I really would be interested to know this too. It's a fairly big coincidence that Chinese hackers should happen to be using the same exploit as was in the MS security queue. The two likely explanations that occur to me are:
China has access to the exploits to fix queue and has used that to develop their zero day exploits.
The White hat hacker got the exploit from watching an attack
either thing sounds quite bad for Microsoft. The first means their queue security is inadequate and that's a really big problem for the policy of responsible disclosure they try to encourage. The second thing is more serious because it means Microsoft failed to fix or inform about an hole which was actively being exploited. In this case the question is whether the white hat declared to Microsoft how he came about his exploit.
Anyone have a better explanation which doesn't involve such a coinicidence?
It's not "preferential". Any government can get Windows source code for security analysis under the Government Security Program
It's preferential over my company which (like most others) does not have this access and cannot use that as a benefit.
- it's just that Chinese were the first to jump on that bandwagon (it should be noted that there were similar programs in place before GSP, so China was only the first in GSP, not the first to get access to Windows source code in general).
I'm fully aware that the NSA also had preferential treatment (look up "NSA Key" on Google some day) and that any other government can now arrange the same in principle. However, apart from the US, where Microsoft comes from, this was not previously being extended to other places. Then China started threatening to use Linux and the source code access was set up specifically for them. It's not an accident that they were first in. It was their deliberate choice to get a head start.
Make good the things they have stolen. Show contrition and remorse.
Give back the Browser market to Mozilla by cancelling all future development of IE and giving a 2 year end of life notice (Netscape is no more; still they should pay compensation to the shareholders).
Give back the operating system market; announce that Windows will be GPLed, compensate the owners of DRDos OS2. Pay back money to all consumers who would have bought
Cancel all future development of the.doc/.docx "standard"; agree to only stick to registered features of ODF. Compensate the shareholders of Wordperfect.
Donate 50% future profits to a charity to pay for victims of computer viruses. Donate a further 25% of future profits to pay for the education of children who were denied access to OLPC laptops by their actions. Remaining 25% left for victims I haven't thought of right now.
I'm sure there's quite a bit more, but that's a beginning.
You and so many people that forget how Microsoft got here. Any other search engine as garbage as MSN would have been forgotten by now. Microsoft has driven their search engines through many generations each of which was terrible. If there was real competition in the IT market, other search companies than MS would be able to compete with Google.
The thing to remember is that Bing is great at everything except actually delivering search results. In your search results you want something you can trust and understand, but as we've discussed before. Even today, when Microsoft has tried to hide these problems, when you search for "Why is Microsoft Windows so expensive?" you'll find that on Microsoft's results the page "Why are Macs so expensive?" is high in the top ten whilst doing the same search on Google manages to find plenty more on topic material.
Microsoft amnesia is astounding. Take the last example; Microsoft has biased results, they get caught; they change their results to hide the bias better. Within days we have postings all over the internet denying they were ever biased.
Changing the GPL is just going to make companies like Tivo stop using FOSS, they'll just move to a project that has licensing that fits their needs better.
I think you're right and I think that's one of the greatest benefits. One of the main causes of failure in BSD style projects is breaches of solidarity with the rest of the project by programmers involved. Once someone goes and sets up a new proprietary use of a project, programmers have a "prisoners dilemma". If they go quickly to the proprietary company they get benefit and money. If they stick with their project, they know many of the others will go to the other project and their project will lose value since it can't continue to grow as well and has lost some of it's best support knowledge.
I think we can see that problem for Linux with Android already. The Android and Chrome OS user space is deliberately different from the normal Linux one. If Linux had been GPLv3 licensed then normal Linux user space would be usable on Android and would compete with Android user space fairly. The benefits of the existing software would allow it to find it's place. As it is, because Android is on the GPLv2, Google can create an artificial market place, where they control entry. They then use that to ensure that only the features they wish to see which support their commercial interests go into the OS. Developers will now be split between Android/Linux and normal GNU/Linux (or GNU/XOrg/Gnome/KDE/BSD/Linux if you wish) in the same way as there was a split in the community of UNIX developers between SUN/HP etc.
Linus should really seriously think about GPLv3 relicensing if he doesn't want his project "stolen" from under him.
you are thinking of trademarks. Those are not related to patents. There are various limitations on their ability to demand damages for past actions that they didn't act about, but their patent won't become invalid through lack of use.
I get the same as you if I turn of javascript with noscript. However, as long as I have it on, the link defaults to looking like direct, but when you click it or do properties you see that it actually goes through a google redirect.
