Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is MS security REALLY THAT bad Compared to Open S? 3

Status
Not open for further replies.
Spirit

Spirit

Technical User
Joined
Jul 12, 2002
Messages
1,150
Location
GB
Is MS security / coding rally as bad as the media try to make out and is Linux / Sum etc really that secure or is it a case of;

"I found this way to crash a server via a vulnerability in MS Exhchange 2003" Answer "you da man / you go go girl"
and
"I found this way to crash a server via a vulnerability in RedHat Linux" Answer "Redhat whatnow?"

Due to these "flaws" in MS I now have in place excellant patch management, firewalls with server locked down but should it be a case of opening it rather than locking it down?

Just a nice one to debate in the runup to xmas......

Iain
 
Sort by date Sort by votes
There's a difference between bugs and bad design. All software more complex than a hello-world program will have bugs.

If you want to see where Mi¢ro$oft's software engineering practices are flawed, you need look no further than any of their operating systems from Windows 3.11 and forward to XP. Full networking functionality cannot be effected on any of these machines without also running the GUI, because thanks to legacy code dating back to W3.11, they are all one big API. That's bad design.


It is not I who is making assumptions about why Mi¢ro$oft puts out a new version. It is not possible that an open-source project will put out a new version simply to drive sales. This is because the software, being free, generates no revenue through sales. All I've said is that the same definitive statement cannot be made about Mi¢ro$oft.

I can also make the statement that because Mi¢ro$oft has been found guilty of monopolistic practices in multiple courts of law, there is the very real possibility that as well as driving sales, the reason for successive software revisions could be to lock any vendor but themselves out of their OS.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
Upvote 0 Downvote
You mean the same patch that
In addition, a review of the patch from the German online technology review publication, Heise Zeitschriften Verlag, claims the patch is poorly written and contains its own buffer overflow vulnerability, which could enable an attacker to take control of the machine that installs the patch.

IE users are better off waiting for Microsoft to issue an official patch for the URL problem than installing the Openwares.org fix, says Richard Smith, an independent security consultant in Boston.


And that proves Opensource has better software engineering how?
 
Upvote 0 Downvote
Actually, IMHO you won't find the evidence that MS security is worse then Opensource in the code. There are too many arguments and counter arguments on both sides. Th biggest problem with MS Security isn't in the quality of the code it is in the attitude of the coders. For years now people in boards like this one and in newsgroups have been shaking their heads at why MS tends to install everything defaulting to open rather then closed (i.e. the Guest account in winNT and 2k). It is far easier to break a MS product because of the default installation. It seems that starting with the XP sp2 MS is starting to rethink that philosophy, but we'll see.
 
Upvote 0 Downvote
Very interesting thread here.

I for one, prefer the Microsoft products, because of the seamless application functionality. It makes myself and others in my company more productive.
Not to mention, most apps and games I want to run are for MS OS's.

As far as the bugs go, they (M$) post fixes often enough.
Use windows update folks.

If your network is set up correctly, then viri in most cases will be "dropped" on the floor before they have a chance to enter the building.
A good hardware firewall with software firewall on PC combination, along with proper Email handling security settings will take care of most all problems.

Regular use of adware and spyware utilities will also assist in this.

Some will say doing these things on a regular basis is too much hassle, but for me, I don't mind at all.
I enjoy working on the machines more than using the apps anyway.

Personally, in the 15+ years I have been working with PC's, I have yet to be hit with any type of virus. (knocking loudly on wood as I type this! HAHA!)

I have also never been hacked to my knowledge.

This is not to say I will never have any problems, just to say so far so good. (lucky?)

Isn't it 5:00PM yet?
 
Upvote 0 Downvote
The skill of the administrator is as much a factor as the skill of the people designing the software. My background is in security, and so I see a LOT of shoddy administration on every kind of system. I have supplied consulting to numerous businesses, and have yet to find anyone running a network that I consider to meet *basic* security requirements.

Security is only as good as its weakest link, and despite how many holes Windows/*nix has, the weakest link is almost always the human factor. My former employer had a few unqualified people running their Solaris-based inventory system while I designed and administered the Windows-based accounting system. The inventory system was hacked into several times, while my accounting system, despite being on the same network, never suffered an outage due to a virus or exploit. I attributed that more to my skill as an a developer/administrator than to the design of the OS.
 
