It's only a theoretical possibility. Even if the fix would not consist of much code, getting familiar with the codebase and then designing the proper fix takes ages.

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Re:Let's be honest

[gatkinso]

For a long time I thought that... then I actually tried Windows 8.1.

It is not bad actually, and far better than 7 in every way that I can tell.

Re:Poor choices to use proprietary cause this!

[gatkinso]

I think the "at least the end-user isn't restricted from fixing bugs when they occur" part is what the rejoinder was referring to.

Re:Poor choices to use proprietary cause this!

[jones_supa]

Why? The great thing about open source is that if there's a problem in a key package then any supplier can work on it. Red Hat can. Canonical can. IBM can. Or I can pay someone to work on it myself if I really want to.

Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.

Re:Poor choices to use proprietary cause this!

[buchanmilne]

Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.

No, the original claim was:
"at least the end-user isn't restricted from fixing bugs when they occur."

Paying/getting a different party to fix the bug is a valid application of "not being restricted from fixing the bug". In the case of proprietary software, if the original vendor doesn't fix it, you're stuck with the choice of being vulnerable or making significant changes (switching to a different proprietary software).

Re:Poor choices to use proprietary cause this!

[ruir]

I already fixed kernel bugs. And probably many others. At least there is the choice and the possibility of doing it. Could we do the same in Windows?? Think about it.

Re:Poor choices to use proprietary cause this!

[jones_supa]

That's true.

Re:Poor choices to use proprietary cause this!

[halivar]

Unused variables are warnings and not errors because their use is detected only heuristically and not conclusively. I'm not saying that's the case in the Linux kernel; only that it's a possibility.

Re:Poor choices to use proprietary cause this!

[chipschap]

But the real point, I think, is that even if everyone/most users can't fix a bug in open source code (similar to the prior poster, I've also fixed small and medium ones, but waited for fixes on complex stuff), there are people who can, and will, and do. Even though, for the really obscure things, that group may be small, there is no absolute dependence on some group that has access to closed source code. This seems like rather an advantage for open source.

Re:Poor choices to use proprietary cause this!

[ancientt]

Why are you bringing up the average user when he was talking about the end user who has a strong reason to keep something patched? That's comparing a Mint home user to someone running the distribution upgrade servers.

If you are in charge of managing an important system or network, then you can either fix the problem yourself, have your programming team fix it and commit the fix back to the upstream vendor or you can potentially hire the work out. Even if you are an average end user, you could actually fix it if you were willing to put in the work, however unlikely that scenario might be.

Re:Poor choices to use proprietary cause this!

[pr0fessor]

I'm surprised more people haven't responded that they already have contributed, given the way anything about a particular language turns into an argument.

I'm not a professional developer, but I have on occasion been the fresh pair of eyes that has spotted something that turned out to be an easy fix. On many more occasions I have found bugs that were out of my league.

Re:Poor choices to use proprietary cause this!

[unrtst]

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Trolls that keep posting crap like this should eat their own dogfood - try it yourself before extolling the horrors, and try it with both the closed source product and the competing open source one. I've done this. IME, you're full of shit.

It's also worth noting that the bug was reported over 90 days ago. "proper fix takes ages"... results will vary wildly depending on the product, the bug report, and the bug, but the majority would be addressable well within that time frame. In most cases, you won't have to do anything as the maintainers will handle it, just like (a good) closed source maintainer would.

Re:Poor choices to use proprietary cause this!

[nobuddy]

Sorry you got lost. Tumblr is three doors down, on the right.

kthx, bye.

Might not be serious by itself.

[140Mandak262Jamuna]

It does not appear to be a serious hole by itself. Microsoft claims you need a valid log-on to exploit this, In reality all you need to do is to get your code run in a machine with the privilege of ordinary user. There are ways and other vulnerabilities to do it. There are numerous holes where the browser executes supplied malware from the net, without admin privileges. These two holes, when combined forms a serious threat.

Re:Poor choices to use proprietary cause this!

[Dishevel]

Linus is an ass. He never seemed racist or filled with hate for women.

Maybe you just spend too much time pulling statements out of your ass?

Re:Poor choices to use proprietary cause this!

[Dishevel]

WOW! I have mod points quite often. Rarely have I wanted them more than now.

Gratz. You sir are a thinking and evolving being.

Re:Let's be honest

[gatkinso]

Boots faster. Is more stable. Uses less memory resources. Windows networking seems to work better. Seemless integration with the kids XBox.

I seem to have much more luck developing drivers on 8.1 as well - far less error check screens (more a function of me learning the DDK), also at the user level ETW seems rather more robust. Windbg also seems to be more stable when running on 8.1.

Also, I like the UI better (on the desktop) - I largely ignore the metro screen or whatever it is called.

Re: Let's be honest

What was asked for was a single way.
That's two ways.
FAIL.
(Couldn't resist.)

Re:Poor choices to use proprietary cause this!

[gatkinso]

>> the linux kernel source code is riddled with unused variables...

One would think that the linker would eliminate most of this. Not sure about the unspecified "unfixed and seemingly minor issues which collectively represent security vulnerabilities."

As far was the warnings go - most of those that I see are in the modules, not the kernel itself.

undisclosed

[bug1]

"Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability"

"undisclosed
adjective
1. not made known or revealed: an undisclosed sum"

From that description i assume google has a database of recent security vulnerabilities (from the last 90 days).
Vulnerabilities are immediately public information, then after 90 days they are removed from the list as they arent recent, and assumed to be patched ?

OR

Its the opposite and the person writing the description for the story should have said disclosed instead of undisclosed.

(sarcastic comment about reundisclosing the vulnerability so they can redisclose it in another 90 days)

Re:Poor choices to use proprietary cause this!

[strikethree]

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Hm. Back when I decided to build my own Linux based computer from source code, I did a lot of tweaking to the sources for a lot of the software that I decided to run. It was not terribly hard and it made the entire user experience amazingly awesome.

Now I am just pissed off. What with the removal of the ability to ctl-alt-backspace out of X (yes, i can add it back in) and "systemD integration" (yes, I can currently avoid it entirely) and other such nonsense like Gnome going off the deep end (nothing I can do about that but fork it), why even bother with Linux anymore? There is way too much to tweak and fix now. Stuff that should NOT NEED to be tweaked and fixed when it was already working.

Re:Let's be honest

[drinkypoo]

Seemless integration with the kids XBox.

Yeah, guess what? The kid's Xbox would integrate with Windows 7 or even XP just fine. But it still wouldn't play MKVs without PS3MediaServer or similar.

Re:Poor choices to use proprietary cause this!

[Dagger2]

Because FOSS still doesn't place some arbitrary BS restriction on fixing stuff.

Yes, it's true that a lot of users won't have the knowledge to do it, or won't be competent enough. Heck, even the people who can fix bugs won't have the time to fix every bug they encounter. But at least FOSS doesn't just outright ban you from doing it.

Re:GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

[slashdotwannabe]

WE MUST NEVER CENSOR TROLLS! Because, umm, wait. Why must we never censor trolls?

Re:Let's be honest

[gatkinso]

Try it on 8. Mo betta.

Re: GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS

[The+Fifth+Man]

So why does /. censor posts in gender politics threads? They do selectively run a script in some threads. In the case I'm talking about, it will ghost posts that use ess jay doubleyew (social justice warrior). They DO censor. This isn't hypothetical.