"New bugs for Old!"
We can be reasonably assured that there will be bugs in that one test suite. Eventually they will become known bugs. Well technically, an obviously buggy implementation will pass the official test suite.
A different test suite will cover those now known bugs, but introduce some unknown bugs. If you are risk-averse, then trading known bugs for unknown bugs is not a good idea. I think that some of the stuff that Sun does involves things that are very risk averse.
Changing standards is a very awkward and time-consuming process. Look how long it has taken the USA to switch to the metric system.
No, methinks you are an optimist.
"What if the test suite is flawed, or has a bunch of bugs in it?" [Emphasis added]
What if many test suites are flawed and have a bunch of bugs, all different?
Actually, I don't think M$ wants to be *seen* as anything other than good.
Applies to any confidence man, don't you think?
Actually, I expect Microsoft actually believes it.
The logic is something like: I am good. This is the best I can do. Therefore it is good.
Methinks IBM is the company to watch, maybe moreso if you cannot afford IBM.
IBM has figured something out. I don't know what it is, but there's no way the ads that IBM runs would pass management review unless IBM was dealing from strength. Long term strength, not short term.
Methinks it runs deeper than that. The best I've been able to come up with is that Microsoft makes mediocrity an aspiration. Which is of course very comforting to the mediocre.
but the style is markedly different
Very. I'd rather have IBM for an enemy than Microsoft for a friend.
IBM, methinks, wants to regain its position as King of the Hill. Which is of course a much better position if it's a very good hill rather than a very poor hill. Which means IBM wants competition, very good competition.
"3) Things we don't know we know."
"Right, I knew that all along."
"Oh yeah, I already knew that."
Now visualize this statement and you will see that state 3 is not empty.
More like playing with "I think, therefore I think I am."
Missing from the list are the things we know that aren't so.
If the news is significant I expect it to be in the headlines even when the headlines scroll down off the page. I expect this to happen whether or not there are any new developments. In many situations, the fact that there are no new developments can be the most newsworthy aspect to the information.
Some people grab a bit of /. whenever they have time and expect the top headlines to be whatever seems most important at the moment. I suspect that most of us do not want to have to dig through the archives to try to see whatever old stories are still of high importance.
If it bothers you, why even read it let alone post complaints about it?
Security through braindeadness. :)
Methinks the only way to actually achieve security is with something that is too stupid to do something wrong.
Military Intelligence is regarded as an oxymoron. That's the Military Intelligence of those who have won the wars.
There is a problem with being smart. Being smarter than other people isn't the real competition. You have to compete with Mother Nature.
The accurate form of Murphy's law is that Mother Nature sides with the hidden.
I didn't say flaw. But if that's what's hidden then that's what Mother Nature is siding with. To see it in action, watch anything Road Runner and Wile E. Coyote.
I think he's got a valid (and scary) point about how security can be misused.
...
It's scary if Microsoft gets to have their way, but as media and PHBs begin to realise that they have been played as suckers, Microsoft will have a harder and harder time of it.
"Always Blame Microsoft" is becoming an effective tactic. This is shoot first and ask questions second. Surprisingly and even annoyingly effective. Once you start looking for something vaguely related that Microsoft did wrong, you will find something. I've even seen our CEO use it effectively where Microsoft has no possible involvement. It has the advantage of turning the "blame game" into "It's not your fault. It's not my fault. It's Microsoft's fault."
Cringely's point is valid and it's just one more in a long line of Microsoft trying to take over the joint.
There is a tendency of even the "good guys" to want to call the tune that everybody else dances to.
There is a tendency to point out the obvious anytime someone says everything is secure.
"Microsoft may be over-estimating their power and creating the very
environment that might allow a viable alternative (probably NOT Linux
my gut tells me) to emerge. If this change happens, it will come to
the USA last. At some point, the big emerging markets like China and
India will realize they have to do something.
So Microsoft's dream of total world domination may be riskier than
they think, but that doesn't mean they won't try."
Probably accurate. It's a two-step move not a one-step.
Somehow methinks that it's really a control issue rather than a security issue. And it's got subtleties.
root versus Administrator. Only a geek would ever want to run as root.
Somehow I got smart enough to rename the domain administrator as root. The computers I normally use are logged on as root 24/7 and do not run screen savers. And nobody messes with my computers. If I've left a root login on their computers they log me off to get to their stuff.
