He preaches the same rhetoric to everyone, equally, without bias or prejudice.
Where I come from, if you simply change the context of that statement a little, we call those people "whores" or "sluts", depending on whether or not they get paid.
Another word is Jesus. Another is capitalists. It's funny how they all can be put into the same group because of a lack of bias and prejudice.
Coming up with a patch is the easy part. Any large project will need to look for related issues in the rest of the code, to do QA work to make sure the patch doesn't introduce new bugs or vulnerabilities, and to package the updates for all the different architectures and products that happen to be vulnerable. That process takes time; it is physically impossible for the Windows/IE/Java/Firefox team to release an update the same day you informed them about the issue. If you go public on the first day, you are just being an asshole.
Ie, "you're an asshole if you don't consider the needs of the developers". I've got a big FYI for you but, at least with Windows, the user is supposed to come first. That means you take measures to protect the user *now* instead of twiddling your thumbs while all the testers put a patch through its paces. In the meantime, users could very well be exploited. If there's no way to block the exploit without unplugging the computer from the internet or otherwise isolating, then so be it. At least the user has a choice instead of being led to believe that there's nothing wrong with your software.
Yes, developers are only human. Yes, developers can't instantly patch code and responsibly release it the same day in many cases. But there's a lot more to the equation than the wants and needs of the developers. Trying to isolate your users and keep them in the dark for the sake of keeping them safe doesn't work; if it did, there wouldn't be a problem with spam bots under Windows. The best you can do is try to help those who want to help themselves. The rest are really a lost cause for the open/free software world, and they're the entire reason why service businesses to clean and manage your computer will continue to exist.
I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then going public if a fix is not in place inside a sensible timescale.
Some of us are into this thing called an "open" development process. This means that not only do we find out about a lot of stuff we're not particularly interested in (though assumedly others are), but it also means that we find out about security vulnerabilities sooner than we likely would have (although Mozilla isn't always as open as some of us would like). In this particular instance, there isn't a workaround for the security vulnerability, but there are steps that can be taken (disabling javascript) that will mitigate the risk until a fix is instituted. Personally, I like being given the option to take those mitigating steps if I choose instead of relying on an "expert" and a "vendor" to know what's best for me when they likely don't know my circumstances and are more inclined to hide vulnerabilities instead of publicly admit that their software appears shoddy (not to say that it is, but any vulnerability tends to have that effect; and Mozilla does try to do this, most of the time, but not all "experts" are so willing to hide the information).
So a file gets deleted: prove it had anything to do with his software.
I hope you're being facetious. In this day and age, we have readily available virtualization software that can trivially allow you to do before and after snapshots, repeatedly, using a piece of software as a test case. There's even different virtualization software, emulators, etc, so one can't reasonably argue it's a bug of *that* software (though one could still try to argue that it was Windows, of which you can possibly use WINE and show through the source code that it's not a function of it).
In short, proving that a piece of software deletes a file isn't difficult. It might be tedious. And it might be difficult explaining the circumstances to the judge. But, the proof would be doable.
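The before/after comparison described in the two paragraphs above, as an added example that is not part of the original post. Instead of a whole-VM snapshot it walks a directory tree and records size plus SHA-256 per file, then diffs two such snapshots to list deleted, added and modified paths; the sandbox layout, file names and the simulated "software under test" are all constructed for the demonstration.

```python
"""Before/after filesystem snapshot diff (added example, not from the original post).

snapshot() records (size, sha256) for every regular file under a root;
diff_snapshots() classifies paths as deleted / added / modified. demo() builds a
constructed sandbox, simulates an untrusted program run, and returns the diff.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {posix_relative_path: (size, sha256_hex)} for every file under root.

    Symlinks are recorded by their target text, not followed, so a link pointing
    outside the sandbox cannot pull unrelated files into the evidence.
    """
    root = Path(root)
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                target = os.readlink(path).encode()
                entries[rel] = ("symlink", hashlib.sha256(target).hexdigest())
                continue
            if not path.is_file():
                continue  # sockets, fifos etc. are out of scope here
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            entries[rel] = (path.stat().st_size, digest.hexdigest())
    return entries


def diff_snapshots(before, after):
    """Classify every path present in either snapshot into three sorted lists."""
    common = set(before) & set(after)
    return {
        "deleted": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed scenario: three files in a sandbox; the simulated program
    deletes the user's document, appends to its log and drops a marker file."""
    with tempfile.TemporaryDirectory() as sandbox:
        root = Path(sandbox)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly numbers\n")
        (root / "license.key").write_text("ABCD-1234\n")
        (root / "app.log").write_text("started\n")

        before = snapshot(root)

        # --- simulated run of the software under test (constructed) ---
        (root / "docs" / "report.txt").unlink()
        with open(root / "app.log", "a") as fh:
            fh.write("invalid serial, wiping\n")
        (root / ".tamper").write_text("1\n")
        # --------------------------------------------------------------

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real test the two snapshot() calls run from outside the guest, against the mounted disk image or a copy of it, so the program being examined never gets a chance to tamper with the tool that is recording the evidence; repeating the run across different hypervisors, as the post suggests, is then just a loop around the same diff.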
The complaint would start with, "I tried to run an illegal copy of this software..." That'll be credible.
Just because it's illegal doesn't mean you know it was. I've accidentally bought a pirated version of Doom 2 from Wal-Mart. I'm pretty sure Wal-Mart didn't know it was illegal either. There's also, of course, the circumstance where you bought it legally and mistyped the serial code.
What if the software simply deletes itself?
Then at minimum I've lost the time it took to install the software. Really, the last thing you want to do is piss off a person who thought they bought a legitimate copy. If every time I use your software I have to step on eggshells or it might self-destruct, why would I want to use it or buy future versions? The future losses are, truthfully, something more to worry about than a few tort cases.
Anymore? ESR, as was pointed out, is one of the co-founders of the Open Source Initiative. ESR has always focused more on acting "crazy" to draw attention to him and his causes than in trying to be reasonable in any fashion. I mean, look how some simple mailing list entries are now on /. for all the rabid ESR followers to read and, more importantly, the non-rabid non-ESR population to consider and possibly join.
Having said all that, I find ESR's position duplicitous. On the one hand, ESR acts like he's the champion of open source. Why? Not for any sanctuary of freedom. No, it's all about an ideology that believes that open source is inherently the better software because the "open source process" produces better code. Yet, when all that can be found is proprietary code, ESR is more than willing to push the use of it instead of OSS. One can see that as pragmatic and a "necessary evil" of the long-term superiority of OSS. But if you're being a whiny baby over a want to incorporate proprietary code into a *free software* distro to support *open source*, well, then you're just being a moron. If you want to be a rabid supporter of a cause, then you're going to have to do a better job justifying why you seem to shirk that position the second it's inconvenient. Would anyone take seriously a cause against premarital sex and adultery that, to increase its numbers, held regular gangbangs?
Google was seen as complicit in censoring free speech in the China market by
agreeing to expand into China
No.
and then agreeing to filter search results.
Yes. Google, had it simply expanded into China, would indeed be a means to allow the Chinese government to further its ends of oppressing people. At the same time, Google, had it simply expanded into China, would have provided a constant battleground upon which Google would inherently, even if constantly being firewalled by China, provide a means of increasing the freedoms of the people. In the end, Google would have been an unbiased tool that could have been for good or evil, but the mere fact that it existed in China would have been a net good because it was a clear avenue of increasing freedom for those on the inside and outside willing to proxy content. The reason Google received so much flak is because by going along with China's censorship, they've greatly squashed those enhanced freedoms and are instead merely a tool of the Chinese government to oppress. In only the minimal way is that an improvement (in that the internet is so flexible that google's/china's blacklist will never keep up fully, so google might still do some good).
Having said all that, I have to say I'm a bit annoyed with the rest of your post. Stallman isn't the champion of "open software". He's the champion of "free software". He doesn't support the existence of free software because it's "more robust" (hell, look at him repeatedly pushing to use outdated 3D cards or questionable quality free software (in comparison to commercial software available)). He supports it because of the increased freedom. And really, you're right, Cuba could fully ignore the GPL.
If they were never going to contribute back to the free software community anyways, then nothing Stallman said really matters. Ironically enough, it's precisely the collaboration and "freedom" that's the reason that "open software" is supposed to be "more robust", so if Cuba isn't willing to collaborate, then logically going "open software" would be *equally or less* robust than commercial software (before you try to argue that open source means "more eyes", that theory holds true when there's "more eyes" of the field; truthfully, I don't think there's an international gulag and dissenter tracking collaboration network; why help other evil regimes when you think your evil regime does it best?).
And no, using free software doesn't mean everyone gets a PC (just like how the US hasn't given everyone PCs, for that matter). Nor is free software some code word for "freedom of speech", so Cuba using free software won't magically change whatever firewall rules they have. But supporting free software is itself a good, at least as far as Stallman is concerned. The only really bad thing to say about Stallman in this instance is that, given the people involved, it might have been wise to hold off commenting for a while to see whether they actually follow through with what free software means. But then again, Stallman hasn't been one to hold off commenting on anything of the sort. If he did so, then the free software movement would certainly be nowhere near where it is today.
Stallman is trying to be optimistic about someone saying they support free software. That's pretty consistent.
Not sure I entirely understand how Stallman isn't getting slagged for this, after Google got so roundly derided about its decisions to filter results in the China market...
Aren't you answering your own question? Google decided to *filter results in the China market*. Stallman didn't change the GPL to comply with Cuba's laws. Stallman is continuing to expound the same sorts of beliefs he's always expressed. The fact that Stallman isn't going out of his way to be champion to fight *all* the bad things that happen in the world is mainly a choice by him, realizing that one can't fight everything bad in the world at the same time as pointing out the evil of copyright and be seen as a serious pusher of the evil of copyright--you become too diluted. One might as well complain that the NRA doesn't take up free speech cases enough or that the ACLU doesn't do enough when it comes to the environment. Stallman is consistently pushing his message about the need for free software. The problem with Google was their inconsistency of "do no evil" while *actively helping* China to block free speech.
Nonsense. You're saying if a being could be unfair, e.g. not follow his own rules, then he must be unfair.
No, I'm saying if an *omnipotent* being could be unfair, then he must be unfair. It comes down to this. There are certain circumstances where God can make a choice, A or B. A is fair. B is not. If God is truly omnipotent he can choose B. But, if he's fair, there's no way he can choose B. To do so would make him, by definition, unfair. So, he is either not omnipotent and bound to fair choices or he's omnipotent and not bound to fair choices. This is just a weaker form of the question whether God can create a rule he cannot break, where fairness would be the effective rule.
To make up rules which are impossible for God to violate is to negate that omnipotence.
And at the same time, to be unable to bind his power means God has not the power to bind himself, which means he's not all-powerful.
Just because some human sees a logical fallacy in the temporary suspension of free will does not make it impossible for God to have done so...
Actually, it does. That's precisely what logical fallacies are about proving: faulty logic. Let me give you another example, again stemming from the idea of God's omnipotence. Now, the Christian God is supposed to be merciful and overall fair (obviously, the human concept of fair, as we're the audience). At the same time, he has supposedly set down rules that dictate how one gets into heaven. Well, that's the paradox right there. If he sets rules that ensure one's entry into heaven, then he is binding himself to allow people into heaven. Yet, if he's not bound to follow his own rules on who gets into heaven, then he's not fair. The concept of God's grace follows virtually reverse logic; inherently him choosing certain unworthy people is unfair, so he has bound himself to only allowing certain people in, but such reverts back to the issue of him not being able to bind himself.
What does this all mean? Among other things, an omnipotent, fair God, Christian or otherwise, can't exist. But if we remove the quality of omnipotence, then we're left with a being who can be fair (and can bind himself to his own rules). Whether he's fair or omnipotent, the Bible, Quran, etc is in error, which leaves what and why to believe from it very much placed on the people who read it. So, feel free to turn towards a slightly less-than-omnipotent God and worship him. Me, personally? I don't find it any more logical to worship a nearly omnipotent God than a nearly omnipotent Devil. And why would I worship a being who is unfair?
However, I do find it easier to relate to a character who looks like me. That is, I'm most comfortable playing a Caucasian male character.
That's funny. I find it easier to identify with characters that *are* like me. That is, I'd much quicker relate to a yellow fox or a blue armored robot than some male character that happens to be Caucasian. Hell, I even relate well to characters who aren't of my gender. But then again, I thought a major point of video games was to look beyond the polygons that represent the outside and to take a more abstract view and ingest that to be considered. After all, those textures that make that Caucasian male white could be trivially altered to make him green or the polygons altered to make him look like a her. Until there's the point at which games are actually rendered at a detail when I can no longer trivially think of the polygons as merely a hitbox or the color as merely a means to differentiate the character from the background, I'll still be left to thinking of it as a walking hitbox.
OTOH, without net neutrality, the telcos could very well examine packets and try to censor packets that are part of hate speech (or really anything they want to censor, like fluffy blue bunnies) with no legal repercussions. IANAL.
IANAL, either. But, what you try to claim doesn't really hold water. The entire point of telecoms *wanting* common carrier status is precisely to be protected from "legal repercussions". Without that status, any action to edit or change that which occurs implies that one has taken on the responsibility of handling the task of ensuring that illegal activities do not occur as a result of the company's actions or inactions. Without this protection, companies would be liable under, minimally, the same sort of context that has seen various P2P companies shut down and otherwise sued. It is, after all, not much of a defense to claim that you were more than willing to stop fraud in one case but not another because you "lack the resources". And with something like telecommunication and the complexity of all the possible conspiracy laws that could be violated, it's unlikely that any telecom would dare pass any content over its network.
In short, the price of being held non-liable for the many crimes that your company facilitates is to objectively allow for such crimes to occur without a hunt to stop them. Otherwise, how are you any different than a conspirator that looks the other way in some cases?
You do know that HD-DVD and Blu-Ray video won't display in HD except on HD monitors, right? Being an HD monitor is necessary, btw, as a part of the HD-DVD and Blu-Ray specs as a means to try to close the analog hole; there's nothing intrinsic about most non-HD monitors sold today that prevents them from displaying the video. So they could have a legally owned copy of a reference video and end up playing it on a Windows Vista machine which either (a) doesn't have an HD monitor or (b) has an HD monitor that is acting up. Certainly, this is technically a screw-up on the part of the IT staff.
What becomes more fun is scenarios where a hospital buys some HD software that ends up DRMing the video they create. Even more fun is if the key gets revoked. I don't think it's very far fetched when you consider that DRMing video is a great way to protect the privacy rights of individuals, in theory. But at the same time it's the same DRMing scheme that leaves open the potential for so much abuse by those who control revoking keys.
"the content protection mechanisms...... will lead to better driver quality control."
This is probably one of the truest statements made in the article. Why? Because Microsoft doesn't want to have Vista blacklisted by movie providers. So, they're certainly going to go out of their way to implement such protections properly and if any exploit is found to fix it as promptly as possible. Recall how quickly the previous DRM exploit was patched?
Obviously, "better driver quality control" != "better drivers" nor "more stable", so it's really more spin than answering the real issue. But I guess if you assume that Windows drivers are generally crap, then simply implementing the function of the driver properly with fewer exploits means by definition such will be stabler and better. I'm not sure if that's what they were trying to imply.
"Try taking an animal biology course with a veterinarian professor and then express your dog extermination viewpoints during discussions. I'd bet 90% of the time you would come out of the class with a lower grade than your "puppy-loving" classmates even though you showed the same amount of enthusiasm and willingness to participate in class discussions as they did."
Perhaps the problem is that neo-conservatism argues a position with less rational backing while liberals support a position that has more rational backing? This isn't to say that the liberal position is right (more that neo-conservatism is wrong), but that most liberal professors require that even the liberally minded back their position up, not simply nod their head and agree with the group. Simply being enthusiastic and being willing to participate isn't justification for receiving the same grade as others. One of the core points is being able to have substantial argument to support your position.
For starters, the discussion of evolution vs intelligent design/creationism isn't one of the creation of life. Instead, it's the creation of most species.
What they deny is that one species can change so much that it becomes another species. In technical terms, what they refuse is the notion of macroevolution.
Notice the similarities? One thing that has to be recognized is that those small changes that make a species resistant to a pesticide or an antibiotic could be precisely the change that makes them a new species. The only real issue is that while there are many instances where it has been shown that a "negative" genetic trait has persisted in a society (sickle-cell anemia being a good example) because of the overall positive net effect it gives in resistance to attack from other organisms, I can't think of a laboratory example where this has been demonstrated. So while it's true that macroevolution has been observed in the lab, you're correct in pointing out that macroevolution as the result of a mutation to build resistance hasn't been demonstrated to produce new species. Given that speciation as a result of such a specific genetic mutation would only last if enough of a species developed the same mutation to procreate (and hence create a separate line)--since most bacteria are asexual and hence their species is determined by genetic similarity not the ability to mate, there is no simple definite means of declaring a resistance mutation as that which makes a new species*--, I can understand why such a scenario will take a long time to demonstrate to exist.
*Obviously, this isn't entirely true. For example, like-species might be defined by their willingness to trade plasmids. Or, bacteria switching Gram negativity might define them as a new species.
No matter what you believe how the world was born, this will not change the past, and it will certainly have no influence on the way you work.
I have to disagree pretty substantially with what you've said. For starters, the discussion of evolution vs intelligent design/creationism isn't one of the creation of life. Instead, it's the creation of most species. The difference is pretty significant. The former is a very dynamic viewpoint while the latter two are more static (well, unless intelligent designers think that their "designer" is still around). This is important because there are many jobs that involve nature, and one that views species as fundamentally unalterable creates all sorts of problems, from the overuse of antibiotics to the short-sightedness of becoming dependent on a pesticide without any long-term plans to research and develop new pesticides as current pesticides are adapted to. Hell, even non-life evolves (viruses). If there's enough people who refuse to acknowledge evolution and they vote into office politicians who cut funding and research into combating ever-evolving microorganisms, the consequences could be rather catastrophic economically and mortally. Until we're in a situation where there isn't a reliance on large government funding to do the sort of research that seems necessary because of evolution, I think it does rather matter what people think.
But 3D acceleration driver for a high end graphics card?
What makes you think I have a high-end graphics card? Or that I should only concern myself with the costs of something when it involves running a company?
If NVidia dies within a year of buying a new graphics card, that's pretty unlucky, but anything over that, you'll be able to replace your graphics card with a similarly powerful one without having to fork out too much at all. A pain, but nothing too tragic. And with Windows backward compatibility what it is, you can be pretty confident that today's drivers will see you through the next 5 years.
No, it's not "too tragic" to have to fork out $100 every 5 years just to keep a computer system running. But the question is, will I actually see drivers that will see me through the next 5 years? And just how smart is it to feed into a system of consumerism that suggests that I just buy a new board every so often to work around design flaws of a driver or hardware?
Windows 2003 will still load drivers designed for Win98 (and pos 95 (VxDs) but not sure). I just can't see, in this case, it being that big a problem.
If you hadn't noticed, the original discussion was about an nvidia driver that had a locally/remotely exploitable security flaw in it. So, being able to run *known* insecure drivers isn't exactly a great example of good security. That was the major reason for the complaint.
But on the other hand, look from NVidia's point of view. They're state of the art leaders, in constant battle with ATI for the best and the fastest GPUs, they gotta keep some things close to their chest. They also gotta protect their brand. If a driver fork doesn't perform quite as well (which can be for many reasons, eg, if they've licensed a compiler that can optimise better than the standard GCC everyone'll be using), benchmark figures could reflect badly on their product. And, on a smaller level, they get to do things like flash their latest and greatest at people who come to their website's front page looking for drivers.
Ever heard of a magical word called Trademark? There's nothing stopping NVidia from trademarking their driver (both ATI and NVidia already seem to have) to prevent most of the badness you make out. More to the point, there's nothing stopping someone *right now* from making a crappy nvidia driver and pushing it into Linux distros precisely because it's the only legal option at the moment. If NVidia's driver is so good, do you really think a crappy reverse engineered one will "smear" their name less than a badly optimized one that someone else compiled from the official source? And I agree, it is at a very small level that nvidia or ati could use their websites as a marketing tool when a person is looking for security-update drivers.
If things change, then we can reevaluate, but as things are at the moment, we have little to gain, but they have a lot more to lose, they keep on top of kernel changes fast enough, and the drivers seem to do their job just fine.
I already reevaluated, after having more than I desired in crashes with my NVidia card. This was especially the case when it became clear I couldn't get help from Linux or Xorg developers for problems I was having and I'd have to rely solely on NVidia to fix my problems. Given the probable complex interactions involved and the simple fact that NVidia was clearly not so invested in Linux (again, they haven't gone out of their way to ensure that their driver can be legally included with distros), it was something of a futile condition to be in. I've already made my decision. The point of my position was more to express my reasoning than as some sort of mantra that no one should buy from NVidia. But certainly, I can't fully reason on the logic behind why I should choose NVidia over ATI or the reverse, at least based on company actions. I'll just have to go with the reverse-engineered drivers that exist for ATI instead of having to deal with such petty squabbles.
Nvidia have paid people on the job, with the relevant experience. What makes people think that the oss community can do a better job than nvidia's own people, when they can't even keep their own codebases bugfree? Bugs happen, and with really complex code, it takes people with the most experience available to find and resolve the problem, properly.
You highlight one of the reasons why I'm a member of the Free Software movement instead of the Open Source Software movement. That is, the OSS movement tries to present an unrealistic and unprovable supposition: that open source software is invariably "better" (ie, more bug free) than closed source software. It reminds me a lot of capitalists who try to equate an idealized model (free market) with the real world as a basis to ignore obvious examples where the idealized model doesn't work.
Back to the discussion, the real reasons why those of us in the Free Software movement want access to the source code, beyond any moral reasons, are a few pragmatic ones. NVidia may not be around forever. Even if they are, they won't necessarily release updates in a timely fashion or for the hardware/software that I use. Once a bug is found, cutting off the ease of anyone being able to fix it, by making any fix a result of binary blob hacking, in no way improves the odds of it being fixed. Further, the fact that the source is closed is a prime reason *why* NVidia employees are the only ones so well familiar with their driver. Given enough people in the world, especially those willing to hire others to write software for them, it stands to reason that the source being available would very likely increase the number of people who are familiar with what were "binary blobs".
Will this make source code magically less buggy? No more than making source closed has made it less buggy. But the source code being Free at least offers the potential for people themselves or to pay others to fix bugs and for the advantage to pass to everyone. And personally I like being in a position where I have a reasonable chance of fixing known problems even if some company or other specific person isn't interested. Certainly, software being Free only helps.
they blame everything but the vulnerable system that propagate this kludge...
You think that's a good idea? What happens when people start suing Linux developers for bugs and holes in that software? No software is perfect. Unless MS is doing this deliberately, it's not negligent. It's the nature of software.
Ignoring that you completely miss the meaning of negligence, I'd say that most of the security vulnerabilities present today are a result of negligence. Simply put, it's a well-known fact (and probably equally easy to demonstrate) that buffer overflows and integer overflows account for the vast majority of bugs that can be used as exploits. However, programmers (and by extension, consumers as well) have consistently chosen to use languages that allow for such bugs to readily exist instead of languages that greatly reduce the risk of such problems ever occurring. This is mostly done because of performance reasons.
To make a bad car analogy, if you started selling a car with zero safety features, not even tempered glass, purely for economics/performance, you'd be very likely held liable for the "excessive" damage in any accident that occurs. You might be able to sell the car without fear of lawsuits if you adequately explain just how dangerous the vehicle could be and state the car is only to be used on private land, but pretending that you're offering any level of "safety" just because when designing the car you tried to avoid having pointy edges doesn't remove a need for the serious design considerations that have to be put into place to greatly reduce the damage from an accident.
I don't want Linux developers or Windows developers to be sued any more than you likely do. But knowing what I know, I find it hard to ignore that developers (and their manager(s)) will often choose the riskier option, even knowing how well "no software is perfect". Consumers have the right to choose riskier software if they want to. But with platitudes of "no software is perfect" and no real discussion about serious options to greatly reduce the possible risk, consumers will never become better informed and really have the option to choose the software that won't cause them to be suddenly hosting child porn one day.
Well, the only thing left is to cue the people who point out that by taking steps to reduce the risk and advertising it, one opens oneself up to litigation whenever a security vulnerability is found. Funny how people have an innate expectation that Windows won't be "owned" to host child porn and MS isn't ever sued over it but that there'd be a serious legal case if Foo was deployed with a promise of choosing a less risky base and Foo would likely be litigated into the ground. I thought sue trolls went after companies with the most money. Or is it only while they're not established enough to seem to have competent lawyers to defend themselves?
You don't need to shut down the internet. All [that] is required... [is to].. make a law.... It isn't like the military cannot start shooting down aircraft flying over bases and taking pictures.
I didn't realize there was one government body that controlled the internet. Nor did I realize that the military could retroactively shoot down satellites that have taken pictures of the Earth for years. Nor that it would suddenly be legal, under treaties most countries capable of shooting down satellites have signed, to start shooting down all satellites that "fly over" a warzone.
This talk about threatening is nonsense: when security researchers set a deadline they generally say they will release the information whether or not the vendor makes the fix.
Actually, that depends. Some security researchers will remain in contact with the company and if the vendor says they're about to release a patch, the researcher may be willing to hold off for a while. It's usually only when a vendor seems to be "stiffing" the security researcher that they feel compelled to release information about the exploit because they feel that if the vendor isn't going to release a patch, at least they can inform users so they can take steps to avoid the problem, which in many cases amount to not using the software at all. One could construe that as a malicious act.
Even if the intended release of information is conditional, saying "do this or I give the public objective evidence that your product is defective" does not fall within any legal definition of extortion.
Again, if you agreed to an EULA that specifically states that the software maker disclaims any fitness for the software, then what you're really reporting isn't a defect according to them. It is, after all, not illegal to include in software the ability to remote execute or crash a program, no more than it's illegal to make locks that can be opened with a paper clip. It's only if there's a claim that such features don't exist that they have fear of fraud charges and claims of defects. Of course, the country one lives in might have laws that supersede any EULA or contract, making it the case that such exploits are inherently seen as defects; so, at least in those countries you're right that you'd be clearly legally protected. Just consider that for all the exploits that Microsoft software has and the billions they possess that they've yet to be sued over defects that they've not patched.
In the end, the real problem is that you can sue anyone for anything, no matter how groundless. Trying to be responsible and giving the vendor the information they can use to sue you, forcing you to spend thousands of dollars to defend yourself on a ludicrous case, can have a strong chilling effect on a willingness to risk releasing information about exploits at all. In the end, I just see it as the case that the few vendors that do end up suing people will have a profound negative impact. After all, how hard is it to sell to the courts the story that you weren't just reporting a vulnerability but that you were asking for money? Unless you're a well known researcher or have connections to one, it's not hard to imagine being able to push that story at least long enough to cause you to accept a plea bargain.
Of course, having said all that, I'm still for releasing the information to the public ASAP. People should be as informed as you can make them. If the repeated reports of Windows or Linux bugs cause people to not use that software for extended periods of time because they're unsafe, then perhaps people will finally focus more on the sort of security we should have always had.
So when you choose to disclose previously undocumented issues before giving the vendor any chance to respond, which some claim they're doing to improve security, there is a greater chance of exploit across a much wider base of users, which can have a much wider and catastrophic impact.
So? Not to be callous, but if my machine is being actively exploited, I'd like to know about it. Waiting 2 months without a clue while my machine is being used doesn't make me feel particularly good. And what happens if there is a wide and catastrophic impact *in spite* of your efforts to keep the vulnerability secret? Do you shrug your shoulders and try to rationalize that in the long term the negative impact is much less than the negative impact otherwise? At least when people know of a vulnerability, they can take steps to try to mitigate the problem.
Some say that as a sysadmin, they'd want to know about such vulnerabilities so that they can protect and mitigate themselves. But other than for high value targets and corporate or government espionage - which can perhaps have their own channels for "earlier" disclosure when identified by entities like US-CERT or Information Assurance agencies - I don't see how people can reasonably expect to be targeted by extremely valuable and as-yet-undocumented vulnerabilities.
For the same reason that people are targeted by "not" extremely valuable and documented vulnerabilities, those both not fixed and those fixed but for which people have not yet patched their system against. As far as I see it, what makes a vulnerability extremely valuable has more to do with the attacker's intentions than some all-encompassing umbrella of "not publicly documented". Certainly it is well known that while you can use some exploits to attack banks, it's much simpler (and safer) to attack millions of machines and sell them off as zombies for spamming purposes. If anything, it's the fact that patches are released that makes attackers aware of these exploits and it's the many people who rarely or never patch that make such attacks feasible. If it's not responsible to provide the information to protect people before a patch is released, how is it responsible to provide a patch that you know a great many people will never use but that attackers *will* use to their advantage? Are you against patching as well?
The bottom line is that the vendor should always be informed in advance, if there is any real concern about security on the platform, and not just ego stroking or slapping down "fanbois".
Oh yes, vendors should always be informed in advance. One should especially inform those companies that are sue happy. After all, isn't it possibly a form of exploitation to inform vendors? You may question how, but it's quite simple. By informing a vendor and effectively threatening to release information about an exploit if they don't release a patch in a set time, you're effectively demanding they spend money on you to patch software. You might claim that software has to be patched otherwise it's unfit software, but such logic has yet to be tested in court and the EULA you likely agreed to conceivably negates any claim of fitness. The only way to avoid this scenario is to inform a vendor but to never release information about the exploit (waiting until after a patch is released still looks incriminating) even if the vendor never even attempts to fix it. I'm sure the company can otherwise spin it as demanding thousands of dollars (in wages to employees to fix the exploit). You're an evil hacker, after all.
It's not as if the firmware blob had to run on the main CPU, as is the case with the far more evil nVidia and ATI graphics blobs, which are not firmware but binary modules. That would be extremely different.
One issue you ignore is that firmware blobs could, potentially, contain backdoors or spying software connected to whatever bus(es) they're connected to. While it's certainly possible for hardware to be directly bugged, it's much easier (and cheaper) to allow for upgradeable bugging. Truthfully, main CPUs could fall under this same problem. But I think in the long term, the desire is to open as much as possible so that users of a system can better trust the system. Getting hardware to work in the first place without some huge hurdle for users is merely a first step. It is, after all, the case that people buy hardware for the functionality the hardware can perform well. So, I don't think there's a reasonable fear of them becoming obsolete. They just have to fear not gaining as much profits or perhaps being associated with the shoddy programming of other developers (at least one reasonable reason for why they might wish to only have their own code be used; whether the adversarial approach of keeping code closed and being as tight-lipped about hardware as possible is reasonable is another issue).
Some of us are into this thing called an "open" development process. This means that not only do we find out about a lot of stuff we're not particularly interested in (though assumedly others are), but it also means that we find out about security vulnerabilities sooner than we likely would have (although Mozilla isn't always as open as some of us would like). In this particular instance, there isn't a work around for the security vulnerability, but there are steps that can be taken (disabling javascript) that will mitigate the risk until a fix is instituted. Personally, I like being given the option to take those mitigating steps if I choose instead of relying on an "expert" and a "vendor" to know what's best for me when they likely don't know my circumstances and are more inclined to hide vulnerabilities instead of publicly admit that their software appears shoddy (not to say that it is, but any vulnerability tends to have that effect; and Mozilla does try to do this, most of the time, but not all "experts" are so willing to hide the information).
I hope you're being facetious. In this day and age, we have readily available virtualization software that can trivially allow you to do before and after snapshots, repeatedly, using a piece of software as a test case. There's even different virtualization software, emulators, etc, so one can't reasonably argue it's a bug of *that* software (though one could still try to argue that it was Windows..of which you can possibly use WINE and show through the source code that it's not a function of it).
In short, proving that a piece of software deletes a file isn't difficult. It might be tedious. And it might be difficult explaining the circumstances to the judge. But, the proof would be doable.
Just because it's illegal doesn't mean you know it was. I've accidentally bought a pirated version of Doom 2 from Wal-Mart. I'm pretty sure Wal-Mart didn't know it was illegal either. There's also, of course, the circumstance where you bought it legally and mistyped the serial code.
Then at minimum I've lost the time it took to install the software. Really, the last thing you want to do is piss off a person who thought they bought a legitimate copy. If every time I use your software I have to step on eggshells or it might self-destruct, why would I want to use it or buy future versions? The future losses are, truthfully, something more to worry about than a few tort cases.
Anymore? ESR, as was pointed out, is one of the co-founders of the Open Source Initiative. ESR has always focused more on acting "crazy" to draw attention to him and his causes than in trying to be reasonable in any fashion. I mean, look how some simple mailing list entries are now on /. for all the rabid ESR followers to read and, more importantly, the non-rabid non-ESR population to consider and possibly join.
Having said all that, I find ESR's position duplicitous. On the one hand, ESR acts like he's the champion of open source. Why? Not for any sanctuary of freedom. No, it's all about an ideology that believes that open source is inherently the better software because the "open source process" produces better code. Yet, when all that can be found is proprietary code, ESR is more than willing to push the use of it instead of OSS. One can see that as pragmatic and a "necessary evil" of the long-term superiority of OSS. But if you're being a whiny baby over a want to incorporate proprietary code into a *free software* distro to support *open source*, well, then you're just being a moron. If you want to be a rabid supporter of a cause, then you're going to have to do a better job justifying why you seem to shirk that position the second it's inconvenient. Would anyone take seriously a cause against premarital sex and adultery that, to increase its numbers, held regular gangbangs?
No.
Yes. Google, had it simply expanded into China, would indeed be a means to allow the Chinese government to further its ends of oppressing people. At the same time, Google, had it simply expanded into China, would have provided a constant battleground upon which Google would inherently, even if constantly being firewalled by China, provide a means of increasing the freedoms of the people. In the end, Google would have been an unbiased tool that could have been for good or evil, but the mere fact that it existed in China would have been a net good because it was a clear avenue of increasing freedom for those on the inside and outside willing to proxy content. The reason Google received so much flak is because by going along with China's censorship, they've greatly squashed those enhanced freedoms and are instead merely a tool of the Chinese government to oppress. In only the minimal way is that an improvement (in that the internet is so flexible that google's/china's blacklist will never keep up fully, so google might still do some good).
Having said all that, I have to say I'm a bit annoyed with the rest of your post. Stallman isn't the champion of "open software". He's the champion of "free software". He doesn't support the existence of free software because it's "more robust" (hell, look at him repeatedly pushing to use outdated 3D cards or questionable quality free software (in comparison to commercial software available)). He supports it because of the increased freedom. And really, you're right, Cuba could fully ignore the GPL.
If they were never going to contribute back to the free software community anyways, then nothing Stallman said really matters. Ironically enough, it's precisely the collaboration and "freedom" that's the reason that "open software" is supposed to be "more robust", so if Cuba isn't willing to collaborate, then logically going "open software" would be *equally or less* robust than commercial software (before you try to argue that open source means "more eyes", that theory holds true when there's "more eyes" of the field; truthfully, I don't think there's an international gulag and dissenter tracking collaboration network; why help other evil regimes when you think your evil regime does it best?).
And no, using free software doesn't mean everyone gets a PC (just like how the US hasn't given everyone PCs, for that matter). Nor is free software some code word for "freedom of speech", so Cuba using free software won't magically change whatever firewall rules they have. But supporting free software is itself a good, at least as far as Stallman is concerned. The only really bad thing to say about Stallman in this instance is that, given the people involved, it might have been wise to hold off commenting for a while until they actually follow through with what free software means. But then again, Stallman hasn't been one to hold off commenting on anything of the sort. If he did so, then the free software movement would certainly be nowhere near where it is today.
Stallman is trying to be optimistic about someone saying they support free software. That's pretty consistent.
Aren't you answering your own question? Google decided to *filter results in the China market*. Stallman didn't change the GPL to comply with Cuba's laws. Stallman is continuing to expound the same sorts of beliefs he's always expressed. The fact that Stallman isn't going out of his way to be champion to fight *all* the bad things that happen in the world is mainly a choice by him, realizing that one can't fight everything bad in the world at the same time as pointing out the evil of copyright and be seen as a serious pusher of the evil of copyright--you become too diluted. One might as well complain that the NRA doesn't take up free speech cases enough or that the ACLU doesn't do enough when it comes to the environment. Stallman is consistently pushing his message about the need for free software. The problem with Google was their inconsistency of "do no evil" while *actively helping* China to block free speech.
No, I'm saying if an *omnipotent* being could be unfair, then he must be unfair. It comes down to this. There are certain circumstances where God can make a choice, A or B. A is fair. B is not. If God is truly omnipotent he can choose B. But, if he's fair, there's no way he can choose B. To do so would make him, by definition, unfair. So, he is either not omnipotent and bound to fair choices or he's omnipotent and not bound to fair choices. This is just a weaker form of the question whether God can create a rule he cannot break, where fairness would be the effective rule.
And at the same time, to be unable to bind his power means God has not the power to bind himself, which means he's not all-powerful.
Actually, it does. That's precisely what logical fallacies are about proving: faulty logic. Let me give you another example, again stemming from the idea of God's omnipotence. Now, the Christian God is supposed to be merciful and overall fair (obviously, the human concept of fair, as we're the audience). At the same time, he has supposedly set down rules that dictate how one gets into heaven. Well, that's the paradox right there. If he sets rules that insure one's entry into heaven, then he is binding himself to allow people into heaven. Yet, if he's not bound to follow his own rules on who gets into heaven, then he's not fair. The concept of God's grace follows virtually reverse logic; inherently him choosing certain unworthy people is unfair, so he has bound himself to only allowing certain people in, but such reverts back to the issue of him not being able to bind himself.
What does this all mean? Among other things, an omnipotent, fair God, Christian or otherwise, can't exist. But if we remove the quality of omnipotence, then we're left with a being who can be fair (and can bind himself to his own rules). Whether he's fair or omnipotent, the Bible, Quran, etc. is in error, which leaves what and why to believe from it very much placed on the people who read it. So, feel free to turn towards a slightly less-than-omnipotent God and worship him. Me, personally? I don't find it any more logical to worship a nearly omnipotent God than a nearly omnipotent Devil. And why would I worship a being who is unfair?
That's funny. I find it easier to identify with characters that *are* like me. That is, I'd much quicker relate to a yellow fox or a blue armored robot than some male character that happens to be Caucasian. Hell, I even relate well to characters who aren't of my gender. But then again, I thought a major point of video games was to look beyond the polygons that represent the outside and to take a more abstract view and ingest that to be considered. After all, those textures that make that Caucasian male white could be trivially altered to make him green or the polygons altered to make him look like a her. Until there's the point at which games are actually rendered at a detail when I can no longer trivially think of the polygons as merely a hitbox or the color as merely a means to differentiate the character from the background, I'll still be left to thinking of it as a walking hitbox.
IANAL, either. But, what you try to claim doesn't really hold water. The entire point of telecoms *wanting* common carrier status is precisely to be protected from "legal repercussions". Without that status, any action to edit or change that which occurs infers that one has taken upon the responsibility of handling the task of insuring that illegal activities do not occur as a result of the company's actions or inactions. Without this protection, companies would be liable under, minimally, the same sort of context that has seen various P2P companies shut down and otherwise sued. It is, after all, not much of a defense to claim that you were more than willing to stop fraud in one case but not another because you "lack the resources". And with something like telecommunication and the complexity of all the possible conspiracy laws that could be violated, it's unlikely that any telecom would dare pass any content over its network.
In short, the price of being held non-liable for the many crimes that your company facilitates is to objectively allow for such crimes to occur without a hunt to stop them. Otherwise, how are you any different than a conspirator that looks the other way in some cases?
Did copyright infringement bump murder off the list?
You do know that HD-DVD and Blu-Ray video won't display in HD except on HD monitors, right? Being an HD monitor is necessary, btw, as a part of the HD-DVD and Blu-Ray specs as a means to try to close the analog hole; there's nothing intrinsic about most non-HD monitors sold today that prevents them from displaying the video. So they could have a legally owned copy of a reference video and end up playing it on a Windows Vista machine which either (a) doesn't have an HD monitor or (b) the HD monitor is acting up. Certainly, this is technically a screw-up on the part of the IT staff.
What becomes more fun is scenarios where a hospital buys some HD software that ends up DRMing the video they create. Even more fun is if the key gets revoked. I don't think it's very far fetched when you consider that DRMing video is a great way to protect the privacy rights of individuals, in theory. But at the same time it's the same DRMing scheme that leaves open the potential for so much abuse by those who control revoking keys.
This is probably one of the truest statements made in the article. Why? Because Microsoft doesn't want to have Vista blacklisted by movie providers. So, they're certainly going to go out of their way to implement such protections properly and if any exploit is found to fix it as promptly as possible. Recall how quickly the previous DRM exploit was patched?
Obviously, "better driver quality control" != "better drivers" nor "more stable", so it's really more spin than answering the real issue. But I guess if you assume that Windows drivers are generally crap, then simply implementing the function of the driver properly with fewer exploits means by definition such will be stabler and better. I'm not sure if that's what they were trying to imply.
"Try taking an animal biology course with a veterinarian professor and then express your dog extermination viewpoints during discussions. I'd bet 90% of the time you would come out of the class with a lower grade than your "puppy-loving" classmates even though you showed the same amount of enthusiasm and willingness to participate in class discussions as they did."
Perhaps the problem is that neo-conservatism argues a position with less rational backing while liberals support a position that has more rational backing? This isn't to say that the liberal position is right (more that neo-conservatism is wrong), but that most liberal professors require that even the liberally minded back their position up, not simply nod their head and agree with the group. Simply being enthusiastic and being willing to participate isn't justification for receiving the same grade as others. One of the core points is being able to have substantial argument to support your position.
Notice the similarities? One thing that has to be recognized is that those small changes that make a species resistant to a pesticide or an antibiotic could be precisely the change that makes them a new species. The only real issue is that while there are many instances where it has been shown that a "negative" genetic trait has persisted in a society (sickle-cell anemia being a good example) because of the overall positive net effect it gives in resistance to attack from other organisms, I can't think of a laboratory example where this has been demonstrated. So while it's true that macroevolution has been observed in that lab, you're correct in pointing out that macroevolution as the result of a mutation to build resistance hasn't been demonstrated to produce new species. Given that speciation as a result of such a specific genetic mutation would only last if enough of a species developed the same mutation to procreate (and hence create a separate line)--since most bacteria are asexual and hence their species is determined by genetic similarity not the ability to mate, there is no simple definite means of declaring a resistance mutation as that which makes a new species*--, I can understand why such a scenario will take a long time to demonstrate to exist.
*Obviously, this isn't entirely true. For example, like-species might be defined by their willingness to trade plasmids. Or, bacteria switching Gram negativity might define them as a new species.
I have to disagree pretty substantially with what you've said. For starters, the discussion of evolution vs intelligent design/creationism isn't one of the creation of life. Instead, it's the creation of most species. The difference is pretty significant. The former is a very dynamic viewpoint while the latter two are more static (well, unless intelligent designers think that their "designer" is still around). This is important because there are many jobs that involve nature, and one that views species as fundamentally unalterable creates all sorts of problems, from the overuse of antibiotics to the short-sightedness of becoming dependent on a pesticide without any long-term plans to research and develop new pesticides as current pesticides are adapted to. Hell, even non-life evolves (viruses). If there's enough people who refuse to acknowledge evolution and they vote into office politicians who cut funding and research into combating ever-evolving microorganisms, the consequences could be rather catastrophic economically and mortally. Until we're in a situation where there isn't a reliance on large government funding to do the sort of research that seems necessary because of evolution, I think it does rather matter what people think.
What makes you think I have a high-end graphics card? Or that I should only concern myself with the costs of something when it involves running a company?
No, it's not "too tragic" to have to fork out $100 every 5 years just to keep a computer system running. But the question is, will I actually see drivers that will see me through the next 5 years? And just how smart is it to feed into a system of consumerism that suggests that I just buy a new board every so often to work around design flaws of a driver or hardware?
If you hadn't noticed, the original discussion was about an nvidia driver that had a locally/remotely exploitable security flaw in it. So, being able to run *known* insecure drivers isn't exactly a great example of good security. That was the major reason for the complaint.
Ever heard of a magical word called Trademark? There's nothing stopping NVidia from trademarking their driver (both ATI and NVidia already seem to have) to prevent most of the badness you make out. More to the point, there's nothing stopping someone *right now* from making a crappy nvidia driver and pushing it into Linux distros precisely because it's the only legal option at the moment. If NVidia's driver is so good, do you really think a crappy reverse engineered one will "smear" their name less than a badly optimized one that someone else compiled from the official source? And I agree, it is at a very small level that nvidia or ati could use their websites as a marketing tool when a person is looking for security-update drivers.
I already reevaluated, after having more than I desired in crashes with my NVidia card. This was especially the case when it became clear I couldn't get help from Linux or Xorg developers for problems I was having and I'd have to rely solely on NVidia to fix my problems. Given the probable complex interactions involved and the simple fact that NVidia was clearly not so invested in Linux (again, they haven't gone out of their way to ensure that their driver can be legally included with distros), it was something of a futile condition to be in. I've already made my decision. The point of my position was more to express my reasoning than as some sort of mantra that no one should buy from NVidia. But certainly, I can't fully reason on the logic behind why I should choose NVidia over ATI or the reverse, at least based on company actions. I'll just have to go with the reverse-engineered drivers that exist for ATI instead of having to deal with such petty squabbles.
You highlight one of the reasons why I'm a member of the Free Software movement instead of the Open Source Software movement. That is, the OSS movement tries to present an unrealistic and unprovable supposition: that open source software is invariably "better" (ie, more bug free) than closed source software. It reminds me a lot of capitalists who try to equate an idealized model (free market) with the real world as a basis to ignore obvious examples where the idealized model doesn't work.
Back to the discussion, the real reasons why those of us in the Free Software movement want access to the source code, beyond any moral reasons, are a few pragmatic ones. NVidia may not be around forever. Even if they are, they won't necessarily release updates in a timely fashion or for the hardware/software that I use. Once a bug is found, cutting off the ease of anyone being able to fix it, by making any fix a result of binary blob hacking, does in no way improve the odds of it being fixed. Further, the fact that the source is closed is a prime reason *why* NVidia employees are the only ones so well familiar with their driver. Given enough people in the world, especially those willing to hire others to write software for them, it stands to reason that the source being available would very likely increase the number of people who are familiar with what were "binary blobs".
Will this make source code magically less buggy? No more than making source closed has made it less buggy. But the source code being Free at least offers the potential for people themselves or to pay others to fix bugs and for the advantage to pass to everyone. And personally I like being in a position where I have a reasonable chance of fixing known problems even if some company or other specific person isn't interested. Certainly, software being Free only helps.
Ignoring that you completely miss the meaning of negligence, I'd say that most of the security vulnerabilities present today are a result of negligence. Simply put, it's a well-known fact (and probably equally easy to demonstrate) that buffer overflows and integer overflows account for the vast majority of bugs that can be used as exploits. However, programmers (and by extension, consumers as well) have consistently chosen to use languages that allow for such bugs to readily exist instead of languages that greatly reduce the risk of such problems ever occurring. This is mostly done because of performance reasons.
To make a bad car analogy, if you started selling a car with zero safety features, not even tempered glass, purely for economics/performance, you'd be very likely held liable for the "excessive" damage in any accident that occurs. You might be able to sell the car without fear of lawsuits if you adequately explain just how dangerous the vehicle could be and state the car is only to be used on private land, but pretend that you're offering any level of "safety" just because when designing the car you tried to avoid having pointy edges doesn't remove a need for the serious design considerations that have to be put into place to greatly reduce the damage from an accident.
I don't want Linux developers or Windows developers to be sued any more than you likely do. But knowing what I know, I find it hard to ignore that developers (and their manager(s)) will often choose the riskier option, even knowing how well "no software is perfect". Consumers have the right to choose riskier software if they want to. But with platitudes of "no software is perfect" and no real discussion about serious options to greatly reduce the possible risk, consumers will never become better informed and really have the option to choose the software that won't cause them to be suddenly hosting child porn one day.
Well, the only thing left is to cue the people who point out that by taking steps to reduce the risk and advertising it, one opens oneself up to litigation whenever a security vulnerability is found. Funny how people have an innate expectation that Windows won't be "owned" to host child porn and MS isn't ever sued over it, but that there'd be a serious legal case if Foo was deployed with a promise of choosing a less risky base, and Foo would likely be litigated into the ground. I thought sue trolls went after companies with the most money. Or is it only while they're not established enough to seem to have competent lawyers to defend themselves?
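The comment above rests on the claim that buffer and integer overflows are the dominant exploitable bug class, and that they come from the language permitting unchecked arithmetic and unchecked copies. The following is an added illustration, not code from any poster or project on this page: it shows a 32-bit length computation that wraps, the heap overflow that results when a copy loop trusts the wrapped value, and the bounds-checked form. The wire format (a 4-byte little-endian record count followed by 16-byte records) and the two sample messages are constructed for the example; the function names are likewise invented here.

```c
/* Added example (not from the original post): an integer overflow in a
 * length computation becoming a heap buffer overflow, and the checked form.
 * The record format and sample messages below are constructed for this
 * illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_SIZE 16u

/* The bug: count * REC_SIZE is evaluated in 32-bit arithmetic and wraps,
 * so a count of 0x10000001 yields an allocation of only 16 bytes while a
 * copy loop driven by `count` still writes 0x10000001 records into it. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * REC_SIZE;
}

/* The fix: refuse the multiplication before it can wrap. Returns 1 and
 * stores the byte count on success, 0 if the product would not fit. */
int alloc_size_checked(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / REC_SIZE) {
        *out = 0;
        return 0;
    }
    *out = count * REC_SIZE;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when it is rejected. */
uint32_t checked_size_or_zero(uint32_t count)
{
    uint32_t n;
    return alloc_size_checked(count, &n) ? n : 0;
}

/* Bytes a copy loop of `count` records would really write, without wrapping. */
uint64_t bytes_written_by_copy(uint32_t count)
{
    return (uint64_t)count * REC_SIZE;
}

/* 1 if the unchecked allocation is smaller than what the copy would write,
 * i.e. the classic integer-overflow-to-heap-overflow condition. */
int unchecked_would_overflow(uint32_t count)
{
    return bytes_written_by_copy(count) > alloc_size_unchecked(count);
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser: validates the count against both the arithmetic and the
 * bytes actually present before copying anything. Returns the record
 * count on success, -1 on any inconsistency. */
int parse_record_count(const uint8_t *msg, size_t len)
{
    uint32_t count, need;
    uint8_t *records;

    if (len < 4)
        return -1;
    count = read_le32(msg);
    if (!alloc_size_checked(count, &need))
        return -1;                  /* count * REC_SIZE would wrap */
    if (need > len - 4)
        return -1;                  /* claims more records than were sent */
    records = malloc(need ? need : 1);
    if (!records)
        return -1;
    memcpy(records, msg + 4, need); /* provably within both buffers */
    free(records);
    return (int)count;
}

/* Constructed samples: a valid message with two records, and one whose
 * count (0x10000001) makes count * 16 wrap to exactly 16 in 32 bits. */
static const uint8_t valid_msg[4 + 2 * REC_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t evil_msg[4 + REC_SIZE]      = { 0x01, 0x00, 0x00, 0x10 };

int main(void)
{
    printf("unchecked: 0x10000001 records -> %u-byte buffer, copy writes %llu bytes\n",
           alloc_size_unchecked(0x10000001u),
           (unsigned long long)bytes_written_by_copy(0x10000001u));
    printf("checked:   0x10000001 records -> %s\n",
           checked_size_or_zero(0x10000001u) ? "accepted" : "rejected");
    printf("valid message -> %d records\n",
           parse_record_count(valid_msg, sizeof valid_msg));
    printf("evil message  -> %d\n",
           parse_record_count(evil_msg, sizeof evil_msg));
    return 0;
}
```

The unchecked function is exactly what a language with silently wrapping arithmetic lets you write without complaint; the checked variant is one line of extra reasoning, but it is reasoning the compiler never demanded. The parser also checks the count against the bytes actually received, because a correct multiplication still does not tell you the sender supplied that many records.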
No, the obvious question is why they didn't use urine instead of water? Oh wait, you said Gatorade. N/m.
I didn't realize there was one government body that controlled the internet. Nor did I realize that the military could retroactively shoot down satellites that have taken pictures of the Earth for years. Nor that it would suddenly be legal, under treaties most countries capable of shooting down satellites have signed, to start shooting down all satellites that "fly over" a warzone.
Actually, that depends. Some security researchers will remain in contact with the company and if the vendor says they're about to release a patch, the researcher may be willing to hold off for a while. It's usually only when a vendor seems to be "stiffing" the security researcher that they feel compelled to release information about the exploit because they feel that if the vendor isn't going to release a patch, at least they can inform users so they can take steps to avoid the problem, which in many cases amount to not using the software at all. One could construe that as a malicious act.
Again, if you agreed to an EULA that specifically states that the software maker disclaims any fitness for the software, then what you're really reporting isn't a defect according to them. It is, after all, not illegal to include in software the ability to remotely execute or crash a program, no more than it's illegal to make locks that can be opened with a paper clip. It's only if there's a claim that such features don't exist that they have fear of fraud charges and claims of defects. Of course, the country one lives in might have laws that supersede any EULA or contract, making it the case that such exploits are inherently seen as defects; so, at least in those countries you're right that you'd be clearly legally protected. Just consider that for all the exploits that Microsoft software has and the billions they possess, they've yet to be sued over defects that they've not patched.
In the end, the real problem is that you can sue anyone for anything, no matter how groundless. Trying to be responsible and giving the vendor the information they can use to sue you, forcing you to spend thousands of dollars to defend yourself on a ludicrous case, can have a strong chilling effect on a willingness to risk releasing information about exploits at all. In the end, I just see it as the case that the few vendors that do end up suing people will have a profound negative impact. After all, how hard is it to sell to the courts the story that you weren't just reporting a vulnerability but that you were asking for money? Unless you're a well-known researcher or have connections to one, it's not hard to imagine them being able to push that story at least long enough to cause you to accept a plea bargain.
Of course, having said all that, I'm still for releasing the information to the public ASAP. People should be as informed as you can make them. If the repeated reports of Windows or Linux bugs cause people to not use that software for extended periods of time because they're unsafe, then perhaps people will finally focus more on the sort of security we should have always had.
So? Not to be callous, but if my machine is being actively exploited, I'd like to know about it. Waiting 2 months without a clue while my machine is being used doesn't make me feel particularly good. And what happens if there is a wide and catastrophic impact *in spite* of your efforts to keep the vulnerability secret? Do you shrug your shoulders and try to rationalize that in the long term the negative impact is much less than the negative impact otherwise? At least when people know of a vulnerability, they can take steps to try to mitigate the problem.
For the same reason that people are targeted by "not" extremely valuable and documented vulnerabilities, both those not fixed and those fixed but for which people have not yet patched their systems. As far as I see it, what makes a vulnerability extremely valuable has more to do with the attacker's intentions than some all-encompassing umbrella of "not publicly documented". Certainly it is well known that while you can use some exploits to attack banks, it's much simpler (and safer) to attack millions of machines and sell them off as zombies for spamming purposes. If anything, it's the fact that patches are released that makes attackers aware of these exploits, and it's the many people who rarely or never patch that make such attacks feasible. If it's not responsible to provide the information to protect people before a patch is released, how is it responsible to provide a patch that you know a great many people will never use but that attackers *will* use to their advantage? Are you against patching as well?
Oh yes, vendors should always be informed in advance. One should especially inform those companies that are sue happy. After all, isn't it possibly a form of exploitation to inform vendors? You may question how, but it's quite simple. By informing a vendor and effectively threatening to release information about an exploit if they don't release a patch in a set time, you're effectively demanding they spend money on you to patch software. You might claim that software has to be patched otherwise it's unfit software, but such logic has yet to be tested in court and the EULA you likely agreed to conceivably negates any claim of fitness. The only way to avoid this scenario is to inform a vendor but to never release information about the exploit (waiting until after a patch is released still looks incriminating) even if the vendor never even attempts to fix it. I'm sure the company can otherwise spin it as demanding thousands of dollars (in wages to employees to fix the exploit). You're an evil hacker, after all.
One issue you ignore is that firmware blobs could, potentially, contain backdoors or spying software connected to whatever bus(es) they're connected to. While it's certainly possible for hardware to be directly bugged, it's much easier (and cheaper) to allow for upgradeable bugging. Truthfully, main CPUs could fall under this same problem. But I think in the long term, the desire is to open as much as possible so that users of a system can better trust the system. Getting hardware to work in the first place without some huge hurdle for users is merely a first step. It is, after all, the case that people buy hardware for the functionality the hardware can perform well. So, I don't think there's a reasonable fear of them becoming obsolete. They just have to fear not gaining as much profits or perhaps being associated with the shoddy programming of other developers (at least one reasonable reason for why they might wish to only have their own code be used; whether the adversarial approach of keeping code closed and being as tight-lipped about hardware as possible is reasonable is another issue).