Slashdot Mirror


User: LO0G

LO0G's activity in the archive.


Comments · 521

  1. Re:NOT an actual fix on IE Download.Ject Exploit Fixed · · Score: 1

    Think this case in terms of M&M security. M&M security has a crunchy outside and a soft inside.

    Up until today, Microsoft was relying on M&M security - they spent all their time on the crunchy inside, while ignoring the soft inside. They kept on trying to fix problems in the things that called ADODB.Stream.

    With this patch, they're making the soft inside go away by killing the ADODB.Stream object.

    It might break some intranet applications, but the alternative is leaving holes that someone might find a new way of exploiting.

    It's called Defense-In-Depth. You apply multiple layers of defense to ensure you're safe.

    The ADODB.Stream was a dangerous object. You could constantly patch and patch and patch to make sure that everyone that called it was safe, or you could just get rid of it.

    Microsoft chose to get rid of it. Makes sense to me.

    Defense-In-Depth is the same reason you should remove strcpy and sprintf from the C runtime library (or at least from your code) - they're dangerous APIs, it's VERY hard to write code that correctly calls these APIs. If you use a safe version of them (one that checks the length of the buffer), you're not as likely to have buffer overruns in your code.

    By turning off ADODB.Stream, the hackers now need to find a different way in. Maybe they will, maybe they won't. But this door's been shut and locked.

  2. Re:FYI on IE Download.Ject Exploit Fixed · · Score: 1

    I've never received a fix from Microsoft that's required me to reformat my hard disk. Worst case I had to reinstall Windows and install the patches up to the one that messed me up. A major pain in the neck, but not the end of the world.

    I've gotten infected by viruses. Whenever you're infected with a virus, you realistically have no choice but to reformat your hard disk. Because the virus might have contained a root kit. And once you've been root kitted, that's all she wrote, it's reformat time. As an alternative to reformatting you could remove the infected hard disk from the infected machine, virus scan it on a known good machine and then use it, but even then you're not 100% sure you're safe (maybe the root kit was hidden in one of the system restore partitions, which aren't accessible from Windows (it's happened)).

    I'll take the patches over the reformat any day.

  3. Re:Did Apple ever sue MS for the "Recycling Bin"? on Microsoft Patents Grouped Taskbar Buttons · · Score: 3, Informative

    But Microsoft licensed the Apple trash can back in the 1980's.

    That was the whole Apple/Microsoft lawsuit thingy.

  4. Re:Server software on Gateway Wireless Connected DVD Player Reviewed · · Score: 1

    As I posted above - Intel has written and released an open source implementation of the UPnP Content Directory server, which means that a Linux version is totally possible (actually lots of these devices run Linux internally using the Intel toolkit). The Intel toolkit has some bugs but...

    The specifications for the protocol are at http://www.upnp.org

    That's what being UPnP enabled buys you - the protocol's open.

  5. Re:MediaMVP on Gateway Wireless Connected DVD Player Reviewed · · Score: 2, Informative

    Intel has an open source (GPL I think) version of the server side software available for download if you want to do a version for Linux. That's what UPnP support in the Gateway device means - you CAN do a Linux server for it, you're not locked into Microsoft's platform.

    And Microsoft's going to be including the server software in its Windows Media Connect add-on for Windows (google for it).

    So you won't need any special software to run it.

  6. Re:You're missing the point of gov't adoptions on ESR's Halloween XI -- Get the FUD · · Score: 1

    That was a flaw in the custom software that was running the C&C systems on the USS Yorktown. It wasn't a flaw in Windows NT.

    I refuse to see the difference between a Linux segfault and a Windows application error. The ship would have been just as broken in either case.

  7. Re:Halloween Documents? on ESR's Halloween XI -- Get the FUD · · Score: 3, Insightful

    It appears that ESR has decided that instead of highlighting the memos behind the FUD that was the hallmark of the previous Halloween analyses, he wants to go after the published FUD instead.

    Personally I think while his points may be valid he just ruined the value of the Halloween series.

    The Halloween series worked because it was criticism of real leaked Microsoft memos.

    This so-called "Halloween" memo is just counter-fud.

