I might be in a minority here, but I think this leak might ultimately prove to be a "good thing" in the medium/long term, for both consumers and Microsoft alike.
As frequent as Windows bugs seem to materialise nowadays I find it hard to conceive that the partial source release is going to contribute to a complete collapse of security and faith in the Windows operating system. The code might offer up a few previously unknown buffer overflow bugs, but the way some people are talking every single file has a vulnerability of sorts.
Perceptually if the worst happened and, say 50 critical vulnerabilities were found (complete random number) - once MS patch these, and have a more robust OS as a result, they're home dry. People aren't going to stop using Windows at home or in their offices - and if I were in MS' shoes I would much rather weather one particularly bleak storm, than hundreds of seperate ones. Every unique vulnerability that has been discovered recently has merited a brand new glossy editorial on most of the news sites - in PR terms they would look a lot better if they just fixed a large number of vulnerabilities in one go, then ended up bug-free for several months (as unlikely as that sounds).
Also, because of the proliferation of Windows and the sheer number of people who - particularly if anti-MS - will be aggressively looking for vulnerabilities, MS has essentially just got themselves a huge pool of free dev resource, some/most of which will probably respect their disclosure policy, to identify bugs in their OS.
Their only concern in my opinion is that of code theft, but Windows is so entrenched in consumer/business environments now that I'm not sure anything can realistically displace it.
They missed the obvious 6th reason, SCO UNIX(R) will be a valuable piece of memorabilia in a few years time after the company itself has long since buried itself both commercially and perceptually.
I actually think blocking the wider IP ranges of the ISP is a positive thing, and I'm sysadmin for one, and I've been involved in a similar dispute in the past with SPEWS. To be fair in our case we were actually caught in the collateral damage and weren't even hosting the spammer in question.
The point is, blocking a sizeable portion of the ISPs IP range inconveniences them and their non-spammy customers. It encourages them (if nothing else) to take responsibility instead of going for the cheap buck. If blocking wide-ranging ISP IP ranges means that they wake up and stop hosting spammers (or implement stricter controls) then surely that's a good thing in the grand scheme of things.
I'm curious - how can it be determined without the benefit of source code for ES5 that the exploit isn't just a horrendous oversight instead of a malicious pre-meditated function of the software?
If it is malicious it seems odd that they would make it possible for ANYONE to delete someone elses files through crafted search strings, thus significantly increasing the chance of their nefarious plans being uncovered.
If it were me, and I was secretly working for the RIAA, I'd just code in a simple client/server protocol that the RIAA could use to delete people's files, entirely seperate from the normal operation of the program itself. This would be much harder to identify as malicious code.
Sorry, but this just looks to me like a bad "failure to chroot()" bug and not the big conspiracy theory its purported to be...
Where will the power come from to illuminate these wonderous paperlike display devices?
I would've thought one of the major attractions of a book (besides the obvious) is that it can be used in circumstances where AC/DC power is unavailable - e.g. camping, travelling in most forms of transport (e.g. cars, planes, etc). It's a form of "entertainment" with zero technological requirements.
If you make something like this require power from a wall socket, or require the user to lug around a Li-Ion battery everywhere they go (for 1 hour of uninterrupted reading before it requires a recharge) isn't the technology effectively largely redundant before it gets off the ground?
It's worth noting also, in keeping with the main thrust of this article, is that SWG has its own severe economy issues.
Duping resources (particularly credits) has become an almost overnight cancer. Whereas until recently the methods for duping was known only by a select few, now they are widely known (and even posted on Ebay). There are people running around in the game with upwards of 200 million credits, some have 500-900 million spread stashed away. And if its not being stashed, its being sold everywhere on Ebay.
To give some kind of context - a large *house* is typically sold in game for around 75,000 - 150,000 credits. Right now, since the loot system is entirely different to EQ and suchlike (i.e. there is no "uber" loot - the game is engineered in such a way that player-crafted items are always better than any looted item) - a large house is about the most money you could spend on a single item.
The sad fact is, whichever way you look at it, with an economy so skewed by artificial duped wealth when the developers come to think about suitable prices for starships in the upcoming Space expansion pack, they're going to see a completely disjointed wealth median, and price ships accordingly.
(You think I'm overexaggerating? They [the Devs] expressed concern recently that an overwhelming majority of the players were pistol users. Guess what weapon you start with when you create a character.. yup, a pistol. Hardly a leap of faith to assume that this is what most people would naturally start to level up in)
The danger with what Verisign has done is not only limited to SPAM filtering, etc but also in corporate thinking.
I have seen a number of ISPs that have already started subtituting Verisign's wildcard unregistered domain catcher with their own branded page, often disparaging Verisign's stance. However, whilst at the moment these pages and the motivation for creating them are altruistic - I would be surprised if a number of ISPs don't suddenly recognise this as a viable revenue stream (e.g. redirecting customers to a branded search engine, or "Customers who purchased leased lines also bought..", etc
We could find a number of ISPs adopt this wildcard scheme now that Verisign have shown the way.
Slashdot Mirror
I might be in a minority here, but I think this leak might ultimately prove to be a "good thing" in the medium/long term, for both consumers and Microsoft alike.
