Nope. Software distributed in binary form whose source includes BSD-licensed source code is not required to be licensed for the purpose of making derivative works.
The BSD license only affects the source code, not the compiled binary.
At least on Windows, the plugins in question aren't "additional pieces of software" that are being installed secretly. They're part of the software package you chose to install, both conceptually and technologically.
This doesn't necessarily justify the fact that any particular software package doesn't make its browser add-on functionality optional and/or opt-in. It's just an observation.
Incidentally, I could swear that Firefox has been prompting me lately whenever a new add-on is discovered, and giving me the chance to disable it. Problem solved, I'd think, although I suppose you could argue that it should be opt-in rather than opt-out.
OK, so the installer could bypass the opt-in mechanism. That's a given, for conventional operating systems at least. But this would be an obviously malicious action, which I'm sure would generate bad PR from day one, and could easily lead to a lawsuit. By comparison, the current situation (mainstream application developers choosing to install global add-ons rather than per-user add-ons) is perfectly reasonable to many people and has been happening for years with almost no fuss.
For most folks, having to install a browser add-on separately after you've already installed the application that provides the underlying service is an annoying and seemingly unnecessary step. (Not to mention the number of people that would just say "oh, it doesn't work" and give up.)
They are using a documented mechanism provided by Mozilla to install global add-ons. They aren't circumventing anything.
That has a very simple follow up question.
Why can these companies do that?
Because Mozilla deliberately created a mechanism for them to use to do so, because it's easier on the end user.
I don't believe mainstream software developers would. I think they're currently providing global rather than per-user plugins primarily because that's easier on the average user. For example, most people would find it counter-intuitive to install, say, Adobe Reader, but then have to also separately download and install a plugin for Firefox in order to use it on the web.
In any case, deliberately bypassing an opt-in mechanism would be obviously malicious behavior, and would be stomped on immediately - whereas global plugins have been used for years and this is the first time I've seen anyone complain about the practice (as opposed to certain specific instances of it).
Most of (all of?) these plugins don't "mess with" the Mozilla files. They simply create a registry key, as documented by Mozilla, to ask Firefox to load an available plugin from the associated application. I don't see that they're doing anything wrong, from a technical standpoint at least.
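The registry-based plugin registration referred to in the comment above can be audited from the defender's side. The following PowerShell script is an added example, not code from the original thread or from Mozilla; it assumes the documented registration scheme in which each plugin gets a subkey under `SOFTWARE\MozillaPlugins` (machine-wide in HKLM, per-user in HKCU) whose `Path` value names the plugin DLL, and it lists each registered plugin with its scope, whether the DLL is still present, and whether the DLL carries a valid Authenticode signature.

```powershell
# Added example (not from the original thread): enumerate NPAPI plugins registered
# for Firefox through the Windows registry, so an administrator can see which
# plugins were registered machine-wide (HKLM, all users) versus per-user (HKCU).
# Registry locations assumed from Mozilla's documented plugin-registration scheme:
#   <hive>\SOFTWARE\MozillaPlugins\<plugin id>  with a "Path" value naming the DLL.
$hives = @(
    @{ Scope = 'Global (HKLM)';        Key = 'HKLM:\SOFTWARE\MozillaPlugins' },
    @{ Scope = 'Global 32-bit (HKLM)'; Key = 'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins' },
    @{ Scope = 'Per-user (HKCU)';      Key = 'HKCU:\SOFTWARE\MozillaPlugins' }
)

$report = foreach ($hive in $hives) {
    # Skip hives where no plugin has ever been registered.
    if (-not (Test-Path -Path $hive.Key)) { continue }

    foreach ($sub in Get-ChildItem -Path $hive.Key) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $dll   = $props.Path
        $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)

        # A registered plugin whose DLL is missing is stale; one whose DLL is
        # present but unsigned deserves a closer look.
        $validSig = $false
        if ($onDisk) {
            $validSig = (Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid'
        }

        [pscustomobject]@{
            Scope    = $hive.Scope
            PluginId = $sub.PSChildName
            Path     = $dll
            OnDisk   = $onDisk
            Signed   = $validSig
            Vendor   = $props.Vendor
            Version  = $props.Version
        }
    }
}

$report | Sort-Object Scope, PluginId | Format-Table -AutoSize
```

Reading HKLM does not require an elevated prompt, so the script can be run as an ordinary user; entries under the global hives are exactly the "install for everyone" registrations the comment describes, while entries under HKCU affect only the current account.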
I don't recall Mozilla's documentation suggesting that the global add-on functionality was intended only for sysadmins. Do you have a reference? Are there even instructions for how a sysadmin can use this functionality to globally install an add-on that was designed for individual installation? I thought it was up to the developer to choose between individual installation and global installation.
Use the command line instead of the GUI. That eliminates all four issues at once. Also, you won't be changing the permissions on the file as a side-effect.
This is a perfectly ordinary elevation-of-privilege vulnerability. Just like every other elevation of privilege vulnerability it also happens to be capable of bypassing UAC's split-token protection, but the vulnerability itself isn't related to UAC in any way.
In particular, if the workaround suggested in the article is correct, this vulnerability can't be used to escape from Internet Explorer Protected Mode (the other major function of UAC).
I've been replaying it lately - it runs reasonably well in DOSBox. A remake could be dreadful, but it could also be great.
That (the Comcast plan) doesn't sound so good. Wouldn't every device in your network (requiring internet connectivity) need to be reconfigured every time the dynamic assignment changes? Even if they acquire addresses automatically, how would they know when they needed to switch address?
As well as allowing multiple devices to use a single IP address, NAT also allows devices to use static internal addresses even when the global address is dynamic. I'd more or less taken it for granted that IPv6 users would always be given static global address ranges, because after all there's plenty of address space to go around, so this wouldn't be necessary - but perhaps I underestimated the stupidity of ISPs. :-)
Actually, I do need to know my workstation's address - and the address of various servers - for troubleshooting. If, on a particular device, I can't ping my workstation by host name, is that because the network is down, or because DNS isn't working?
According to my understanding of BitTorrent, the client needs to be able to accept incoming connections as well as outgoing ones. See for example Brian's BitTorrent FAQ and Guide.
Also, we use a proxy server for outgoing requests from all of our teaching labs, and we have no trouble downloading stuff. The proxy server is perfectly capable of keeping up with our internet connection. It's not as though it has to do any hard work, all it does is relay data from an incoming TCP connection to an outgoing one.
I gather BitTorrent can't be easily used from behind a firewall, which makes it of limited use in corporate settings at present. As well as built-in support from the major web clients, we'd also need support from the major HTTP proxy servers.
Ask Terry Childs.
You're missing the point - Asperger's doesn't justify his crime, but it may make him unfit to stand trial, particularly if he is removed from his home and taken to a foreign nation he sees as hostile.
Of course he should stand trial. In the UK.
Microsoft already put a great deal of effort into checking for vulnerabilities. Fuzz testing, static and dynamic analysis, all the good stuff. If you follow the MS security bulletins I think you'll find that a reasonable proportion of the vulnerabilities are discovered in-house.
Of course there are still more researchers outside of Microsoft than inside. I suppose Microsoft could afford to hire thousands of people as full-time security researchers in order to improve the in-house/out-house discovery ratio, but I'm not sure this would be sensible. Money aside, there is, perhaps, more important work those minds could be doing.
To the best of my knowledge, none of these apply to this particular case.
Also, remember that the majority of people won't know about a vulnerability even if it has been announced. The average user isn't subscribed to the full-disclosure mailing list and doesn't read Slashdot!
Finally, there's no need to protect yourself against a vulnerability that the black hats don't know about yet.
Those of us who read Slashdot or other technical news sites may be able to, yes.
The average public ... not so much.
So ... what exactly is an "inferred employer" when it's at home? :-)
As I understand it, Tavis is indeed employed by Google. I'm hard pressed to see how Microsoft can be blamed for mentioning this fact.
Suppose a MS employee were to "fully disclose" a vulnerability in Firefox. Does anybody suppose that Microsoft would escape mention, even if (s)he was acting in a private capacity at the time?
Yes, MS has a reputation for this. A completely unjustified one, but hey, this is Slashdot. Whatever.
Some bad guys knowing about a vulnerability = some attacks.
Lots of bad guys knowing about a vulnerability = lots of attacks.
Besides, the odds that the bad guys already know about any *particular* vulnerability is probably pretty low in most cases.
No, they *didn't* try that. Microsoft don't ignore vulnerability reports, and if the bad guys knew about a particular exploit they'd be using it already. (It isn't unknown for two people to independently discover the same exploit, but it isn't common either. Odds are that most exploits discovered by researchers are *not* known by the bad guys.)
This is nonsense. If MS are ignoring everybody's security reports, why are there so many monthly updates? Do you think they're making up the attributions?