IANAL either, but I talk to them a lot. It's different when you ship a Linux distribution. Selling proprietary software for Linux isn't the same. But when you ship the Linux kernel, modified or not, you need to obey the GPL and provide source code.
Jeremy Allison,
Samba Team.
If they're using Linux, they need to make sure the source code is available under GPL terms. I hope that's the case - has anyone bought one and does it include source code or a written offer for source code ?
I'm on HP's Open Source review board, and one of the things we make damn sure of before shipping any HP product with GPL code in it is that the product includes source code or an offer for the customer to get it.
That's the really important thing all these embedded Linux using companies need to understand.
Jeremy Allison,
Samba Team.
Very true. Capital is free to move anywhere, people are not.
This is the main problem with globalism.
Jeremy.
So that they can use undocumented DCE/RPC calls to
communicate and do the things you can do over IMAP
of course !
What, you thought Microsoft *wanted* to let Outlook
do its "special things" over a published protocol ?
How would they force you to install Exchange then ?
Jeremy.
But I don't drink beer... ! :-).
Seriously though, I appreciate the support but please
don't send more email. I'm trying to separate out all
the RC1 bug reports and fix them at the moment :-).
If you want to do something useful, complain to the SEC
about SCO's obvious stock manipulation strategy.
Cheers,
Jeremy Allison,
Samba Team.
No, all of SMB is not known. Trust me on this....
Jeremy.
Yes, but they didn't publish *all* of it....
Jeremy Allison,
Samba Team.
Why not, after all we have "the Best Democracy Money can Buy" :
(see
http://www.gregpalast.com/contents.htm
for details).
stratjakt wrote :
"Oh Gee, we're out of business. The SAMBA team decided not to work on it anymore, they're writing a Pokemon clone now".
Naaah. Won't happen. None of us likes Pokemon anyway :-).
Now if you're talking Unreal Tournament..... :-) :-).
Jeremy Allison,
Samba Team.
Why do you think it's my place to "force Microsoft to
fix their code" ?
When someone reports a bug to us we try and fix it asap.
If it's a security bug we rush a release out - sometimes
with great embarrassment (this past week has not been
fun for me). That's how we respond. It is *NOT OUR PLACE*
to tell others what to do with their code. We report security
bugs in the way we would like others to do for us (simple
kindergarten stuff - treat others as you would like to be
treated yourself - your Mom was right all along, see :-).
If you are worried about Microsoft not fixing their code
then why are you using Microsoft products ?
Jeremy Allison,
Samba Team.
As I have argued below, it is not the place of anyone in
the Samba Team to write and distribute exploit code.
If you are of the opinion that your vendor must be
'pushed' to do something about a vulnerability then
why are you using a vendor you trust so little on
your network ?
As for the idea that Microsoft is being "blackmailed" by
us not disclosing problems give me a break ! Blackmail
would be "fix these problems *now* or I'll release exploit
code".
Yes, we go out to dinner with Microsoft engineers when
they turn up at CIFS conferences (they seem to have
stopped bothering these days btw :-). And it's because
they're usually nice people who just want to fix interop
bugs (as are most engineers). Microsoft as a corporate
entity aren't very helpful to Samba anymore (I think
that stopped when Samba got the ability to become a
PDC :-).
Jeremy Allison,
Samba Team.
It is not my job to 'move Microsoft to action'.
I treat Microsoft in the way I want people to treat Samba.
I want to be told about security holes so I can fix them and
not be threatened by someone behaving like an asshole
insisting "I'll release an exploit if you don't fix it *now*".
If someone trusts Microsoft and they don't fix their security
holes then it is not my place to damage their networks
just to prove how misplaced that trust is.
Jeremy Allison,
Samba Team.
Crackers in the wild may be the primary motivation
for fixing bugs by proprietary companies, but don't
ascribe the same motivations to Open Source/Free
Software developers.
Imagine you were designing a bridge, but got it
wrong. The bridge gets built, but you know a certain
pattern of cars going across in a certain order could
cause it to collapse.
Would you tell the local authority and accept the
blame ? If you didn't, how could you sleep at night ?
Jeremy Allison,
Samba Team.
There is *never* a good reason to release exploit code (IMHO).
It only allows those with no talent (the script kiddies)
to cause trouble for people trying to maintain systems.