As frequent as Windows bugs seem to materialise nowadays I find it hard to conceive that the partial source release is going to contribute to a complete collapse of security and faith in the Windows operating system. The code might offer up a few previously unknown buffer overflow bugs, but the way some people are talking every single file has a vulnerability of sorts.
Perceptually if the worst happened and, say 50 critical vulnerabilities were found (complete random number) - once MS patch these, and have a more robust OS as a result, they're home dry. People aren't going to stop using Windows at home or in their offices - and if I were in MS' shoes I would much rather weather one particularly bleak storm, than hundreds of seperate ones. Every unique vulnerability that has been discovered recently has merited a brand new glossy editorial on most of the news sites - in PR terms they would look a lot better if they just fixed a large number of vulnerabilities in one go, then ended up bug-free for several months (as unlikely as that sounds).
Also, because of the proliferation of Windows and the sheer number of people who - particularly if anti-MS - will be aggressively looking for vulnerabilities, MS has essentially just got themselves a huge pool of free dev resource, some/most of which will probably respect their disclosure policy, to identify bugs in their OS.
Their only concern in my opinion is that of code theft, but Windows is so entrenched in consumer/business environments now that I'm not sure anything can realistically displace it.
They missed the obvious 6th reason, SCO UNIX(R) will be a valuable piece of memorabilia in a few years time after the company itself has long since buried itself both commercially and perceptually.
I've been seeing this also. I've recorded connection attempts on this "unknown" port at almost the same frequency as TCP port 1080 connections.
I actually think blocking the wider IP ranges of the ISP is a positive thing, and I'm sysadmin for one, and I've been involved in a similar dispute in the past with SPEWS. To be fair in our case we were actually caught in the collateral damage and weren't even hosting the spammer in question.
The point is, blocking a sizeable portion of the ISPs IP range inconveniences them and their non-spammy customers. It encourages them (if nothing else) to take responsibility instead of going for the cheap buck. If blocking wide-ranging ISP IP ranges means that they wake up and stop hosting spammers (or implement stricter controls) then surely that's a good thing in the grand scheme of things.
I'm curious - how can it be determined without the benefit of source code for ES5 that the exploit isn't just a horrendous oversight instead of a malicious pre-meditated function of the software?
If it is malicious it seems odd that they would make it possible for ANYONE to delete someone elses files through crafted search strings, thus significantly increasing the chance of their nefarious plans being uncovered.
If it were me, and I was secretly working for the RIAA, I'd just code in a simple client/server protocol that the RIAA could use to delete people's files, entirely seperate from the normal operation of the program itself. This would be much harder to identify as malicious code.
Sorry, but this just looks to me like a bad "failure to chroot()" bug and not the big conspiracy theory its purported to be...
Lego-Las Kenobi: That boy is our last hope..
Yodagorn: No, there is another.
(sorry, couldn't resist)
Where will the power come from to illuminate these wonderous paperlike display devices?
I would've thought one of the major attractions of a book (besides the obvious) is that it can be used in circumstances where AC/DC power is unavailable - e.g. camping, travelling in most forms of transport (e.g. cars, planes, etc). It's a form of "entertainment" with zero technological requirements.
If you make something like this require power from a wall socket, or require the user to lug around a Li-Ion battery everywhere they go (for 1 hour of uninterrupted reading before it requires a recharge) isn't the technology effectively largely redundant before it gets off the ground?
It's worth noting also, in keeping with the main thrust of this article, is that SWG has its own severe economy issues.
Duping resources (particularly credits) has become an almost overnight cancer. Whereas until recently the methods for duping was known only by a select few, now they are widely known (and even posted on Ebay). There are people running around in the game with upwards of 200 million credits, some have 500-900 million spread stashed away. And if its not being stashed, its being sold everywhere on Ebay.
To give some kind of context - a large *house* is typically sold in game for around 75,000 - 150,000 credits. Right now, since the loot system is entirely different to EQ and suchlike (i.e. there is no "uber" loot - the game is engineered in such a way that player-crafted items are always better than any looted item) - a large house is about the most money you could spend on a single item.
The sad fact is, whichever way you look at it, with an economy so skewed by artificial duped wealth when the developers come to think about suitable prices for starships in the upcoming Space expansion pack, they're going to see a completely disjointed wealth median, and price ships accordingly.
(You think I'm overexaggerating? They [the Devs] expressed concern recently that an overwhelming majority of the players were pistol users. Guess what weapon you start with when you create a character.. yup, a pistol. Hardly a leap of faith to assume that this is what most people would naturally start to level up in)
This is a very valid point.
The danger with what Verisign has done is not only limited to SPAM filtering, etc but also in corporate thinking.
I have seen a number of ISPs that have already started subtituting Verisign's wildcard unregistered domain catcher with their own branded page, often disparaging Verisign's stance. However, whilst at the moment these pages and the motivation for creating them are altruistic - I would be surprised if a number of ISPs don't suddenly recognise this as a viable revenue stream (e.g. redirecting customers to a branded search engine, or "Customers who purchased leased lines also bought..", etc
We could find a number of ISPs adopt this wildcard scheme now that Verisign have shown the way.