Re:well, not effortlessly (on RTF Vs. OOXML, Score: 1)
Strangely enough, the first link in the search you used for "Dos isn't done.." is a refutation of that particular myth. One where the author went not only to the MS engineers who wrote DOS, but to Mitch Kapor of Lotus and several of the Lotus developers who were developing the product at the time.
"DOS ain't done 'til Lotus don't run" sounds catchy, but if the people who wrote DOS and the people who wrote Lotus 1-2-3 are to be believed, it didn't happen.
Playing MP3s and DVDs without breaking the law (fair law or not, still a law)
As long as you're whitelisting opinions here, I'd like to point out that you can do the same thing on Windows XP, Windows 2000, Windows Server 2003, Mac OS, et al.
You do this and you lose the ability to complain when your box gets 0wned by the next Quicktime vulnerability coming down the pike (and there have been enough of them this year).
In all honesty, I think that MSFT was right in pushing IE7 as an upgrade for IE6. IE7 is an update to IE6, not a totally separate product. The reality is that the security improvements in IE7 (the phishing filter and the fact that it disabled most ActiveX controls by default) are enough of a reason to justify recommending it to customers (and just like the Safari "update" people are complaining about, you can turn it off).
I'd have more issues if Microsoft decided to force a download of (say) Visual Studio Express as an "upgrade" to Windows (or any other component that's not a part of Windows). Or if they made the Silverlight update enabled by default (as of today, they offer it as an optional download (it's disabled by default)). Heck Microsoft doesn't even include Office products in Windows Update (you have to opt into the Microsoft Update version to get non Windows products offered in Windows update).
Apple's doing one of two things: either they're (a) leveraging their iTunes monopoly to push Safari or (b) using their security holes as opportunities to upsell iTunes and Safari (since you need to use Apple Update to get fixes for the Quicktime security hole of the week)
Neither of these are OK in my opinion. Software update should be for updating existing software to fix bugs in the software you chose to install.
I don't have any problems with the Apple updater offering other products, I do have issues with the updater offering those products by default.
Several of the vulnerabilities in libPNG are exploitable integer overflow vulnerabilities. Java does absolutely nothing to stop those vulnerabilities. And even if it does, much of the Java runtime is written in C, and is just as vulnerable to buffer overflows.
The grandparent was right: People should stop thinking that somehow interpreted languages (Java, .Net, VB6, etc.) are solutions to security problems. All they do is to raise the bar.
As I understand the vulnerability, MSFT can't fix this - the problem is that the 1394 hardware specification allows a device plugged into a 1394 port to read or write to arbitrary locations in memory. The OS isn't involved.
As such, this is a hardware vulnerability - every OS in the world is affected.
My answer was relatively simplified for the audience. I was just trying to get across the idea that ActiveX isn't an insecure technology per se (which appears to be the general opinion on the internet), but instead a vehicle for deploying plugins, and it's the plugins that are insecure. As I mentioned, at least one of the vulnerabilities mentioned in TFA is applicable to Firefox (the vulnerability is in QT). The attackers are only targeting QT when it's hosted in IE, but according to Apple, QT is vulnerable in all flavors.
In reality, ActiveX is the name for a collection of technologies that are used to get a plugin running in the browser. The biggest part of ActiveX is the COM/OLE Automation programming interface (which provides activation and scripting control). There is also the Authenticode code signing technology (which allows you to know that a particular control was written by the person who said they authored the control), the IObjectSafety COM interface (which is required to get a COM object to run in the browser), and there are others.
Not quite.
ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology).
The plugins have vulnerabilities, and the bad guys are exploiting the vulnerabilities in the plugins. There's nothing about ActiveX involved except for the fact that the plugins are written for IE.
The exact same exploits could be written for Firefox or Safari or Opera, because they all contain support for the vulnerable plugins.
Windows Vista runs all browser plugins in a very locked down sandbox which should mitigate most vulnerabilities caused by browser plugins, but other browsers don't run their plugins in a locked down mode.
There's one real negative about ActiveX controls - Microsoft, for whatever reason, chose to make it easy for a web site to host and use plugins, and before Windows XP SP2, certain ActiveX controls were automatically assumed to be safe (which is utterly stupid).
From a security standpoint, an ActiveX control is indistinguishable from any other browser plugin - the security holes are in the plugins, NOT in ActiveX.
Microsoft can't give you a legal promise about how the OSP affects you because Microsoft's lawyers CAN'T tell you how a legal document applies to you. They're lawyers representing Microsoft, and they can't issue legal opinions for anyone else.
Lawyers are professionals who are trained to understand the language of the law, just like software developers are professionals who are trained to understand the language of computers. Just as I wouldn't expect a lawyer to be able to write an operating system, I wouldn't expect a software developer to be able to interpret a legal document.
That's why this entire discussion is stupid. Microsoft has created a legal document (the OSP). If you want to understand your rights under the OSP, you need to talk to your lawyer.
Their product for organizing books, etc., was actually mentioned in TFA. They resell Collectorz's Book Collector.
One other option is to use the built-in support for that functionality in that alternative operating system.
See here for more details on how to enable "PageHeap", which does exactly what you're describing.
That's cool - fortunately no open source software uses the systrace facility, which has at least one well known vulnerability that affects apps that use the facility.
The base comment is the one that's unreasonable (an OS can't be considered secure if it allows 3rd party applications to make it insecure).
By that standard, no general purpose operating system in use today can be considered "secure".
If the operating system allows the use of 3rd party code that runs with supervisor privileges, then the 3rd party code can render the operating system insecure.