Upvote 0 Downvote
"It is not possible that an open-source project will put out a new version simply to drive sales" Where do you get this idea. Open-source get sales too. Don't equate Open-Source = No sales. Many Open-Source projects have sales.

sleipnir214 where are you getting the idea that Open Source projects do not earn any revenue?


Large companies like IBM and HP also have Open Source products that they sell.

Sorry to burst your bubble but I don't think you fully understand the "Open Source" concept.
 
Upvote 0 Downvote
SemerFiDownUnda:
I have never stated that the companies that base their business on open-source software do not make money. I have never said they do not make money from the sale of software.

I have said that they cannot put out a new version simply to drive sales. Please direct your attention to these links:


RedHat is the odd man out here, since they are going to abandon a free version of the distribution. But RedHat's enterprise products are based on GPL software, which means that by definition they must provide the source code.


wbg34:
Don't confuse bugs with bad engineering. The two are different. A programmer can perfectly implement a bad design, and what you will get out of it is a bug-free piece of software that is ill-behaved.

Again, I direct your attention to the "Outlook preview pane worm" issue. I'm not talking about bugs. What we have here is a flawed design that provided too much functionality through insufficiently sandboxing an internet application.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
Sleipnir 214 - can you explain what you mean by your statement of
"This is because the software, being free, generates no revenue through sales." and
"But open source projects put releases more often because no one has to pay for the new versions of software."
in regards to your last statement of
"I have never said they do not make money from the sale of software"

I interpreted those lines as you saying that the "software, being free, generates no revenue"

"I have said that they cannot put out a new version simply to drive sales"

They can put out a new version simply to drive sales if they want. Nothing stops them from putting out a new version and charging for it if they want based on a new license that states you must pay for it for what ever reason they choose to put in the license.

"What we have here is a flawed design that provided too much functionality through insufficiently sandboxing an internet application."

I don't know if I agree with it being a flawed design when you look at the intended usage of the functionality. You say it is to much but others may say its just what they want to do a particular job. The security flaw is no different then the vunerabilities they find in different components of Smooth wall and have to patch.

Just because you don't use the functionality doesn't mean it shouldn't be there for others to use. Its like me and cricket....I don't like cricket as a sport but that doesn't mean it isn't a sport.

Check out MS isn't the only one that gets hit by these things. Is Apache not designed well because of this? No! It is designed well. But you put any product out there like this and someone is bound to find holes in it.

We used to have a saying in our secure archives safe "The only secure data is data that has been melted with an incinary grenade"
 
Upvote 0 Downvote
SemperFiDownUnda:
There are a few facts that I assumed we both understood. The first is that you cannot sell what you do not own.

RedHat, for example, owns very little of the code that makes up their distribution. They do not own the Linux kernel, the KDE or Gnome desktops, the Apache web server, the MySQL and PostgreSQL database servers, the GIMP image processor, or much else of the software that is bundled with their product. That code is owned by the various programmers, groups of programmers, and companies that created the programs. They do own the rights to rpm ("rpm" being the "RedHat package manager"), but not much else -- and RedHat has GPLed rpm.

So RedHat is selling service, not product. They are selling the service of gathering up all those myriad pieces of code, making sure they all play well together, and writing them to a CD. They also sell the service of support for all that. This is the same model used by SuSE, Mandrake, and other commercial Linux distributors.

RedHat can't drive sales by adding features to the Linux kernel -- Linux Torvalds and his lieutenants decide what new features will be added to each kernel revision, not RedHat. RedHat can't drive sales by adding features to MySQL -- MySQL AB owns that code. Etc. Etc. Etc.


The second fact is that you can't drive sales through feature addition when you give the product away. MySQL and StarOffice fall into this group. They can add all the features they want, but if they also license the product under the GPL, users have a choice -- pay for support for the new features or use them for free. Again, MySQL AB and Sun are not selling any feature they don't also give away for free. They sell the service of supporting their respective software.

