Slashdot Mirror


User: Schraegstrichpunkt

Schraegstrichpunkt's activity in the archive.

Stories: 0
Comments: 2,694

Comments · 2,694

  1. Update: Microsoft is irresponsible, as usual on Critical VMware Vulnerability, Exploit Released · · Score: 1

    Update: Microsoft is more at fault than I thought. Apparently MultiByteToWideChar decodes overlong forms of UTF-8, thus (irresponsibly, IMHO) violating RFC 3629 and allowing this problem to occur in the first place.

    VMware should have been able to trust the OS to do proper UTF-8 decoding.

  2. Anyone notice how Linux hosts aren't vulnerable? on Critical VMware Vulnerability, Exploit Released · · Score: 1

    Only Windows hosts are vulnerable. Linux hosts aren't. Why is that?

    Answer: On Linux, no MultiByteToWideChar conversion is necessary, so the VMware developers can't screw it up.

    VMware developers are at fault, but Microsoft's complicated design shares some of the blame.

    Microsoft boasts a great user interface, but the interface they provide to developers (developers, developers, Steve!) is utter crap.

    Yeesh.

  3. Re:I think its great news! on Microsoft Trying To Appeal to the Unix Crowd? · · Score: 1

    All of the unixy goodness, none of the stupid dogma

    Cut the man some slack. He is the reason why Unix is still relevant today.

  4. Re:News Flash: bitter ex communist hates communism on Tetris Creator Claims FOSS Destroys the Market · · Score: 1

    As I stated above, the users of Microsoft's (or Adobe's or whoever's) products use those products to make themselves wealthy.

    How much wealthier would they be if they didn't have to sink as much money/time/resources into Microsoft's (or anyone's) software?

    Your reasoning is a classic example of the broken window fallacy.

  5. People pick crappy passwords on Child-Suitable Alternatives To Passwords? · · Score: 1

    People pick crappy passwords. Use Diceware (or the password-generation algorithm at the end of the Diceware PDF).

  6. Who is going to pay... on BBC iPlayer Bandwidth Explosion Bodes Ill For ISPs · · Score: 1

    The Register also picked up on this story with a good review of who is going to have to pay for all this legal video streaming.

    Here's a concept: How about the people who use the bandwidth pay for it? Well, unless their ISP was stupid enough to advertise "unlimited data transfer", but then that's the ISP's own damn fault.

  7. Re:Wait a year on Microsoft's New Leaf On Interoperability · · Score: 2, Insightful

    I have never worked for MS, but I have many friends who do, or have, and they are neither living under a rock, gullible, sociopathic, nor incompetent. They are ordinary, decent nerds who are not very concerned about Microsoft's business practices, and want a challenging job in software engineering working with other talented people.

    I would classify "harming others because you don't care not to" as sociopathic. At minimum, it's quite selfish.

    "All it takes for evil to triumph is for good men to do nothing," as they say, and that more or less characterizes my friends.

    Working for Microsoft, at minimum, constitutes doing nothing. I'm not sure what your point is.

    Not to flame, but do you buy gasoline or eat meat?

    I buy gasoline, and I don't like it, and I avoid it where I can. Your friends, if they're so smart, could easily get "a challenging job in software engineering working with other talented people" without supporting Microsoft's practices.

    As for "bloodshed and death" being associated with eating meat, can I assume that you're talking about the bloodshed and death of the animals themselves? Humans must kill other life forms in order to survive, so on that front, I have no alternatives. Drawing a distinction between animals and plants (or worse, between red meat and fish) and even bacteria is arbitrary. My ethics aren't based upon the cuteness of the potential victim.

  8. Re:Wait a year on Microsoft's New Leaf On Interoperability · · Score: 1

    I'd love to hear where you work. Can you tell us please?

    What?

    Was that an argument?

  9. Re:Wait a year on Microsoft's New Leaf On Interoperability · · Score: 1

    it's probably going to take us years to make up the amount of time we've lost in revenue from Europe.

    And it's going to take everyone else decades to recover from what we've lost in revenue because we had to deal with the company you support.

