Seriously - its a good thing that there's a patent on this. The more heavily patented (with associated royalties, etc) something is, the less likely it is that industry will actually use it...
Remember the G4 iMac? Remember seeing it on the cover of Time?
For those of you who don't remember - you can see the cover (with steve jobs looking quite sexy, iMac in background) here (I kid, I kid, real cover here)
Apple got that cover story because 1) it was news, and 2) they were able to promise Time an exclusive on the story. You can't buy the cover of Time as an ad placemement, but if you could, it's probably worth about a hundred million bucks.
No - Apple got the cover story because the iMac looked damn sexy - it was different from the vast majority of PCs that came before it.
If you really think Apple would stop getting this sort of publicity if their was pre leaks (with photoshopped mockup pics), then consider the car industry (the car/computer analogy never gets old).
When any high end car maker announces a new/cool model, it will make the front pages of all the car mags, in spite of the fact that the specs, look of the body, etc etc have all been known for months if not years. Why? Because they look cool - and the product launch is the first time the public knows for sure that this is what the product will be.
Apple will continue to get Time covers as long as it continues to make good looking products. It is nonsensical to suggest that these leaks will cost Apple hundreds of millions of dollars worth of publicity.
Would you care to guess what product secrecy is worth to Apple, in dollar terms?
Would you care to guess what the free cheerleading Apple gets from fanboys like you and me is worth to Apple in dollar terms?
I'd guess it's a helluva lot more then a leak (that in itself promotes excitement & buzz). Apple are jeapodising the very fanbase that supports them most.
Lets take you as an example - you've posted 5178 times on slashdot, I'm going to presume (conservatively) that 1/2 your posts are "Apple are great" posts. Lets also assume (again conservatively) that you average 2 minutes composing a post. Do the maths & you've spent 86 hours (3 1/2 days!) cheering Apple on.
I'm not sure what profession or country you're in, but let say you're on $50 US / hr.
Apple would have to spend over $4000 - just for your time on slashdot - now multiply that by the thousands of Apple fanboys out there & the thousands of sites and you get a pretty hefty dollar value (and frankly, that sort of grass-roots publicity is almost impossible to buy at any price)
Apple gets so much attention, publicity & free defense from the bloggers.
It would be stupid of them to alienate their biggest fanbase - but that's precisely what they're doing. Seems more like a personal vendetta then a business....
If you read the discussion rather then have a knee-jerk-pro-MS reaction, you would realize that this is about disclosure after the patch has been released.
Please, please, even if you can't be assed reading TFA, read the discussion before posting.
When a government official tries to extend their own authority, they are way out of line. This stupid cow needs to be dismissed from the taxpayers' payroll, immediately.
As a Mac user and advocate I find this sort of language quite offensive.
If you crawl out of the male-dominated windows world you inhabit for just one second and try joining the Apple community, you'll realise that women use computers and are quite offended by words like 'bitches' used in such a manner.
One cannot expect Yahoo! to turn away from such a lucrative market any more than one can expect a scorpion not to sting. It's what they do.
You're quite right (and using a scorpion as an example is a great one - as neither a scorpion nor a company are capable of understanding morality)
You seem to be implying however, that a company should not be criticised for its actions within China anymore then a scorpion should be criticised for stinging. Am I correct in thinking this?
You write:Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch.
Which is exactly what I quoted:The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering,"
It's the attacker doing the reverse engineering, not the sysadmins.
The news is that microsoft are admitting it. The security community have 'stronly suspected' this for years.
B) Do you realize even *nix vendors do this, including Linux distributions?
Could you please provide an example of this (for linux vendors)?
Of course - even if you do find an example (I doubt it), it doesn't change the fact that its just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openess in the windows world.
C) Do you also realize that Apple patches more items in a single Patch on average compared to MS by a factor of 10 or more?
I do realise Apple patches multiple vulns in one go. Fortunately however, anything remotely important that is distributed by Apple is written by third parties with more responsible discolure policies (ie openbsd, the apache foundation).
You make a good point about granularity of "bug counting" lists. There's a lot of room for improvement.
Perhaps this practice isn't just limited to Microsoft.
I completely agree - I'm sure Oracle, Apple, Sun (and other closed source vendors) all do this.
But since Microsoft is perceived as the big bully on the block this makes better fodder.
Microsoft is the big bully on the block, but that's not what makes this better fodder - what makes this better fodder is the sheer weight of Microsoft users. The number of people affected by a patch to the most widely distributed oracle product is miniscule compared to a the amount of people affected by a typical MS patch.
If you had read the article rather than rushing to point out slashdot's supposed hypocrisy, you would know that they're talking about releasing information about flaws after the patch is released.
"Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:"
I'm not really sure how the statement you posted really refutes it.
Perhaps I should be clearer. My quote included The attackers are already reverse-engineering the patches.
All the attacker needs is the patch - they can look at that to see whats changed and where & deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed"
System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, lets apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, lets quickly test our stuff & rush the patch out"
So what Microsoft is actively hampering administrators and not hindering attackers.