I find this almost as intimidating as the fact that google maps never opens on your home location (which e.g. bing does) even though google targets local ads at you so clearly could. You really begin to think about how stupid people must be if they Google is managing to fool them with this stuff.
I think you really hit a nail on the head here. The trick is that "a business" has one product. If you go to ford you expect to get a car. They are "customer oriented" I'm sure, but if you ask for a pizza, you won't get it; or, if you do, they'll charge two thousand bucks and get a car designer to deliver it to you.
IT can't work like that. We also went to the "faceless ticketing system" and now our IT managers run around worrying about "submerged IT"; or basically business people doing it themselves. That's obviously going to happen if the IT people aren't involved in doing what is actually needed for the business.
If the old model has security flaws, those should be fixed too. Making a new models, with it's own inevitable flaws, will not reduce the number of flaws.
"Better" is a terrible way of looking at it, the new interface comes with a different set of trade-offs than the old. Supposedly, the new widgets will be easier to develop and maintain (which is better by any reasonable definition), but not as powerful (which isn't better).
The point is that there is a fundamental duplication going on here. From the articles it's clear that the new mechanism can achieve most, but not all of the stuff that the old mechanism achieves. That will lead to needless breakage on both sides and complex interactions since one extension will do something one way and another the other way.
If everything was about different trade offs then I might understand. However, normally in software we can make different structures. E.g. we could implement the old interface in terms of the new or we could implement the new in terms of the old.
If we are making a more limited, but more futureproof interface, then the latter makes sense. We provide a more limited set of APIs which can be mixed with the old ones. We allow the programmers of old extensions to migrate where they can and continue where they can't.
Car Analogy: You currently have a pickup truck. The dealer shows you a fancy car that gets great gas mileage and doesn't require much maintenance. You say "I can't haul as much stuff in that, it's a piece of crap."
Your car analogy misses that Firefox is the car. The extension mechanisms are just trailer attachments at the back. Definitely a truck has a different trailer attachment from a car. However, just because it's easier to attach a caravan to a car doesn't mean that all trucks should have caravan attachments and stop having truck attachments (depreciate the interface). Instead, you either buy an adapter or just put the caravan on top of an existing trailer.
With this functionality removed I would have no reason left to stick with Firefox.
You are so right. If they really did do this then they would lose so many of their users. This is so perfectly Netscape of them and as such I'd like to link to a suitable story from Netscape's past in the hope to god that the Mozilla people can learn from the past.
Dear Mozilla people:
if you are defining a new plugin interface only use it if it's better
if it is better; then implement the old interface using the new one. If you can't then it isn't better.
prove that you can refactor the plugins so that 95% or more of old plugins (and 100% of popular ones) work in the new system
Until you get 90% of old plugins working, don't let the new system anywhere near production.
Make it the responsibility of the people with the new interface to get the refactoring working for those 90% of plugins.
It's so simple. The new should not be allowed to break the old. If the new has to do that, then it's design is bad.
" 'the most important part of the experience of a book is knowing that it can be owned.'"
That you put it in quotes when I didn't actually say it is a good sign that it's a straw man. However I know what you are getting at so I'll try to answer you.
given the choice between a book containing the ramblings of a kindergarten student that you could OWN, and the best book you've ever read by your favorite author that has DRM, the obvious choice would be the one written by the kindergartener
you've missed my point in exactly the same way as the original parent. I'm not talking about content, I'm talking about what you do with content. Skiing; saving your hamster; learning finance; runing an international bank etc. If you, even partially, control those actions then you have much potential to make money. The kindergarten book won't be used for anything so doesn't have any value.
And here I was thinking the content of the book was the most important part.
To be frank, you've missed the point. The content is just something that you use to achieve something. To be happy, to be sad, to share something with your friends. To fix your car; any time you want. To know what is wrong with your pet hamster and how to heal it. To learn to ski better. Up till now it has also been used to achieve richer authors but with very specific limits.
The aim here is to use control of the content to be able to tax your ability to do all those things I mentioned above and more. When you remember something from your hamster book about a strange rare disease, you'll have to buy the same book all over again because now Amazoid E-Reader IV doesn't support the books you bought for your now broken kindle. Even if your book reader is still working, your key to the content will have long ago expired. If you are really unlucky, they may force you to buy the upgraded new edition.
by working out which group your uniform is based on (in this case, I guess security guard) you can guess what they are saying about social status.
