What I want to know is what protects artists from dumb-ass corporate moves?
Nothing at all. In fact, unless the corporation has assumed liability on behalf of the artists, the artist is theoretically liable for damage caused by the CD that installed the malware. In the publishing industry, if you are worried about being sued, you have to get your own liability insurance - the publisher isn't going to indemnify you.
This situation is a bit different because the publisher added the malware, not the artist, but it's still not out of the question for the artist to be named in the lawsuit and wind up having to spend money disputing the assertion that they might be liable.
Of course, the artist can also sue the publisher for putting the malware on their CD, and in fact it wouldn't surprise me if we start seeing lawsuits from these artists, because regardless of whether or not they are sued, the fact that the music they've published isn't getting to the fans because of this fiasco is costing them money, and possibly also fans.
Hm, in MxO all the avatars are the same height, so I don't think it's a height thing. And normally the avatar is taking up about a sixteenth of the width of the screen - of course this varies depending on your screen size and the way you've configured the camera.
Personally, I chose the avatar I did because she is about the same build as my sweetie, whom I happen to find very aesthetically pleasing.:')
What I'd like to see is Sony doing a cost/benefit analysis for this fiasco and realizing that they actually lost more money dealing with the aftermath of this mistake than they could possibly have lost from "piracy."
Unfortunately, I haven't seen any honest CBA's out of the music industry, so I'm not holding my breath.
Just because something is obvious doesn't mean that it's true. I'm one of the three people who plays Matrix Online, and I know quite a few people in the game. I'm male, but play female avatars because I don't feel like looking at a guy's butt for hours on end as I play the game. I know some other men who play female avatars, and also women who play female avatars, and men who play male avatars. This is all just anecdotal, but here's how my experience breaks down:
1. All of the men who play female avatars pick the female avatar with the smallest breasts and hips. 2. Women who play female avatars are all over the spectrum, but seem to have a tendency to pick avatars with big or medium breasts and hips. 3. Men who play male avatars tend to choose the middle-size or small avatar more often than the giant avatar.
I haven't run into a lot of female players who play male avatars, either because they don't admit it or because there aren't any - I don't know. I'm not counting the people I haven't asked, so my sample is small.
And as for clothing, the people who have female avatars all tend to wear sexy clothing, whether the player is male or female.
MxO is in one sense not the best example, because there's a limit to how risque the character's outfit gets, and none of the character wear anything that looks like armor, so there's no male/female mismatch there. All of the characters can dress up styley or dress down, and for the most part people dress up, not down, even to the extent of choosing clothes with fewer buffs that look nicer.
Worse still, the study once again pushes the idea that having tons of software on your computer to scan everything you download and to scan the machine itself over and over again, at great cost, is the way to secure your computer, and that a firewall prevents you from getting hacked. This kind of received wisdom encourages people to run Windows XP pre-SP2 with antivirus software because "the antivirus software will protect me" when in fact the user would be better off upgrading and not bothering with the AV software.
AV and AS software have their place - as gatekeepers, not as perpetual performance-draining devices. A system that scans anything before it's installed as an executable is a great idea. A system that scans everything, all the time, isn't. Too bad that's how most of this software works.
"Not connected to the internet", then? BIND is notorious for remote root exploits. This by you is "okay"?
Do you mean BIND 8 or BIND 9? Looking at your google query, I see about four different hits that actually have to do with BIND, and they're all about BIND 8, and they are all the same root exploit, not four different root exploits. Along with them is a root exploit for tcpdump - are you proposing that we stop using tcpdump as well?
Seriously, if you want an open source name server, BIND 9 is an amazingly high-quality piece of software. I've never used djb's software, because I hate managing patch trees, and because I like BIND 9's automatic, secure zone transfers, which aren't supported by djbdns. Perhaps there is some value in it, but it's not worth it to me. Also, the cult of personality implicit in naming a product after yourself upsets my stomach. Should I have called the ISC DHCP server tedhcp?
If you are running BIND 8 because BIND 9 doesn't perform as well, first of all, the difference probably isn't as great as you've been led to believe. Secondly, you can probably afford a high-quality commercial name server, such as the one my employer makes. Personally I don't think running BIND 8 is worth the headaches - it was a credible piece of software in the early days, but by the time version 8 rolled around, it was due for a rewrite, and that's why the ISC in fact completely rewrote it from scratch for version 9.