If I were so inclined, I could download the MySQL source code, modify it to create my own database server, and give away my new product. I must simply fulfill one requirement: I must distribute my new product under the GPL, since the license of the source code is GPL. Mandrake got their start as a Linux distributor by taking the RedHat distribution and adding features users wanted.


The third fact is that you can't sell what you only give away. Apache falls under this category. What would drive the Apache programmers to take the 3 years necessary to re-engineer Apache from the ground up to add new features and make the product work under a more flexible paradigm? Certainly not sales -- Apache is not sold, only given away. It's because there were things their users wanted to do with the product that either could not be done or could not be done efficiently.

So what I meant is that open-source products cannot arbitrarily add features, call it innovation, and scare users into upgrading under fear of removal of future support. Mi¢ro$oft is facing a growning problem with their software -- people are upgrading less often than before. And if Mi¢ro$oft can't increase their user base (which they cannot do indefinately -- the population of the planet is, after all, finite) or convince their users to upgrade regularly on Mi¢ro$oft's schedule, then Mi¢ro$oft's income based on sale of software must, by definition, decline over time. I think Mi¢ro$oft must have seen this, too. It would explain all the FUD they've been spreading about open source software for the last several years.




On the subject of software engineering problems with Mi¢ro$oft...
You're confusing implementation errors with design errors. No ethical programmer is going to intentionally design a buffer overflow into a program.

And that functionality (execution of code in the Outlook preview pane) doesn't look to be very useful to users. The fix was to re-engineeer the way Outlook uses the HTML rendering objects so that code could not execute in the preview pane. All versions of Outlook since that patch are now set up this way out of the factory, and I haven't heard any complaints from users.

So it doesn't sound to me like a case of "preferred functionality". It sounds to me like a case of "closing the barn door after the horse had gotten out".

The bug you'v pointed out was not a bug in Apache -- it was a bug in the OpenSSL libraries used by Apache, not in Apache itself. And it was a buffer overflow error, which is an implementation flaw, not a design flaw. Unless one wants to believe that the OpenSSL programmers deliberately put that exploitable overflow in the code. And I believe that the time between the discovery of the bug and a release of an updated version of OpenSSL to fix the bug was on the order of hours.



Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
"The first is that you cannot sell what you do not own."
True but many open source projects do own and sell their code. RedHat doesn't own the kernal true.

MySQL do own their code.

Smoothwall is Linux based but not bound to putting out new versions only when the linux kernal is changed.

"RedHat can't drive sales by adding features to the Linux kernel"
Agreed but the kernel isn't the only part of RedHat.
"The second fact is that you can't drive sales through feature addition when you give the product away."
Disagree. They can and do drive sales by the addition features and services they provide and they do. Do you think they get their revenue from people that like the artwork on the box? At an enterprise level, where many open source project get money from sales, lower cost is one incentive but when faced with a few products of similar cost they look at the vendor specific features that set them apart.

"If I were so inclined, I could download the MySQL source code..."
Agreed, I've never said you couldn't. I understand GPL very well. But you could also purchase the code, modify it, and SELL it if you so desired. Just because you wouldn't buy a product like that doesn't mean others don't think that the "value add" that companies provide isn't worth the money.

"The third fact is that you can't sell what you only give away"
Agreed. I never said ALL Open Source project earn revenue from sales. Most don't, but many do. Thus I didn't include Apache or Jigsaw in my list.

Apache has a different revenue model. There is nothing wrong with that. Some groups use Open Source to obtain grants and fund the project. I've never claimed different.

"Mi¢ro$oft's income based on sale of software must, by definition, decline over time."
I don't think MS's sales have capped and won't any time soon. Though our world might only be able to hold a finite amount of people but to bound yourself to todays thinking is just locking yourself into a paradigm. We are not bound by this world. Computers are not going to cap out either. I don't believe that MS will go on forever but then I don't know if they human race will either. But for the course of my lifetime, hopefully another 60+ years, the human race will expand, there will be more computers, thus I'd say MS will have an expanding customer base.

"You're confusing implementation errors with design errors. No ethical programmer is going to intentionally design a buffer overflow into a program."
I'm not confused. I wouldn't call missing some bounds checking code as a design error. It is a coding bug. You can design the best software in the world but us being human we are prone to make mistakes and a bug != bad design all the time.

