Let me phase it for you. This worked on the people I support. I actually got a decent reaction.
"Newer Sony CDs install a type of virus on your computer called a root kit."
The word virus is the key. If the president of Sony doesn't have a clue what a root kit is, then lets cut the BS and use the right word. It is a VIRUS in the since that the only term most normal people really "get" (I know, it isn't a virus as security people define it).
(by "you" I mean some hypethetical person in another country)
Not really... If you have your own top level domain (say uk) and you run your own top level servers for that TLD then the US can't do squat to your TLD over night. All the ISPs in your country will be able to get to your root DNS server over your network and resolve names under your TLD. However, the US could disable your ability to resolve say,.com,.org or other common domains.
Now, if you use a.com address, which is part of the US create and controled internet (I'll repeat - WE CREATED IT -.com,.org, etc are US domains), then, yes, you are beholden to the US and we could screw you. But you decided that trade off was ok when you get a.com instead of a.uk for example.
In the end, your argument is exactly why the US will never (in the near future anyways) give up control of DNS or any other key part of the internet. The internet as a whole is to vital to your economy and to the country in general.
Yah, the let them burn their hand might be a little over the top. It wouldn't be 0 impact on the US either (as mush as I would like to pretend that is the case). Our economy is to tied into the rest of the world.
The real problem with all this is, if the clueless buerocrats that don't understand the internet in even the smallest way (they demonstrate this on a regular basis in the US and elsewhere) decide they are going to set up their own root servers and then LEGISLATE that only those root servers can be used. This is not outside the relm of possibilities. If they don't legislate the change, then yes, anyone with a clue (including most ISPs) will simply ignore the change and use the US system.
At the moment, ICANN does answer to someone, the US goverment. BUT the US goverment doesn't micromanage them. Since the US goverment answers to US citizens and buisnesses, if ICANN became a real problem (there will always be some problems and some complainers) the US goverment would change the deal at contract renewal time. That hasn't been neccisary. That is a good thing.
If (and there is a snow balls chance in Hell the US will give up that kind of countrol) the rest of the world (!US) gets control, the US will almost ceartainly maintain control of what it has now and will simply ignore the other DNS/IP allocation systems. Companies that sell in Europe and China will be foreced to operate on both networks (IP/DNS allocation zones for lack of a better term) which is possible with some technical magic. It will hurt reliability, profit and useability.
In the end, this will be a disaster, but more so for people outside the US and companies that want to sell in multiple countries. The US internet will continue to function and I will have access ot 90% of the stuff I want/need as it lives on servers here in the US. I'd wager a couple of countries see the light either before the split or right after and rejoin us. For all its bitching, I bet Canada doesn't want Iran and China to have ANY control over anything it needs. That is what they are asking for though.
One of the other big loosers will be scientific collaberations (like those CERN runs to analyze collider data) because ALOT of their computing power is in the US.
Let them all start their own DNS systems, breaking the Internet into segments. Let their own stupidity be their punishment. First, they will legislate that ISPs operating in their countries will no be allowed to use root DNS servers other than their own...
Then, their citizens will realize that this effectively isolates them from anyone smart enough to stick with the current, very functional, system. Then, the break away group will begin bickering back and forth as some members want to use their control of DNS to influence both local and international political views. It will further splinter into smaller useless segments.
At some point the citizenry in some of the smarter countries that broke away will realize how stupid this is when they can't use credit cards controlled by US banks, or interact with US companies easily. They will usher the bureaucrats out to the gallows and the hole problem will be solved.
====
This whole thing is about controlling the flow of information. The currect (US led) system has 0 political control of domains. The US government doesn't tell ICANN to remove a root DNS entry if they have a problem. The find the server and seize it according to the law. If it is overseas, they work with the local government.
We bitch about the government restricting freedom of speech here in the US in general, but Europeans and especially China and the middle east are the the people with no real freedom in that respect (they can't even legally complain about not having freedom of speech in may cases). Allowing governments like that any control over the Internet on the international scale would be a disaster for free speech and a victory for dictators and autocrats that want complete control.