Yeah, I know, it's very cool, but all my domains are in the US. So I could register in.se, but it would look weird to my users. And it still requires installing the zone key for.se in any resolver that's going to securely resolve DNS entries in my zone, so it's actually not that useful yet. But it is a nice start - I hope more TLDs follow suit.
I find Dan highly amusing, and would find a world without him a sadder place, but that's an opinion piece, without an iota of basis for any of the assertions he makes.
The one factoid he presents is the Microsoft ActiveX key spoof, which is indeed interesting. It also isn't addressed by his proposal, so I'm not sure what good it is. As for querying multiple servers to validate a lookup, that's a fun idea, but you still haven't cryptographically authenticated the information, and all it would take to hack this would be to successfully spoof the NS records for the zone, which isn't particularly harder than spoofing the zone itself.
The reason that reputation-based security works is that you have an active, intelligent participant tracking reputation; even in that case, it works only so well - many of the spoofs we're talking about here actually take advantage of someone's trust in reputation, by convincing the person that they are talking to someone to whom they are not actually talking. The better a critical thinker you are, the better reputation-based security will work for you; the more you know in the moment about the person to whom you are talking, the better it will work for you. Lacking either of these, as is the case with Dan's proposal, you've got nothing but a house of cards.
If Fred's House of Flowers has your credit card info, and it's not secure, then it's the weak link in the chain, and it's the place where the attack will happen. I don't mean to say that in order for secure DNS to be useful, everyone has to use it, but certainly if it comes into widespread use and its use makes it a lot harder to spoof secured sites, then the sites that aren't secured are the ones that are going to get spoofed.
Most people can't tell if they are connected using SSL or not. One of the nice things about secure DNS is that if the DNS response is spoofed, it just doesn't come back. So if you have someone spoofing a zone, you don't see answers to the zone, rather than seeing and accepting the wrong answers. This leads to trying to figure out why "the internet isn't working," which leads to the revelation that someone is spoofing DNS, which leads to the problem being corrected.
To spoof you without secure DNS, all I have to do is present a copy of the real web page that has all the https:/// strings substituted for http:/// - at that point unless you're fairly sophisticated, you're going to wind up sending your info to the spoofer, and you're not going to know that you've been spoofed.
This is not to say that secure DNS is a panacea, but if it were deployed on a widespread basis, it would solve a number of significant problems.
By the way, speaking of SSL again, it has no root key rollover. Your root keys are preconfigured in your browser. So if a root key is ever compromised, your browser is going to be vulnerable until such time as you download a new copy, even assuming that the root key compromise is detected. DNS also lacks root key rollover right now, but this is a problem that is being worked on, whereas as far as I can tell in the SSL world, at least on a practical level, it's not.
The main problem with "secure DNS" is that you can't get it. This is because some of the problems remain unsolved - the problem of key rollover is currently generating a huge debate on the namedroppers mailing list, not the least because one of the proposals being advanced is patented.
On top of that, even if you ignore the signing of the root key, by and large you can't get ad-hoc zone signing - if you want to secure a zone, everybody who's going to see it as secure needs a copy of the zone key, because your top level domain (e.g.,.com) isn't in a signed zone.
On top of that, many TLD providers seem to want signed zones to be a value-added option rather than basic functionality. So as with RSA, lo those many years ago, adoption will be slow because people want to monetize it, rather than seeing it as basic functionality that has to be there.
So it's no surprise that the end user isn't interested in it yet - they can't get it even if they are interested.
More precisely, done badly, anything is bad. And perhaps it's easy to do it badly. However, the counterargument to that is that sometimes a thing done badly is better than a thing not done at all. And also, best is the enemy of good enough.
Hm, can I think of any more slogans to throw in here?
My experience back in the 1980s when New England Telephone was charging for DTMF was to get rotary. Turned out that DTMF worked anyway - you couldn't turn it off at the switch. So I got DTMF without paying the surcharge. Chances are that your switch also doesn't support turning off DTMF support, so even if you don't have a rotary phone, if you opt out of DTMF, it'll still work. If it were me, I'd *get* a rotary phone.
There are a lot of users who travel, and need their email to be on their laptop when they're in the air, and who don't always have high-speed internet where they happen to land at any given time (e.g., in a sales situation where the place you're visiting doesn't allow you on their network). So I don't think webmail is going to supplant regular email anytime soon. Also, consider that you really can't do business with your gmail account - you're entrusting someone with your confidential information who hasn't promised either to keep it safe from loss or to keep it safe from eavesdropping.
