Slashdot Mirror


User: kurt.griffiths

kurt.griffiths's activity in the archive.

Stories: 0 · Comments: 12

Comments · 12

  1. Re:Maybe it's time... on Security Holes Draw Linux Developers' Ire · Score: 1

    Yeah, but how many of those eyes actually have the experience it takes to audit code for security? Writing and auditing for security (especially for operating systems) is *hard*. From "Secrets and Lies", pg. 345, by Bruce Schneier:

    "First, simply publishing the code does not automatically mean that people will examine it for security flaws, and it certainly doesn't mean that experts will examine it for security flaws. Researchers found buffer overflows in MIT code for Kerberos ten years after the code was released...Second, simply publishing the code does not automatically mean that security problems are fixed promptly when found. There's no reason to believe that a two-year-old piece of open source code has fewer security flaws than a two-year-old piece of proprietary code. If the open source code has been well examined, this is likely to be true. But just because a piece of source code has been open source for several years does not, by itself, mean anything."

    Great book. I highly recommend it.

  2. Yeah, but what about the holes that AREN'T found? on Open Source Security: Still A Myth · Score: 1
    The article's point was not about how quickly things get fixed, but whether the vulnerability is ever discovered in the first place. Holes are not always discovered the first time they are exploited, and there can be considerable damage done before people can clue in on it. How do you know that security advisories include ALL the holes on your system, particularly the ones that a given cracker will decide to exploit for your particular system?

    The open source community has done some cool, amazing things, but now needs to swallow a big humble pill (yes, just like the company you love to hate has had to do) and change their process to be more preventative, rather than focusing on patches so much (although patching is certainly not something to abandon).

  3. Re:Hmmm... on Miguel de Icaza Debates Avalon with an Avalon Designer · Score: 1
    I don't care if I get modded as a troll...

    They *are* "truly changing their design philosophy" for Avalon and Longhorn. Of course they couldn't do that with SP2 - it requires much deeper changes than can be put in a service pack. And recompiling the entire system with buffer-overflow checking and rewriting anything that fails static bug/security analysis tools is supposed to be "hand-waving"?

    Of course MSFT will componentize Windows. They like it because it allows them to mix and match pieces to get different versions of Windows for different markets. As far as integrating IE into everything, it makes sense to provide a system-wide component that everyone can use to display web content. If I am not mistaken, KDE and GNOME have similar components. On any operating system, just because something comes as a default, does not mean you have to use it. As far as lock-in and leveraging your OS channel goes, I don't see anyone complaining about ichat, itunes, quick time that come with a Mac, or all the bells and whistles that come with a typical Linux distro.

    Now they are breaking the dependency between WinFX, Avalon, and the OS. Last time I checked, you couldn't get Aqua on anything but OS X.

    Finally, they know their butt is on the line for security, and they have slipped LH, Avalon, WinFS, and friends so they could do a FREE major update (that cost them as much or more as an OS X release does for Apple) while learning how they can build security in from the start to Longhorn. For example, security training is mandatory for developers, and threat model analyses are now required for every single piece of the LH system (that includes Avalon and .NET). There are at least three static/dynamic tools (FXCop, PreFix, PreFast) they are constantly improving to enforce guidelines and flag common bugs and security vulnerabilities. Is there anything equivalent to this for Linux distros or the kernel itself? (I am not assuming anything here - I really don't know. What's the story from people like Novell and RedHat?)

  4. Benchmarks on 2 machines showed no improvement on Windows Accelerators - Do They Really Work? · Score: 2, Informative
    I tried Hare, Zoom, and Double Battery. Benchmarked using Performance Test and was totally... NOT blown away. There was no significant change. I also just worked as usual on my laptop/workstation and did not notice any difference, except that Windows shut down a little bit quicker with Zoom, but not much.

    The programs include "benchmark" utils that tell you you will get a great speedup - I can't figure out what they were testing, though!

    Clearly, these people are not to be trusted. I have had better luck tweaking registry settings as someone else mentioned. If you want the benchmarks from me, let me know.

  5. At least... on Microsoft to Issue Out-of-Cycle Patch for IE · Score: 0, Troll

    At least they are trying hard to suck less.

  6. Re:Long-term solution? on Microsoft to Issue Out-of-Cycle Patch for IE · Score: 1

    Of course they would rather have long term solutions, but they release short-term solutions first because they are easier and help buy MSFT time until they can come up with something better.

  7. Important security comparison left out on PHP 5.0 Goes For Microsoft's ASP-dot-Net · Score: 1

    In the article they compare the web servers, but neglect the languages themselves. PHP is atrocious - there are many well-known exploits, some that can even let you see the PHP code (better not hide any secrets there)!

  8. Microsoft and others still have room to innovate. on Microsoft's Midlife Crisis · Score: 1
    Make sure you do your research instead of just regurgitating what the OSS community says.

