"If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."
I'm with you so far....
"So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."
Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if it significantly reduces the risk.
The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.
And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.
Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.
I'm in complete agreement with this handler's diary from isc.sans.org concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.
"...the company had possibly overbilled the Transportation Security Administration by as much as 171,000 hours of labor and overtime."
Uh-oh.
Look, I don't really know how to tell you this, but those 171,000 hours? That's... uh, well, that'd be my fault. Back in '99, somebody asked me to get Windows ME running stable, and I haven't left my desk since.
Bob Metcalfe has been so consistently wrong in so many pronouncements that I have long since given up on him. I respect him for his work in developing ethernet, and I'm glad that he made whacks of money at 3Com.
Since he became a geek pundit, though, he's done worse than the Dvoraks of the world, who natter endlessly and (for the most part) harmlessly. Bob's great sin is that people actually listened to him. He is in no small part responsible for the abysmally unenlightened business tactics that defined the dot com boom.
Nowadays, I tend to assume that anything attributed to him is wrong by definition. I know it's not right to do that (heck, even Dvorak's been right at least once), but I can't help it. It's because of him and a few others that the Web became such a weird (and useless) place in the late 90s.
"I don't think that Churchill or FDR spent much time worrying about legacy, yet history counts them as great men."
Churchill cared so much about his legacy that he wrote a 6 volume memoir of his actions during the war, modestly entitled "The Second World War." It's good reading, but make no mistake about its purpose. From start to finish it's an apologia for his every action during that time.
And when talking about Roosevelts, I'm more prone to remember Eleanor Roosevelt as the modest one. This is a woman who, in the dark days of segregation, drove through southern towns with a pistol on the seat beside her, to address groups like the NAACP. When a bunch of uptight matrons refused to allow a black soprano to perform at Constitution Hall in Washington, she arranged to have the concert at the Lincoln Memorial. 70,000 people attended.
Eleanor Roosevelt was also the driving force behind one of the most important documents since Hammurabi - the Universal Declaration of Human Rights.
Churchill and Roosevelt were both extremely dynamic personalities who knew exactly how to present themselves to the public, and whose private faces were sometimes strikingly different from their public ones. That said, they both made important - critical, even - contributions to world history.
"I wrote to them asking where I could send $100 to sponsor the creation of the laptop.. I was automailed a response."
While you're waiting, why not consider supporting other IT-related work that's changing lives in the developing world? Take a look at the GeekCorps, a volunteer sending agency that specialises in short-term volunteer work in the developing world. I find their Mali Project, where they're building a nationwide wireless network for peanuts, especially interesting. I'm on their mailing list, and if I weren't already doing the same kind of work in another part of the developing world, I'd be working for them.
Or you could do what I'm doing and spend a couple of years working as a VSO volunteer. VSO Canada recruits across North America, and VSO international recruits throughout the EU. If you're tied down by other commitments and don't have a couple of years to devote to development, you could think about a short-term stint with BESO, which provides tactical assistance with business and technology skills development.
Young Canadians with nominal IT experience can give a hand too, through the NetCorps programme, operated by the government of Canada through VSO Canada and CUSO. I've worked with a few of them, and they all love what they're doing.
I can say from experience that this kind of work does save lives, and it's incredibly gratifying. In fact, I like the work so much I've extended my contract for an extra two years, and I've decided on a career in international development.
"Sounds like a job for everyone's favorite do-everything markup language, XML! Seriously, why isn't it used to structure everything?"
Because it's not the right tool for every job. XML is explicitly a data interchange format. I've worked with material like this in the past, and I can tell you from experience that processing large volumes of XML (or any text-based markup format, for that matter) is extremely expensive in terms of processor and memory resource usage.
That said, I agree that in this case XML-formatted plain text is the right format, specifically because it is very suitable as a data interchange format. When one is archiving large volumes of data for indeterminate periods of time (possibly decades), then it's worth the extra pain to maintain the source in the most flexible format.
I do not want to suggest, though, that this is the best format for accessing or processing the data. I'd suggest a source repository where text data is fielded with the proper metadata which can be updated periodically if necessary. Data can then be drawn from there and stored in a more accessible (e.g. database) format and that data store can be accessed by researchers, lawyers and lawmakers, etc. This has the double benefit of keeping the source material safe because we're not interacting with it constantly and making it accessible in the most appropriate technology of the day.
As someone has already stated, this is not exactly rocket science. It does require a certain simplicity and elegance of design, so I have very little hope that it will be implemented as I've described. 8^)
computer systems should not be released until they pass some theoretical threshold of security
Sounds reasonable, except that the threshold should be measurable. This is relatively easily achieved, even in very complex applications, if responsible coding practices and code management are used. I refuse to work for companies that do less than that, and avoid recommending any software that wasn't developed using that method. Which, of course, is why I've only supported *nix servers from about 1999 onwards.
and if the above is not done, then the authors of said systems shall be held (financially? criminally?) liable.
I don't want to put words in the GP's mouth (it's unsanitary), but IMO software should be warrantable just like any number of other products. There is a de facto expectation of suitability to use, EULAs notwithstanding, and it only remains for law to catch up to consumer expectations.
My preference would be to see financial liability for software vendors measured as a proportion of the sale price, except in cases where software failure directly caused death, disability or significant loss of property.
"In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it."
Not at all. Under the model I've described above, only those companies who package and sell the software would be responsible for maintaining a certain degree of quality. Hackers in the FOSS community would not be directly liable for releasing a no-cost application, unless it actually kills people, which is somewhat unlikely. 8^)
I think that decent software quality is achievable. I've seen it done. One company I worked for not so long ago ran a network operations centre whose management software had a six week development cycle. Two weeks of design, followed by two weeks of development, followed by two weeks of testing.
This had a very salutary effect on code quality, not the least of which was that stupid errors (e.g. syntax mistakes, border conditions, fencepost errors etc.) never saw the light of day. But the biggest benefit was that the cost of failure was low. We deliberately worked in small increments for this very reason. Even if a new feature turned out to be a steaming pile, we'd typically find out before release. But even if we didn't, the cost of rolling back was very low.
Now, I realise that this particular model doesn't apply directly to a number of areas, not the least of which are desktop client applications. But consider that if this incremental development approach were used internally (i.e. without constant public releases), the same practices could be used. This is only one example, though, of the many ways in which code quality can be improved without undue effort or expense.
One key to ensuring quality is frequent review and auditability of the code. This of course puts developers of proprietary applications at a bit of a deficit, but heck, them's the breaks. 8^)
"Kye-U also has released a filter for proxomitron that will block wmf file downloads[....]"
Careful. The folks at the Internet Storm Center are warning that Windows often ignores the file extension and reads the 'magic bits' at the beginning of the file to decide how to process it. This means that someone could rename a .wmf to .jpg, for example, in order to get it past that filter.
The best workaround currently available is to un-register the shimgvw.dll as suggested above.
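As an added illustration of the point made in the comment above (this is not code from the original post, nor Kye-U's Proxomitron filter), here is a small Python comparison of an extension-based block against a content-based one. The header constants come from the WMF file format itself: the 4-byte key 0x9AC6CDD7 that opens a "placeable" metafile, and the 18-byte METAHEADER (Type, HeaderSize, Version, ...) that opens a standard one. The file names and the sample byte strings are constructed for this example; the extension-only filter is a hypothetical stand-in for any filter that keys on the file name.

```python
import struct

# Added example: a content-based WMF detector. Header constants are taken from the
# WMF file format; the sample inputs below are constructed for this illustration.

PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 written little-endian
WMF_TYPES = {0x0001, 0x0002}             # MEMORYMETAFILE, DISKMETAFILE
WMF_HEADER_SIZE_WORDS = 9                # METAHEADER is 18 bytes = 9 16-bit words
WMF_VERSIONS = {0x0100, 0x0300}          # METAVERSION100, METAVERSION300


def extension_filter_blocks(filename: str) -> bool:
    """The weak check: block only when the name ends in .wmf."""
    return filename.lower().endswith(".wmf")


def looks_like_wmf(data: bytes) -> bool:
    """Decide from the leading bytes whether this is a WMF, whatever it is called."""
    if data[:4] == PLACEABLE_WMF_KEY:
        return True
    if len(data) < 18:
        return False
    # METAHEADER layout: Type(2) HeaderSize(2) Version(2) Size(4)
    #                    NumberOfObjects(2) MaxRecord(4) NumberOfMembers(2)
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return (mtype in WMF_TYPES
            and header_size == WMF_HEADER_SIZE_WORDS
            and version in WMF_VERSIONS)


def content_filter_blocks(filename: str, data: bytes) -> bool:
    """The stronger check: the name is irrelevant, only the bytes matter."""
    return looks_like_wmf(data)


# Constructed sample downloads (hypothetical names, minimal headers only).
SAMPLES = {
    # placeable WMF renamed to .jpg: the 4-byte key plus a zeroed rest of the header
    "holiday.jpg": PLACEABLE_WMF_KEY + b"\x00" * 18,
    # standard (non-placeable) WMF renamed to .gif: METAHEADER with plausible values
    "banner.gif": struct.pack("<HHHIHIH", 0x0001, 9, 0x0300, 0x20, 0, 0, 0),
    # genuine JPEG (SOI marker followed by an APP0 segment)
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10,
    # genuine WMF with the honest extension
    "clipart.wmf": PLACEABLE_WMF_KEY + b"\x00" * 18,
}


def compare_filters(samples: dict) -> dict:
    """Return {name: (blocked_by_extension, blocked_by_content)} for each sample."""
    return {name: (extension_filter_blocks(name), content_filter_blocks(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare_filters(SAMPLES).items():
        print(f"{name:14} extension-filter={by_ext!s:5} content-filter={by_content}")
```

The two renamed samples sail straight past the extension check and are caught by the content check; the real JPEG passes both, and the honestly named WMF is caught by both. A filter that wants to match what Windows actually does has to look at the bytes, not the name.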
"The real question is, is the open source community against it?"
Actually, I think the real question is 'How could everyone miss the point so completely?'
Look, I think that government does have a place in enforcing standards, especially with regards to safety and security, but those have to be standards of behaviour. The difference between saying 'nobody is allowed to run software that does X' and 'nobody is allowed to run software X' is critical.
Taken to its logical extreme, it's the difference between saying:
'Hoarding money is a crime, so we'll punish anyone who does it'
and saying:
'Jews hoard money, so we'll punish all Jews.'
Another example: I don't give a hoot who made the truck that pollutes my lungs with reeking black clouds of exhaust, nor do I care who the owner is. I just want it to stop. The best way to do this is to set standards for behaviour and punish or reward them as society sees fit.
Gee, when we put it that way, it almost sounds like what laws are for, huh? 8^)
In that sense, I have no objection to making malware quarantine compulsory, provided that malware is defined by its actions and not its name.
"Microsoft has also started selling Windows Starter Edition in developing countries. Just because other OSes aren't undercutting Microsoft and may understand economics more than you do doesn't mean it's Microsoft's fault."
Wow, what a tour de force of disingenuousness. I hardly know where to start....
If you would only be so patient as to do some research, you would find that most people agree that Windows Starter Edition is a transparent (and half-assed) effort on MS' part to pander to politicians. They're using it to keep Windows on the desktop in places where it makes abundant sense to use FOSS.
Other OSes absolutely are undercutting Windows. And they're doing it using tactics that MS ultimately can't defeat. Windows Starter Edition is a direct (albeit feeble) move to counter the effect of Free software. MS knows that if they leave a hole behind where pirated software used to be, FOSS will fill it. Your refusal to even consider FOSS in the equation is self-serving and silly.
The price of commercially available operating systems is very much Microsoft's fault - more specifically, their OEM licensing agreements until recently required exclusivity: If you want to sell Windows, you're not allowed to sell anything else. That's why computer manufacturers were glad to see MS hauled into court on anti-trust charges. If you think that removing these terms from the contract agreement means MS has given up on this tactic, think again. If they're willing to attack the state of Massachusetts and its staff for even thinking about alternatives, you can bet that they continue to fight diversity in the market place with every tactic they feel they can get away with.
One of the primary strategies that MS is pursuing today is to fight FOSS (especially Linux) on every front, and to conduct scorched earth campaigns where propaganda and existing dominance aren't enough. Windows Starter Edition is in effect MS salting the earth on their way out.
And MS is right to be scared. Ultimately, the developing world will have little choice but to move to FOSS - the logistics of doing anything else are simply prohibitive.
How do I know? I work in international development, and I've seen more than one situation where a government or large organisation baulked at the price of licensing MS software. But as more and more nations accede to the WTO and live at the mercy of the World Bank et alia, they can no longer blithely use proprietary software without paying for it.
It's ironic that the very strongarm tactics that have served MS so well in the past are the petard on which they'll eventually be hoist. To claim that MS is faultless in this process is evidence either of self-deception or dishonesty of the highest order.
"I have a PhD in Neuroscience and while I could tell you a load of info on biological sciences and basic science in general, I am no more able to tell you of quantum physics than anyone else. This means that I must take this information on trust from people who I know more than I do: teachers or scientists. On the surface this trust is based on faith, and is the same as listening to the Clergy, but there is a major difference."
I take your point, but it's dangerous (and IMO foolish) to conflate trust with faith. They are not at all the same thing, especially when understood in the way the religious right intends.
I trust certain experts and authorities to provide me with the summaries and synthesis that I need to understand esoteric matters from cosmology to macro-economics, but only because they have demonstrated their accuracy in the past. New evidence to the contrary will affect the level of trust I'm willing to invest.
Faith works in exactly the opposite way; it insists on remaining unchanged no matter what external circumstance may dictate. Faith is antithetical to the kind of common-sense trust described in the previous paragraph.
"Newton's phrase "standing on the shoulders of giants" was reference to the fact that all science can trace its roots back to basic experiments that we can all do at home."
You're no doubt right on that point, but the statement too can be traced much further back than Newton. But don't take my word for it - check for yourself. Then check their sources, too. 8^)
"Basically piracy is the last thing that keeps Free Software from world domination."
And that is precisely why I oppose software 'piracy'. I live in a country where I can buy any software I want for less than 20 bucks at the local CD store. The parliament here has yet to ratify the Berne Conventions on copyright, so we exist in a sort of a grey zone. There's no legal reason to respect software EULAs.
But the use of proprietary software has created many other difficulties, not the least of which is a cargo-cult mentality. Software is not something that one configures or, heaven forfend, writes; it's something you go down to the store to buy. If something goes wrong with it, you just buy something better. If there's nothing there that does what you want... well then, software can't do that.
That's all well and good as far as it goes, but it does absolutely nothing to develop the local economy, improve educational opportunities, or to impress on people just what kind of amazing things they could be doing with software in this country. This place is poor in resources, but doesn't lack for smart people. The only way people here will ever find really well-paid work is to sell their skills overseas, and the only way they can do that is to leverage the Internet, and the only way they can do that is if they understand the software, and the only way they can do that is if they wean themselves from the proprietary tit.
Free Software costs time and effort, and will always be more expensive (though ultimately more valuable) than pirated software.
A new ocean, you say? Jeepers, what's wrong with the oceans you've already got? You've got hot ones and cold ones and windy ones and... sheesh! Back in my day, we only had one ocean, and we all had to share it - 'cept for the Lankowitz kid. Never could be too sure about him. And it was small. Couldn't barely fit a ship into it. But did we complain? Hell no! Just made a canoe out of a hollowed out log and called it the Titanic. And we liked it that way. Didn't have no ice to sink it with, neither. Had to use up our only glacier just to keep the drinks cold in the summer time.
But we never complained. We was proud then, didn't take guff from nobody. Why I remember when the bank came to repossess our desert. Fine desert it was. Some of the best damn Gila monsters ever came outa there. Craftsmanship, that's what we called it. But the bank didn't care. I still remember my pappy standing there with a big timber from our rain forest in his hand, telling that fat-ass banker that he'd come for the wrong desert.
Ocean! Feh! You kids don't even know what an ocean is any more. Buncha perfectly good ones here, and you still need another. Crybabies waste all the cod in one and then it's 'wah wah wah, gimme 'nother ocean!'
Tell yer mother to fetch me 'nother glass of my rheumatism medicine, boy. All this talk 'bout oceans is making me tetchy.
"Why is it to get rotten egged off the podium in this world, all you have to do is volunteer to help?"
Amen to that. As someone who works full time in a place that has been designated by the UN as a Least Developed Country, I have to say that this absurd, simplistic logic which decrees that food shortages can only be addressed by food makes me grind my teeth with frustration.
Scenario: A child has a boil in his nostril that's gone septic and is spreading into his sinuses and putting pressure on the brain, there are no doctors within 80 miles. How does the poorly trained but well-intentioned nurse get a proper diagnosis, and if necessary the authorisation to fly the child to the district hospital if communications and resource materials are not available?
Answer: She doesn't, and the child dies. From a boil. This really happened; that child was the eldest boy of a friend of mine.
The country where I work is limited in its development for three major reasons: Education, Health and Infrastructure. In terms of communications, there are some villages here that have waited for over 23 years to get phone service. The national telecom infrastructure relies on microwave transmission equipment so old that replacement parts are no longer available. Introducing simple devices capable of creating ad hoc mesh networks automatically would be an absolute godsend.
Just in case anyone has missed the message here: Improved communications, through low-cost devices such as this, save lives. They do so more effectively than any bag of flour or rice could do.
"http://msdn.microsoft.com/xml/rss/sse/ reads pretty much like an IETF RFC."
Okay, it looks like an RFC, but why isn't it an RFC?
Besides the fact that RSS doesn't appear to have been submitted to the IETF either, of course. Both the MS extension and original RSS spec were released under Creative Commons licenses. So what's the point of releasing a spec without going through the standards process? It depends on the motives of the issuer, doesn't it?
I personally am strongly opposed to this kind of unilateralism. I'm not a big fan of Dave Winer's approach to things, and I'm even less of a fan of MS'. Having worked on the web almost from the day it was born, I can speak from experience, and MS has been a divisive force from the moment they cottoned on to this Internet thing, almost single-handedly creating the security nightmare we have today by plying half-educated cargo-cult 'developers' with convenience and ease of use that turned out to be easy for anyone to exploit.
So please, when we look at this issue, let's not forget two things:
Specs exist for a reason - peer review, consultation and openness. MS has ensured none of these in this instance.
MS has created these pseudo-standards in the past, in effect, dressing itself up in black robes and saying, 'I belong on the Supreme Court too, 'cause I got the robes!'
The (false?) naivete that the parent espouses does nothing to change my suspicion that this new 'standard' from MS is any different from what came before. MS are relying on just this kind of cursory investigation ('He must be a judge; he's wearing a robe!') to insinuate these extensions into the mainstream.
I would trust them a lot more if they took the time to actually cooperate with the community, and to follow the well-established processes that exist. They've buckled down and done so in the past, so why can't they do it this time?
"For some time I've thought the future of automotive fuel lies in biodiesel rather than hydrogen."
The proper answer to that statement is maybe. It all depends on Energy Returned On Energy Invested (EROEI). If you try to run all the cars in the continental US on grain alcohol, for example, you'd have to use every single acre of arable land in the states. AND you'd use more energy planting, harvesting, transporting and processing the fuel than you would derive from the finished product.
There are some circumstances, though, where bio-fuel makes perfect sense. In the South Pacific, where coconut oil is a plentiful resource and fuel oil is not, it makes perfect sense. In fact, many of the service buses in Vanuatu are already running on it. Thanks to the effort of alternative energy geek and genuinely nice guy Tony Deamer, there's a coconut diesel pump right on the main road in the capital.
"We're putting together an architecture that's quite big for a short period, but that's how it works. We have around 10,000 desktops, 500 laptops, 400 Unix servers, plus another 450 Windows servers."
That's kind of interesting, because the linked story offers the following numbers:
The IT behind the Olympics is a massive operation involving some 1,200 IT team members, including 800 volunteers, who run 450 Intel-based servers and Unix boxes, 4,700 PCs and 700 printers.
Anyway, that leads me to the point I want to make:
I've been promoting FOSS on Linux professionally since 1998, but this kind of muddiness always makes me question the wisdom of change. Not from a quality or philosophical standpoint, mind you, but from the perspective of protecting the clients from themselves.
See, here we are at the end of 2005, and the IOC is thinking about moving to FOSS and Linux by 2008. If they intend to move all 10,500 PCs and the functionality of ~900 servers from proprietary software to FOSS and run a 24-7 terrorist-proof operation with global reach, hooking into countless other data systems... They are, not to put too fine a point on it, terminally stupid. Any system-wide change this large should be the result of very careful study. Note especially the part where it says the IT system has approximately 2 volunteers for every single paid staff member. Try to imagine what the training would be like if the software isn't spot-on in its interface design.
BUT... if they're looking at re-working a few key systems in order to improve their robustness and lower their costs, then I would say that they've made an inspired choice that shows perceptiveness and leadership. 8^)
And that's the problem with much tech industry 'journalism' these days. We are given almost no useful details. I long for the days when a journalist's response to an ignorant readership was to educate them rather than to gloss over details.
"But these are legitimate problems we HAVE to deal with. These aren't issues really in the Microsoft world; but they are in the Linux world."
Sorry, what exactly are 'these issues' that you refer to? My understanding is that the problem arose from sysadmins being forced to upgrade glibc, a binary integral to the system.
If that's correct, then suggesting that Windows is somehow free from the upgrade treadmill is either terribly disingenuous or completely blind. The number of times I've been told by software manufacturers that my only option for fixing a fundamental problem is an OS or application upgrade is... well plenty.
This is actually one of the reasons that I stopped working with Windows servers altogether. The painful dependency on someone else's development (or worse, product) cycle was enough to drive me crazy. While dependency issues are no less common in Linux, they are infinitely more workable.
The fact that the Linux admins in this one scenario took the most ill-advised approach is demonstrative only of the fact that people are sometimes stupid - whether you believe it's by choice or circumstance depends on whether you trust the study or not.
"Do you honestly think that most people would pay $500 for a product that can be acquired for $25 if rebranded?"
Yes, I do. I also think that there's evidence that asserts exactly this. If your assertion were true, then CentOS (free, re-packaged RHEL) would be one of the most popular server distros in the corporate world. It's not.
RedHat is a very profitable company because they see beyond the logical fallacy in your statement. You beg the question that people pay for software, not the services provided and the benefits accrued from it. RedHat very clearly saw that customers were not fundamentally interested in paying for the tool. Rather they were interested in investing in a process that they would profit from.
Others in this thread have already argued the case that Nessus' problems derive from its business model, and that closing the source will ultimately do little to address this. It will have some effect, no doubt, but will likely do nothing more than alleviate some of the symptoms.
I would liken this approach to the way Microsoft has tried to fend off the Samba folks by tweaking the implementation from one release to the next. It ensures that the Samba team will always play follow-the-leader, but has negative implications on their future. If they change the protocol too little, they make it easy for Samba to maintain compatibility. If they change it too much, they encourage the uptake of Samba by those who don't want to cope with the effects of disruptive change in their systems.
Even Eric Raymond (whose filament hasn't received the full wattage for some time) was able to perceive that FOSS makes certain software marketing fallacies unsustainable. The biggest of these is that something infinitely (okay, trivially) replicable makes an economy of scarcity unworkable.
Ron Gula is trying to re-create the impression of scarcity. Having concluded that there actually was a scarcity (i.e. no one else was contributing to the project), he decided to trade on that by mandating that he (and his staff) should be the only one allowed to input into it. Ultimately, he will have to deal with the tension caused by the degree to which Nessus drifts from its established base. Too far, and he will lose customers. Too close, and... he will lose customers.
"Previous records, from an ice core drilled at the Russian Antarctic station Vostok, extended back 440,000 years. Extracting and analyzing that core was a major achievement, but the core stopped short of a time period scientists are anxious to study because it was like today's.
"Climate scientists called the analysis of the older records spectacular because they were so clear and said they would become "canonical" additions to the climate record. "It's really important," Ed Brook, an ice core expert at Oregon State University said of the new research. 'Those 200,000 years were a lot harder to get than the previous 400,000 -- and those were hard enough.'"
So there you have it. Drilling through miles of ice is... hard work. Imagine that.
"Perhaps I'm cynical from MS-marketing "studies", but the point in time seems to be too convenient as compared to the results."
I don't think it's convenient at all to create the largest ice core in the world, adding over 200,000 years to the body of evidence. Note also that they went back to get that extra 200,000+ years' worth of data for the very reason that you accuse them of 'conveniently' ignoring.
"Travel a little. You'll see that computers are used pretty much everywhere now. No, I don't mean the rural outback of a developing country, but I do mean all the cities (however poor) in that same country."
Yes, computers are becoming critical even in the 'rural outback' as well. I just spent a week running a laptop from a truck battery and a solar panel on a South Pacific island that has no power and only 6 telephones. The result of this is that the national Rural Training Centre Association now has the full minutes for their AGM ready in time for a meeting with the Australian Aid agency only one week after the meeting wound up. That kind of thing is simply not possible on paper, so it was worth a few hundred bucks in materials and freight fees to be ready in time for the next stage of a major national education initiative.
I'm not contradicting you, by the way, I'm actually expanding on your point. These days, computers are to communication what the internal combustion engine was (and is) to transport - Indispensable no matter where you go.
"...the company had possibly overbilled the Transportation Security Administration by as much as 171,000 hours of labor and overtime."
Uh-oh.
Look, I don't really know how to tell you this, but those 171,000 hours? That's... uh, well, that'd be my fault. Back in '99, somebody asked me to get Windows ME running stable, and I haven't left my desk since.
Sorry. Should be done any day now.
Bob Metcalfe has been so consistently wrong in so many pronouncements that I have long since given up on him. I respect him for his work in developing ethernet, and I'm glad that he made whacks of money at 3Com.
Since he became a geek pundit, though, he's done worse than the Dvoraks of the world, who natter endlessly and (for the most part) harmlessly. Bob's great sin is that people actually listened to him. He is in no small part responsible for the abysmally unenlightened business tactics that defined the dot com boom.
Nowadays, I tend to assume that anything attributed to him is wrong by definition. I know it's not right to do that (heck, even Dvorak's been right at least once), but I can't help it. It's because of him and a few others that the Web became such a weird (and useless) place in the late 90s.
"I don't think that Churchill or FDR spent much time worrying about legacy, yet history counts them as great men."
Churchill cared so much about his legacy that he wrote a 6 volume memoir of his actions during the war, modestly entitled "The Second World War." It's good reading, but make no mistake about its purpose. From start to finish it's an apologia for his every action during that time.
And when talking about Roosevelts, I'm more prone to remember Eleanor Roosevelt as the modest one. This is a woman who, in the dark days of segregation, drove through southern towns with a pistol on the seat beside her, to address groups like the NAACP. When a bunch of uptight matrons refused to allow a black soprano to perform at Constitution Hall in Washington, she arranged to have the concert at the Lincoln Memorial. 70,000 people attended.
Eleanor Roosevelt was also the driving force behind one of the most important documents since Hammurabi - the Universal Declaration of Human Rights.
Churchill and Roosevelt were both extremely dynamic personalities who knew exactly how to present themselves to the public, and whose private faces were sometimes strikingly different from their public ones. That said, they both made important - critical, even - contributions to world history.
"I wrote to them asking where I could send $100 to sponsor the creation of the laptop.. I was automailed a response."
While you're waiting, why not consider supporting other IT-related work that's changing lives in the developing world? Take a look at the GeekCorps, a volunteer sending agency that specialises in short-term volunteer work in the developing world. I find their Mali Project, where they're building a nationwide wireless network for peanuts, especially interesting. I'm on their mailing list, and if I weren't already doing the same kind of work in another part of the developing world, I'd be working for them.
Or you could do what I'm doing and spend a couple of years working as a VSO volunteer. VSO Canada recruits across North America, and VSO international recruits throughout the EU. If you're tied down by other commitments and don't have a couple of years to devote to development, you could think about a short-term stint with BESO, which provides tactical assistance with business and technology skills development.
Young Canadians with nominal IT experience can give a hand too, through the NetCorps programme, operated by the government of Canada through VSO Canada and CUSO. I've worked with a few of them, and they all love what they're doing.
I can say from experience that this kind of work does save lives, and it's incredibly gratifying. In fact, I like the work so much I've extended my contract for an extra two years, and I've decided on a career in international development.
"Sounds like a job for everyone's favorite do-everything markup language, XML! Seriously, why isn't it used to structure everything?"
Because it's not the right tool for every job. XML is explicitly a data interchange format. I've worked with material like this in the past, and I can tell you from experience that processing large volumes of XML (or any text-based markup format, for that matter) is extremely expensive in terms of processor and memory resource usage.
That said, I agree that in this case XML-formatted plain text is the right format, specifically because it is very suitable as a data interchange format. When one is archiving large volumes of data for indeterminate periods of time (possibly decades), then it's worth the extra pain to maintain the source in the most flexible format.
I do not want to suggest, though, that this is the best format for accessing or processing the data. I'd suggest a source repository where text data is fielded with the proper metadata which can be updated periodically if necessary. Data can then be drawn from there and stored in a more accessible (e.g. database) format and that data store can be accessed by researchers, lawyers and lawmakers, etc. This has the double benefit of keeping the source material safe because we're not interacting with it constantly and making it accessible in the most appropriate technology of the day.
As someone has already stated, this is not exactly rocket science. It does require a certain simplicity and elegance of design, so I have very little hope that it will be implemented as I've described. 8^)
"Your argument basically is that:"
Sounds reasonable, except that the threshold should be measurable. This is relatively easily achieved, even in very complex applications, if responsible coding practices and code management are used. I refuse to work for companies that do less than that, and avoid recommending any software that wasn't developed using that method. Which, of course, is why I've only supported *nix servers from about 1999 onwards.
I don't want to put words in the GP's mouth (it's unsanitary), but IMO software should be warrantable just like any number of other products. There is a de facto expectation of suitability to use, EULAs notwithstanding, and it only remains for law to catch up to consumer expectations.
My preference would be to see financial liability for software vendors measured as a proportion of the sale price, except in cases where software failure directly caused death, disability or significant loss of property.
"In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it."
Not at all. Under the model I've described above, only those companies who package and sell the software would be responsible for maintaining a certain degree of quality. Hackers in the FOSS community would not be directly liable for releasing a no-cost application, unless it actually kills people, which is somewhat unlikely. 8^)
I think that decent software quality is achievable. I've seen it done. One company I worked for not so long ago ran a network operations centre whose management software had a six week development cycle. Two weeks of design, followed by two weeks of development, followed by two weeks of testing.
This had a very salutary effect on code quality, not the least of which was that stupid errors (e.g. syntax mistakes, border conditions, fencepost errors etc.) never saw the light of day. But the biggest benefit was that the cost of failure was low. We deliberately worked in small increments for this very reason. Even if a new feature turned out to be a steaming pile, we'd typically find out before release. But even if we didn't, the cost of rolling back was very low.
Now, I realise that this particular model doesn't apply directly to a number of areas, not the least of which are desktop client applications. But consider that if this incremental development approach were used internally (i.e. without constant public releases), the same practices could be used. This is only one example, though, of the many ways in which code quality can be improved without undue effort or expense.
One key to ensuring quality is frequent review and auditability of the code. This of course puts developers of proprietary applications at a bit of a deficit, but heck, them's the breaks. 8^)
"Kye-U also has released a filter for proxomitron that will block wmf file downloads[....]"
Careful. The folks at the Internet Storm Center are warning that Windows often ignores the file extension and reads the 'magic bits' at the beginning of the file to decide how to process it. This means that someone could rename a .wmf to .jpg, for example, in order to get it past that filter.
The best workaround currently available is to un-register the shimgvw.dll as suggested above.
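The warning above, that Windows decides by the file's leading bytes and not by its name, is worth seeing concretely from the filtering side. The following is an added example, not code from this comment, from the Internet Storm Center or from any filter mentioned on the page: it flags WMF content by its header bytes, so a renamed .jpg is still caught, and shows an extension-only check beside it. It assumes the documented WMF header layout (the placeable-metafile key 0x9AC6CDD7 and the META_HEADER fields) and uses constructed sample bytes rather than real files.

```python
"""Flag WMF content by header bytes, independent of the file extension (added example)."""
import struct

# Aldus placeable metafile key 0x9AC6CDD7 as it appears on disk (little-endian).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
# key(4) + HWmf(2) + BoundingBox(8) + Inch(2) + Reserved(4) + Checksum(2)
PLACEABLE_HEADER_LEN = 22


def has_meta_header(data: bytes, offset: int = 0) -> bool:
    """True if a WMF META_HEADER starts at `offset`: Type 1 (memory) or 2 (disk),
    HeaderSize 9 (counted in 16-bit words), Version 0x0100 or 0x0300."""
    if len(data) < offset + 6:
        return False
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, offset)
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def looks_like_wmf(data: bytes) -> bool:
    """Identify WMF content from its leading bytes, ignoring the file name.
    The placeable key alone is enough to flag: err on the side of blocking."""
    if data.startswith(PLACEABLE_KEY):
        return True
    return has_meta_header(data, 0)


def extension_filter(filename: str) -> bool:
    """The weak check: block only when the name ends in .wmf."""
    return filename.lower().endswith(".wmf")


def content_filter(filename: str, data: bytes) -> bool:
    """The stronger check: block when the bytes are WMF, whatever the name says."""
    return extension_filter(filename) or looks_like_wmf(data)


# Constructed samples (not real files): minimal headers only, 18 bytes of META_HEADER.
META_HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
STANDARD_WMF = META_HEADER
PLACEABLE_WMF = PLACEABLE_KEY + bytes(PLACEABLE_HEADER_LEN - 4) + META_HEADER
JPEG_START = b"\xff\xd8\xff\xe0" + bytes(12)  # a JPEG's first bytes, also constructed


def demo():
    """Compare both filters on a real .wmf name, a renamed WMF, and a genuine JPEG."""
    cases = [
        ("chart.wmf", STANDARD_WMF),
        ("photo.jpg", PLACEABLE_WMF),  # WMF bytes hiding behind a .jpg name
        ("photo.jpg", JPEG_START),
    ]
    return [(name, extension_filter(name), content_filter(name, data))
            for name, data in cases]


if __name__ == "__main__":
    for name, by_ext, by_content in demo():
        print(f"{name}: extension filter blocks={by_ext}, content filter blocks={by_content}")
```

The middle case is the one the comment describes: the extension filter lets the renamed file through, while the content check still blocks it. The same header-based decision is what a proxy or mail gateway needs in order to be no weaker than the component it is protecting.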
"The real question is, is the open source community against it?"
Actually, I think the real question is 'How could everyone miss the point so completely?'
Look, I think that government does have a place in enforcing standards, especially with regards to safety and security, but those have to be standards of behaviour. The difference between saying 'nobody is allowed to run software that does X' and 'nobody is allowed to run software X' is critical.
Taken to its logical extreme, it's the difference between saying:
and saying:
Another example: I don't give a hoot who made the truck that pollutes my lungs with reeking black clouds of exhaust, nor do I care who the owner is. I just want it to stop. The best way to do this is to set standards for behaviour and punish or reward them as society sees fit.
Gee, when we put it that way, it almost sounds like what laws are for, huh? 8^)
In that sense, I have no objection to making malware quarantine compulsory, provided that malware is defined by its actions and not its name.
"Microsoft has also started selling Windows Starter Edition in developing countries. Just because other OSes aren't undercutting Microsoft and may understand economics more than you do doesn't mean it's Microsoft's fault."
Wow, what a tour de force of disingenuousness. I hardly know where to start....
One of the primary strategies that MS is pursuing today is to fight FOSS (especially Linux) on every front, and to conduct scorched earth campaigns where propaganda and existing dominance aren't enough. Windows Starter Edition is in effect MS salting the earth on their way out.
And MS is right to be scared. Ultimately, the developing world will have little choice but to move to FOSS - the logistics of doing anything else are simply prohibitive.
How do I know? I work in international development, and I've seen more than one situation where a government or large organisation baulked at the price of licensing MS software. But as more and more nations accede to the WTO and live at the mercy of the World Bank et alia, they can no longer blithely use proprietary software without paying for it.
It's ironic that the very strongarm tactics that have served MS so well in the past are the petard on which they'll eventually be hoist. To claim that MS is faultless in this process is evidence either of self-deception or dishonesty of the highest order.
"I have a PhD in Neuroscience and while I could tell you a load of info on biological sciences and basic science in general, I am no more able to tell you of quantum physics than anyone else. This means that I must take this information on trust from people who I know more than I do: teachers or scientists. On the surface this trust is based on faith, and is the same as listening to the Clergy, but there is a major difference."
I take your point, but it's dangerous (and IMO foolish) to conflate trust with faith. They are not at all the same thing, especially when understood in the way the religious right intends.
I trust certain experts and authorities to provide me with the summaries and synthesis that I need to understand esoteric matters from cosmology to macro-economics, but only because they have demonstrated their accuracy in the past. New evidence to the contrary will affect the level of trust I'm willing to invest.
Faith works in exactly the opposite way; it insists on remaining unchanged no matter what external circumstance may dictate. Faith is antithetical to the kind of common-sense trust described in the previous paragraph.
"Newton's phrase "standing on the shoulders of giants" was a reference to the fact that all science can trace its roots back to basic experiments that we can all do at home."
You're no doubt right on that point, but the statement too can be traced much further back than Newton. But don't take my word for it - check for yourself. Then check their sources, too. 8^)
Just reboot and see if the problem goes away. 8^)
"Basically piracy is the last thing that keeps Free Software from world domination."
And that is precisely why I oppose software 'piracy'. I live in a country where I can buy any software I want for less than 20 bucks at the local CD store. The parliament here has yet to ratify the Berne Conventions on copyright, so we exist in a sort of a grey zone. There's no legal reason to respect software EULAs.
But the use of proprietary software has created many other difficulties, not the least of which is a cargo-cult mentality. Software is not something that one configures or, heaven forfend, writes; it's something you go down to the store to buy. If something goes wrong with it, you just buy something better. If there's nothing there that does what you want... well then, software can't do that.
That's all well and good as far as it goes, but it does absolutely nothing to develop the local economy, improve educational opportunities, or to impress on people just what kind of amazing things they could be doing with software in this country. This place is poor in resources, but doesn't lack for smart people. The only way people here will ever find really well-paid work is to sell their skills overseas, and the only way they can do that is to leverage the Internet, and the only way they can do that is if they understand the software, and the only way they can do that is if they wean themselves from the proprietary tit.
Free Software costs time and effort, and will always be more expensive (though ultimately more valuable) than pirated software.
A new ocean, you say? Jeepers, what's wrong with the oceans you've already got? You've got hot ones and cold ones and windy ones and... sheesh! Back in my day, we only had one ocean, and we all had to share it - 'cept for the Lankowitz kid. Never could be too sure about him. And it was small. Couldn't barely fit a ship into it. But did we complain? Hell no! Just made a canoe out of a hollowed out log and called it the Titanic. And we liked it that way. Didn't have no ice to sink it with, neither. Had to use up our only glacier just to keep the drinks cold in the summer time.
But we never complained. We was proud then, didn't take guff from nobody. Why I remember when the bank came to repossess our desert. Fine desert it was. Some of the best damn Gila monsters ever came outa there. Craftsmanship, that's what we called it. But the bank didn't care. I still remember my pappy standing there with a big timber from our rain forest in his hand, telling that fat-ass banker that he'd come for the wrong desert.
Ocean! Feh! You kids don't even know what an ocean is any more. Buncha perfectly good ones here, and you still need another. Crybabies waste all the cod in one and then it's 'wah wah wah, gimme 'nother ocean!'
Tell yer mother to fetch me 'nother glass of my rheumatism medicine, boy. All this talk 'bout oceans is making me tetchy.
"Epilogue: Miss CSS is now in a 12 step program - CSS Purists Anonymous; where she is recovering from her addiction, one day at a time."
Bill Schlake, is that you?
... This will only be funny to HTML enthusiasts from UseNet days. I expect both of them will be rolling on the floor within seconds. 8^)
"Why is it to get rotten egged off the podium in this world, all you have to do is volunteer to help?"
Amen to that. As someone who works full time in a place that has been designated by the UN as a Least Developed Country, I have to say that this absurd, simplistic logic which decrees that food shortages can only be addressed by food makes me grind my teeth with frustration.
Scenario: A child has a boil in his nostril that's gone septic and is spreading into his sinuses and putting pressure on the brain, there are no doctors within 80 miles. How does the poorly trained but well-intentioned nurse get a proper diagnosis, and if necessary the authorisation to fly the child to the district hospital if communications and resource materials are not available?
Answer: She doesn't, and the child dies. From a boil. This really happened; that child was the eldest boy of a friend of mine.
The country where I work is limited in its development for three major reasons: Education, Health and Infrastructure. In terms of communications, there are some villages here that have waited for over 23 years to get phone service. The national telecom infrastructure relies on microwave transmission equipment so old that replacement parts are no longer available. Introducing simple devices capable of creating ad hoc mesh networks automatically would be an absolute godsend.
Just in case anyone has missed the message here: Improved communications, through low-cost devices such as this, save lives. They do so more effectively than any bag of flour or rice could do.
"Fark cliche. He means 'moran'."
That may well be, but Irishmen around the world are still itching to kick the sh*t out of him.
8^)
"http://msdn.microsoft.com/xml/rss/sse/ reads pretty much like an IETF RFC."
Okay, it looks like an RFC, but why isn't it an RFC?
Besides the fact that RSS doesn't appear to have been submitted to the IETF either, of course. Both the MS extension and original RSS spec were released under Creative Commons licenses. So what's the point of releasing a spec without going through the standards process? It depends on the motives of the issuer, doesn't it?
I personally am strongly opposed to this kind of unilateralism. I'm not a big fan of Dave Winer's approach to things, and I'm even less of a fan of MS'. Having worked on the web almost from the day it was born, I can speak from experience, and MS has been a divisive force from the moment they cottoned on to this Internet thing, almost single-handedly creating the security nightmare we have today by plying half-educated cargo-cult 'developers' with convenience and ease of use that turned out to be easy for anyone to exploit.
So please, when we look at this issue, let's not forget two things:
The (false?) naivete that the parent espouses does nothing to change my suspicion that this new 'standard' from MS is any different from what came before. MS are relying on just this kind of cursory investigation ('He must be a judge; he's wearing a robe!') to insinuate these extensions into the mainstream.
I would trust them a lot more if they took the time to actually cooperate with the community, and to follow the well-established processes that exist. They've buckled down and done so in the past, so why can't they do it this time?
"For some time I've thought the future of automotive fuel lies in biodiesel rather than hydrogen."
The proper answer to that statement is maybe. It all depends on Energy Returned On Energy Invested (EROEI). If you try to run all the cars in the continental US on grain alcohol, for example, you'd have to use every single acre of arable land in the states. AND you'd use more energy planting, harvesting, transporting and processing the fuel than you would derive from the finished product.
There are some circumstances, though, where bio-fuel makes perfect sense. In the South Pacific, where coconut oil is a plentiful resource and fuel oil is not, it makes perfect sense. In fact, many of the service buses in Vanuatu are already running on it. Thanks to the effort of alternative energy geek and genuinely nice guy Tony Deamer, there's a coconut diesel pump right on the main road in the capital.
"We're putting together an architecture that's quite big for a short period, but that's how it works. We have around 10,000 desktops, 500 laptops, 400 Unix servers, plus another 450 Windows servers."
That's kind of interesting, because the linked story offers the following numbers:
Anyway, that leads me to the point I want to make:
I've been promoting FOSS on Linux professionally since 1998, but this kind of muddiness always makes me question the wisdom of change. Not from a quality or philosophical standpoint, mind you, but from the perspective of protecting the clients from themselves.
See, here we are at the end of 2005, and the IOC is thinking about moving to FOSS and Linux by 2008. If they intend to move all 10,500 PCs and the functionality of ~900 servers from proprietary software to FOSS and run a 24-7 terrorist-proof operation with global reach, hooking into countless other data systems... They are, not to put too fine a point on it, terminally stupid. Any system-wide change this large should be the result of very careful study. Note especially the part where it says the IT system has approximately 2 volunteers for every single paid staff member. Try to imagine what the training would be like if the software isn't spot-on in its interface design.
BUT... if they're looking at re-working a few key systems in order to improve their robustness and lower their costs, then I would say that they've made an inspired choice that shows perceptiveness and leadership. 8^)
And that's the problem with much tech industry 'journalism' these days. We are given almost no useful details. I long for the days when a journalist's response to an ignorant readership was to educate them rather than to gloss over details.
"But these are legitimate problems we HAVE to deal with. These aren't issues really in the Microsoft world; but they are in the Linux world."
Sorry, what exactly are 'these issues' that you refer to? My understanding is that the problem arose from sysadmins being forced to upgrade glibc, a binary integral to the system.
If that's correct, then suggesting that Windows is somehow free from the upgrade treadmill is either terribly disingenuous or completely blind. The number of times I've been told by software manufacturers that my only option for fixing a fundamental problem is an OS or application upgrade is... well plenty.
This is actually one of the reasons that I stopped working with Windows servers altogether. The painful dependency on someone else's development (or worse, product) cycle was enough to drive me crazy. While dependency issues are no less common in Linux, they are infinitely more workable.
The fact that the Linux admins in this one scenario took the most ill-advised approach is demonstrative only of the fact that people are sometimes stupid - whether you believe it's by choice or circumstance depends on whether you trust the study or not.
"Do you honestly think that most people would pay $500 for a product that can be acquired for $25 if rebranded?"
Yes, I do. I also think that there's evidence that asserts exactly this. If your assertion were true, then CentOS (free, re-packaged RHEL) would be one of the most popular server distros in the corporate world. It's not.
RedHat is a very profitable company because they see beyond the logical fallacy in your statement. You beg the question that people pay for software, not the services provided and the benefits accrued from it. RedHat very clearly saw that customers were not fundamentally interested in paying for the tool. Rather they were interested in investing in a process that they would profit from.
Others in this thread have already argued the case that Nessus' problems derive from its business model, and that closing the source will ultimately do little to address this. It will have some effect, no doubt, but will likely do nothing more than alleviate some of the symptoms.
I would liken this approach to the way Microsoft has tried to fend off the Samba folks by tweaking the implementation from one release to the next. It ensures that the Samba team will always play follow-the-leader, but has negative implications on their future. If they change the protocol too little, they make it easy for Samba to maintain compatibility. If they change it too much, they encourage the uptake of Samba by those who don't want to cope with the effects of disruptive change in their systems.
Even Eric Raymond (whose filament hasn't received the full wattage for some time) was able to perceive that FOSS makes certain software marketing fallacies unsustainable. The biggest of these is that something infinitely (okay, trivially) replicable makes an economy of scarcity unworkable.
Ron Gula is trying to re-create the impression of scarcity. Having concluded that there actually was a scarcity (i.e. no one else was contributing to the project), he decided to trade on that by mandating that he (and his staff) should be the only one allowed to input into it. Ultimately, he will have to deal with the tension caused by the degree to which Nessus drifts from its established base. Too far, and he will lose customers. Too close, and... he will lose customers.
"Which begs the point, why stop at that point and declare results? Sounds a bit convenient. Why not dig a bit further?"
I suspect it had something to do with the 3700 metres they'd already dug to get the first 650,000 years' worth of data. In the Antarctic.
But don't take my word for it. Let's ask the researchers:
"Climate scientists called the analysis of the older records spectacular because they were so clear and said they would become 'canonical' additions to the climate record. 'It's really important,' Ed Brook, an ice core expert at Oregon State University said of the new research. 'Those 200,000 years were a lot harder to get than the previous 400,000 -- and those were hard enough.'"
So there you have it. Drilling through miles of ice is... hard work. Imagine that.
"Perhaps I'm cynical from MS-marketing 'studies', but the point in time seems to be too convenient as compared to the results."
I don't think it's convenient at all to create the largest ice core in the world, adding over 200,000 years to the body of evidence. Note also that they went back to get that extra 200,000+ years' worth of data for the very reason that you accuse them of 'conveniently' ignoring.
"... [T]he superconducting threshold of whatever their Johnson capacitor is made from might in fact be that cold."
As a Canadian, I can vouch for this. In extremely cold temperatures, my Johnson shrinks significantly and becomes much easier to measure.
... But what exactly is a 'Johnson capacitor'? Is that like Viagra or something?
"Travel a little. You'll see that computers are used pretty much everywhere now. No, I don't mean the rural outback of a developing country, but I do mean all the cities (however poor) in that same country."
Yes, computers are becoming critical even in the 'rural outback' as well. I just spent a week running a laptop from a truck battery and a solar panel on a South Pacific island that has no power and only 6 telephones. The result of this is that the national Rural Training Centre Association now has the full minutes for their AGM ready in time for a meeting with the Australian Aid agency only one week after the meeting wound up. That kind of thing is simply not possible on paper, so it was worth a few hundred bucks in materials and freight fees to be ready in time for the next stage of a major national education initiative.
I'm not contradicting you, by the way, I'm actually expanding on your point. These days, computers are to communication what the internal combustion engine was (and is) to transport - Indispensable no matter where you go.