As for email/outlook functionality on Linux, it's not there. I've been trying all the email agents on Linux in succession. None of them are ready for prime time. They work, don't get me wrong, but Evolution crashes, and the UI is lacking some really crucial functionality. It really needs a usability makeover. KMail is somewhat better, but still needs a drastic makeover, and KMail in KDE 3.5 has this new namespace support, which means that you have to be an expert to configure it. Plus it crashes randomly. Sylpheed-claws is too slow to be usable, although it's got the best UI of the lot.
Then there's the problem of integration. Everybody has their own damned calendar system and their own address book system. Why? If I switch from one to the other I lose _everything_. There is some support in Evolution and KMail for interoperating with Microsoft's products, but if you have a Mac, you're SOL - there's no migration path at all.
Bottom line is that the article is correct in saying that email/calendaring/contact management really isn't there yet, and it is really, really important - email, calendaring and contact management are three of the main killer apps for the average computer user, and if they don't work better than the Microsoft and Apple alternatives, people who have a choice simply aren't going to switch.
His books are scaled and plotted for kids, but without talking down to them. Highly recommended. He's written some adult stuff too, which is also very good, but he's worth checking out for his teen books.
The cause of the problem is that you live in a world where people do not behave well. This would be a problem if it were an anarchy, as it is a problem in communist and capitalist countries. If you want to live in a different kind of world, start by controlling the behavior of the only person whose behavior you control: your own. Don't ever act in a way that's inconsistent with how you would like to be treated, and on a meta level, try to figure out how others want to be treated and treat them that way, even if it isn't how you yourself would like to be treated. Changing the world happens one person at a time, not one ideology at a time.
Do remember that it's a shared spectrum, and it's widely used by other devices, like portable phones. Most of the experience I've run into has come straight from the portable phone world. Changing the channel helps whether it's the wireless device or the portable phone, because you're just picking a channel that's not otherwise in use.
I've been in environments where there were ten or twenty browsable networks, and I was still able to get good service (in fact right now I'm connected to a base station that's not the strongest at my location, and I can browse about ten base stations, and I'm getting solid network service), so I am much more inclined to point the finger at a portable phone than at the competing base stations. Changing the frequency of your base station was the right thing to do in either case.
The rhinocerous in the living room of your little analysis there is that capitalists (capitol is the place where the legislature meets, btw) are just as corruptible as socialists. The difference? If everybody is a wage slave, nobody has time to oversee the overseers. So in terms of preventing corruption, socialism is actually a much safer form of government, because in a socialist society (e.g., most of the societies of Western Europe), the a broader range of different members of the electorate have enough free time to act as a check against massive government corruption.
I think it's no coincidence that in a time when Americans are working more hours than they have at any time in recent history, the government is also at its most corrupt.
Re:Throw your Microsoft boxes into Boston Harbor!
on
The Demise of IP?
·
· Score: 4, Insightful
If you've ever actually written any code, you already know this: producing something that is easy to use is hard. Coming up with the algorithm and the data structures isn't trivial, but compared to getting the thing so that it's useful to the end user, they are. Ironically, the thing that's hardest is the thing that's covered by copyright - you copyright an implementation of an idea. And the thing that's easiest is the thing that gets the most powerful protection - you can patent an idea (which is a scandal, by the way - patents are supposed to cover implementations, but at this point what they cover in the software arena is, effectively, the idea itself).
So what this means is that someone with a lousy implementation can corner the market if they get the patent first. In fact, someone with no implementation can corner the market. The thing with the least value winds up being the thing that controls the outcome.
In fact, by and large drug companies don't have a strong incentive to do new work. What they do is find ways to produce analogues that aren't covered by existing patents, and then try to take markets away from their competitors. So you get Viagra, Cialis, Levitra, etc, none of which really add value, rather than getting Viagra and then moving on to something useful like, say, curing cancer.
A lot of really interesting work that could be done isn't done because it's not easy to get patent protection on it, or the profit margins aren't what they would be for a drug that gives you a reliable hard-on.
There are lots of ways to fund drug research. The current mechanism is really quite horrible, in the sense that it creates an artificial scarcity and makes drugs unaffordable to the people who most need them. And this is rightly justified by the fact that with the current drug development model, if you don't withhold drugs from the poor, the drug companies can't make back their investment.
Slashdot Mirror
What I want to know is what protects artists from dumb-ass corporate moves?
Nothing at all. In fact, unless the corporation has assumed liability on behalf of the artists, the artist is theoretically liable for damage caused by the CD that installed the malware. In the publishing industry, if you are worried about being sued, you have to get your own liability insurance - the publisher isn't going to indemnify you.