Why should Microsoft tell people about security flaws which are not known about in the public domain? It makes sense to fix them, issue a patch, and then make a statement.
If you had read the article rather than rushing to get first post, you would know that they're talking about releasing information about flaws after the patch is released.
If you still don't understand why they should release information, consider the following from the article:
"Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch"
Anyone remember the (deeply flawed) Cert statistics where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?
Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.
Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:
"I don't buy the argument that they are aiding attackers. The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering,"
While snobs can be encountered for just about any OS you care to name, the Linux snobs are particularly shrill. This shrillness may be attributed to a variety of causes, including social ineptitude, feelings of intellectual/moral/fiscal superority, attempted concealment of their own limited knowledge, etc.,
I think the qualities that you're attributing to Linux snobs can be attributed to $OS snobs.
The real reason linux n00bs run into trouble with the shriller elements of the community is simply because they're exposed to them.
You see, if you have a problem with a Microsoft OS, you go to the MS website, where people paid not insult you answer your questions. Same goes for Apple, Sun, etc.
With linux, if you have trouble, its just $random_hacker (or $random_slightly_less_n00by_then_you) who's going to help you - this can be both good (you find people are more willing to disclose software bugs, actually know how to support you, etc) & bad (the problems mentioned in the article).
Full list of members can be found here (and FAQ here)
I note that Apple is not a member - I suggest all slashdotters write to Apple to support ODF & join this alliance. After all, Apple is no longer relying on MS for a browser - why rely on MS for an office suite?
Define "distributed." If I distribute the source code to the Linux kernel, and only a loadable module (no source) does that make my module fall under the GPL? If so, why?
FSF thinks yes, Linus thinks no - I agree with the FSF, you seem to agree with Linus, if they can't sort it out I doubt we can.
Slashdot Mirror
With an exclusive a Mac isn't even *on* the news agenda for Time.
Bzzzzzzzzzzzzzzzzzzt.
Wrong.
Look at the date on the cover that I linked to. (Jan 14th 2002)
Now, look at the date of the macworld expo where the iMac was announced and demod (Jan 7th, 2002).
I think you need to understand how the publishing industry works (or perhaps the definition of the word 'exclusive').
Will I still have to watch the ads?
Seriously - its a good thing that there's a patent on this. The more heavily patented (with associated royalties, etc) something is, the less likely it is that industry will actually use it...
Remember the G4 iMac? Remember seeing it on the cover of Time?
For those of you who don't remember - you can see the cover (with steve jobs looking quite sexy, iMac in background) here (I kid, I kid, real cover here)
Apple got that cover story because 1) it was news, and 2) they were able to promise Time an exclusive on the story. You can't buy the cover of Time as an ad placemement, but if you could, it's probably worth about a hundred million bucks.
No - Apple got the cover story because the iMac looked damn sexy - it was different from the vast majority of PCs that came before it.
If you really think Apple would stop getting this sort of publicity if their was pre leaks (with photoshopped mockup pics), then consider the car industry (the car/computer analogy never gets old).
When any high end car maker announces a new/cool model, it will make the front pages of all the car mags, in spite of the fact that the specs, look of the body, etc etc have all been known for months if not years. Why? Because they look cool - and the product launch is the first time the public knows for sure that this is what the product will be.
Apple will continue to get Time covers as long as it continues to make good looking products. It is nonsensical to suggest that these leaks will cost Apple hundreds of millions of dollars worth of publicity.
Would you care to guess what product secrecy is worth to Apple, in dollar terms?
Would you care to guess what the free cheerleading Apple gets from fanboys like you and me is worth to Apple in dollar terms?
I'd guess it's a helluva lot more then a leak (that in itself promotes excitement & buzz). Apple are jeapodising the very fanbase that supports them most.
Lets take you as an example - you've posted 5178 times on slashdot, I'm going to presume (conservatively) that 1/2 your posts are "Apple are great" posts. Lets also assume (again conservatively) that you average 2 minutes composing a post. Do the maths & you've spent 86 hours (3 1/2 days!) cheering Apple on.
I'm not sure what profession or country you're in, but let say you're on $50 US / hr.
Apple would have to spend over $4000 - just for your time on slashdot - now multiply that by the thousands of Apple fanboys out there & the thousands of sites and you get a pretty hefty dollar value (and frankly, that sort of grass-roots publicity is almost impossible to buy at any price)
That's what Apple is risking with these lawsuits.
Apple gets so much attention, publicity & free defense from the bloggers.
It would be stupid of them to alienate their biggest fanbase - but that's precisely what they're doing. Seems more like a personal vendetta then a business....
Good god!
*sighs*
If you read the discussion rather then have a knee-jerk-pro-MS reaction, you would realize that this is about disclosure after the patch has been released.
Please, please, even if you can't be assed reading TFA, read the discussion before posting.
I'll view it precisely as the OP posted it. Here it is again for you, with relevant bit bolded:They talk about hardware drivers & equipment. Nowhere do they mention confining to x86.
