Slashdot Mirror


User: mdfst13

mdfst13's activity in the archive.

Stories: 0
Comments: 1,268

Comments · 1,268

  1. Re:7 is not `only' on The Web's 20 Worst Security Flaws · Score: 2, Insightful

    Not just that, but there is also overlap. I.e. most of the Mozilla vulnerabilities also apply against IE. If the basic issue were solved (for example, the JPEG flaw in MS Windows), then Mozilla wouldn't have to add code to catch OS and protocol level flaws.

    The shell: vulnerability is a perfect example of this. Mozilla didn't fix anything. They simply decided that the shell: protocol was so incredibly insecure that they would disable it entirely. IE is still vulnerable, as the protocol still sucks. Now though, people using IE have to click the run from remote location button rather than "Save As" in order to get cracked.

  2. Re:P2P??? on The Web's 20 Worst Security Flaws · Score: 1

    "That makes about as much sense as saying me taking a sledgehammer to your computer is a Unix vulnerability."

    Only if people with sledgehammers are as common as P2P use in MS Windows. This isn't a listing of default install vulnerabilities. This is a list of the most likely reasons for a system to get cracked. Apparently an idiot installing P2P software is the 7th most common reason for a MS Windows box to get cracked. I doubt that DOS via sledgehammer appears very high among crack causes.

  3. Re:Only 7? on The Web's 20 Worst Security Flaws · Score: 1

    "An alternate browser provides little or no security advantage."

    In this case, it reduced the number of security holes to patch from 15 to 7. I.e. Mozilla needs to be patched to cover up MS Windows security holes half as often as does IE.

    Switching from IE to Mozilla does make one's system more secure. The fact that switching from MS Windows to a unix based system will have a greater effect on security should not keep people who are using MS Windows from swapping browsers.

  4. Re:Senator Geek on Induce Act Stalled For Now · Score: 1

    It is a problem if it causes underproduction (also the problem with monopolies). The standard used in economics is Pareto efficiency. If something is Pareto efficient, it means that there is no way that people can exchange things and *both* would be better off. For example, if I prefer oranges but have apples and you prefer apples but have oranges, we are not in a Pareto efficient state. We would both be better off if we swapped the apples and oranges.

    If fifty people would prefer to pay $1000 more for $50,000 worth of increased police protection but don't pay it because each does not find $1000 more of police protection worthwhile, then it is not Pareto efficient. To go back to the military example, it would be like the US cutting back spending by 2/3 to join Japan and Germany. Then all of us have suboptimal defense.

    You can of course simply accept this if you like. Obviously, we currently accept this in defense.

  5. Re:Sure I do on FTC Files Spyware Case Against Sanford Wallace · Score: 1

    They were theoretical bugs for years. Once someone actually developed a proof of concept exploit they were fixed.

    Another point is that the shell: exploit was only a bug in MS Windows. The short term response was to disable the shell: protocol (which they were able to do because of changes made in response to the original bug report; update pushed out the day after the proof of concept was published). The longer term response was to turn off OS passing by default. Previously, if a protocol was unknown to Firefox, it passed it on to the OS for handling unless blacklisted. Now it only passes protocols that are on a whitelist. This change was controversial, so the bug report stayed open a long time.

    IE is *still* vulnerable to the shell: exploit. The victim just needs to click on the Open button instead of the Save button.

  6. Re:Damn right the problem is built-in to the syste on Corporate Identity Theft on the Rise · Score: 1

    "I'd like to create a subsidiary of myself that can declare bankruptcy without it affecting me."

    So why don't you? How hard is it to incorporate in Nevada/Delaware these days?

  7. Re:Note: IRS has a new address on Corporate Identity Theft on the Rise · Score: 1

    "to the United States Treasury"

    Couldn't you make the check out to "Internal Revenue Service" as well? Wouldn't that have the same effect?

  8. Re:Senator Geek on Induce Act Stalled For Now · Score: 2, Interesting

    Nobel laureate Coase (famous for the Coasean Welfare Theorem, which generalizes the General Welfare Theorem) offers two potential solutions to this:

    1. Breathers would get together and pay the polluter not to pollute. The problem with this is that it encourages pollution as an extortionary tactic. I.e. it encourages people to pollute so as to get paid to stop. For that reason, most would advise against this.

    2. Class action lawsuits against the polluters would force polluters to pay for the damage caused by the pollution. This seems to be Badnarik's position. It's worth noting that a mediation/arbitration system could improve on the class action lawsuit system here.

    More interestingly (at least to me) is that I have never seen a solution to the reverse commons problem: even if (for example) a police force is not supported by me, I still get most of the benefits if all my neighbors pay for police protection. As a result, there is a tendency to underpay for police support on the theory that one's neighbors will do so for you.

    You can see examples of this in military spending. Both Germany and Japan pay much less for defense (both per capita and as a percentage of GDP) than we (Americans) do. The presumption is that we would use our military to defend them if they are attacked. This originally started from our side; both were prohibited from developing their own military after World War 2. Now, both use it to keep their taxes lower than they would be if we were not providing defense services for them.

    Note further that this is not irrational behavior on our part. If Japan or Germany were attacked, the loss of trade would do damage to us. Further, military capability often prevents military action (i.e. you don't attack someone who is bigger than you because you don't want to get beat up). As a result, the threat of us using our military is generally sufficient. Therefore, we don't actually require that much bigger a military to protect Japan and Germany than we would need to protect just ourselves.

  9. Re:Makes me think on Induce Act Stalled For Now · Score: 1

    "As it is, nobody is forcing anyone to purchase CDs. You can go online and use iTunes, Napster, or one of the other online services. And buying CDs online is generally much cheaper as it is. It's different from, say, Microsoft Windows which is the backbone for 90+% of the desktop computing world.

    The term "freedom" when describing things like speech, the economy, etc. is more of an abstract idea referring to a certain system. We don't really have freedom of speech--our freedom only extends so far as to not step on the rights of others (i.e., you can't harass someone). And at the same time, the freedom of the economy also extends only so far, but the idea is that someone can charge whatever they want for their product and people can choose or choose not to buy it."

    Just reposting since the poster has negative karma. The Sherman anti-trust legislation confuses a lot of people. It doesn't outlaw monopolies; it outlaws types of extortion used by monopolies. By any argument against anti-trust as anti-freedom, we should also eliminate laws against extortion, blackmail, and slavery. They also restrict "freedom."

  10. Re:I still don't get... on Microsoft Issues Ominous ASP.Net Security Warning · Score: 1

    As I read your parent, it said that that self-taught person sneers at college grads. I doubt that he would listen to constructive criticism.

    As you note, this attitude has less to do with being self-taught and more to do with being an idiot.

  11. Re:register_globals = off on Beginning PHP and MySQL · Score: 1

    "There's no good reason to use register globals unless you don't know how to program secure applications."

    That is entirely bass ackwards. If you don't know how to program properly, you should have register_globals turned off. If you do know how to code properly, then it doesn't matter if register_globals is off or on. Well written code is inherently immune to exploit of register_globals.

    With the demise of PHP3, there is no reason not to write code that is compatible with register_globals off. However, this does not mean that older code that requires it is poorly written. It just means that it was using the interface that worked with PHP3.

  12. Re:IIRC on Beginning PHP and MySQL · Score: 1

    " all you have to do is enter your smtp server"

    You need an SMTP server first... MS Windows does not come with one by default. Almost every version of *n?x has sendmail or equivalent.

  13. Re:Hmm on Google Launches Google Print · Score: 2, Insightful

    Why wait a week? Just read the excerpt on the content page. Or get the book off your shelf (yes, it can include books that you already have). Or go to the library and get the book. Or have Amazon overnight it.

    If you RTFL ( http://print.google.com/googleprint/about_example.html ), these aren't "advertisements;" they're actual excerpts and descriptions of the book. It might even contain the info that you want (e.g. a quotation). The advertisements are on the side (left rather than right) of the linked page just like always. The book results may be useless to you, but they aren't "evil."

  14. Re:register_globals = off on Beginning PHP and MySQL · Score: 1

    " This little aspect is one sure way to find out if the guy doing your PHP is competent."

    Yep, if your PHP guy or host tells you that you need to turn register_globals off for security reasons, you know that the twit doesn't know how to code properly. register_globals is only a security problem for badly written code. One reason that applications will use it is because it simplifies PHP3 compatibility for some uses. Of course, there shouldn't be too many PHP3 installs left now, so they should probably phase it out.

    The reason that it (correctly) defaults to off now is that badly written code is quite common. Same thing with magic_quotes_gpc but more so. It makes it harder to code in vulnerabilities but also makes it harder to process the data. This forces people to research the problem. Once they understand the issues, they can turn off magic_quotes_gpc and code the database insert code properly.

    A surefire sign of a bad hosting company is one that won't allow you to revise these settings for your own site because it compromises "security." If the host can't protect sites from malformed code from other sites on the server, the host is not worth the trouble.
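    An added example, not code from this thread or from mdfst13, illustrating the point comments 11 and 14 make: register_globals only hurts code that leaves variables uninitialised, and magic_quotes_gpc is no substitute for a prepared statement. It assumes a placeholder ADMIN_HASH and uses extract() to stand in for what register_globals did to the global scope.

```php
<?php
// Added example, not code from the thread. extract() stands in for what
// register_globals did to the global scope; ADMIN_HASH is a placeholder.
declare(strict_types=1);

// Placeholder hash; a real application would load this from configuration.
define('ADMIN_HASH', password_hash('change-me', PASSWORD_DEFAULT));

// Old-style code: expects the request to populate $user and $pass and
// only assigns $authorized on success. Every other request key becomes a
// variable too, so a request that merely names 'authorized' satisfies the
// final check without a valid password. This is the "badly written code"
// that register_globals turns into a hole.
function login_old_style(array $request): bool
{
    extract($request);                  // stand-in for register_globals = on
    if (isset($user, $pass) && $user === 'admin'
        && password_verify($pass, ADMIN_HASH)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Fixed code: every variable starts from a known value and input is read
// from the request by name, so unexpected keys are ignored. It behaves the
// same with register_globals on or off, which is the immunity the thread
// describes.
function login_fixed(array $request): bool
{
    $authorized = false;
    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');
    if ($user === 'admin' && password_verify($pass, ADMIN_HASH)) {
        $authorized = true;
    }
    return $authorized;
}

// magic_quotes_gpc: undo its escaping once (it is a no-op from PHP 5.4 and
// gone in 8.0), then let the driver quote through a prepared statement
// instead of building SQL from strings.
function insert_comment(PDO $db, string $body): void
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $body = stripslashes($body);
    }
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Constructed requests: one forged (no password at all), one genuine.
$forged  = ['authorized' => '1'];
$genuine = ['user' => 'admin', 'pass' => 'change-me'];
var_dump(login_old_style($forged), login_fixed($forged), login_fixed($genuine));
```

    Only the old-style function accepts the forged request; the fixed one rejects it and accepts the genuine one regardless of the register_globals setting.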

  15. Re:It's PostgreSQL, please on Beginning PHP and MySQL · Score: 1

    "Postgres it is!"

    I'm going to stick with Mys (MySQL is too long to write out all the time).

  16. Re:Switch from asp - php(5) on Beginning PHP and MySQL · Score: 1

    " Because mail($to, $subj, $body, $headers); is sooooo difficult.."

    No, because MS Windows does not come with a mail server preinstalled. To get it to send email one must either install a mail server or use code that handles the SMTP connection manually (rather than the mail() function).

    ASP uses the SMTP connector that comes with IIS; Apache/PHP do not come with an SMTP connector -- one must be installed separately.

    Btw, I use Apache2Triad to simplify the Apache/MySQL/PHP install on MS Windows (XP). Others swear by EasyPHP (which works more in the win9x fashion).

  17. Re:My experience reporting bugs.. on A Security Bug In Mozilla - The Human Perspective · Score: 1

    The issue is not people critiquing the application; it's people who act as if their critique is somehow more important than the other million critiques. Further, when people do that, they make it more likely that relevant readers will stop following the thread (because they follow your advice). That makes it less likely that the bug will be resolved for people other than the complainer. Thus, the complainer's behavior hurts not just the complainer (justified) and the developer, but everyone else.

    Also, the OSS model does not do away with help desks; it just charges for it separately. Since many people in the OSS model are freeloaders, this means that they don't have access to the help desk. The proprietary model gets around this by requiring you to buy the help desk to get access to the software.

  18. Re:3.5-year-old information disclosure and DoS on A Security Bug In Mozilla - The Human Perspective · Score: 4, Insightful

    "not ... a remote-data-access."

    According to comment 58 in the bug report: "Given that this vulnerability actually allows sites to do useful things like steal passwords, I feel that we should address it ASAP."

    This bug allows the browser to open and access a local file. The information about the file can then be sent to a remote site with some basic JavaScript. How is it not a remote data access again? The DoS issue is not good, but the file opening is worse, particularly if someone figures out a way to get the contents of the file rather than just the characteristics.

  19. Re:My experience reporting bugs.. on A Security Bug In Mozilla - The Human Perspective · Score: 2, Insightful

    "you're bitching that they won't pay you to work for them, when you don't pay them for their product?"

    And complaining about how slow they are to fix their free product.

    I knew a guy who participated in a church program to distribute donated furniture to the needy. They showed up at one house and the lady told them to take the couch back since it didn't match her drapes. For some reason, he stopped participating.

    FOSS means that you don't have to wait for someone to change program behavior if you do not want to do so; however, it also means that you don't have any leverage if you want them to change the behavior for you -- they will always be happy to refund your $0.

  20. Re:Kind of link not having curtains on Court To Reconsider Decision On ISP Mail Snooping · Score: 2, Insightful

    What if they read the mail while it is still in the truck? Or at the post office? What if a piece of your mail drops on the sidewalk? Can anyone read it now? The sidewalk is public property?

  21. Re:Kind of link not having curtains on Court To Reconsider Decision On ISP Mail Snooping · Score: 1

    "An e-mail would require the sysadmin or employee to actually intentionally retrieve it from their system to read it."

    What if they are using a network sniffer? Email is passed in plain text. Further, a lot of info about the email is stored in the logs (e.g. sender and subject). For example, when I worked at a university, there was a faculty member who required 80 MB of space (default was 10; anyone could get 20 by asking; 80 required special permission) to get emails from the gay.black.male mailing list (I knew this because if he took a day or two off without reading his email, his account would overfill and clog up the incoming mail queues; yes, it was enough mail to make a difference even with 30,000 active mail users).

  22. Re:Electoral College is a GOOD Thing on An Analysis of Various Election Methods · Score: 1

    "it will always be very much to each State's advantage to award the Electors as winner-take-all, because this maximizes their leverage against the other states in the Union"

    No, not each state; winner takes all minimizes the leverage of states where the outcome is not close. Since 50.01% is as good as 90%, a state where the margin is high will not be able to influence the candidates' positions as much as those states where either candidate could win. For Florida, winner takes all makes sense, since both candidates will aggressively try to win the state. For Texas and Massachusetts, winner takes all ensures that neither candidate will campaign in those places at all. If they changed to proportional representation, they would gain influence (albeit not as much as a winner take all state).

  23. Porting cheaper than new development on Linux GPU Performance · Score: 1

    If you already have a working driver on one platform, it is cheaper to rewrite that driver than it is to write a new one. If you do this over several design iterations of your product, you can develop a design system where platform dependent code is separated from platform independent code in such a way that you have to make few changes to the platform dependent code per product. I.e. platform dependent code will be mostly product independent and product dependent code will be mostly platform independent.

    To respond using your numbers as a base: if it costs $1M USD to develop a MS Windows driver, then I would expect it to cost less to develop a Linux driver from the MS Windows driver, perhaps $100K. Thus, even though your Linux numbers are wildly optimistic (Linux is closer to 3% than 10%), it is not nearly as bad as it seems at first.

    Another issue is that video cards are a competitive market. Even if the overall market is only 3%, it is worth noting that by having the better driver, that company gets most of the 3%. They have to split the 90% from MS Windows.

    It's also worth noting that MS Windows sales are largely through OEMs and get the OEM discount. Linux sales are largely singletons and get the retail premium. Thus, Linux users as a group are somewhat more profitable than MS Windows users as a group.

    Finally, nVidia makes motherboard chipsets as well as video chipsets. By producing the better video drivers, they encourage people to buy their motherboards as well. ATI, OTOH, produces Mac and Sun video cards; thus, they already need to maintain platform independent code. This makes it much easier to produce lousy drivers, which they do so as to keep a toe in the market.

  24. Re:How is software really different? on Groklaw Rants On Software Patents · Score: 1

    "The bogus patent boom has coincided with the tech boom."

    I think that you misspelled "tech bust." During the boom, I don't recall any major patent abuse litigation. Now we get a new case every month. Note also how many abused patents came from previously bankrupt companies; the patents were bought purely to be litigated (why does *Kodak* have a patent on object oriented programming? Answer: they bought it from Wang Labs).

  25. Re:This epitimizes what is wrong with SW patents on Groklaw Rants On Software Patents · Score: 2, Insightful

    "Once the patent wars start, there'll be no stopping them"

    Unfortunately, the big players cross license with each other. Microsoft deals with Sun deals with IBM. The only companies that work as loose cannons are those (like Eolas) that do not produce software products profitably. They can't be intimidated into cross licensing because they don't actually produce the software.