"Hell, if I knew C, and any particular artistic talent, I'd do it."
The people who want that spend all their time being cool, while those of us who just want stuff to work are busy learning C, Perl, etc, etc, etc. The people who can change it, don't care because they are to busy doing other things.
I'm not trying to rag on you or anyone that isn't a programmer. However, everyone should realize that the VOLANTEERS that wrote gaim didn't nessisarly do it to make it exactly like MSN or Yahoo. They did it so that people using linux/bsd/solaris for whatever reason could talk to the rest of the world. In fact, I'd guess most of the people responsible are experts at reverse engineering protocols which means flashing UIs are almost irrelivant to them.
Once they succeeded in making Gaim talk to all the various IM systems, the project was no longer interesting. They are interested in protocol work, not UI.
Gaim would be a playground for someone that wants to build a cool UI because there is a huge audiance. But, PLEASE (as others have asked) put one button that says: "Turn off all eye-candy crap" and make sure it works.
What bothers me is that most programmers (myself included) honestly try hard to write robust, bug free code. I find it hard to beleive that anyone with this view has ever written a line of code in his/her life.
Ignoring the complexity of software, there are deadlines which force compromises. As a developer, I have some say, but not enough to avoid some sacrifices. This is simply a fact of competing in a world market.
Second, my employer dictates how much time I can spend on any given part of the development process (after listening to my feed back). As a developer, I always stress trying to make the code as bullet proof and well tested as possible. Sometimes I'm over riden. Managment has to make sure the cost of developing the software doesn't exceed their expected return. They are a buisness. In the end, they arn't going to pay for the time it takes to make software bullet proof, and they won't sacrifice the feature set to help the process either.
Buisnesses that SELL software for a specific purpose (say reading email and callender) should be held somewhat responsible if that software fails to live up to their own advertising. Beyond that, gross negligence at the buisness level should ceartainly be criminal (say building a mail client that exeicutes scripts it receives via mail without so much as asking the user).
Your entire post is a straw man attack. You either don't understand my points or are pretending not to so you have a ground for this post. As such it is invalid (ever had a class in classic logic?). But, what the hell, it is Friday, so I'll engage in a little sparring.
You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters latter on. Make up your mind, don't contradict yourself and don't be a hypocrite.
You should be on the news as a talking head. You could have your own "no spin zone" shirt (and on the back it could say "except for me").
First, I wasn't trying to bash MS. I was explaining why the guys article was crap.
Like most media, he reports a number in a vacume (that was the point of #1). He doesn't give you context. Without context the number is meaningless. We have no idea what he did because he doesn't give you that info (not that you couldn't find it).
But, I continued, because arguments are built in layers. Even if you understand the context, there are still flaws. For example, what I point out in number two: How critical were the bugs that were reported? Comparing 10 critical bugs to 10 non critical ones is comparing a apple to a dump truck. It is meaningless. Since he doesn't even mention criticaility in the article, I can only assume he just added everything up and that is bad science. Tell your reader how you arrived at your answer.
Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be incosistent.
I never said it didn't matter (another example of straw man). I said it didn't tell you anything about the total number that exists except as a minimum. Their could be 0 more, or 1,000,000 more. You don't know. Pretending (as the article writer does) that it somehow relates to the actual number is 100% speculation unless you do alot of work to demonstrate that the bugs were reported by people doing very similar things in both browsers. Of course, you can't do that because only MS has the IE source code. Firefox source code is open. The nessisarly means that the methods used to find bugs by outside researchers is different (regardless of who if benifits). Apples to dump trucks.
As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vunlerabilities.
Would have been nice if he would have actually said that in the article. It would have saved me having to type the original post. Remember, my post was about bad journalism, not about religios browser loyalty.
My personal bias comes from actual recent experience running 100+ workstations with non-computer savy users. Firefox is better currently. Maybe it won't be in 6 months. If not, I'll go back to IE. I don't want my job to be any harder than it has to be.
As for where your obvious bias comes from, I'd guess you either have no real experience (being a PHB does NOT count) in the field or are some kid that gets his kicks from the type of attention being a troll gets you.