"And that functionality (execution of code in the Outlook preview pane) doesn't look to be very useful to users"
And you get this info from where? I agree that executing code automatically was a bad design flaw but agian other Open Source projects have had bad design flaws. I know a few places where preview panes are used to manage skim over large amounts of data to try to help pick out important KPIs. I'm trying to keep my personal opinions out of this. For the record my personal opinion is that there are a ton of great Open Source Programs out there. That there are a ton of crap writen program out there that aren't Open Source. Some to bad design some to bad coding many to both. I don't thing Windows is a bad operating system. I don't think that it is better or worse then OpenBSD, Linux, etc. I think it just has its place. Sometimes better sometimes worse.

"So it doesn't sound to me like a case of "preferred functionality". It sounds to me like a case of "closing the barn door after the horse had gotten out"."
I don't know if they, MS, labeled this as "preferred functionality". I don't know where you got this quote. MS are pretty straight forward in their patches saying there is a vunerability when fixing something. They don't try to hide the mistakes.

"...And it was a buffer overflow error, which is an implementation flaw,..."
Exactly! But don't you see how when applied to Apache you call it a "implementation flaw" but when you talk about MS you are categorising many of the same type of "implementation flaw"s as "design flaws"

The outlook preview implimented a IE functionality just like Apache implimented a SSL functionality. Just as OpenSSL programmers didn't deliberately put that exploitable overflow in the code. MS programmers don't deliberately put exploitable code in their programs.

"And I believe that the time between the discovery of the bug and a release of an updated version of OpenSSL to fix the bug was on the order of hours."
Actually the fix for this vunerability was fixed about 3 months before the virus actually was discovered.


 
Upvote 0 Downvote
I have never discussed Mi¢ro$oft's buffer overflows as design flaws. I have not, in this thread, talked about buffer overflows in Mi¢ro$oft's software at all. Regardless of where it happens, a buffer overflows is an implementation error.

However, making the deliberate decision to expose dangerous functionality to the internet is a design flaw. That Outlook preview pane scripting fault is an example.

You seem to be assuming that the Oulook preview pane scripting fault exploited a buffer overflow, which it did not. If an HTML email arrived in Outlook, then Oulook invoked the HTML scripting object to render the email. That HTML scripting object exposed the VBScript scripting engine. Thus an HTML email with embedded VBScript would run from the preview pane. This behavior was intentional, or in other words "by design". Thus it was a design flaw.

The flaw you brought up in OpenSSL [again, the fault was in OpenSSL, not Apache. The fault affected many products that use the OpenSSL libraries, not just Apache] was a buffer overflow, which we agree is an implementation flaw. For it to be a design flaw, we would have to assume that someone deliberately decided to add that overflows to the code. If this were so, then we'd be talking about a design flaw. But since it isn't, we're talking about an implementation flaw.


As far as the GPL is concerned, you have to remember that if I modify MySQL to my ends, yes, I can sell it. But the GPL requires that I make the source code available, too. And the fact that I must make my code available severely limits my ability to leverage my product through creeping featurism. The GPL requires that everyone must be able to get a copy for free from me.


And you also seem to be assuming that RedHat writes a lot of the code in their distribution. They don't. They may find implementation flaws which they patch (and turn the patch over to the product's project manager), but they do not add features. RedHat does have some people on the payroll who are full-time contributors to various projects (the kernel being a prime example), but that code is handed over to the project managers for bundling, not bundled by RedHat themselves. The only code to which RedHat may add features is rpm and their install programs. So by definition, feature enhancements to RedHat's distribution are out of their control. If the sendmail programmers don't come out with a new version, for example, RedHat can't just invent one for RedHat 9.1. I suppose you could leverage market share by claiming to have the easiest install interface, but that will only take you so far -- look at MandrakeSoft as an example of that.