Inform the vendor, if the vendor does nothing, tell the
world it is broken, demo your exploit to some journalists
if you like.
But releasing exploit code is the programming equivalent
to leaving a pile of fully loaded weapons outside a school.
Jeremy Allison,
Samba Team.
Not irresponsible, I am just responding to an AC claim
that Microsoft has no bugs that are this severe that have
not been fixed for this long. I know this to be false. I
don't really care if you believe me or not.
Jeremy Allison,
Samba Team.
I'm glad Microsoft works for you. I don't care if you
doubt my statement without backup.
I know the problem in the code I wrote for Samba
is bad, I am simply pointing out that I am aware of bugs
within Windows that are as severe, and have persisted
for 8 years also. I pointed this out because of an AC
comment that Microsoft code quality is higher (although
unless they are able to look at it I wonder how they know :-).
I will mail you the code when you request it from your
security@microsoft.com address, otherwise I'm assuming
you're a script kiddie.
Jeremy Allison,
Samba Team.
Oh no - you've discovered my secret. And it took
8 years to come to fruition.....
Now I'll have to kill you :-).
Jeremy.
We had a fix within 1 hour of the problem being
reported, and that was mainly due to mail propagation
delays from Australia ! We had to co-ordinate the
release with all the Samba vendors, that's what took
the time.
Your point about code auditing is incorrect. No company
pays the sort of money needed to do the amount of code
auditing a major OSS project gets *for free* by the
vendor community. Yes, they could do this, but proprietary
software companies simply don't spend the money on engineering
resources to be used in this way. Not even Microsoft.
Jeremy Allison,
Samba Team.
No, we're not keeping them secret. Microsoft know, we
told them. The flaws are in their code. If you had access
to Microsoft source code and could fix them, I'd tell you.
But you don't, that's the problem. All you could do is
create mischief with the knowledge. I don't see why I have
any professional obligations to help you with that.
Jeremy Allison,
Samba Team.
Nice try dude ! If I had any mod points I'd give you
some :-) :-).
Jeremy.
Well, as I posted above, I think the reason no one
looked at the code is because it worked as written
with the most common clients (Microsoft ones).
We, the Linux vendors and just about everyone else
who uses Samba audits the code regularly, but this
one got missed by everyone but the bad guys. Sometimes
that happens. Life just *sucks* sometimes.
Every time we get a problem we always go through and
look for instances of this class of problem (that's
how I spent my weekend) but I'm afraid no code is
perfect.
Jeremy Allison,
Samba Team.
Yes, Apple are working on this. I ported the fix to
their codebase this morning and mailed it to them.
Jeremy Allison,
Samba Team.
Well I don't want to describe them as I don't want
to give any crackers ideas on how to exploit them.
Microsoft know and they are the only people who can
do anything about it, it's *their* code, not mine.
Me describing the problem to you will make the problem
worse, not better.
If people find bugs in my code I want them to tell me
and I fix them asap. If they are security related I
want them to give me warning first before going public.
This is what we have done with Microsoft, it's the
responsible, professional thing to do. What gets done
about it is *their* decision, not mine (or yours).
Jeremy Allison,
Samba Team.
No, I'm not a joke, just a software engineering professional.
I have to catalogue Microsoft bugs as Samba has to
interoperate with some of them (if you'd ever looked
at Samba code you'd know what we sometimes have to
do to work around Microsoft bugs).
Yes, I sometimes screw up and write bad code, as does
every software engineer I've ever worked with.
With Open Source, you get to see such things in public,
rather than being hidden. Even though this was my
problem I know which way of developing code I prefer,
and I've developed my share of proprietary code in
my time...
Jeremy Allison,
Samba Team.
So tell me when the last time was you sued Microsoft,
Oracle or Sun for your losses in the real world and
won any damages ?
In Open Source you know who messed up. You have their
email address and phone number. You have a basis for
trust or not based on past reputation/performance.
You have *no idea* who wrote any of the Microsoft code,
or any other proprietary code - and no recourse to fix
problems that cause you losses other than to beg the
vendor for a fix.
And you'd better ask nicely, in case you don't give
them enough money.
Good luck on getting your damages from Microsoft for
the last virus outbreak, you're going to need it :-).
Jeremy Allison,
Samba Team.