But not a scientist, nor a rational thinker, apparently.
I use to love taking graduate classes with morons like you in them. You are easy fodder during class room discussions. It was unfortunate people like you would almost never make it more than a couple of semesters.
Actually, a better (and simpler) option is just to run the whole damn browser in a sandbox (chrooted in a memory jail on linux).
The main problem with security is it makes interfacing much harder (it is a barrier between componenents). If you run the browser in a jail, you can minize the amount of security between the browser and the plugins (still have a small amount as a sanity check) and not risk the computer system or user files.
This would also prevent spyware/adware/malware being installed on the system via a bug in the browser. How are you going to hook the registry if you don't have a path to it (because it is outside your chroot jail)? How are you even going to infect the browser if every time it is run, it is basicly a new fresh copy from a master?
And yes, things like bookmarks and history can be kept. You just copy them out of the jail after scanning them for validity (scan for goodness).
Your right in some since. That is the one redeeming thing about an otherwise alarmist and troll written article. Did the article remind anyone else of the anti-smoking people in the South Park episode Butt Out?
This is the type of meaningless media noise that confuses so many "normal" people. They don't have the background knowledge to cut through this type of crap, or to see the redeeming lesson (no software is perfect).
I think most in the IT world understand the part you are pointing out. It is important to reinforce the importance of updating your software, having safe computer habits, etc no matter what software you use.
A hacker could find a serious zero-day exploit in ANY code and use it for some really scary stuff. Those who are security minded will have the best chance of avoiding that trap. Of course, selection of something like firefox, where people are studying the source every day looking for "the big one" will probably help also.
That is actually a critisism of MS, so you can feel better. No one in their right mind would ever couple a browser (and application that downloads random information from the www and even executes some of if - javascript, css, even html can be thought of as a language - this ignores insane things like activeXpoit) with the kernel. That is nuts. It is also probably the biggest reason why MS has so many security problems in general.
Every peice of software they write is tied to everything in the OS in 10K ways.
Open source software probably has as many exploitable bugs (maybe even more). The difference is, when you crash my browser using spify example exploit, or even get it to run code, all you can do is execute in my user land environment or kill that app. It doesn't kill Gnome/KDE/X/the kernels swapping deamon, etc. There is almost no risk to the computer as a whole or even of effecting stability. As root (assuming you weren't running as root), I can wack your session at the gettty level and that's all she wrote for it.
Well, this is a good example of bad journalism. I don't want to get into a flame ware about which browser is more secure (although I have an obvious bias). What I'm try to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.
1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.
3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.
2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category. MANY of the IE bugs over the last 5 years have been SUPER critical, allowing remote access with little or no user intervention and no settings work around. Are the fire fox bugs the same?
3) Different organizations handle the vulnerabilities: MS and the Mozilla Foundation. MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.
Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.
The other thing that is probably true is that politics always comes into play. The article you link is about CA, and coastal realistate. That is some of the most prized (overprices) land on the planet. I wouldn't be surprised if there were some VERY currupt finances behind the goverments decisions to try to save it again and again.
My expereince is from a small working class town in central Texas when a Democrat was President and a ceartain Republican was still Govenor (pre-2000).
Agreed, except, people have short memories. I will personally NEVER live in a known flood plane. My parents live above the 500 year flood plane on a bend in the Gudalupe River. That is as close as I will get.
You couldn't pay most of the people the lost their homes across the river to live within 10 miles of the river after that. Of course, there are 1000s of people lined up who would be thrilled to buy 2 acres on the river after the memory of the flood fades away from the public memory (which it has) and that is really the problem. 10K people can learn there lesson (10K homes would be a huge disaster - which points to the size of Katrina) bu t the other 250M would all gladly put them selves in the same place.
I second that. One thing being through several disasters has taught me is that the US goverment has more than enough reserve resources for something like this. It is GETTING THEM THERE that is the problem.
The armed services have mobile system to feed/house/clothe 100Ks and even millions of people. But, that many resource take A LONG TIME to move, even when you have air fields, ports and highways. All airport are underwater, the ports are closed and the highways are trashed.
