But why should utilizing others' discoveries be illegal if proper credit is given? I can't conceive any principle or moral factor that justifies that.
It is unfortuante that people seem to have such a poor understanding of what led to the establishment of a patent system. Prior to patents, businesses and trades kept ideas that gave them a commercial advantage secret (this is where the term 'trade secret' comes from). There was no dissemination of these ideas whatsoever. This had a large negative impact in the growth of technology.
To counteract this, the concept of the patent was developed. In its most fundamental form, the patent is a contract between a government and an individual. The exchange of value is that the inventor fully discloses his invention in the form of a document that becomes freely available (the patent) - this is why patents are NOT copyrighted. In return the government provides the patent holder with a limited time monopoly on the practice of the invention. This system is so effective that the only inventions that are kept as trade secrets these days are those that cannot be patented for one reason or another.
The history is quite compelling - prior to the institution of the patent system there were very few inventions that made an impact in daily life. With the possible exception of the chimney and the horse collar man lived little differently in the 17th century than he did immediately after the invention of agriculture 5000 years previously. The patent was one of the keys to the occurance of the industrial revolution in England in the 18th century, and the onset of modern technological society. In the past 200 years the effect of and growth of technology, and the improvement in the lot of mankind has far outpaced the previous 5000 years.
The patent plays a siginifcant role in this, for the simple reason that it promotes the dissemination of ideas that would have otherwise been kept secret.
Bans of CFC's that deplete ozone have already essentially stopped ozone depletion and in fact ozone levels are expected to slowly recover over the next 50 years or so.
I had severe misgivings when I read that.Net generates its own HTML for some of its features, AND it was doing so in a browser specific way.
Suppose I wnat it to do something else?
I imagine that you could write your own control, but that would sort of defeeat the purpose of the elaborate architecture that MS touts as saving considerable development time.
Nah. The Feds changed the accounting rules for certain types of mergers. As a result AOL had to make some changes in the the way they state the value of companies they own. The 99,000,000,000 that was appearing on the books never acually existed except perhaps as some ridiculous stock valuation during the peak of the dotbomd sillyness.
I didn't say that I wouldn't have any vulnerabilities, but no worms have yet been made to exploit them.
There are plenty of worms out there that will attack IIS on an out of the box W2K install. Worms that attack Linux systems choose different services. If you are going to make a statement like 'I can install a three year old Windows OS, turn off IIS and have no worm attacks' you have to also allow for the scenario where I say 'I can install a three year old RedHat system, turn off inetd, and have no worm problems'. No difference.
so far, the linux box has required significantly more work.
I can see that happening in your particular circumstance. Myself, I find Windows servers to be much harder to work with - for example their need to be rebooted when installing security patches is terrifying if you are in New Jersey trying to administer a box siting in a colo in Virginia.
but if I install a three year old version of RedHat, I am vulnerable to half a dozen worms
Why would anyone install a three year old version of any software package that has freely available current versions? You are obviously setting up a straw man argument here that can be rejected out of hand.
There are only 4 known Linux worms, and very few known virii, and AFAIK none of them affect the current RedHat software package. And you don't have to turn anything off, or patch anything, either. None of then have ever come close to wreaking the internet the way nimda, code red and slapper have.
install Win2k and disable IIS, I don't know of any worms that I would be vunerable to.
There are all sorts of vulnerabilities in an out of the box W2K installation. The last time I did one of those from scratch I had to go through six reboots and 2.5 hours of downloading to get it up to date. Win2K was famous with its out of the box problems - the day it was released Microsoft went public with a security alert.
And when you are done, you still have the bleeding hole named Outlook. A virus vector of legendary proportions.
As far as Windows Update, don't even get me started on that. No serious sysadmin would use that - it flat out lies as to what the configuration status of the machine is. If you are serious about security on Windows you are using something like the HFNetchk utility.
what the heck is a database server doing with a direct Internet connection
How about providing students with a test bed to do their work on from home?
MS SQL Server was not the only MS product affected by this, either. Some.Net development components were hit, and some 3rd party sales automation tools have vulnerability to his worm.
While you certainly don't want to put a database with critical corporate information naked on the net, there are plenty of reasons why it might be useful to have a database server accessable to the net.
There is only one marginally excusable reason to have an SQL server visiable on the net.
A lot of companies (including Mircorosft) are having their internal netowrks hammered by this because the worm can spread from laptops brought in behind and across VPN's.
with easy-installable Service Pack 3 released _before_ worm hit.
ONE WEEK before the worm hit.
How can Microsoft sue companies for not applying patches that they could not manage to apply themselves? The fact is that Microsoft is being totally hypocritical in blaming others for not following a process that they, as the most profitable company in the world can't manage to implement themselves, on their own products.