When IBM "embraced" Linux, I think it was more the realization that you're much better off if you can extend your scope to what you cannot control. I think part of it is that the big customers with big iron have to be able to communicate with various riff-raff who cannot afford IBM and the whole mess has to work or the big iron just sits there looking pretty (useless).
"Quite honestly it's somewhat insulting to elections officials and volunteers," he said to the idea that elections officers would tamper with vote results."
It is not insulting. Most of the election officials are there to insure that somebody else doesn't tamper with vote results. I'd be a bit suspicious of anyone claiming to be insulted. Too much like they want to be able to tamper and get away with it because they are "trusted".
"Trust me" is too much like the opening line of a con man.
I dunno, the best software I've seen has come out of derision of bad software.
[Chuckle] Very true, but I wouldn't lay heavy odds on whether it's the software of the derider or of the derided.
The key question is how good is good enough. The answer is not seeable beforehand. You have to look at it just right to see what is/should be painfully obvious.
"With enough eyes all bugs are shallow" You have to look at it just right to see the bug. Just knowing there's a bug in there somewhere doesn't help. We already know that.
What Diebold clearly don't understand (or care about) is that while trust in the election officials has always been very important, never before could one single person change all the votes in seconds leaving no evidence! [Emphasis added]
The classic case of a cashier who trades tickets for money and a ticket taker shows that you can have a trustworthy system even if you don't trust the participants.
Flim-flam. Make it complicated enough and there's plenty of room for skulduggery. Sure you run checks and balances, but it needs to be simple and obvious enough that it can be trusted without looking any further. In fact if there is a problem it is more likely to be in those checks and balances.
Think Road Runner and Coyote. You do not want a voting system invented by Wile E. Coyote, Super Genius.
"If you don't know how to crack you don't know how to protect."
I believe you are wrong.... Just because I do not understand the fine art of being a code junkie does not mean I don't have the ability to stop unwanted people from my network.
It's hard to lock a door if you have no idea what a door is.
the attacker just needs to be skilled enough to be able to defeat the security measures put in place.
Bingo!
Also the attacker gets to move around and the defense has to just sit there.
It's probably more a case of knowing how much skill and effort is required to crack than having said skill and knowledge. However, no idea of what is required will cause the defenders to expend a lot of time and effort erecting useless defenses. It's everything you don't know that matters.
...and spent M$ on security consultants...
And the difference is ... ?
Fundamentally it's the same thing. Spending lots of money on sham.
Which would suggest that the idea of throwing money at a problem isn't always the best solution.
Throwing money at the problem tends to enlarge the scope of the problem, i.e. more and bigger problems. The ones who spend least probably secure the few things that need securing and do those few rather well and do not impose unwarranted restrictions on everybody else. Easy way to check. If they lock their doors whenever they leave, they need security. Open doors when they aren't there means they do not need a lot of security, and certainly not on their computers.
There are two aspects to security. First and foremost is losing access to what you have. That, whether by hardware or software fault, is what puts companies out of business. Second is depriving unauthorized people access to sensitive information. You put that in the hands of people who are naturally protective of it which really must mean that they control access, not IT, not security. For a cheap shot, just give 'em two computers.
But what if the virus messes with that recovery system?
Worse, what happens when the virus uses the recovery system?
You can have an effective recovery system, but it must be totally outside the control of the running system. Anything inside the running system is just another place that can have holes, very insidious holes.
The recovery system doesn't even need to be that good, but it does need to be independent.
Somehow I get the feeling of coming in second best. Good firewall, no IE/OE gives you a better hand. But I stand by my original assertion.
Question. Does Microsoft have a clue about security, or is this just another example of facade over substance?
Hmmm, very interesting.
It's inevitable that 60-70% of all software running on all computers will, eventually, be parasitic.
My first reaction is to violently disagree. It is quite possible to knock that number down, way way down. There are even some things we can do like recover back to a previous state. "I wish I hadn't done that. Wish granted."
However, the question is how uninfected is it worth taking the trouble to be. I'm afraid the answer is that it's a lot more trouble than it's worth.
The problem with "generally ensures that the parasite adapts to becoming less harmful and eventually passive or even cooperative" is that is true of the survivors and not necessarily representative of the original population. This makes avoiding a monoculture all the more essential to having something survive.
Umm, you can turn off services to make a system more secure on any OS - XP, 2000, NT 4, NT 3.5, ME, 98, 95, 3.1. So, it is misleading to say that NT 4 with services disabled is more secure. You are basically turning it into a stand alone box with very little networking functionality - of course it will be more secure.
