Slashdot Mirror


User: n0-0p

n0-0p's activity in the archive.

Stories
0
Comments
292

Comments · 292

  1. Re:Default PHP protections? on TinyDisk, A File System on Someone Else's Web App · · Score: 1

    The security issue is a design flaw, and I've never seen a language that can really protect you from design flaws. That stated, I've reviewed millions of lines of code across at least a dozen languages and I consider PHP one of the worst from a security and maintainability perspective. The only built-in protection mechanism I know of is magic quotes. And I really consider magic quotes an extremely poor substitute for the parameter binding that you get with properly implemented prepared statements or stored procedures.

    Good web app frameworks offer things like mandatory site-wide authentication, integrated user roles, and basic XSS filtering by default. They're also designed to enforce separation of tiers, so you can remove your presentation from your business logic. And if you're using stored procedures, you can actually establish a hard security perimeter between your data and logic tiers. I haven't identified good support in PHP for any of these approaches. It's not that it's impossible, but the platform sure doesn't help you.

    Unfortunately I haven't had a chance to look at much PHP5 code. It looks like they addressed some of the more glaring language issues, but the platform still leaves a lot to be desired in my opinion. I could be wrong though, as I don't review a lot of PHP. I'd appreciate if any PHP wizards would identify errors in my assessment of the platform.
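
    Added example, not part of the comment above or of any PHP project: the point about magic quotes being a poor substitute for parameter binding, shown in code. It assumes a PHP build with the PDO SQLite driver; the table, rows and the attacker input are constructed for the example. addslashes() stands in for what magic_quotes_gpc did to request data, and the input contains no quote characters at all, so escaping never engages.

```php
<?php
// Added example (not from the original comment). Assumes PHP with the PDO SQLite driver.
declare(strict_types=1);

function setupDb(): PDO {
    // Constructed sample data: an in-memory database with two users.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'admin')");
    return $db;
}

// Vulnerable: relies on quote escaping, which is all magic quotes ever did.
// The value lands unquoted in a numeric context, so addslashes() changes nothing
// and the attacker controls the WHERE clause.
function lookupEscaped(PDO $db, string $id): array {
    $escaped = addslashes($id);                       // magic-quotes equivalent
    $sql = "SELECT name, role FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter and is never parsed as SQL text.
// With PDO::PARAM_INT the driver binds the integer value of the input, so the
// "OR 1=1" suffix is simply not part of the statement.
function lookupBound(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT name, role FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
$attack = '1 OR 1=1';   // constructed attacker input; note: no quotes for addslashes() to touch

// Escaped lookup: both rows come back, including the admin; the injection worked.
$rows = lookupEscaped($db, $attack);
echo "escaped: " . count($rows) . " row(s)\n";

// Bound lookup: at most the single row whose id equals the integer value of the input.
$rows = lookupBound($db, $attack);
echo "bound:   " . count($rows) . " row(s)\n";
```

    The same escaping gap applies to any value used outside a quoted string literal (numbers, identifiers, LIMIT clauses), which is why escaping as a global filter cannot replace binding at the point where the query is built.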

  2. Re:No it isn't on Bill Gates Speaks Out Against Next-Gen DVDs · · Score: 5, Insightful

    I think MS can just see the real implications of Blu-Ray and they know it's a danger to them (and consumers in general). I don't think MS is being altruistic here, it's just that this time the general good happens to coincide with their goals. I've talked to a few people involved in DRM work at MS. They say that MS is only supporting DRM to appease content providers. From their point of view it limits their capabilities and doesn't really buy them anything. However DRM is the only way to get content providers to play ball.

    Now the real danger in the whole Blu-Ray issue is this. The DRM model for Blu-Ray is extremely restrictive and especially wouldn't play nice in a PC type environment. Also, Blu-Ray is a closed spec that must be licensed, so any deviation from this DRM model risks legal action by Sony. The content providers like this because it's a model with legal and/or technical barriers at every link in the chain. However if Blu-Ray really becomes the preferred format for HD media we risk a situation where Sony gets final say in all HD content distribution because they own this heavily restricted standard. So in the end Blu-Ray would become a monopoly coup for Sony and fair use would be seriously crippled in the HD world.

    So I'd prefer HD-DVD mostly because it's an open spec that is by nature more consumer friendly. Of course, it also helps that HD-DVD will be significantly less expensive and available for large-scale production in the near term.

  3. Re:never on Blu-Ray The Flavour of The Moment · · Score: 1

    We could say Mini-Disc, but that would just be rubbing it in.

  4. I'd be hesitant to accept a Forrester declaration on Blu-Ray The Flavour of The Moment · · Score: 4, Insightful

    I suppose I'd be less hesitant if Forrester wasn't so often financed by the people they report on.

  5. Re:Divest GroupWise??? on Novell Layoffs Coming This Month? · · Score: 1

    Did we read the same article? The article I read stated that the shareholders were pushing them away from legacy offerings and wanted them to focus on Linux oriented strategies. The shareholders apparently think that's the most profitable course, but you seem to be implying Linux is a dead end. And I really don't understand where the comment about free software business managers came from. Did any of the Ximian crew end up as business managers? As far as I know they may be in senior technical positions, but none of them are running the business.

  6. Re:Solution to MS Office + OpenDocument on OpenOffice.org 2.0 Released · · Score: 2, Insightful

    You're kidding right? Just because you get the text and formatting doesn't mean you'd have a usable document. You'd lose all of the necessary metadata. That includes most of the important functionality (such as text flow and soft line breaks) in the word processor. You'd lose pretty much everything useful from a spreadsheet because you'd have to try to rebuild the rows and columns based on text placement.

  7. Re:Why not on Mozilla Lightning Plans to Unify Mail & Calendar · · Score: 5, Informative

    There is actually an intelligent response to everyone making this same tired joke. The Mozilla Foundation retargeted development on separate applications to simplify things for most users. With that done, one of the next major steps (2.0 timeframe) is to break all the shared functionality out into XulRunner (currently being actively developed).

    Eventually all of the apps (FF, TB, SB) will use XulRunner but still be developed and distributed as separate applications. This should provide the best of both worlds. It will have the tight integration and lower resource usage of the single suite, but without requiring everyone to deal with the headaches of one big monolithic application.

    To anyone interested I'd really advise heading over to the Mozilla wiki and taking a look at what's going on.

  8. Re:Betamax v. VHS on Microsoft, Intel back HD DVD over Blu-ray · · Score: 4, Insightful

    I really like the spin you put on that. You could have stated that manufacturers and content producers didn't want to pay per-unit licensing fees to Sony for use of the Beta format. You also could have mentioned the initial shorter recording times of Beta versus VHS. Instead you went this whole "porn rules the world and Sony don't stand for it" route. I have to admit it was somewhat entertaining... not particularly accurate, but I did chuckle a little.

  9. Re:6 stories down on the front page on Korean Mozilla Binaries Infected · · Score: 2, Interesting

    It's a fan site! Are you and the parent really suggesting that they should start applying international legal pressure to a fan site over use of the trademark? If they did, would you be sniping at them for that too?

  10. Re:source? on Korean Mozilla Binaries Infected · · Score: 1

    I've just spent the last ten minutes searching for corroboration and all I found was the same thing you did. It is quite possible the hackers were serving up trojan binaries for a while before they defaced the site. That would fit in with the timeline and explain this pretty well.

    The other important point is that the Korean site was not officially affiliated with the Mozilla organization (unlike US, China, Europe, Japan, etc.). Because of this the Mozilla Foundation had no control and couldn't impose any standards. It was just a fan site.

  11. Re:maybe IE has more on Mozilla Hits Back at Browser Security Claim · · Score: 2, Informative

    If you're trying to balance things evenly you also have to consider that IE 6 has undergone no significant development in the last four years. The only changes have been bugfixes and minor security adjustments, so arguably it should be extremely stable. Yet we've still seen a number of severe vulnerabilities over the last year in what should be a very mature (by software standards) product.

  12. Re:first post on Mozilla Hits Back at Browser Security Claim · · Score: 1

    That was actually only one of several points. They also brought up the severity of the vulnerabilities and transparent nature of OSS development among other things. Sorry, I would have clarified this sooner but I chose to read the article first.

  13. Re:mozilla vs M$ or on Mozilla Hits Back at Browser Security Claim · · Score: 4, Interesting

    The Mozilla security fixes always end up public eventually, whereas silent patching is a common practice for most software vendors (including MS). This occurs more often with internally discovered vulnerabilities of lower severity or by grouping a number of issues under a single umbrella.

    It's hard to blame vendors for taking this route though. I've heard MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.

    With that in mind I expect that OSS will generally have more documented security issues than equivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.

  14. Re:SMTP server at home? on Overhauled Telecommunications Law Draft · · Score: 1

    My DSL provider started blocking port 25 so I switched to SSMTP (465). I've only seen that blocked on corporate intranets where they only allow HTTPS and proxied HTTP and FTP to the Internet; your only real option in that scenario is webmail.

    It was a simple change to set up because I was already requiring authentication over TLS for mail relaying. If you're leaving a public mail server out there you really should be authenticating over an encrypted connection anyway. This is just a simple adjustment, and I don't mind it if it reduces the number of spam zombies.

  15. Re:Firefox = Security Flaw on Mozilla Firefox 1.5 Beta 1 Released · · Score: 1

    It doesn't sound like there are any issues to me. For IPC purposes Firefox listens on a local port on the loopback adapter; this is the request to access the trusted zone. After that you'll get prompted when it actually browses to a web page; this is the Internet request. I actually get three prompts when I install a new version. One for the local listening port, one for the first DNS query, and one for the first HTTP(S) connect.

  16. Re:But what is TCO anyway? on Users Reject MS Independent Study Claims · · Score: 5, Interesting

    When the software is no longer supported by MS and you need security updates you don't really have a choice. I ran a pen-test against a business unit of a large organization that chose not to upgrade from Office 96 to 2K. They figured they could safely skip a version to 2003 because there were no compelling new features and it wasn't really worth it.

    Unfortunately there were several security vulnerabilities discovered in late 2000 including macro execution vulnerabilities for Word, PowerPoint, and Excel. MS was not providing patches for these issues on anything below Office 2K and their only response was to disable macros in all of the applications or upgrade. Neither was an option for them because they had apps that needed macros and the software budget couldn't cover the upgrade cost at that time.

    During the pen-test we determined that these guys had a pretty good DMZ setup and very limited Internet presence. We still wanted the keys to the kingdom so we just ended up harvesting email addresses and firing macro exploits with callback trojans. In the end we owned the whole network and they looked really bad. And all of this occurred because they chose not to follow their vendor's forced upgrade path.

  17. Re:Seriously... on Users Reject MS Independent Study Claims · · Score: 3, Interesting

    I really have to disagree if your implication is that relative security is easy to measure between two systems. I also wonder why you would take Aitel's shameless pandering to mean anything more than that he's a self-serving mercenary. That TCO paper is just an advertisement for Immunity and their tools.

    Back to the more important topic, switching from MS to a completely Open Source platform normally requires changing the whole software stack. In such cases you can't do a line by line comparison between the two different implementations. Handling of layered defenses and hardening measures varies too much between environments. Any valuable assessment has to view the system as a whole, including its environment.

    I've seen good and bad implementations on both sets of platforms. I admit that I like the freedom of Open Source and the ready access to code makes evaluation easier. It is my personal preference but I don't see it as a panacea of security and I'm sick of both sides slinging mud at each other.

  18. Re:robots.txt on Adult Site Sues Google, Google Compared To MS Again · · Score: 4, Interesting

    The images aren't from Perfect 10 directly. They want Google to stop linking to other sites that have (potentially illegal) copies of their copyrighted images. So to put it in really simple terms, Perfect 10 wants Google to enforce their copyrights for them. Seems to me that the burden of copyright enforcement is on the owner of said rights and Google isn't doing anything to aid in misappropriation of copyrighted material. Throwing the DMCA claim on top just adds to the absurdity. Personally, I hope these guys get crushed in court for trying to pull a stunt like this.

  19. Re:Red Hat doesn't have a license on Linux Trademark Fun Continues · · Score: 5, Informative

    If you had a valid sublicense before August 2004 you are grandfathered in for free. Based on that I expect that Red Hat doesn't have to purchase a license at all. Perhaps Novell did need to purchase a license due to Suse changing hands, or maybe they just chose to opt in and avoid any potential hassle. After all, the cost is quite negligible for them.

  20. Re:Why charge for it? on Linux Trademark Fun Continues · · Score: 4, Informative

    There are several reasons why that approach won't work. This groklaw post covers the issues very thoroughly.

  21. Re:A socialist-corporate trend is developing. on Miro Replies to Mambo Allegations · · Score: 4, Insightful

    I really have to ask for some clarification on what exactly you think you're talking about. You've referred to three situations that share almost no commonality and then thrown some random thought at the end about IP. And where does the socialist angle possibly fit into this at all? The thing that bothers me more than your post is the fact that someone modded you up. So in the spirit of being properly informed, allow me to sum up these issues for you.

    Mozilla Corporation - Mozilla has a historically commercial background and their more corporate approach to open source should come as no surprise to anyone familiar with their history. The formation of Mozilla Corp should in no way change the direction of the project, and it's not that uncommon of an approach for a non-profit to take.

    Linux Trademark - Linux is trademarked to prevent the FUD campaigns under the Linux name, which is unfortunately a growing problem. The costs for licensing are small (from $200 to a max of $5000 for multi-million dollar corps) and only exist to support the maintenance and defense of the trademark.

    Mambo - Seems like a straight split because of developer differences. It's a GPL'd project so they can fork and have at it.

    In all of these cases the status of the code has not been changed from open source. In fact, the terms of the licenses for all the projects prohibit them from ever trying to "retract" the released source.

    In the future please perform a little research and analysis to avoid spreading this type of misinformation.

  22. Re:MAPI? on Exchange Alternatives Round-up · · Score: 2, Informative

    Evolution uses the Outlook Web Access over WebDAV interface. This is far simpler than trying to create a compatible MAPI stack because (as you pointed out) there are a number of complex layered protocols required. To my knowledge, only MS has ever made a complete MAPI stack. Everything else uses either MAPI client connectors on Windows or OWA WebDAV to talk to the server from a non-Windows client.

  23. Re:What about... on IBM Donates Code to Firefox · · Score: 3, Informative

    There is a plugin (http://www.iol.ie/~locka/mozilla/plugin.htm) for Firefox that allows you to run ActiveX controls, but that doesn't solve the problem. Most sites that use ActiveX also heavily use IE only scripting objects. As such, they still won't run even if you have ActiveX support in Firefox.

  24. Re:what the hell? on Windows Guru Calls For IE7 Boycott · · Score: 1

    I don't think anyone got the joke. But it was an entertaining way to point out that IE7 will only be available for Windows XP and above.

  25. Re:I wonder... on Researcher Resigns Over New Cisco Router Flaw · · Score: 1

    One more important note; ISS had been contracted by Cisco to perform a source review of portions of IOS. This means that Lynn was under NDA and was basically screwing over his client by presenting without their consent. The more I look at this, the more I think that Cisco was actually the victim here.