If I was running an IT department there is NO WAY IN HELL I would allow a database server software package that had to be patched every two months into my show. The risk and downtime associated with this would be totally unacceptable.
Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software
Some patching is going to be part of server maintenance, no question. However there are issues with this. You can't just go and apply a patch to a production server that is supposed to have 4 or 5 9's uptime and is taking in many thousands of dollars in ecommerce orders per day without first doing some testing. This patching process costs real money, takes time and introduces real risk. Microsoft releases a LOT of patches. Some organizations decide not to apply hotfixes because of the economics of this - and guess what, the service pack with the fix for this vulnerability was only released a week before the attack.
It starts with identifying how not to program, basically by highlighting that some of your basic ANSI c functions are garbage and that using them will only result in immediate termination.
I would hope by now Microsoft (and everybody else) is using tools that blow out strcpy and its friends during the compile process.
Gates says security is job #1 and sends all his programmers to security training.
Well, that's nice - but is that really going to do it?
How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?
Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning it's user base through upgrades every two years?
It seems to me that it is going to be very difficult for a company that makes it's money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in is code base that is necessary to to arrive at a reasonable secure product.
The fact is that Microsoft's business managers with bottom line responsibility are going to do waht is necessary to get new versions out - each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to leadt to security issues.
The administrators should keep up with the newest patches and update systems during the maintanance window.
Any organization that applies patches willy-nilly without preforming application tests is going to have problems. A company that just applies patches with testing is going to have problems that are going to be as big, if not bigger than the security issues that arise from not patching.
I.e., could you pull a random group of CS majors off the assembly line (heh) and train them in these methods, and achieve the same results?
Talent level may be necessary, it is clearly not sufficient. There are plenty of organizations with high levels of talented programmers that produce poor quality software.
with the comparison to a scientific experiment that demands exact reproducibility
Then your post was in response to something I did not write. Nowhere did I mention anything about a scientific experiment. Nor in fact do such experiments demand anything like exact reproducability. There is no such thing. All experimental results contain uncertainty and error due to variations in procedure, conditions and measurement.
and can almost always be stripped down to "first principles" like the laws of physics.
Engineers existed long before any laws of physics were codified. In Fact, the first formal mathematics was invented as the result of studies of the methods Egyptian Engineers used to construct pyramids. For example the Egyptians used 3-4-5 triangles to lay out right angles.
Engineering does NOT requires ANY proof of anything, merely a well structured set of rules that works. Over time Engineers have fould that there are good uses for things like mathematics and physics, but for the most part the rules that engineers have used to build things over the past 4000 years were codified into the laws of physics and mathematics as an afterthought.
Writing software involves re-inventing the wheel for every project, constantly changing it, and constantly changing methodologies to try and put out software
That is not software development, that is Calvin Ball. Take a look at the Software Engineering Institute's Capability Maturity Model and you will immediately recognize your description of software development as CMM Level 1, i.e. chaos. The only reason your method ever succeeds is through the heroic efforts of a few talented individuals. This is the reason so many software projects fail, are late, and are over budget. Random actions are not a fundamentally sound way to build products.
Other organizations have better ways - for example the Loral Space Shuttle Software Group operates at CMM level 5 and produces the code with error levels on the order of 0.5 errors/KLOC where good quality commercial software runs at an average of 20 errors/KLOC.
In 100 years, Software may be specified, designed, built, and maintained just like bridges or radios, but not now.
Some places do that now. Unfortunately about 90% of the software industry is operating at the level of Calvin Ball.
No it isn't since you never repeat writing the same software no more than an architect or engineer builds more than one of the exact same building
Think like that and you will never be a software engineer. Every bridge, building and program is assembled from components with common structures. Bulidings have foundations, walls, support beams in the walls, windows, HVAC, etc. An architect can put these together, predict how they behave as a whole and estimate how much the assembly will cost time after time in a repeatable fashion, even though no two final buildings are the same. Software engineering is about the same thing - assembling a program from commonly used components and being able to predict the cost and operational characteristics of the final product even though no two such products are the same.
better designed tires that Firestone's would survive those natural road stresses.
The worm is not a natural stress. The writer committed a deliberate and criminal act.
Only an idiot would have 'key' business functions exposed like that.
Yes, but having a SQL server on the net for non-key business activities, ie training, development, etc is entirely reasonable.
You wouldn't say that if you were a typical sysadmin in the post dotbomb world - working 60-80 hours per week, on call 24x7, etc.
The fact is that sysadmins didn't put the security hole in the software, nor did they write the virus.
The bigger question is why isn't Microsoft being held responsible?
Maybe because they didn't write the worm?
