I like this. You take the fact that a bunch of web pages decided to lock themselves into Netscape's browser (and thus lock out all other browsers (Microsoft's, Mosaic, etc)).
And somehow, when Microsoft adopted this practice, it's Microsoft's fault?
This is just like when every single display card manufacturer on the market used to put the string "This card emulates a VGA card from IBM" into their system ROMs to allow their VGA cards to work with apps that sniffed the system ROM for IBM's copyright string.
There are times when openness works just fine.
But instead of asking what happens if Adobe picks up on how Quark implemented some feature in Quark, what stops Adobe from shipping "Quark Express, by Adobe"? It's open source - most open source licenses (not all) don't restrict someone else from selling the open sourced code as their own.
It IS possible to license the source code in such a manner that precludes someone else from producing a commercial product based on your source code (that allows you to meet your obligations). In that case, you have an option - you can sue the offending company (assuming they're in a country that abides by US laws).
On the other hand, if a corporation tried to release their code under a restricted license (say one that retains their patent rights), they get roasted by the GPL zealots for not following the spirit of open source (which is free as in air as opposed to free as in beer like the first option).
And there's just about no way for a corporation to GPL (or BSD) their source code. If you're a corporation, you have a fiduciary responsibility to your shareholders to maximize your profits. When you're a corporation, you need to use today's profits to finance tomorrow's engineering costs (or the loans that you took out for the development costs of the current product). It doesn't matter if you're Quark or Microsoft, or Adobe, or Oracle, or Joe's software, new code costs money, and you have a legal obligation to your stockholders to make back the money you spent on that development and to maximize the return on their investment. If you don't do that, you can literally go to jail (ask the Rigas family about that sometime). If you were to open source the products you make money from, unless you have an alternative strategy for making money off those products, open sourcing the products abrogates your fiduciary responsibilities, and once again, you can find yourself in jail or at least in lawsuits up to your eyeballs that will suck off all the profits you once had.
Now it IS possible to make money off of GPL products. You do that not by selling the products, but by selling intangibles related to the products like the servicing and support of those products. Anyone can produce the exact same product you did, but they can't provide the intangibles in the same way. You also have an added benefit to working with open source products - you can in effect completely outsource your product development - you don't have to spend those millions of dollars developing a cool new product, instead, you can take the products that the open source community makes and sell those instead. But if you're developing products using this model, then openness works just fine - since you're not going to be making money from your development staff, you can be as open as you want. On the other hand, the work that your development staff does isn't going to be of strategic value to your company - your product can't have an advantage over its competitors, since the competitors are running exactly the same code that your product is. The billable hours that you have as you service and support the open source products can be quite profitable to a service-oriented company, but that is a totally separate part of the organization from the areas that do product development from a financial standpoint. Of course, the service and support divisions don't care (mostly anyways) whether they are servicing and supporting an open-source product or a closed-source product; they still write code and support people who use the CD tray as a coffee holder. The billable hours might be a bit more on open-source since the company can charge each hour of product development to "customize" the open-source, but from the larger perspective, that detail becomes irrelevant to the bottom line.
So if you're a corporation making money from GPLed open source code, you don't gain a tangible financial benefit from your development efforts. You do gain intangible benefits, and they shouldn't be underestimated.
That doesn't work. The Mac and/or Linux port of the ad supported version of DivX (or kazaa) will simply require that you enter the root password so that they can install their spyware. The only reason that such a version hasn't appeared yet is that there's no market for them - the combined market share of Linux and OSX is about 2%.
Forcing users to run as non admins can't protect users from their own actions.
That's because they had the equivalent of a linux 2.4 kernel running on a 1.7 distro.
You can bollux up ANY operating system so it can't boot if you work hard enough.
How does this catch Kazaa and other "freeware" that bundles the spyware within it? How about the freeware that includes a firefox plug-in that downloads its popups from port 80?
You're not blocking firefox from accessing port 80, are you?
I'd love to see what gmail does when one mailbox all of a sudden starts getting 4 million email messages a day.
That'd be humorous to say the least.
Not quite true. Windows 3.0 hit one million copies a month, the best selling software title at the time. Windows 3.1 was a release to fix all the problems in Windows 3.0.
Microsoft's gotten a whole lot better at acknowledging submitters in their releases.
:(
Unfortunately, they didn't start giving credit until 2000 or so
Using these vulnerabilities to shill its products.
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
That's being rather pedantic.
By the same logic, OE isn't vulnerable to this bug, it's the users that are vulnerable.
And I'm not sure that the distinction is relevant.
My suspicion is that just like credit card numbers, some of the bits in the key are a checksum to validate the rest of the key.
Similarly, there is probably another set of regional data in the key.
I run an enterprise with 500 servers.
Half of them are running Debian, half of them are running RedHat.
I want to roll out a configuration change and I want it to apply to all 500 servers.
VI and EMACS don't cut it as admin tools, I'm not going to make the change by hand on all 500 servers.
How do I make a single change to the TCP configuration for all 500 servers?
That's what Ballmer's talking about. The monoculture allows Microsoft to provide tools for enterprise management that allow an administrator to make a configuration change on a single workstation and have that configuration change automatically apply to all machines in the enterprise.
If you've got a mixed distro environment, can you do that?
How well does Redhat integrate with Debian?
Do the same management tools work for both distros?
How about replicating config changes - does the same script work for both distros?
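Added example (shell, not part of the comment above or of any vendor tool): one way to push a single TCP setting to a mixed Debian/Red Hat fleet without editing each host by hand. It identifies the distro family from /etc/os-release, writes an idempotent drop-in under /etc/sysctl.d, refuses to touch a host it cannot classify, and reports whether anything changed so the fleet driver can tell a no-op from a real rollout. The drop-in file name, the chosen key (net.ipv4.tcp_syncookies), and the ssh-based fleet loop are assumptions.

```shell
#!/bin/sh
# rollout.sh - distro-aware rollout of one sysctl change (added example, not a
# page-supplied script). Assumes modern Debian/Red Hat hosts with /etc/os-release
# and a sysctl that understands --system.
set -eu

SYSCTL_KEY="net.ipv4.tcp_syncookies"   # assumption: the setting being rolled out
SYSCTL_VALUE="1"
DROPIN_NAME="60-tcp-hardening.conf"     # assumption: chosen drop-in file name

# Classify the host by ID / ID_LIKE from os-release; prints debian, redhat or unknown.
# Ubuntu reports ID_LIKE=debian and CentOS reports ID_LIKE="rhel fedora", so the
# family check looks at both fields.
detect_family() {
    release_file="${1:-/etc/os-release}"
    if [ ! -r "$release_file" ]; then
        echo unknown
        return 0
    fi
    # os-release is shell-sourceable by design; read it in a subshell so it
    # cannot clobber our own variables.
    ids=$( . "$release_file"; printf '%s %s' "${ID:-}" "${ID_LIKE:-}" )
    case " $ids " in
        *debian*|*ubuntu*)         echo debian ;;
        *rhel*|*fedora*|*centos*)  echo redhat ;;
        *)                         echo unknown ;;
    esac
}

# Render the drop-in contents; identical on both families, tagged with the family
# so an admin reading the file knows which rollout branch produced it.
render_dropin() {
    printf '# managed by rollout.sh (%s family)\n%s = %s\n' "$1" "$SYSCTL_KEY" "$SYSCTL_VALUE"
}

# Write the drop-in atomically and idempotently. Prints "changed" or "unchanged";
# fails (exit 1) rather than guess on an unknown distro.
apply_sysctl() {
    family="$1"
    target_dir="${2:-/etc/sysctl.d}"
    if [ "$family" = unknown ]; then
        echo "refusing to change an unrecognised distro" >&2
        return 1
    fi
    mkdir -p "$target_dir"
    target="$target_dir/$DROPIN_NAME"
    tmp="$target.tmp.$$"
    render_dropin "$family" > "$tmp"
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    mv "$tmp" "$target"      # rename is atomic on the same filesystem
    echo changed
}

# Per-host entry point: classify, write the drop-in, and reload only if it changed.
if [ "${1:-}" = "--apply" ]; then
    fam=$(detect_family)
    if [ "$(apply_sysctl "$fam")" = changed ]; then
        sysctl --system >/dev/null
    fi
fi

# Fleet driver (assumption: passwordless ssh as a deploy user with sudo, one host
# per line in the file given as $2):
#   ./rollout.sh --fleet hosts.txt
if [ "${1:-}" = "--fleet" ] && [ -r "${2:-}" ]; then
    while read -r host; do
        [ -n "$host" ] || continue
        scp -q "$0" "$host:/tmp/rollout.sh" && ssh "$host" sudo sh /tmp/rollout.sh --apply
    done < "$2"
fi
```

The family detection is where the Debian/Red Hat split actually shows up; the write path is shared because both families read /etc/sysctl.d today. Point the second argument of apply_sysctl at a scratch directory to dry-run the rendering on a workstation before touching the fleet.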
Are you still sure you'd rather have the browser crash?
The bad guys don't use valid HTML to attack browsers. They use invalid HTML. That's why Mikal's post is so relevant.
But it's not supposed to let you see files you don't have access to. And apparently that's what the reporter found - they couldn't access the files directly, but they WERE able to access them through the google cache.
From the article, it sure sounds like it does.
Spyware may be too strong, security hole big enough to drive a truck through might be appropriate however.
If you index the hard disk, you've got to honor the ACLs on the things you index.
Oooh, what a wonderful idea.
And then when the exploit that uses the BMP vulnerability in firefox gets spread, you'll be infected.
If you believe that Firefox is any more secure than IE (w.r.t. this vulnerability), you're smoking something.
Only if you're sending them in clear text.
NTLM V2's actually a decent auth protocol. Not as good as Kerberos, but not bad.
NTLM V1 was horrid and should be flushed down the toilet, but V2 is relatively safe to deploy.
My suspicion is that the "bug" is that while the XP SP2 firewall closes File&Print sharing on public IP addresses, there are several ISPs out there that give internet-connected computers private network (10.x.x.x) IP addresses.
XP's firewall thinks that the machine is on a private network (and thus behind a hardware firewall), and so it allows access through the firewall. Unfortunately, in this case, the ISP screwed up and put the private IP on the internet without protection.
Because Linux is somehow magically protected from buffer overruns?
Must be. I got to my link by going to Help, and clicking on "View Privacy Policy". I don't know where the OP got it from. It might be that the web view's privacy policy link is to a different location than the privacy policy in the view of the store from the player (I can't get that link to work currently to check).
That's the privacy policy for the BETA version of the MUSIC STORE. The privacy policy for WMP10 is here: http://www.microsoft.com/windows/windowsmedia/mp10/privacy.aspx?locale=409&geoid=f4&version=10.0.0.3646&userlocale=409/
Shipped in the OS? Tightly integrated with the shell? Available in a set of well documented APIs that are available as a part of the platform?
Cool. Where do I get it?
That's a quote from a reporter at news.com.com. It's not a quote from Jim Alchin.
According to Helen Custer (who worked on the team) in her book Inside Windows NT, it's "New Technology".