Again, what RedHat, SuSE, and MySQL are selling is support services, not software. This is because they give the source code away.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
I never meant or said that the outlook issue was a buffer overflow problem. What I said was "The outlook preview implimented a IE functionality just like Apache implimented a SSL functionality" Meaning it is an issue with IE that caused the problem. You might deem it as a sinister plot my MS programmers to impliment dangerious components into their application. I look at it as a problem where Outlook team implimented IE functionality but because of the way IE works the true security zone of the item was not recognised thus letting it run potentially dangerous code. IE made its functionality available. Outlook team utilised that. They should have tested more granted and the problem might have been caught. The larger and more complex a system is the harder it is to test everything. I'm not excusing them from their mistake but it is a mistake that can happen in Open Source as well as MS software.

I didn't say that the apache SSL problem was a design flaw. I've made it quiet clear before that the problem was by incorperating SSL functionality into Apache without fully realising the pro's and con's just like implementing IE DHTML rendering into Outlook was not done with fully realising the pro's and con's.

"As far as the GPL is concerned, you have to remember that if I modify MySQL to my ends, yes, I can sell it. But the GPL requires that I make the source code available, too."
I think you need to reread what I've been saying all along.
as you can see here you can modify the code and sell it under GPL BUT you don't have to. MySQL, and other Open Source GPL project, provide other licenses that organisations can work under.

You seem to think all Open Source Project = GPL
Many projects are Open Source but fall under other licensing line CPL. IBM, Oracle, SAP and many other large organisation fund Open Source projects. These projects are commersially driven. The companies above don't do it out of the goodness of their heart. They see the value in Open Source and decide to invest in it. But if the Open Source projects don't deliver results you'll see that companies will pull away from said products. If these open source projects can not prove that they are providing enough benifit in new functionality and inovations to those funding them they will soon see that funding removed. Just like if MS don't show that they are providing new functionality and inovations then they will loose their funding by loosing market share to other companies.

What I'm saying is Open Source project CAN and DO make money. Some by selling directly to users. Some by selling to Developers of 3rd party or derivative works. Some by receiving funding from large consortium that pour millions of dollars into these projects to make their other products more marketible.

RedHat deside what goes into their distribution, how it will intergrate etc. Distribution is far from out of their control. They can do influence other open source projects by direct contribution via support and or funding. Some of the applications shipped with red hat are licensed to them and they PAY for those licenses. They may not own the copyrights to the source code but these applications make Redhat stand out a bit more from other distributions that don't ship with these applications.

So its not just redhat RPM manager install that makes them different. Its all the applications, both Open Source and closed source, that make RedHat more or less desirable for any giving implimentation.

Redhat's contribution to the kernal is not minimal. They provide over a dozen developers and payroll Alan Cox and David Miller. Is RedHat doing this out of the kindness of their heart? No RedHat does this to further their own means. They do this to help get functionality they deem as needed for their future development of their distribution. A large part of this is their enterprise products.

Open Source is a HUGE business. It is commercially driven. It doesn't matter how ideal you are the fact is when you have companies like IBM investing over 1 billion dollars annually (lets look at that in numbers $1,000,000,000.00) it makes Open Source BIG business (that 1 billion dollars is just IBM's investment and this doesn't include things like investment in the open source development lab). Linus Torvalds might not be rolling millions of dollars a year but I can assure you others are because of open source.

oh and "RedHat, SuSE, and MySQL are selling is support services, not software."
RedHat and MySQL DO sell software. Redhat may not own the copyrights to all the software they sell but they do own a license to sell the software. MySQL DO sell their software under other licenses besides GPL. Sorry I don't know enough about SuSE to comment on them.
 
Upvote 0 Downvote
The Outlook preview pane design flaw existed before IE ever had any kind of zone security system. Excess functionality was exposed. This was in the day when Mi¢ro$oft's engineers, despite that fact that a majority of virii found in the wild infected Mi¢ro$oft's systems, seemed to be under the impression that the internet was necessarily a safe place. Even with IE's security zones, Outlook at the time was instantiating the HTML rendering object itself -- IE's zones wouldn't have helped.

The flaw in OpenSSL was not a designed exposure of excess functionality, but rather exposure of correct functionality. You can't implement HTTPS without SSL, and you need an SSL library to implement SSL on Apache. OpenSSL is the most commonly-used library for that purpose. It's just that the library was implmented with a buffer that could be overflowed.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
Sleipnir214 - I understand the outlook preview pane issue. I understand that it was a mistake that should have been caught. etc etc etc.