But why should utilizing others' discoveries be illegal if proper credit is given? I can't conceive any principle or moral factor that justifies that.
It is unfortuante that people seem to have such a poor understanding of what led to the establishment of a patent system. Prior to patents, businesses and trades kept ideas that gave them a commercial advantage secret (this is where the term 'trade secret' comes from). There was no dissemination of these ideas whatsoever. This had a large negative impact in the growth of technology.
To counteract this, the concept of the patent was developed. In its most fundamental form, the patent is a contract between a government and an individual. The exchange of value is that the inventor fully discloses his invention in the form of a document that becomes freely available (the patent) - this is why patents are NOT copyrighted. In return the government provides the patent holder with a limited time monopoly on the practice of the invention. This system is so effective that the only inventions that are kept as trade secrets these days are those that cannot be patented for one reason or another.
The history is quite compelling - prior to the institution of the patent system there were very few inventions that made an impact in daily life. With the possible exception of the chimney and the horse collar man lived little differently in the 17th century than he did immediately after the invention of agriculture 5000 years previously. The patent was one of the keys to the occurance of the industrial revolution in England in the 18th century, and the onset of modern technological society. In the past 200 years the effect of and growth of technology, and the improvement in the lot of mankind has far outpaced the previous 5000 years.
The patent plays a siginifcant role in this, for the simple reason that it promotes the dissemination of ideas that would have otherwise been kept secret.
Bans of CFC's that deplete ozone have already essentially stopped ozone depletion and in fact ozone levels are expected to slowly recover over the next 50 years or so.
http://www.hvacmall.com/news/article_00020.htm
"Never attribute to malice that which is adequately explained by stupidity." --Robert Hanlon ("Hanlon's Razor")
Microsoft picked up Malice as a subsidiary when they acquired Evil a couple of years ago.
I had severe misgivings when I read that .Net generates its own HTML for some of its features, AND it was doing so in a browser specific way.
Suppose I wnat it to do something else?
I imagine that you could write your own control, but that would sort of defeeat the purpose of the elaborate architecture that MS touts as saving considerable development time.
Its a real honeypot and bear trap.
They lost $99,000,000,000 last year!
Nah. The Feds changed the accounting rules for certain types of mergers. As a result AOL had to make some changes in the the way they state the value of companies they own. The 99,000,000,000 that was appearing on the books never acually existed except perhaps as some ridiculous stock valuation during the peak of the dotbomd sillyness.
I didn't say that I wouldn't have any vulnerabilities, but no worms have yet been made to exploit them.
There are plenty of worms out there that will attack IIS on an out of the box W2K install. Worms that attack Linux systems choose different services. If you are going to make a statement like 'I can install a three year old Windows OS, turn off IIS and have no worm attacks' you have to also allow for the scenario where I say 'I can install a three year old RedHat system, turn off inetd, and have no worm problems'. No difference.
so far, the linux box has required significantly more work.
I can see that happening in your particular circumstance. Myself, I find Windows servers to be much harder to work with - for example their need to be rebooted when installing security patches is terrifying if you are in New Jersey trying to administer a box siting in a colo in Virginia.
but if I install a three year old version of RedHat, I am vulnerable to half a dozen worms
Why would anyone install a three year old version of any software package that has freely available current versions? You are obviously setting up a straw man argument here that can be rejected out of hand.
There are only 4 known Linux worms, and very few known virii, and AFAIK none of them affect the current RedHat software package. And you don't have to turn anything off, or patch anything, either. None of then have ever come close to wreaking the internet the way nimda, code red and slapper have.
install Win2k and disable IIS, I don't know of any worms that I would be vunerable to.
There are all sorts of vulnerabilities in an out of the box W2K installation. The last time I did one of those from scratch I had to go through six reboots and 2.5 hours of downloading to get it up to date. Win2K was famous with its out of the box problems - the day it was released Microsoft went public with a security alert.
And when you are done, you still have the bleeding hole named Outlook. A virus vector of legendary proportions.
As far as Windows Update, don't even get me started on that. No serious sysadmin would use that - it flat out lies as to what the configuration status of the machine is. If you are serious about security on Windows you are using something like the HFNetchk utility.
what the heck is a database server doing with a direct Internet connection
.Net development components were hit, and some 3rd party sales automation tools have vulnerability to his worm.
How about providing students with a test bed to do their work on from home?
MS SQL Server was not the only MS product affected by this, either. Some
While you certainly don't want to put a database with critical corporate information naked on the net, there are plenty of reasons why it might be useful to have a database server accessable to the net.
There is only one marginally excusable reason to have an SQL server visiable on the net.
A lot of companies (including Mircorosft) are having their internal netowrks hammered by this because the worm can spread from laptops brought in behind and across VPN's.
with easy-installable Service Pack 3 released _before_ worm hit.