If you're one of the sad and deluded individuals who judge a person based on his job, sure.
a) you can certainly guess some things about a person from his job (if he's a fast food waiter, he likely wasn't a great success at harvard law school) not everything though (that doesn't mean he's a bad person; it also may not means he's lazy; if for example he's come from a bad background.
b) those "sad and deluded individuals" make up 95% of the population, including many groups with influence over your life (e.g. girls wanting sex; co-workers deciding who to go to lunch with etc.). Getting the right uniform is like having the right car. It shouldn't matter. It's totally stupid. But it does.
It's the fact that surgeons don't wear scrubs when meeting patients which shows exactly what the difference is here
and airline pilots (who have to wear uniforms)
More interesting, but these are quite specifically officers uniforms. Uniforms often have specific meaning and represent power only through authority. Approximately as follows:
cleaner / fast food attendant / security guard / soldier / nurse / policeman / fireman / doctor(?) / officer / judge
by working out which group your uniform is based on (in this case, I guess security guard) you can guess what they are saying about social status.
Lets put it like this. There are two other groups in his office wearing uniforms. a) the cleaners b) the security guards. If he's being put on a level with them, do you think key's being paid enough to wear a uniform.
I however agree. I would also wear a clown suit (more or less) whatever they paid me.:-)
I can see your point complicating his life. However, he was asking for advice and I'm assuming now he's realised he had a problem. If he can find one, a good security/consulting person should be able to tell him he has to do the things listed above anyway, so that should be sufficient to act as justification. Lack of resources can always be a blocker. I'll admit that what I said is what he should do if he can. Not what he will be able to do.
Hmm... and confirmed deployment of Microsoft Windows outside of Africa, Asia, Americas, Europe and Australasia is - for practical purposes - insignificant. C'mon. if you exclude the main places where a system has been deployed, of course you don't find that many deployments. The summary you point to says 1.3 million and directly supports the grandparent. I find it very significant that Uraguy, the first deployer, seems to keep ordering. Presumably this shows that the XO was a good product and greater deployment has only been stopped by Intel/Microsoft marketing people who managed to stop it even getting to teachers to learn about and test.
Slashdot Mirror
either thing sounds quite bad for Microsoft. The first means their queue security is inadequate and that's a really big problem for the policy of responsible disclosure they try to encourage. The second thing is more serious because it means Microsoft failed to fix or inform about an hole which was actively being exploited. In this case the question is whether the white hat declared to Microsoft how he came about his exploit.
Anyone have a better explanation which doesn't involve such a coinicidence?
It's not "preferential". Any government can get Windows source code for security analysis under the Government Security Program
It's preferential over my company which (like most others) does not have this access and cannot use that as a benefit.
- it's just that Chinese were the first to jump on that bandwagon (it should be noted that there were similar programs in place before GSP, so China was only the first in GSP, not the first to get access to Windows source code in general).
I'm fully aware that the NSA also had preferential treatment (look up "NSA Key" on Google some day) and that any other government can now arrange the same in principle. However, apart from the US, where Microsoft comes from, this was not previously being extended to other places. Then China started threatening to use Linux and the source code access was set up specifically for them. It's not an accident that they were first in. It was their deliberate choice to get a head start.
Not sufficiently painful. Not sufficiently drawn out. Suicide in this case would just be a case of escaping your duities. :-)
Microsoft has given the Chinese government preferential access to the Windows Source code. They even set up a lab of security researchers to look for vulnerabilities in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.
What should Microsoft do to regain your respect?
Make good the things they have stolen. Show contrition and remorse.
Give back the Browser market to Mozilla by cancelling all future development of IE and giving a 2 year end of life notice (Netscape is no more; still they should pay compensation to the shareholders).
Give back the operating system market; announce that Windows will be GPLed, compensate the owners of DRDos OS2. Pay back money to all consumers who would have bought
Cancel all future development of the .doc/.docx "standard"; agree to only stick to registered features of ODF. Compensate the shareholders of Wordperfect.
Donate 50% future profits to a charity to pay for victims of computer viruses. Donate a further 25% of future profits to pay for the education of children who were denied access to OLPC laptops by their actions. Remaining 25% left for victims I haven't thought of right now.
I'm sure there's quite a bit more, but that's a beginning.
If I had moderator points, I would mod you up.