This situation is a bit different because the publisher added the malware, not the artist, but it's still not out of the question for the artist to be named in the lawsuit and wind up having to spend money disputing the assertion that they might be liable.
Of course, the artist can also sue the publisher for putting the malware on their CD, and in fact it wouldn't surprise me if we start seeing lawsuits from these artists, because regardless of whether or not they are sued, the fact that the music they've published isn't getting to the fans because of this fiasco is costing them money, and possibly also fans.
Hm, in MxO all the avatars are the same height, so I don't think it's a height thing. And normally the avatar is taking up about a sixteenth of the width of the screen - of course this varies depending on your screen size and the way you've configured the camera.
:')
Personally, I chose the avatar I did because she is about the same build as my sweetie, whom I happen to find very aesthetically pleasing.
What I'd like to see is Sony doing a cost/benefit analysis for this fiasco and realizing that they actually lost more money dealing with the aftermath of this mistake than they could possibly have lost from "piracy."
Unfortunately, I haven't seen any honest CBA's out of the music industry, so I'm not holding my breath.
Just because something is obvious doesn't mean that it's true. I'm one of the three people who plays Matrix Online, and I know quite a few people in the game. I'm male, but play female avatars because I don't feel like looking at a guy's butt for hours on end as I play the game. I know some other men who play female avatars, and also women who play female avatars, and men who play male avatars. This is all just anecdotal, but here's how my experience breaks down:
1. All of the men who play female avatars pick the female avatar with the smallest breasts and hips.
2. Women who play female avatars are all over the spectrum, but seem to have a tendency to pick avatars with big or medium breasts and hips.
3. Men who play male avatars tend to choose the middle-size or small avatar more often than the giant avatar.
I haven't run into a lot of female players who play male avatars, either because they don't admit it or because there aren't any - I don't know. I'm not counting the people I haven't asked, so my sample is small.
And as for clothing, the people who have female avatars all tend to wear sexy clothing, whether the player is male or female.
MxO is in one sense not the best example, because there's a limit to how risque the character's outfit gets, and none of the character wear anything that looks like armor, so there's no male/female mismatch there. All of the characters can dress up styley or dress down, and for the most part people dress up, not down, even to the extent of choosing clothes with fewer buffs that look nicer.
Worse still, the study once again pushes the idea that having tons of software on your computer to scan everything you download and to scan the machine itself over and over again, at great cost, is the way to secure your computer, and that a firewall prevents you from getting hacked. This kind of received wisdom encourages people to run Windows XP pre-SP2 with antivirus software because "the antivirus software will protect me" when in fact the user would be better off upgrading and not bothering with the AV software.
AV and AS software have their place - as gatekeepers, not as perpetual performance-draining devices. A system that scans anything before it's installed as an executable is a great idea. A system that scans everything, all the time, isn't. Too bad that's how most of this software works.
I don't play a lot of games, but I certainly don't mind, and I'm pretty sure there's no quota issue.
"Not connected to the internet", then? BIND is notorious for remote root exploits. This by you is "okay"?
Do you mean BIND 8 or BIND 9? Looking at your google query, I see about four different hits that actually have to do with BIND, and they're all about BIND 8, and they are all the same root exploit, not four different root exploits. Along with them is a root exploit for tcpdump - are you proposing that we stop using tcpdump as well?
Seriously, if you want an open source name server, BIND 9 is an amazingly high-quality piece of software. I've never used djb's software, because I hate managing patch trees, and because I like BIND 9's automatic, secure zone transfers, which aren't supported by djbdns. Perhaps there is some value in it, but it's not worth it to me. Also, the cult of personality implicit in naming a product after yourself upsets my stomach. Should I have called the ISC DHCP server tedhcp?
If you are running BIND 8 because BIND 9 doesn't perform as well, first of all, the difference probably isn't as great as you've been led to believe. Secondly, you can probably afford a high-quality commercial name server, such as the one my employer makes. Personally I don't think running BIND 8 is worth the headaches - it was a credible piece of software in the early days, but by the time version 8 rolled around, it was due for a rewrite, and that's why the ISC in fact completely rewrote it from scratch for version 9.
No, you're a good pattern matcher. Which is a key part of being a geek. So wear your colors proudly, brother (or sister). :')
Yeah, I know, it's very cool, but all my domains are in the US. So I could register in .se, but it would look weird to my users. And it still requires installing the zone key for .se in any resolver that's going to securely resolve DNS entries in my zone, so it's actually not that useful yet. But it is a nice start - I hope more TLDs follow suit.