When a government official tries to extend their own authority, they are way out of line. This stupid cow needs to be dismissed from the taxpayers' payroll, immediately.
As a Mac user and advocate I find this sort of language quite offensive.
If you crawl out of the male-dominated windows world you inhabit for just one second and try joining the Apple community, you'll realise that women use computers and are quite offended by words like 'bitches' used in such a manner.
For shame.
Hmmmn,
Fair enough. I guess we'll have to rely on external regulation to keep companies in check.
One cannot expect Yahoo! to turn away from such a lucrative market any more than one can expect a scorpion not to sting. It's what they do.
You're quite right (and using a scorpion as an example is a great one - as neither a scorpion nor a company are capable of understanding morality)
You seem to be implying however, that a company should not be criticised for its actions within China anymore then a scorpion should be criticised for stinging. Am I correct in thinking this?
Please reread my post.
You write:Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch.
Which is exactly what I quoted:The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering,"
It's the attacker doing the reverse engineering, not the sysadmins.
Do BSD variants run as much hardware & drivers for as many varied equipment types as Windows 2000/XP/Server 2003?
NO??
*snort*
netBSD refutes you troll.
A) Who in the tech world didn't aleady know this?
The news is that microsoft are admitting it. The security community have 'stronly suspected' this for years.
B) Do you realize even *nix vendors do this, including Linux distributions?
Could you please provide an example of this (for linux vendors)?
Of course - even if you do find an example (I doubt it), it doesn't change the fact that its just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openess in the windows world.
C) Do you also realize that Apple patches more items in a single Patch on average compared to MS by a factor of 10 or more?
I do realise Apple patches multiple vulns in one go. Fortunately however, anything remotely important that is distributed by Apple is written by third parties with more responsible discolure policies (ie openbsd, the apache foundation).
You make a good point about granularity of "bug counting" lists. There's a lot of room for improvement.
Perhaps this practice isn't just limited to Microsoft.
I completely agree - I'm sure Oracle, Apple, Sun (and other closed source vendors) all do this.
But since Microsoft is perceived as the big bully on the block this makes better fodder.
Microsoft is the big bully on the block, but that's not what makes this better fodder - what makes this better fodder is the sheer weight of Microsoft users. The number of people affected by a patch to the most widely distributed oracle product is miniscule compared to a the amount of people affected by a typical MS patch.
Doesn't SLASH have a similar policy?
If you had read the article rather than rushing to point out slashdot's supposed hypocrisy, you would know that they're talking about releasing information about flaws after the patch is released.
Nothing to with responsible disclosure at all.
Perhaps I should be clearer. My quote included The attackers are already reverse-engineering the patches.
All the attacker needs is the patch - they can look at that to see whats changed and where & deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed"
System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, lets apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, lets quickly test our stuff & rush the patch out"
So what Microsoft is actively hampering administrators and not hindering attackers.
If you had read the article rather than rushing to get first post, you would know that they're talking about releasing information about flaws after the patch is released.
If you still don't understand why they should release information, consider the following from the article:
Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:
While snobs can be encountered for just about any OS you care to name, the Linux snobs are particularly shrill. This shrillness may be attributed to a variety of causes, including social ineptitude, feelings of intellectual/moral/fiscal superority, attempted concealment of their own limited knowledge, etc.,
I think the qualities that you're attributing to Linux snobs can be attributed to $OS snobs.
The real reason linux n00bs run into trouble with the shriller elements of the community is simply because they're exposed to them.
You see, if you have a problem with a Microsoft OS, you go to the MS website, where people paid not insult you answer your questions. Same goes for Apple, Sun, etc.
With linux, if you have trouble, its just $random_hacker (or $random_slightly_less_n00by_then_you) who's going to help you - this can be both good (you find people are more willing to disclose software bugs, actually know how to support you, etc) & bad (the problems mentioned in the article).
Full list of members can be found here (and FAQ here)
I note that Apple is not a member - I suggest all slashdotters write to Apple to support ODF & join this alliance. After all, Apple is no longer relying on MS for a browser - why rely on MS for an office suite?
The monkey-like antics of ACs do not bother me :-)
However
1) Yes - I did mean affected. I guess I should reread my posts more affectively....
2) Thanks for the tip! I was wanting the plural however - so subsidiary is also incorrect.
You too - nice to see someone on /. who's less then a troll then me :-)
When I described longhorn as the biggest failure, I'm speaking in terms of the money down the drain.
You should have said biggest financial failure then.
Copland was big, but it was much smaller even than Office Vision.
Aaaah, I always forget that you work at Apple - where you invovled in the failed Copland project?
Tsk. I read and re-read your comment, but I STILL can't see the words 'frist p0st!' in it anywhere... ;)
:-)
Fixed
Define "distributed." If I distribute the source code to the Linux kernel, and only a loadable module (no source) does that make my module fall under the GPL? If so, why?
FSF thinks yes, Linus thinks no - I agree with the FSF, you seem to agree with Linus, if they can't sort it out I doubt we can.
*Blows avxo a kiss*
You are now my friend!