You and so many people that forget how Microsoft got here. Any other search engine as garbage as MSN would have been forgotten by now. Microsoft has driven their search engines through many generations each of which was terrible. If there was real competition in the IT market, other search companies than MS would be able to compete with Google.
The thing to remember is that Bing is great at everything except actually delivering search results. In your search results you want something you can trust and understand, but as we've discussed before. Even today, when Microsoft has tried to hide these problems, when you search for "Why is Microsoft Windows so expensive?" you'll find that on Microsoft's results the page "Why are Macs so expensive?" is high in the top ten whilst doing the same search on Google manages to find plenty more on topic material.
Microsoft amnesia is astounding. Take the last example; Microsoft has biased results, they get caught; they change their results to hide the bias better. Within days we have postings all over the internet denying they were ever biased.
Changing the GPL is just going to make companies like Tivo stop using FOSS, they'll just move to a project that has licensing that fits their needs better.
I think you're right and I think that's one of the greatest benefits. One of the main causes of failure in BSD style projects is breaches of solidarity with the rest of the project by programmers involved. Once someone goes and sets up a new proprietary use of a project, programmers have a "prisoners dilemma". If they go quickly to the proprietary company they get benefit and money. If they stick with their project, they know many of the others will go to the other project and their project will lose value since it can't continue to grow as well and has lost some of it's best support knowledge.
I think we can see that problem for Linux with Android already. The Android and Chrome OS user space is deliberately different from the normal Linux one. If Linux had been GPLv3 licensed then normal Linux user space would be usable on Android and would compete with Android user space fairly. The benefits of the existing software would allow it to find it's place. As it is, because Android is on the GPLv2, Google can create an artificial market place, where they control entry. They then use that to ensure that only the features they wish to see which support their commercial interests go into the OS. Developers will now be split between Android/Linux and normal GNU/Linux (or GNU/XOrg/Gnome/KDE/BSD/Linux if you wish) in the same way as there was a split in the community of UNIX developers between SUN/HP etc.
Linus should really seriously think about GPLv3 relicensing if he doesn't want his project "stolen" from under him.
you are thinking of trademarks. Those are not related to patents. There are various limitations on their ability to demand damages for past actions that they didn't act about, but their patent won't become invalid through lack of use.
I get the same as you if I turn of javascript with noscript. However, as long as I have it on, the link defaults to looking like direct, but when you click it or do properties you see that it actually goes through a google redirect.
I find this almost as intimidating as the fact that google maps never opens on your home location (which e.g. bing does) even though google targets local ads at you so clearly could. You really begin to think about how stupid people must be if they Google is managing to fool them with this stuff.
I think you really hit a nail on the head here. The trick is that "a business" has one product. If you go to ford you expect to get a car. They are "customer oriented" I'm sure, but if you ask for a pizza, you won't get it; or, if you do, they'll charge two thousand bucks and get a car designer to deliver it to you.
IT can't work like that. We also went to the "faceless ticketing system" and now our IT managers run around worrying about "submerged IT"; or basically business people doing it themselves. That's obviously going to happen if the IT people aren't involved in doing what is actually needed for the business.
If the old model has security flaws, those should be fixed too. Making a new models, with it's own inevitable flaws, will not reduce the number of flaws.
"Better" is a terrible way of looking at it, the new interface comes with a different set of trade-offs than the old. Supposedly, the new widgets will be easier to develop and maintain (which is better by any reasonable definition), but not as powerful (which isn't better).
The point is that there is a fundamental duplication going on here. From the articles it's clear that the new mechanism can achieve most, but not all of the stuff that the old mechanism achieves. That will lead to needless breakage on both sides and complex interactions since one extension will do something one way and another the other way.
If everything was about different trade offs then I might understand. However, normally in software we can make different structures. E.g. we could implement the old interface in terms of the new or we could implement the new in terms of the old.
If we are making a more limited, but more futureproof interface, then the latter makes sense. We provide a more limited set of APIs which can be mixed with the old ones. We allow the programmers of old extensions to migrate where they can and continue where they can't.
Car Analogy: You currently have a pickup truck. The dealer shows you a fancy car that gets great gas mileage and doesn't require much maintenance. You say "I can't haul as much stuff in that, it's a piece of crap."
Your car analogy misses that Firefox is the car. The extension mechanisms are just trailer attachments at the back. Definitely a truck has a different trailer attachment from a car. However, just because it's easier to attach a caravan to a car doesn't mean that all trucks should have caravan attachments and stop having truck attachments (depreciate the interface). Instead, you either buy an adapter or just put the caravan on top of an existing trailer.