Bwahahahahahaha!
I find Dan highly amusing, and would find a world without him a sadder place, but that's an opinion piece, without an iota of basis for any of the assertions he makes.
The one factoid he presents is the Microsoft ActiveX key spoof, which is indeed interesting. It also isn't addressed by his proposal, so I'm not sure what good it is. As for querying multiple servers to validate a lookup, that's a fun idea, but you still haven't cryptographically authenticated the information, and all it would take to hack this would be to successfully spoof the NS records for the zone, which isn't particularly harder than spoofing the zone itself.
The reason that reputation-based security works is that you have an active, intelligent participant tracking reputation; even in that case, it works only so well - many of the spoofs we're talking about here actually take advantage of someone's trust in reputation, by convincing the person that they are talking to someone to whom they are not actually talking. The better a critical thinker you are, the better reputation-based security will work for you; the more you know in the moment about the person to whom you are talking, the better it will work for you. Lacking either of these, as is the case with Dan's proposal, you've got nothing but a house of cards.
If Fred's House of Flowers has your credit card info, and it's not secure, then it's the weak link in the chain, and it's the place where the attack will happen. I don't mean to say that in order for secure DNS to be useful, everyone has to use it, but certainly if it comes into widespread use and its use makes it a lot harder to spoof secured sites, then the sites that aren't secured are the ones that are going to get spoofed.
Most people can't tell if they are connected using SSL or not. One of the nice things about secure DNS is that if the DNS response is spoofed, it just doesn't come back. So if you have someone spoofing a zone, you don't see answers to the zone, rather than seeing and accepting the wrong answers. This leads to trying to figure out why "the internet isn't working," which leads to the revelation that someone is spoofing DNS, which leads to the problem being corrected.
To spoof you without secure DNS, all I have to do is present a copy of the real web page that has all the https:/// strings substituted for http:/// - at that point unless you're fairly sophisticated, you're going to wind up sending your info to the spoofer, and you're not going to know that you've been spoofed.
This is not to say that secure DNS is a panacea, but if it were deployed on a widespread basis, it would solve a number of significant problems.
By the way, speaking of SSL again, it has no root key rollover. Your root keys are preconfigured in your browser. So if a root key is ever compromised, your browser is going to be vulnerable until such time as you download a new copy, even assuming that the root key compromise is detected. DNS also lacks root key rollover right now, but this is a problem that is being worked on, whereas as far as I can tell in the SSL world, at least on a practical level, it's not.
The main problem with "secure DNS" is that you can't get it. This is because some of the problems remain unsolved - the problem of key rollover is currently generating a huge debate on the namedroppers mailing list, not the least because one of the proposals being advanced is patented.
.com) isn't in a signed zone.
On top of that, even if you ignore the signing of the root key, by and large you can't get ad-hoc zone signing - if you want to secure a zone, everybody who's going to see it as secure needs a copy of the zone key, because your top level domain (e.g.,
On top of that, many TLD providers seem to want signed zones to be a value-added option rather than basic functionality. So as with RSA, lo those many years ago, adoption will be slow because people want to monetize it, rather than seeing it as basic functionality that has to be there.
So it's no surprise that the end user isn't interested in it yet - they can't get it even if they are interested.
More precisely, done badly, anything is bad. And perhaps it's easy to do it badly. However, the counterargument to that is that sometimes a thing done badly is better than a thing not done at all. And also, best is the enemy of good enough.
Hm, can I think of any more slogans to throw in here?
Nevermind.
Right, what you don't realize is that these people are meat-eating tools of the Man. :')
I dunno, mate, I thought it was pretty funny, and I'm a pale vegetarian myself.
Well, actually, not so pale. Arizona sun and all, eh?
My experience back in the 1980s when New England Telephone was charging for DTMF was to get rotary. Turned out that DTMF worked anyway - you couldn't turn it off at the switch. So I got DTMF without paying the surcharge. Chances are that your switch also doesn't support turning off DTMF support, so even if you don't have a rotary phone, if you opt out of DTMF, it'll still work. If it were me, I'd *get* a rotary phone.
There are a lot of users who travel, and need their email to be on their laptop when they're in the air, and who don't always have high-speed internet where they happen to land at any given time (e.g., in a sales situation where the place you're visiting doesn't allow you on their network). So I don't think webmail is going to supplant regular email anytime soon. Also, consider that you really can't do business with your gmail account - you're entrusting someone with your confidential information who hasn't promised either to keep it safe from loss or to keep it safe from eavesdropping.