The military can deal with that, but it takes more time. It won't be pleasent, but no-one will starve to death in the short term if they make 1/2 an effort to get help for themselves. Unfortunatly, alot of people are dead now (or are so close anything but immediate intervention will not help) .
In the long term, alot of people are probably screwed, but hay, that is life. We can all pitch in to minimize it, but that is it. That is the price to pay for living in a coastal area that is below sea level (for whatever reason).
Actually, that is exactly what happens (and I have been through several floods). FEMA bails you out ONCE and only ONCE.
If your house is a total loss, they generally won't allow you to rebuild there. They settle and turn your land into a park. There is a hole neighborhood across the river from my parents (my parent's house doesn't flood) that is now a park.
I have friend's who homes (in Houston) were CONDIMIED because, after essesive development around their aera, there was not enough drainage and so everytime it rain their neighborhood would flood (it didn't do this until the last 10 years). The land and homes were purchased using emminent domain, and then buldozed.
Non-tech example... The department chariman (Physics) says his job is to be shit diode for the faculty. Shit goes up to the dean, but doesn't come back down to them. That is one of the most improtant responsibilities of any leader. Take responsibility for your team and their decisions and make sure they are insulated from routine BS from above.
Of course, you also have to stear them so they do the job upper managment wants (or needs) without micromanaging.
Well, I agree in principle with what you are saying. There are alot of patents which are at a minimum inconvient. Unfortunatly, the USPTO has become a pawn (or a club really) for corperations to go around wacking others who want to compete. However, this doesn't make them liable for the result. They were directed by congress who has the power to pass such laws because of the constitution. Are you going to sue congress or your congress man?
It is interesting that the ONLY article of the constitution that includes reasoning for the rules there-in is the part about IP. It states (I don't remember the exact quote) that in order to foster inovation and creativity congress shall...
So the only real way the USPTO will ever change is either:
1) you (and a hole lot of other people) vote based soley on a desire for patent/IP reform (and lets face it, most sheople are to easly frightened by "terrorist" or other red herrings to vote based on anything as non-scary as patent reform), or
2) the courts decide some or all of the current IP law is unconstitutional, which is equally unlikely.
In the end, patents DO foster inovation. It is a trade. You get a goverment enforced monopoloy on your patent for 17 years. In exchange you must put, in detail, the techonology into the public record for all to see. If you don't, your patent is instantly null and void.
I'm not sure what you mean. If the patent office did what their charter said (which is check a patent application and then issue a patent) they are in no way liable for the results.
On the other hand, it was Congress who used its power under the constitution to create the patent office. If the courts decide that they oversteped their power as granted by the constitution (probably not) then the laws that created the patent office will disappear as will all patents.
As the constitution pretty much spells out that congress should create IP laws for the sake of fostering inovation and creativity, there is very little chance of an all out revoking of any part of IP law. The most that might happen is that the courts will begin to strike down parts of patent law and replace them with common law (law created by precidence in court).
Well, you are correct unless they had a clue and filed in the patent offices in most major countries (and international treaty allows you to do so with an effective filing date) so this most likely applied to every country developed enough to have internet.
So, in this case (assuming the patent holders were not stupid), US != World, but it might as well be because of the various IP treaties that all major players in the world have signed.
Correct. If forgot about the "appropriate" licence fee part. In any case, unlike any one else, the goverment MUST be given a licence or the patent gets revoked (if I remember the IP law lectures I've had right). The patent holder can legaly sit on a patent and not licence anyone else if they choose.
As I said in a previous post, the US goverment can more or less ignore a patent as patents are property rights and all property rights are given by goverement... Basically, they can use it and ignore you and it is legal. Private citizines and other companies are of course suject to it though.
Slashdot Mirror
Let me phase it for you. This worked on the people I support. I actually got a decent reaction.
"Newer Sony CDs install a type of virus on your computer called a root kit."