  8. Re:Why it has to die on Joel On Microsoft's API Mistakes · · Score: 1

    And it didn't work. Win16 had 21 timers. 20 were available for applications, the 21st was the system timer.

    GetTimer gave you one of the 20, when they were used up, you ran out.

    The Excel guys found out about GetSystemTimer and assumed it did something special since it gave them one more timer.

    Of course it really didn't, it just made a bunch of things inside Windows (like memory management) stop working.

  9. Re:Question... on Comcast Gets Tough on Spam · · Score: 1

    Check out the "Network" page.

    I'm not sure which release it was added (maybe it was W2K?). But the network page allows you to see your network traffic, which was what was being discussed above.

  10. Re:OT (WWI History), but on Microsoft Patents The Task List · · Score: 1

    Ok, I'm an idiot then. Sigh.

    Try #2: I believe the issue was the moneychangers in the temple that caused the usury ban.

  11. Re:Question... on Comcast Gets Tough on Spam · · Score: 1

    NT4 had it actually - it's the taskmgr, it's not always brought up by CAD, it's sometimes brought up by right clicking on the tray and selecting "task manager"

  12. Re:OT (WWI History), but on Microsoft Patents The Task List · · Score: 1

    Actually Usury as a sin comes from the New Testament: "Neither a borrower or a lender be"

    Since it wasn't a part of the Jews bible, they didn't mind violating that stricture :).

  13. Re:Whinin' in the past on MS Rails On Open Source, Appeals To Gov't Greed · · Score: 1

    Ah, but here's the rub.

    Does the time and effort you put into writing your code have any value to your corporation?

    Red Hat's a corporation. They have a fiduciary responsibility to their stockholders to maximize their profits. So's IBM.

    These companies aren't investing in open source solutions out of the goodness of their hearts, they have to have a business model that allows them to make money out of open source. If they didn't, their shareholders would find them a new board of directors who would come up with a new business model.

    And they do have a business model. They sell services built on Linux. The OS is a loss leader for their servicing (or consulting) business divisions. They don't care about the cost of development of Linux, they have an unpaid work force that does all the work for them.

    Now IBM and Red Hat do employ developers to work on Linux. And they do give back to the community. But the work of these developers is a loss leader as far as IBM and Red Hat are concerned. So as far as IBM and Red Hat, the work of their employees IS zero. Because their revenue model is based on services, not on open software.

    I think that's what Sells is saying (in an incoherent way) - everyone who contributes to the open source effort (be it a government, or an individual) is actually giving Red Hat and IBM an opportunity to make even more profit on the value of the contributor's labor. And the contributor isn't getting paid for the value of their labor.

  14. Re:Konqueror on Future for Web Standards Pondered · · Score: 5, Insightful

    If a popular web site stopped working, the IE users would just stop going to the formerly popular web site.

    They'd feel that it was the fault of the web site author, and not their browser. After all, it used to work, and now it doesn't work. They didn't change their browser, so the web site must have changed.

    And thus it is the fault of the web site owner.

    It doesn't matter that they made their web site "standards compliant". Customers don't give a rat's behind about "standards compliant". The only thing they care about is "Does it work with my browser".

    If it doesn't, they'll either complain to the site owner (unlikely) or they'll just stop using the site.

  15. Re:I like the last bit on Andy Tanenbaum on 'Who Wrote Linux' · · Score: 1

    Did I say it was? I just said that the architecture of the kernel didn't change when they moved the gui stuff into kernel mode.

  16. Re:I like the last bit on Andy Tanenbaum on 'Who Wrote Linux' · · Score: 3, Informative

    Um. NT4's still got the same kernel architecture that NT3 had.

    The only difference is that in NT 4, the GDI and USER components were moved from user mode (in CSRSS.EXE) to kernel mode (as the Win32K.Sys device driver).

    Having the GUI running at ring 0 is not the same thing as having a monolithic kernel.

  17. Re:Microsoft? on Opera Settles $12.75m Lawsuit, But with Whom? · · Score: 1

    Last I had heard, MSN was serving a different style sheet to attempt to work around bugs in Opera 6 (at least that was the conclusion the last time that this came up on /.).

    People tried looking at the offending pages with Opera6 and they looked fine, but with Opera 7 they looked like crap.