As for email/outlook functionality on Linux, it's not there. I've been trying all the email agents on Linux in succession. None of them are ready for prime time. They work, don't get me wrong, but Evolution crashes, and the UI is lacking some really crucial functionality. It really needs a usability makeover. KMail is somewhat better, but still needs a drastic makeover, and KMail in KDE 3.5 has this new namespace support, which means that you have to be an expert to configure it. Plus it crashes randomly. Sylpheed-claws is too slow to be usable, although it's got the best UI of the lot.
Then there's the problem of integration. Everybody has their own damned calendar system and their own address book system. Why? If I switch from one to the other I lose _everything_. There is some support in Evolution and KMail for interoperating with Microsoft's products, but if you have a Mac, you're SOL - there's no migration path at all.
Bottom line is that the article is correct in saying that email/calendaring/contact management really isn't there yet, and it is really, really important - email, calendaring and contact management are three of the main killer apps for the average computer user, and if they don't work better than the Microsoft and Apple alternatives, people who have a choice simply aren't going to switch.
His books are scaled and plotted for kids, but without talking down to them. Highly recommended. He's written some adult stuff too, which is also very good, but he's worth checking out for his teen books.
The cause of the problem is that you live in a world where people do not behave well. This would be a problem if it were an anarchy, as it is a problem in communist and capitalist countries. If you want to live in a different kind of world, start by controlling the behavior of the only person whose behavior you control: your own. Don't ever act in a way that's inconsistent with how you would like to be treated, and on a meta level, try to figure out how others want to be treated and treat them that way, even if it isn't how you yourself would like to be treated. Changing the world happens one person at a time, not one ideology at a time.
It's an Intel 802.11g card in my Sony VAIO. It does seem to get pretty good reception, possibly because the VAIO's case is not metallic.
Do remember that it's a shared spectrum, and it's widely used by other devices, like portable phones. Most of the experience I've run into has come straight from the portable phone world. Changing the channel helps whether it's the wireless device or the portable phone, because you're just picking a channel that's not otherwise in use.
I've been in environments where there were ten or twenty browsable networks, and I was still able to get good service (in fact right now I'm connected to a base station that's not the strongest at my location, and I can browse about ten base stations, and I'm getting solid network service), so I am much more inclined to point the finger at a portable phone than at the competing base stations. Changing the frequency of your base station was the right thing to do in either case.
The rhinocerous in the living room of your little analysis there is that capitalists (capitol is the place where the legislature meets, btw) are just as corruptible as socialists. The difference? If everybody is a wage slave, nobody has time to oversee the overseers. So in terms of preventing corruption, socialism is actually a much safer form of government, because in a socialist society (e.g., most of the societies of Western Europe), the a broader range of different members of the electorate have enough free time to act as a check against massive government corruption.
I think it's no coincidence that in a time when Americans are working more hours than they have at any time in recent history, the government is also at its most corrupt.
If you've ever actually written any code, you already know this: producing something that is easy to use is hard. Coming up with the algorithm and the data structures isn't trivial, but compared to getting the thing so that it's useful to the end user, they are. Ironically, the thing that's hardest is the thing that's covered by copyright - you copyright an implementation of an idea. And the thing that's easiest is the thing that gets the most powerful protection - you can patent an idea (which is a scandal, by the way - patents are supposed to cover implementations, but at this point what they cover in the software arena is, effectively, the idea itself).
So what this means is that someone with a lousy implementation can corner the market if they get the patent first. In fact, someone with no implementation can corner the market. The thing with the least value winds up being the thing that controls the outcome.
Go figure.
In fact, by and large drug companies don't have a strong incentive to do new work. What they do is find ways to produce analogues that aren't covered by existing patents, and then try to take markets away from their competitors. So you get Viagra, Cialis, Levitra, etc, none of which really add value, rather than getting Viagra and then moving on to something useful like, say, curing cancer.
A lot of really interesting work that could be done isn't done because it's not easy to get patent protection on it, or the profit margins aren't what they would be for a drug that gives you a reliable hard-on.
There are lots of ways to fund drug research. The current mechanism is really quite horrible, in the sense that it creates an artificial scarcity and makes drugs unaffordable to the people who most need them. And this is rightly justified by the fact that with the current drug development model, if you don't withhold drugs from the poor, the drug companies can't make back their investment.