The word virus is the key. If the president of Sony doesn't have a clue what a root kit is, then lets cut the BS and use the right word. It is a VIRUS in the since that the only term most normal people really "get" (I know, it isn't a virus as security people define it).
"ALONtm is virtually scratch resistant"
So, it isn't scratch resistant?
(by "you" I mean some hypethetical person in another country)
.com, .org or other common domains.
.com address, which is part of the US create and controled internet (I'll repeat - WE CREATED IT - .com, .org, etc are US domains), then, yes, you are beholden to the US and we could screw you. But you decided that trade off was ok when you get a .com instead of a .uk for example.
Not really... If you have your own top level domain (say uk) and you run your own top level servers for that TLD then the US can't do squat to your TLD over night. All the ISPs in your country will be able to get to your root DNS server over your network and resolve names under your TLD. However, the US could disable your ability to resolve say,
Now, if you use a
In the end, your argument is exactly why the US will never (in the near future anyways) give up control of DNS or any other key part of the internet. The internet as a whole is to vital to your economy and to the country in general.
Yah, the let them burn their hand might be a little over the top. It wouldn't be 0 impact on the US either (as mush as I would like to pretend that is the case). Our economy is to tied into the rest of the world.
The real problem with all this is, if the clueless buerocrats that don't understand the internet in even the smallest way (they demonstrate this on a regular basis in the US and elsewhere) decide they are going to set up their own root servers and then LEGISLATE that only those root servers can be used. This is not outside the relm of possibilities. If they don't legislate the change, then yes, anyone with a clue (including most ISPs) will simply ignore the change and use the US system.
At the moment, ICANN does answer to someone, the US goverment. BUT the US goverment doesn't micromanage them. Since the US goverment answers to US citizens and buisnesses, if ICANN became a real problem (there will always be some problems and some complainers) the US goverment would change the deal at contract renewal time. That hasn't been neccisary. That is a good thing.
If your going to play chicken and you drive a Fiat, don't do it with a Mac truck that has a US flag on the font. Right or wrong, that is just STUPID.
If (and there is a snow balls chance in Hell the US will give up that kind of countrol) the rest of the world (!US) gets control, the US will almost ceartainly maintain control of what it has now and will simply ignore the other DNS/IP allocation systems. Companies that sell in Europe and China will be foreced to operate on both networks (IP/DNS allocation zones for lack of a better term) which is possible with some technical magic. It will hurt reliability, profit and useability.
In the end, this will be a disaster, but more so for people outside the US and companies that want to sell in multiple countries. The US internet will continue to function and I will have access ot 90% of the stuff I want/need as it lives on servers here in the US. I'd wager a couple of countries see the light either before the split or right after and rejoin us. For all its bitching, I bet Canada doesn't want Iran and China to have ANY control over anything it needs. That is what they are asking for though.
One of the other big loosers will be scientific collaberations (like those CERN runs to analyze collider data) because ALOT of their computing power is in the US.
Let them all start their own DNS systems, breaking the Internet into segments. Let their own stupidity be their punishment. First, they will legislate that ISPs operating in their countries will no be allowed to use root DNS servers other than their own...
Then, their citizens will realize that this effectively isolates them from anyone smart enough to stick with the current, very functional, system. Then, the break away group will begin bickering back and forth as some members want to use their control of DNS to influence both local and international political views. It will further splinter into smaller useless segments.
At some point the citizenry in some of the smarter countries that broke away will realize how stupid this is when they can't use credit cards controlled by US banks, or interact with US companies easily. They will usher the bureaucrats out to the gallows and the hole problem will be solved.
====
This whole thing is about controlling the flow of information. The currect (US led) system has 0 political control of domains. The US government doesn't tell ICANN to remove a root DNS entry if they have a problem. The find the server and seize it according to the law. If it is overseas, they work with the local government.
We bitch about the government restricting freedom of speech here in the US in general, but Europeans and especially China and the middle east are the the people with no real freedom in that respect (they can't even legally complain about not having freedom of speech in may cases). Allowing governments like that any control over the Internet on the international scale would be a disaster for free speech and a victory for dictators and autocrats that want complete control.