    The guess was that the Opera guys fixed the bugs in Opera 7, and all of a sudden the "bug fixes" became obvious.

    It wasn't malicious, it was an honest attempt to make MSN look less than crappy with Opera 6.

    The only thing the MSN guys did wrong was not testing with Opera 7 before it was released.

  18. Re:Wah! Stomp your feet! Wahh! on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 1

    But the primary reason for going with open source is that you can modify the source.

    If you run a binary-only distro, you might as well run Windows CE in the engine module.

    Or you could buy one of the non-GPL embedded operating systems...

  19. Re:shouldn't that be illegal on Microsoft Blames Anti-trust Legal Fees for Price Increases · · Score: 1

    As a general principle, where do you think the money to pay the fines comes from?

    In Microsoft's case, they've got cash in the bank to pay for it. But for other companies (Worldcom, for example) that have been convicted of crimes, they DON'T have the money to pay the fines.

    So the money to pay the fines has to come from somewhere. There are two places it can come from: Either they increase their prices, or they decrease their profits.

    Microsoft's saying that they're not going to decrease their profits, instead they're going to increase their prices.

    Which they can do because...

    They're a monopoly?

  20. Re:Wah! Stomp your feet! Wahh! on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 1

    Ya know, I shouldn't feed the AC trolls - I really shouldn't, but..

    I'm not a lawyer. But I know several lawyers, including several IP lawyers (my brother, for one). He says that there are significant ambiguities associated with the GPL that have not yet been adjudicated. I trust him to know what he's saying.

    I'm willing to bet that you're not a lawyer either, are you?

    I didn't think so.

    If you're not a lawyer, or can't quote me case law (in other words, the results of a trial), then your opinion is worth nothing.

  21. Re:Wah! Stomp your feet! Wahh! on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 1

    I repeat my comment: Where is the case law on this?

    What happens to Ford when GM (or Chrysler, or BMW, or Toyota, or whoever) sues them using the GPL to force them to release the source code to their engine firmware? You say that there won't be a problem. But how do you know that?

    More importantly, even if Ford's lawyers say "Yeah, the GPL doesn't require that we release this code", without this being litigated and thus resolved in the courts, how can they be sure that some jury (whose members never completed high school) won't decide to force them to release their entire source code?

    And how many millions of dollars will they have to spend defending themselves?

    IMHO, the GPL and its ambiguities are the single greatest barrier to the adoption of Linux in corporate America.

  22. Re:Wah! Stomp your feet! Wahh! on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 1

    Are you sure of that?

    If Ford uses Embedded Linux in the engine control systems of its cars, doesn't the GPL require that they release the source for the control systems of the car?

    And the engine control systems are some of the most valuable intellectual property of the car manufacturers.

    And before you say "That's ok, because they're using LGPL and they're only required to release the portions of the code that they modified", are you sure about that? Do you have the findlaw references of the court cases that adjudicated the lawsuit?

    There's a really good reason that companies like Microsoft and IBM (yes, IBM) don't let their employees that work on their closed source projects work on open source projects. Their lawyers are scared witless about what accidentally including GPL code would do to their intellectual property.

  23. Re:About time... on PUBPAT Challenges Microsoft's FAT Patent · · Score: 1

    FAT was designed to run on a machine with 16K of RAM (that's right, 16,384 bytes of RAM).

    And it ran just fine on that machine. There's no WAY that Microsoft could have implemented the code for variable length filenames in that amount of RAM.

    Not and do all the other things that DOS did (what little they were).

  24. Re:Detection/Removal instructions? on PhatBot Trojan Spreading Rapidly On Windows PCs · · Score: 1

    You misunderstand. EVERYONE running Windows XP has this file on their system. None of them are infected.

    There isn't an 0wn3d copy on the machine, the instructions are just screwed up.

  25. Re:Detection/Removal instructions? on PhatBot Trojan Spreading Rapidly On Windows PCs · · Score: 1

    On the other hand, svchost.exe is the "Generic Host Process for Win32 Services". It's built into Windows, and hosts almost all the Windows services - if you kill all the svchost processes your chances of being able to use your machine are almost 0.

    Also, svchost.exe is protected by Windows file protection. So if you delete it, it'll come right back.

    Those removal instructions are a recipe for user confusion :)