    You're supporting a company that apparently manipulates a balloting process, views developers as pawns and one-night stands, is pretty much trying to replace the OLPC (an educational platform) with Windows laptops (which have nothing to do with education), and does many, many other evil things. You're indirectly supporting the Gates Foundation, which looks like it's going to be as good for science as Microsoft has been for software.

    Microsoft couldn't do it without its employees, i.e. you. You're enabling Microsoft, and in my view, you are partly responsible for its continued ability to wreak havoc on the world. Don't you feel like a sociopath?

  10. Re:Wait a year on Microsoft's New Leaf On Interoperability · · Score: 4, Insightful

    that there are real, non-evil people down in the trenches

    I seriously doubt it. Microsoft is demonstrably a corrupt, evil company (see the irregularities wrt. the ISO OOXML debacle), and Microsoft couldn't do it without people who are willing to work there and support the company's actions. To still be a Microsoft employee today, you basically have to live under a rock, be totally gullible, be a sociopath, or be so incompetent that you can't get hired elsewhere (and thus don't have the luxury of ethics).

    Every employee of Microsoft is responsible for supporting the company's actions. The only non-evil Microsoft employees today are former Microsoft employees.

  11. Re:That's fair on New Science Standards Approved in Florida · · Score: 1

    Physical laws are mathematical expressions that describe observed phenomena. They usually form parts of theories. See, for example, Newton's law of universal gravitation, $F = G \frac{m_1 m_2}{r^2}$.

  12. Re:Criminal prosecution? on Cracking a Crypto Hard Drive Case · · Score: 1

    I don't know about this case in particular, and I'm sure the courts will sort it out if there was any fraud, but only the user is in the position to assess what they need in a cryptosystem (or any kind of software, for that matter). Until manufacturers start claiming specific security against specific kinds of attackers, there's no reason to start blaming them for not meeting certain users' unspecified needs.

    It's like blaming Microsoft if you lost money because some bank decided to use Excel for their accounting. Banks are supposed to do decimal rounding in specific ways, and if they didn't bother to check the behaviour of some piece of software before they started to use it, they are the only ones at fault. The alternative is to hold software vendors liable for every possible misuse of their products, which would mean that everyone who doesn't need certain features or reliability factors would have to pay for the few who do (and it would raise huge barriers to entry into the market for software).

    It's unethical and deceptive, but if psychics, acupuncturists and homeopaths can get away with what they claim, why should these manufacturers be treated any differently?

  13. Men of straw on Microsoft to Give Away Developer Tools to Students · · Score: 2, Insightful

    Gates said students will want to try Microsoft's tools because they're more powerful than the open-source combination of Linux-based operating systems, the Apache Web server, the MySQL database and the PHP scripting language used to make complex Web sites.

    It doesn't take much to be better than MySQL and PHP. What about PostgreSQL and the various Python frameworks, like Pylons, Django, TurboGears, or even something heavy like Zope?

    Oh, and what about freedom to run my business without interference? With free software, I don't have to trust that Microsoft doesn't really see me as a pawn.

    Microsoft: Call me back once you've had a clean record for a decade. Until then, bugger off.

  14. Remember, kids... on Microsoft to Give Away Developer Tools to Students · · Score: 1
  15. Re:Ironic statement on Fidel Castro Resigns · · Score: 1

    In your mind, was the American revolutionary war worth it? It was basically a war over taxes.

  16. Re:Ironic statement on Fidel Castro Resigns · · Score: 1

    Unless you care enough to count the Iraqi casualties (though, of course, I am given to understand that they're terrorists, every one of 'em, and had it coming anyway).

    Iraqi casualties are not mentioned in the linked article. Nor are the Kurds who died under Saddam's regime.

    Or, you know, the 29,000 reported American wounded. I'm sure they'd also love being referred to more or less as currency.

    Is that an argument? It looks more to me like crying about how I worded things.

    War always costs lives. It sucks to think about, but these decisions have to be made one way or another, and it's best for everyone that they be made on a rational basis. shma pointed out the number of casualties in the Iraq war as if it were a disproportionately large number. It is not.

  17. Re:Ironic statement on Fidel Castro Resigns · · Score: 1

    Iraqi casualties are not mentioned in the linked article.