You answered your own question:
"Hell, if I knew C, and any particular artistic talent, I'd do it."
The people who want that spend all their time being cool, while those of us who just want stuff to work are busy learning C, Perl, etc, etc, etc. The people who can change it, don't care because they are to busy doing other things.
I'm not trying to rag on you or anyone that isn't a programmer. However, everyone should realize that the VOLANTEERS that wrote gaim didn't nessisarly do it to make it exactly like MSN or Yahoo. They did it so that people using linux/bsd/solaris for whatever reason could talk to the rest of the world. In fact, I'd guess most of the people responsible are experts at reverse engineering protocols which means flashing UIs are almost irrelivant to them.
Once they succeeded in making Gaim talk to all the various IM systems, the project was no longer interesting. They are interested in protocol work, not UI.
Gaim would be a playground for someone that wants to build a cool UI because there is a huge audiance. But, PLEASE (as others have asked) put one button that says: "Turn off all eye-candy crap" and make sure it works.
What bothers me is that most programmers (myself included) honestly try hard to write robust, bug free code. I find it hard to beleive that anyone with this view has ever written a line of code in his/her life.
Ignoring the complexity of software, there are deadlines which force compromises. As a developer, I have some say, but not enough to avoid some sacrifices. This is simply a fact of competing in a world market.
Second, my employer dictates how much time I can spend on any given part of the development process (after listening to my feed back). As a developer, I always stress trying to make the code as bullet proof and well tested as possible. Sometimes I'm over riden. Managment has to make sure the cost of developing the software doesn't exceed their expected return. They are a buisness. In the end, they arn't going to pay for the time it takes to make software bullet proof, and they won't sacrifice the feature set to help the process either.
Buisnesses that SELL software for a specific purpose (say reading email and callender) should be held somewhat responsible if that software fails to live up to their own advertising. Beyond that, gross negligence at the buisness level should ceartainly be criminal (say building a mail client that exeicutes scripts it receives via mail without so much as asking the user).
The developers have almost no say in the process.
Your entire post is a straw man attack. You either don't understand my points or are pretending not to so you have a ground for this post. As such it is invalid (ever had a class in classic logic?). But, what the hell, it is Friday, so I'll engage in a little sparring.
You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters latter on. Make up your mind, don't contradict yourself and don't be a hypocrite.
You should be on the news as a talking head. You could have your own "no spin zone" shirt (and on the back it could say "except for me").
First, I wasn't trying to bash MS. I was explaining why the guys article was crap.
Like most media, he reports a number in a vacume (that was the point of #1). He doesn't give you context. Without context the number is meaningless. We have no idea what he did because he doesn't give you that info (not that you couldn't find it).
But, I continued, because arguments are built in layers. Even if you understand the context, there are still flaws. For example, what I point out in number two: How critical were the bugs that were reported? Comparing 10 critical bugs to 10 non critical ones is comparing a apple to a dump truck. It is meaningless. Since he doesn't even mention criticaility in the article, I can only assume he just added everything up and that is bad science. Tell your reader how you arrived at your answer.
Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be incosistent.
I never said it didn't matter (another example of straw man). I said it didn't tell you anything about the total number that exists except as a minimum. Their could be 0 more, or 1,000,000 more. You don't know. Pretending (as the article writer does) that it somehow relates to the actual number is 100% speculation unless you do alot of work to demonstrate that the bugs were reported by people doing very similar things in both browsers. Of course, you can't do that because only MS has the IE source code. Firefox source code is open. The nessisarly means that the methods used to find bugs by outside researchers is different (regardless of who if benifits). Apples to dump trucks.
As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vunlerabilities.
Would have been nice if he would have actually said that in the article. It would have saved me having to type the original post. Remember, my post was about bad journalism, not about religios browser loyalty.
My personal bias comes from actual recent experience running 100+ workstations with non-computer savy users. Firefox is better currently. Maybe it won't be in 6 months. If not, I'll go back to IE. I don't want my job to be any harder than it has to be.