    Everyone copies from everyone else. The only way we move forward is by building on the past. Apple does it. Linux/Open Source does it. MS does it. Innovation is simply synthesizing old concepts into new ones in different contexts. For example, Windows NT built on the ideas of usability and automatic hardware detection to make IT administration much easier than before. As another example, .NET != Java. There are fundamental differences and cool things that .NET does that you simply can't do as easily or with as good of results in other environments (For example, ExxonMobil is ditching Java because of how crappy it is with interop, among other things). One more example is the cool work that MS research has done on natural language processing and handwriting recognition. Finally, check out their developer tools they are creating to statically check code for security-related bugs.

  9. Even bigger problem in ESR's logic on ESR's Halloween XI -- Get the FUD · Score: 1

    There is a more fundamental problem in the essay's logic. Brooks explains it in "The Mythical Man Month". You could turn the whole world loose on writing replacements for Microsoft software, but there is a point at which the communication overhead bogs everything down and you would have been better off sticking to fewer people. The collaboration required to create a great, consistent user experience for something like an operating system or office suite is tremendous, and open source needs to do a better job at this if it ever hopes to achieve the aims of its evangelists in taking over the business and government computer world.

  10. Re:The truth lies within... on MS Rails On Open Source, Appeals To Gov't Greed · Score: 1

    I see what you mean. "One Microsoft Way" has certainly gained a lot of momentum over the years that is proving difficult to overcome. You see a similar momentum in the media industry. Whenever a new innovation in product delivery comes along, the big players generally freak out because they are either too set in their ways, or are not nimble enough to respond as fast as they would like (note that these reasons, especially the latter, do not necessarily make them "evil"). This has happened with VHS, music sharing, and now movie sharing and PVRs. The response is always to pretend that nothing needs to change, and even to fight the inevitable change in consumer preferences.

    Now we have a "new" model (new as in it is mainstream enough now to worry the big boys) called open source, with its various licensing schemes. Just like the media companies are nervous about new technologies cutting into their bottom line (that is what the execs get paid to defend), Microsoft and Friends can't see much benefit in open source, and even see a lot of competition. So they stall until they can figure out either how to get rid of the threat, or are forced by the market to embrace the new paradigm.

    I think it would not hurt Microsoft and other traditional software companies to give out their source code with every purchase. They are scared that by so doing all their hard work will go unpaid. Their fears are valid. You simply can't work hard all day and then come home to your family with empty hands. You can't buy groceries with "good will".

    That being said, I do not think that sharing one's source code necessarily predicates the failure of one's product to make plenty of money. Here's why:

    1) With so many concerns about security these days, people feel better about having the source code to tweak as they like when problems arise. However, as Microsoft gets better at writing secure code, people will tend to rely on them for their software updates anyway, since it is generally less expensive than hiring your own team of security programmers to sit around hacking the source code. Whether or not they ever look at the code, however, customers just feel better knowing they can if they need to. When you have the code, you feel more like you own what you paid for.

    2) Even though you can download linux distros for free, many people still pony up the dead presidents for a nice box of CDs with some documentation. The great majority of the population have no clue how to burn an ISO image, but they know what CompUSA or Walmart is.

    3) Tech-savvy customers have more faith in you if they see that you "have nothing to hide" (e.g., crappy code hiding behind a facade).

    4) Non-programmer customers don't have a clue what "source code" even means, let alone have the skills to do anything with it. There are a whole ton of these kind of people out there.

    5) Of course, potential competitors will get a hold of your code. Look at companies like Trolltech that give you the source code. Yet you don't see a million versions of Qt running about from various vendors that snatched the code and rebranded it. There are several possible reasons for this. First of all, it takes a lot of time, talent, contacts, and money to successfully market a product, and especially to take it to the commercial channel (Walmart, CompUSA, and friends), especially against the original vendor of that product. Secondly, in order to compete, you need your product to be different and more exciting than the other guys' stuff. You can pretend it is through false advertising, but that doesn't work for very long. You can actually mess with the source code to get something different, but then you have to spend a lot of money and time on regression testing and maintenance for your branched code. When all is said and done, it is generally easier to use the original vendor's APIs and tools to create a plugin (or custom control, in the case of Qt). Such things are easier to market and maintain. Therefore, re

  11. The truth lies within... on MS Rails On Open Source, Appeals To Gov't Greed · Score: 2, Insightful

    So What? I have heard open-source advocates contradict themselves much worse, and even resort to spouting misinformed opinions when it suits their needs. It isn't that Open Source or Microsoft are inherently good or evil. Both worlds are full of unselfish and selfish people. You have to take everything with a grain of salt.

  12. Re:People like it! on Happy 3rd Birthday To OpenOffice.org · Score: 1

    I hear ya. My wife and I have WordPerfect, which we like better than Word for most things. However, the rest of academia is hooked on MS Office, and WordPerfect 9 (the version we have) does a poor job converting back and forth between WP and MS formats. Luckily we discovered OOo last year and have been happily communicating with classmates and professors ever since!