Plausible assumptions maybe, but dead wrong. It's the Domain Controller's main workstation that's up and logged in as root 24/7. The only services disabled are messenger (Kill the Messenger) and Computer Browser (Gateway Computer - Kill the moo cow). It has Outlook running, with preview active. No anti-virus software, but a few folders named VIRUS. It's got a copy of Melissa on the Desktop from when Melissa was fresh. It's even got a VNC server running that I haven't accessed remotely in over a year. The only things done to enhance security are sticking a _ in front of the name of the executables for Windows Scripting Host and friends and of course unhiding filename extensions and such. Piss-poor security really, but when the big one hits it will be standing and Microsoft's latest and greatest will be dead.
from Windows is the 'biggest beta test in history' - Gartner
"Victor Wheatman, Gartner security veep, told delegates at the IT Security Summit in London that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure."
There's a message in that. I wonder if it's getting through. If you want gizmos instead of security you don't get security. This includes security gizmos.
"The most secure version of Windows today is Windows XP with SP2."
The most secure version of Windows tomorrow will still be my unpatched NT4 Workstation with a few gizmo handlers neutered.
Ultimately you have to depend on the reputations of Opera and Google. The problems come from cheap and sleazy operations which will sell your privacy for a pittance. Neither Opera nor Google seem to fit the pattern of sleazy operators. It's impossible to do targeted ads without temporary knowledge of the targets. It's what they do with it later that matters.
"Google determines what ads and related searches are relevant based on the URL and content of the page you are viewing and your IP address, which are sent to Google via the Opera browser. A "URL" is the address of a page and an "IP address" is an address assigned to your computer when you connect to another computer on the Internet. Google retains these IP addresses temporarily for country targeting purposes, advertiser audits, ad service performance statistics, and generally to improve product quality (such as for tracking spam). Google only shares aggregate information with third parties and will not share personally identifiable information except as outlined in the Google Privacy Policy."
I am merely pointing out that there is great confusion over licensing, and thus the necessity for this book.
Amen, brother.
No ridicule involved. If you look hard enough, it is impossible to not become confused. If you remember when daylight savings time came into being, if you think about it long enough and hard enough, you will get it wrong.
There are already laws about unauthorized use of computing facilities. Rather strong criminal laws.
To be effective, any new legislation should better define what constitutes authorization, specifically that any authorization buried deep down in anything expected to be clicked through constitutes fraud.
from Windows is the 'biggest beta test in history' - Gartner "Victor Wheatman, Gartner security veep, told delegates at the IT Security Summit in London that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure."
More legislation to help out a few favored scammers at the expense of the populace is not a good idea. CAN-SPAM? Spammers: Sure we CAN!
One particular project wanted to incorporate some of my code into theirs. My code was under the BSD license and theirs under the GPL. No problem, right?
Could be common courtesy. Could be misunderstandings. Not really redundant. Much easier to have everybody's concerns satisfied early than later.
Using your good name to promote my garbage has to be a no-no. The precise phrasing required depends on the times, the culture, the context and probably gives rise to a multitude of inscrutable licenses trying to figure out where to draw the lines. Failure to give you credit, or doing something that implies that your stuff is under a different license than it is, is another no-no.
Put a 20 foot 2x12 on the ground. Walk across it.
Put same board 200 feet up in the air. Now walk across it.
Same board. Same walk. Different consequences of a misstep.
Most of the ideas, changes and patches made by a random Joe Sixpack are dumb.
And not even Joe Sixpack really cares. The redundant work is wasted but it's a very small waste even in aggregate.
Joe Sixpack has no monopoly on dumb ideas.
Watch any new user with a lot of clout.
Except, of course, if the company stops at step #2 and keeps it in-house.
Which is what will usually happen.
First because the company knows it's not all that great and they don't want to embarrass themselves.
Second because the maintainers wouldn't accept it because of quality or if it's not heading in the direction the maintainers wish it to go.
Eventually Company B will figure out a better way to solve the same problem, and release it. Now the first company can still freeload off the better implementation, but it has been tailor-made for Company B and will not be that great a fit. The first company is eventually forced to dance to Company B's tune.
There seems to be some tendency to equate F/OSS with cheap software. While it can be had for very cheap, any effective opinion as to what it should be or where it should be going will not come cheap.