100% agreed. Of course then you couldn't complain about how sluggish the UI was on the server's console either.
Especially when the OS doesn't use hardware acceleration for video rendering.
I don't know this for sure, but I suspect it - after all, why should a server OS need to use hardware accelerated video?
Someone above already commented on how it would suck if your server crashed because of a crappy video driver.
So? First off, the IE team claims that IE7's going to be available without WGA. So part of that is no longer valid.
Also, I was responding to a claim that Microsoft withheld security updates for people who were running pirated versions of Windows. I provided a link from Microsoft that seems to indicate otherwise.
Why is this a problem? Are you saying that Microsoft is lying in their post?
Huh? According to Microsoft they provide security updates to pirated versions of Windows. Source: (click on "Will users of non-genuine Windows be blocked from receiving security updates?")
It also appears that the Malicious Software Removal Tool doesn't require validation either.
So you can run the same malware removal tools on pirated versions of Windows as well.
Sources? In the past, Microsoft used to do what you said (charge more if you didn't take the Microsoft stuff), but the DoJ stopped that.
As far as I know, none of the PC manufacturers are required to include IE as the default browser - they can do whatever they want and Microsoft can't stop them.
Which, if true, implies that they must have a different reason for choosing to include IE as the default browser on their machines.
Maybe the Mozilla foundation should start paying OEMs to include Firefox, just like Google pays OEMs to include the Google toolbar.
The reason that Law #1's written the way that it is is because it's written with the assumption that the attacker knows more than you do.
To be more specific, the bad guy knows about the as yet undiscovered security hole that renders all of your OS level sandboxing moot. That's why when the bad guy gets to run code on your computer, it's not your computer any more.
And there have absolutely been such flaws in Windows (the windows manifest file vulnerability for example), OSX (the .DMG file vulnerability for example) and Linux (the ELF file core dump issue for example), so this isn't just wild speculation (I found all 3 of those by simply typing in "<os> elevation of privilege" to my favorite search engine).
Every single one of them.
What percentage of the customers of the big media companies use PC's as their primary device for consuming their content?
I don't know about you, but I use a TV and a dedicated DVD player to watch movies. I don't use my PC primarily.
And every single one of the consumer electronic devices out there has already implemented the DRM that the media companies want.
The content companies would be quite happy to lock out Windows - it doesn't represent a significant portion of their viewers.
Beats me. I just knew that it was disabled by default and 30 seconds of searching found the privacy policy. There might be more information there, I don't know.
Then, of course, there's the tinfoil hat issue of whether or not you can trust Microsoft (or Google, for that matter) to abide by their privacy policy.
???? IE7's antiphishing is enabled by default?
On every machine I've installed IE7 on, the first time you hit a page in the internet, it pops up and asks you if you want to turn antiphishing on.
Microsoft also claims that it's off by default:
"Automatic checking of all websites by Phishing Filter is off by default. Phishing Filter can be turned on and off from the Internet Explorer Tools menu. For example, to turn off automatic checking of all websites:"
In addition, it's worse.
One of the problems is that lawyers are forced to work in an incredibly imperfect language for conveying contracts: English (or whatever the local language is).
This means that the language that lawyers use is almost a different language than lay people - certain words that have one meaning (like "opinion") mean something very different when a lawyer uses them than when a lay person uses them. In my example, a lay person thinks that an "opinion" is a statement of belief. But to a lawyer, an "opinion" is a statement of how something will be interpreted under the law, based on their fullest understanding (including relevant case law).
It's very similar to code. English is too inexact a language for computers, you MUST use a separate, more precise language when dealing with something that needs precision.
It's extraordinarily difficult to use the vernacular when dealing with contracts; the language is simply not exact enough to convey the complete meaning of the contract. That's where the years and years of training come in.
Technically, the first version of Windows that came with a DVD encoder was Vista (and only in the premium and ultimate SKUs). On the other Windows versions, the DVD decoder came with the video card.
That's what the VSS feature listed above is. The one that the lawyers were saying was a "nightmare".
OSX Leopard will have the exact same issues as Vista in this area.
Absolutely, and I have huge amounts of respect for him.
But until the GPL's actually adjudicated, all we know is that it's his legal opinion that the GPL is enforceable (IMHO it probably is).
The question that makes lawyers lose sleep is "What are the extents of the GPL?" If a developer looks at GPL'ed code that implements an algorithm, then goes and implements the same algorithm in their code, does the GPL apply? Copyright law would tend to indicate that doing that is copyright infringement (obviously it depends on the amount of copying). And then you get the big question: Does infringing on the copyright of code that is licensed under the GPL cause the GPL to attach to their code?
I simply don't know, and neither do the lawyers. That's what scares them about the GPL.
On the other hand, consider my hypothetical example in the grandparent post. If someone sued a company using the GPL because they believed that the Gimp plugin that company authored violated the GPL (because the company included a necessary header), that company would do everything in its power to prevent its plugin from being open sourced - especially if that plugin contains valuable intellectual property.
It all depends on the value of the code - BOTH sides pick and choose their battlegrounds. Let me give you a somewhat more concrete example: Even though everyone I read complains about the closed source video drivers distributed for Linux, nobody seems to want to sue NVidia or ATI over them, even though they might violate the GPL (they might not, it's never been tried in a court of law). Why? Because those NVidia and ATI drivers contain code that both NVidia and ATI believe gives them a competitive advantage. They'll do everything possible to avoid being forced to open source those drivers.