This does not mean that their software isn't designed etc. It just means they've made mistakes. I fully agree that they need to focus more on security but now as they do that holes will be found with MS and other Operating Systems.

Your arguement of
"Mi¢ro$oft is in the business of selling software, so they are constantly adding features, necessary or not, to their software."
while I'll agree that marketing has a big part in their software doesn't was when you are meaning it agianst statements like
"The first is that you cannot sell what you do not own."
and
[/color #008000]"Again, what RedHat, SuSE, and MySQL are selling is support services, not software. This is because they give the source code away."[/color]
etc
While it is true the first statement in a way the context was misleading. Organisations like MySQL DO own their code and they DO sell their code. Not all Open Source Projects are GPL projects. Not all Open Source Projects that are GPL only distribute under GPL.

Many Open Source Projects are commercially driven. That is my arguement. Saying "Mi¢ro$oft developed its client-side scripting language, VBScript, but never got around to sufficiently sandboxing it." while true is misleading when you neglect to meantion that MS isn't alone here that other scripting languages on other platforms have had similiar problem to include PHP, Python, JSP etc. These Scripting languages to have had/have sandboxing issues.

You could say things like "Well if someone controls the access like they should the scripts won't be able to delete important files etc" Well.....you can say the same for Windows. The fact that some administrators don't secure their file system as much as they can on a Windows server is not a windows issue.

Believe me I was around and yelling at Microsoft back in 1994 when ActiveX controls where popping up on the web. We saw that you could automate programs like Quicken from the web. We showed that you could, after they put zones in, get a activeX component to set the zone to "none". etc etc etc

Saying all this is microsofts fault is true. Microsoft opened up a can of worms when they put in OLE. ActiveX was actually a step in the right direction. It added RSA security to OLE. The problem for some is benifit for others. In a secured environment automation is a god send. I can design system in a matter of a month to do things that would take other years to do if the automation wasn't there. I fully agree that in a unsecure environment that these automation feature (that you obviously don't like) can cause problems. Packages like MYOB, SyBiz, Quicken etc have to be controled. Spam mail worms while a pain utilise functionality that you don't think is needed but others do. The fact that the functionality might be set on by default is an annoyance. The cases where they didn't give you an option to turn it off was stupid agreed.

I'm not saying MS does no wrong. They do plenty wrong. I'm not a Bill Gates lover. I recognise him for what he is, a very shrewd business man. He's not a great programmer. He's not a man with exceptional ideas. He is a man that has clawed his way to the top stabbing a few people in the back along the way. What I'm saying is that there are pro's and con's to MS software. They have inovated in some ways in others they have stifled inovation. But to try to have a blanket statement that Open Source is better because their designers don't make mistakes because their software isn't sold but only given away make zero sense.

You have to take each case and look at it. Buffer overflow errors on both sides of the fence are stupid. We know where the data is coming into the system and its a matter of applying standard checks at those points to insure that the overflow can not occur.

Even Open Source projects like Netscape still have security problems that in hind sight are stupid. Some of them even in foresight.

I'm not trying to change your view that microsoft are crap programmers and designers. I'm not saying they are secure (they are getting better tho). I'm saying that there are problems on both sides of the fence and that people all to often tend to be one eyed when it comes to MS. I personally like to step back and get a big picture, weigh up risk and benifits and make descisions.

 
Upvote 0 Downvote
I have looked at the big picture. Mi¢ro$oft has had a long habit of adding kitchen sink functionality, only to have it bite them on the butt from time to time.

My discussions of lack of language sandboxing, I have been very careful to talk about their use as client-side programming languages with web clients. PHP, Python, and JSP all run on the server side, not the client side. So they don't have to be sandboxed. If a hostile programmer wants to tear up his own server, more power to him.