As for where your obvious bias comes from, I'd guess you either have no real experience (being a PHB does NOT count) in the field or are some kid that gets his kicks from the type of attention being a troll gets you.
But not a scientist, nor a rational thinker, apparently.
I use to love taking graduate classes with morons like you in them. You are easy fodder during class room discussions. It was unfortunate people like you would almost never make it more than a couple of semesters.
Actually, a better (and simpler) option is just to run the whole damn browser in a sandbox (chrooted in a memory jail on linux).
The main problem with security is it makes interfacing much harder (it is a barrier between componenents). If you run the browser in a jail, you can minize the amount of security between the browser and the plugins (still have a small amount as a sanity check) and not risk the computer system or user files.
This would also prevent spyware/adware/malware being installed on the system via a bug in the browser. How are you going to hook the registry if you don't have a path to it (because it is outside your chroot jail)? How are you even going to infect the browser if every time it is run, it is basicly a new fresh copy from a master?
And yes, things like bookmarks and history can be kept. You just copy them out of the jail after scanning them for validity (scan for goodness).
Your right in some since. That is the one redeeming thing about an otherwise alarmist and troll written article. Did the article remind anyone else of the anti-smoking people in the South Park episode Butt Out?
This is the type of meaningless media noise that confuses so many "normal" people. They don't have the background knowledge to cut through this type of crap, or to see the redeeming lesson (no software is perfect).
I think most in the IT world understand the part you are pointing out. It is important to reinforce the importance of updating your software, having safe computer habits, etc no matter what software you use.
A hacker could find a serious zero-day exploit in ANY code and use it for some really scary stuff. Those who are security minded will have the best chance of avoiding that trap. Of course, selection of something like firefox, where people are studying the source every day looking for "the big one" will probably help also.
That is actually a critisism of MS, so you can feel better. No one in their right mind would ever couple a browser (and application that downloads random information from the www and even executes some of if - javascript, css, even html can be thought of as a language - this ignores insane things like activeXpoit) with the kernel. That is nuts. It is also probably the biggest reason why MS has so many security problems in general.
Every peice of software they write is tied to everything in the OS in 10K ways.
Open source software probably has as many exploitable bugs (maybe even more). The difference is, when you crash my browser using spify example exploit, or even get it to run code, all you can do is execute in my user land environment or kill that app. It doesn't kill Gnome/KDE/X/the kernels swapping deamon, etc. There is almost no risk to the computer as a whole or even of effecting stability. As root (assuming you weren't running as root), I can wack your session at the gettty level and that's all she wrote for it.
Well, this is a good example of bad journalism. I don't want to get into a flame ware about which browser is more secure (although I have an obvious bias). What I'm try to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.
1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.
3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.
2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category. MANY of the IE bugs over the last 5 years have been SUPER critical, allowing remote access with little or no user intervention and no settings work around. Are the fire fox bugs the same?
3) Different organizations handle the vulnerabilities: MS and the Mozilla Foundation. MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.
Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.
IAAITG (I am a IT guy)
Actually, yes I am a perl programmer... probably because I can't spell.
The other thing that is probably true is that politics always comes into play. The article you link is about CA, and coastal realistate. That is some of the most prized (overprices) land on the planet. I wouldn't be surprised if there were some VERY currupt finances behind the goverments decisions to try to save it again and again.
My expereince is from a small working class town in central Texas when a Democrat was President and a ceartain Republican was still Govenor (pre-2000).
Agreed, except, people have short memories. I will personally NEVER live in a known flood plane. My parents live above the 500 year flood plane on a bend in the Gudalupe River. That is as close as I will get.
You couldn't pay most of the people the lost their homes across the river to live within 10 miles of the river after that. Of course, there are 1000s of people lined up who would be thrilled to buy 2 acres on the river after the memory of the flood fades away from the public memory (which it has) and that is really the problem. 10K people can learn there lesson (10K homes would be a huge disaster - which points to the size of Katrina) bu t the other 250M would all gladly put them selves in the same place.
I second that. One thing being through several disasters has taught me is that the US goverment has more than enough reserve resources for something like this. It is GETTING THEM THERE that is the problem.