  18. Re:Ironic statement on Fidel Castro Resigns · · Score: 1, Interesting

    How did it go last time they tried to make a country realize the blessings of liberty?

    According to your link, there have been 3,963 American deaths in the war in Iraq as of February 18, 2008. According to Wikipedia, there were 416,800 American deaths in World War II. Even the American Revolutionary War had between 8,000 and 50,000 casualties, depending on how you count.

    Liberty is expensive, but it's cheaper than ever. There are many reasons to criticize the Iraq war, but the number of casualties is not one of them.

  19. Re:Criminal prosecution? on Cracking a Crypto Hard Drive Case · · Score: 1

    For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone? I guess their next product will use advanced ROT13 encryption technology.

    Why? Because you saw "AES" and assumed it was secure against unspecified attacks? AES is a block cipher, not a hard drive cryptosystem. If you want LUKS (which isn't perfect, but is probably the current state of the art; see the paper New Methods in Hard Disk Encryption), then you have to ask for it.

    There is some responsibility on the part of users to ensure that computer systems actually perform the tasks they expect them to. "Uses AES somewhere inside this box" is not the same thing as "provides confidentiality and non-malleability of the bulk data against adaptive chosen ciphertext attack up to 2**128 operations and 2**64 blocks of ciphertext".

  20. Negative one, Redundant! on Why Linux Doesn't Spread - the Curse of Being Free · · Score: 1

    I'm tired of this stupid meme! People were saying this back in the 1990s, and they were just as wrong then as they are now.

    Guess what? Linux is still in its early-adoption phase in a lot of markets. As for any early-adoption phase, there will be plenty of people who do not act as early-adopters, and who will have all sorts of reasons for this. There is no need to mess with a good product just because some people are not early adopters.

    If you can't fathom how something that has zero or near-zero marginal cost might be offered at zero or near-zero price, then your opinion does not matter in the long run. You will eventually be forced to adapt, or your competitors (who invariably scored higher in Economics 101) will eat your lunch.

  21. Re:Wireless on How to Convince Non-IT Friends that Privacy Matters? · · Score: 1

    any open router could record everything including passwords and perform man-in-the-middle attacks to bypass SSL

    It's that sort of misinformation that makes it hard to take valid privacy concerns seriously. How exactly would a router bypass SSL?

    You shouldn't be able to, but you probably can, especially if you are close (network-wise) to the target.

    Step 1. Intercept the cleartext TCP session of some piece of "auto-updating" crapware that doesn't perform cryptographic signature checking
    Step 2. Run arbitrary code on the user's machine to add your own SSL CA to the user's trusted CA list
    Step 3. Intercept the SSL connection, and replace the real certificate with one you issued.
    Step 4. Profit.

    Or, skip steps 1 and 2, and simply substitute your own "self-signed" certificate. Microsoft has done a good job of training users to just click "accept" whenever they see a dialog box (and enough idiots legitimately use self-signed certs on their servers) that the user probably won't notice until it's too late.

  22. Re:Why? on EU Commissioner Proposes 95 year Copyright · · Score: 2, Interesting

    Do you actually think people don't make money from works in the public domain?

  23. Rates aren't magically going to drop on 6% of Web Users Generate 50% of Ad Clicks · · Score: 1

    This is bad news for ad-supported Web sites and businesses, as rates should drop if the Net economy begins to take these findings seriously.

    Huh? Rates are only going to drop if advertising was overvalued before.

  24. Re:Payload on Serious Vulnerability In Firefox 2.0.0.12 · · Score: 1

    Why bother? If a script can read stuff (e.g. your Firefox password list, your cookies file) from the host computer and send it back to a remote machine, you're screwed.

  25. Re:"Open Source" is a lame catch phrase on 10-Year Anniversary of Open Source · · Score: 1

    Did you read my economic paper? I really do make a point of talking about it in terms of free markets.

    No, I didn't, and neither have most people who talk about "open source". That's the problem; the term "open source" diverts attention away from its greatest strengths.

    The other problem is that people focus on getting vendors to release "open source Linux drivers" for hardware, instead of on getting the documentation that gives everyone the freedom to write and improve drivers for any platform.

    I don't mean to belittle your other contributions, but in my view, the term "open source" is a liability.