With this functionality removed I would have no reason left to stick with Firefox.
You are so right. If they really did do this then they would lose so many of their users. This is so perfectly Netscape of them and as such I'd like to link to a suitable story from Netscape's past in the hope to god that the Mozilla people can learn from the past.
Dear Mozilla people:
It's so simple. The new should not be allowed to break the old. If the new has to do that, then it's design is bad.
Of an argument nobody made? hmm..
" 'the most important part of the experience of a book is knowing that it can be owned.'"
That you put it in quotes when I didn't actually say it is a good sign that it's a straw man. However I know what you are getting at so I'll try to answer you.
given the choice between a book containing the ramblings of a kindergarten student that you could OWN, and the best book you've ever read by your favorite author that has DRM, the obvious choice would be the one written by the kindergartener
you've missed my point in exactly the same way as the original parent. I'm not talking about content, I'm talking about what you do with content. Skiing; saving your hamster; learning finance; runing an international bank etc. If you, even partially, control those actions then you have much potential to make money. The kindergarten book won't be used for anything so doesn't have any value.
Stallman's essay with even more recent updates is here
And here I was thinking the content of the book was the most important part.
To be frank, you've missed the point. The content is just something that you use to achieve something. To be happy, to be sad, to share something with your friends. To fix your car; any time you want. To know what is wrong with your pet hamster and how to heal it. To learn to ski better. Up till now it has also been used to achieve richer authors but with very specific limits.
The aim here is to use control of the content to be able to tax your ability to do all those things I mentioned above and more. When you remember something from your hamster book about a strange rare disease, you'll have to buy the same book all over again because now Amazoid E-Reader IV doesn't support the books you bought for your now broken kindle. Even if your book reader is still working, your key to the content will have long ago expired. If you are really unlucky, they may force you to buy the upgraded new edition.
Russian scientists.
Well spotted. He only promised that everything
"will be done according to the laws of physics."
this time. It's pretty clear that behind our backs they also feel absolutely free to break the laws of physics with impunity.
If you're one of the sad and deluded individuals who judge a person based on his job, sure.
a) you can certainly guess some things about a person from his job (if he's a fast food waiter, he likely wasn't a great success at harvard law school) not everything though (that doesn't mean he's a bad person; it also may not means he's lazy; if for example he's come from a bad background.
b) those "sad and deluded individuals" make up 95% of the population, including many groups with influence over your life (e.g. girls wanting sex; co-workers deciding who to go to lunch with etc.). Getting the right uniform is like having the right car. It shouldn't matter. It's totally stupid. But it does.
Are surgeons (who have to wear scrubs)
It's the fact that surgeons don't wear scrubs when meeting patients which shows exactly what the difference is here
and airline pilots (who have to wear uniforms)
More interesting, but these are quite specifically officers uniforms. Uniforms often have specific meaning and represent power only through authority. Approximately as follows: cleaner / fast food attendant / security guard / soldier / nurse / policeman / fireman / doctor(?) / officer / judge
by working out which group your uniform is based on (in this case, I guess security guard) you can guess what they are saying about social status.
Y"Hey Bozo, my internet is doing that weird thing again. Can you come fix it?"
"oh sure. Just stand on the big black X here on the floor."
I would wear a clown suit for what they pay me.
Lets put it like this. There are two other groups in his office wearing uniforms. a) the cleaners b) the security guards. If he's being put on a level with them, do you think key's being paid enough to wear a uniform.
I however agree. I would also wear a clown suit (more or less) whatever they paid me. :-)
I can see your point complicating his life. However, he was asking for advice and I'm assuming now he's realised he had a problem. If he can find one, a good security/consulting person should be able to tell him he has to do the things listed above anyway, so that should be sufficient to act as justification. Lack of resources can always be a blocker. I'll admit that what I said is what he should do if he can. Not what he will be able to do.
Hmm... and confirmed deployment of Microsoft Windows outside of Africa, Asia, Americas, Europe and Australasia is - for practical purposes - insignificant. C'mon. if you exclude the main places where a system has been deployed, of course you don't find that many deployments. The summary you point to says 1.3 million and directly supports the grandparent. I find it very significant that Uraguy, the first deployer, seems to keep ordering. Presumably this shows that the XO was a good product and greater deployment has only been stopped by Intel/Microsoft marketing people who managed to stop it even getting to teachers to learn about and test.
More like the reef structure built up by the coral maybe?