The armed services have mobile system to feed/house/clothe 100Ks and even millions of people. But, that many resource take A LONG TIME to move, even when you have air fields, ports and highways. All airport are underwater, the ports are closed and the highways are trashed.
The military can deal with that, but it takes more time. It won't be pleasent, but no-one will starve to death in the short term if they make 1/2 an effort to get help for themselves. Unfortunatly, alot of people are dead now (or are so close anything but immediate intervention will not help) .
In the long term, alot of people are probably screwed, but hay, that is life. We can all pitch in to minimize it, but that is it. That is the price to pay for living in a coastal area that is below sea level (for whatever reason).
Actually, that is exactly what happens (and I have been through several floods). FEMA bails you out ONCE and only ONCE.
If your house is a total loss, they generally won't allow you to rebuild there. They settle and turn your land into a park. There is a hole neighborhood across the river from my parents (my parent's house doesn't flood) that is now a park.
I have friend's who homes (in Houston) were CONDIMIED because, after essesive development around their aera, there was not enough drainage and so everytime it rain their neighborhood would flood (it didn't do this until the last 10 years). The land and homes were purchased using emminent domain, and then buldozed.
Non-tech example... The department chariman (Physics) says his job is to be shit diode for the faculty. Shit goes up to the dean, but doesn't come back down to them. That is one of the most improtant responsibilities of any leader. Take responsibility for your team and their decisions and make sure they are insulated from routine BS from above.
Of course, you also have to stear them so they do the job upper managment wants (or needs) without micromanaging.
Of course, IANAM.
Well, I agree in principle with what you are saying. There are alot of patents which are at a minimum inconvient. Unfortunatly, the USPTO has become a pawn (or a club really) for corperations to go around wacking others who want to compete. However, this doesn't make them liable for the result. They were directed by congress who has the power to pass such laws because of the constitution. Are you going to sue congress or your congress man?
It is interesting that the ONLY article of the constitution that includes reasoning for the rules there-in is the part about IP. It states (I don't remember the exact quote) that in order to foster inovation and creativity congress shall...
So the only real way the USPTO will ever change is either:
1) you (and a hole lot of other people) vote based soley on a desire for patent/IP reform (and lets face it, most sheople are to easly frightened by "terrorist" or other red herrings to vote based on anything as non-scary as patent reform), or
2) the courts decide some or all of the current IP law is unconstitutional, which is equally unlikely.
In the end, patents DO foster inovation. It is a trade. You get a goverment enforced monopoloy on your patent for 17 years. In exchange you must put, in detail, the techonology into the public record for all to see. If you don't, your patent is instantly null and void.
I'm not sure what you mean. If the patent office did what their charter said (which is check a patent application and then issue a patent) they are in no way liable for the results.
On the other hand, it was Congress who used its power under the constitution to create the patent office. If the courts decide that they oversteped their power as granted by the constitution (probably not) then the laws that created the patent office will disappear as will all patents.
As the constitution pretty much spells out that congress should create IP laws for the sake of fostering inovation and creativity, there is very little chance of an all out revoking of any part of IP law. The most that might happen is that the courts will begin to strike down parts of patent law and replace them with common law (law created by precidence in court).
Of course, IANAL.
Once again, IANAL.
Well, you are correct unless they had a clue and filed in the patent offices in most major countries (and international treaty allows you to do so with an effective filing date) so this most likely applied to every country developed enough to have internet.
So, in this case (assuming the patent holders were not stupid), US != World, but it might as well be because of the various IP treaties that all major players in the world have signed.
Andrew
Correct. If forgot about the "appropriate" licence fee part. In any case, unlike any one else, the goverment MUST be given a licence or the patent gets revoked (if I remember the IP law lectures I've had right). The patent holder can legaly sit on a patent and not licence anyone else if they choose.
As I said in a previous post, the US goverment can more or less ignore a patent as patents are property rights and all property rights are given by goverement... Basically, they can use it and ignore you and it is legal. Private citizines and other companies are of course suject to it though.