ONE WEEK before the worm hit.
How can Microsoft sue companies for not applying patches that they could not manage to apply themselves? The fact is that Microsoft is being totally hypocritical in blaming others for not following a process that they, as the most profitable company in the world can't manage to implement themselves, on their own products.
Sysadmins who are lazy/ignorant don't do that.
If I was running an IT department there is NO WAY IN HELL I would allow a database server software package that had to be patched every two months into my show. The risk and downtime associated with this would be totally unacceptable.
Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software
Some patching is going to be part of server maintenance, no question. However there are issues with this. You can't just go and apply a patch to a production server that is supposed to have 4 or 5 9's uptime and is taking in many thousands of dollars in ecommerce orders per day without first doing some testing. This patching process costs real money, takes time and introduces real risk. Microsoft releases a LOT of patches. Some organizations decide not to apply hotfixes because of the economics of this - and guess what, the service pack with the fix for this vulnerability was only released a week before the attack.
It starts with identifying how not to program, basically by highlighting that some of your basic ANSI c functions are garbage and that using them will only result in immediate termination.
I would hope by now Microsoft (and everybody else) is using tools that blow out strcpy and its friends during the compile process.
Gates says security is job #1 and sends all his programmers to security training.
Well, that's nice - but is that really going to do it?
How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?
Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning it's user base through upgrades every two years?
It seems to me that it is going to be very difficult for a company that makes it's money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in is code base that is necessary to to arrive at a reasonable secure product.
The fact is that Microsoft's business managers with bottom line responsibility are going to do waht is necessary to get new versions out - each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to leadt to security issues.
The administrators should keep up with the newest patches and update systems during the maintanance window.
Any organization that applies patches willy-nilly without preforming application tests is going to have problems. A company that just applies patches with testing is going to have problems that are going to be as big, if not bigger than the security issues that arise from not patching.
Tell me specific examples
Here is one specific example - One of Microsoft's later patches can remove the patch that stops the SQL Slammer worm.
I.e., could you pull a random group of CS majors off the assembly line (heh) and train them in these methods, and achieve the same results?
Talent level may be necessary, it is clearly not sufficient. There are plenty of organizations with high levels of talented programmers that produce poor quality software.
Hence "repeatability" is not in play.
If this is so, why did the Software Engineering Institute gave their Capability Maturity Model Level 2 the title "Repeatable"?
with the comparison to a scientific experiment that demands exact reproducibility
Then your post was in response to something I did not write. Nowhere did I mention anything about a scientific experiment. Nor in fact do such experiments demand anything like exact reproducability. There is no such thing. All experimental results contain uncertainty and error due to variations in procedure, conditions and measurement.
and can almost always be stripped down to "first principles" like the laws of physics.
Engineers existed long before any laws of physics were codified. In Fact, the first formal mathematics was invented as the result of studies of the methods Egyptian Engineers used to construct pyramids. For example the Egyptians used 3-4-5 triangles to lay out right angles.
Engineering does NOT requires ANY proof of anything, merely a well structured set of rules that works. Over time Engineers have fould that there are good uses for things like mathematics and physics, but for the most part the rules that engineers have used to build things over the past 4000 years were codified into the laws of physics and mathematics as an afterthought.
Writing software involves re-inventing the wheel for every project, constantly changing it, and constantly changing methodologies to try and put out software
That is not software development, that is Calvin Ball. Take a look at the Software Engineering Institute's Capability Maturity Model and you will immediately recognize your description of software development as CMM Level 1, i.e. chaos. The only reason your method ever succeeds is through the heroic efforts of a few talented individuals. This is the reason so many software projects fail, are late, and are over budget. Random actions are not a fundamentally sound way to build products.
Other organizations have better ways - for example the Loral Space Shuttle Software Group operates at CMM level 5 and produces the code with error levels on the order of 0.5 errors/KLOC where good quality commercial software runs at an average of 20 errors/KLOC.
In 100 years, Software may be specified, designed, built, and maintained just like bridges or radios, but not now.
Some places do that now. Unfortunately about 90% of the software industry is operating at the level of Calvin Ball.
No it isn't since you never repeat writing the same software no more than an architect or engineer builds more than one of the exact same building
Think like that and you will never be a software engineer. Every bridge, building and program is assembled from components with common structures. Bulidings have foundations, walls, support beams in the walls, windows, HVAC, etc. An architect can put these together, predict how they behave as a whole and estimate how much the assembly will cost time after time in a repeatable fashion, even though no two final buildings are the same. Software engineering is about the same thing - assembling a program from commonly used components and being able to predict the cost and operational characteristics of the final product even though no two such products are the same.