The reason why IE has to support the idea of security zones for websites is because though VBScript and ActiveX, a program can do anything it wants on the machine. This functionality is great for intranets, where you know what you're getting into. But it ignores the entire reality that the internet is not necessarily a friendly place. This is poor engineering, particularly from a security standpoint.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
I agree partly but the topic isn't strictly client side. The topic is a general "MS security REALLY THAT bad Compared to Open Source"

The issue of you saying "Mi¢ro$oft has had a long habit of adding kitchen sink functionality, only to have it bite them on the butt from time to time." is true. From your earlier statements like [COLOR=#00800]"Mi¢ro$oft is in the business of selling software, so they are constantly adding features, necessary or not, to their software."[/color] your tone is that the features are not necessary. I'll tell you that they might not be necessary to you but they are to other developers.

Open Source projects put in features that I don't need that bite them in the butt from time to time to. Doesn't mean that they are unnecessary. You obviously have not seen systems that utilise automation to the fullest and stream line processes. If you have you wouldn't say the features are unnecessary.

Lets take Word Processors as an example. 95% of the features in a modern word processor probably go unused by the average person. This goes for Open Source projects like AbiWord. I don't hear you say that these projects are bloated even though most of the features we wouldn't even need. The fact that you can automate word may be useless to you but to me not having to write spell check, grammer check, from scratch is a huge help. The fact that I don't have to cut open an open source project to get at its spell checker then figure out how to integrate it with my ASP application is a big time saver too.

I'll take your silence on the issues of many Open Source not being driven by commercial forces as a sign that you see that Open Source isn't what you indicated it was in your early posts.

I'd care to say that if you had many Open Source project try to do as much as MS does in some of their apps you would see more security problems too. Does that mean we should stifle inovation by preventing things like client side scripting (of which I've seen java applets break out of their little sandbox on apps like Netscape and be able to delete files on the local machine)? No, we need to learn the problems and how to get a good intergration of the 2. Security and the ability to have these features.

So to the original question of is MS coding really worse then Open Source codeing I say no. They just try to do more which means they are exposed more. This topic is as much about buffer overflow problems as the topic you want to turn it into "Evils of Client Side Scripting". Of which products like star office with javascript capability is a potential target to and that is opensource. Many of the same issues the MS office suite has could be ported over to do similar things on Star Office on Linux. Yet I hear nothing from you saying Sun is crap designers because they allow client side scripting in their applications too.


 
Upvote 0 Downvote
Okay, let's go back to the subject of open-source projects. You have pointed to a couple of open-source projects which may have sales-driven reasons to add features -- RedHat as an example. But you did not answer the question of how RedHat could have driven sales by adding features to every open-source project that was bundled with its distribution. Yes, RedHat does contribute greatly to the Linux kernel development -- but what about Apache, fetchmail, KDE, Gnome, Xwindow? Few of the 400+ other products bundled with RedHat is distributed in a for-pay form. None of these products is developed, even in part, by RedHat. How could the addition of features in these projects be influenced by sales-driven creeping featurism? RedHat has influence over the development of around 1.5% of the code that makes up their distribution.


I assume the Java problem you mention is described here:
Again, you have confused by-design security failures with implementation faults. Unless, of course, you are saying that the Netscape JIT developers intentionally designed the JIT compiler to exhibit the behavior described. Because that is the difference between an implementation failure and a design flaw. If the software does something stupid because a software engineer intended for it to behave that way, then the software was badly designed. If the software does the smart thing except when properly abused by users, such as expoiting a buffer overflow, then it's an implementation flaw.

But since you brought up Java, let's talk about the differences in the security model between it and ActiveX. Java was created with a Security Manager as a part of its design. The security manager decides which interfaces should be available to an applet. ActiveX depends solely on code-signing, which Java includes. Here's an article form May, 1997:
But of course, if we're going to talk about code signing, we also must talk about Mi¢ro$oft's inability to protect their code-signing keys. As I recall, there is an update to IE which includes new keys to replace the ones they let get out of their control.


And let's talk about word processors, specifically AbiWord [a good product, by the way]. I don't know how the features which 95% of users don't use got there. But the reason could not be to drive sales -- AbiWord is only distributed freely. No sales = no sales-driven creeping featurism. Which, of course, is my point.

But an open-source project is trying to do what Mi¢ro$oft does, at least in terms of integrating apps. It's called StarOffice/OpenOffice. Interestingly, they have already given more thought to security, as JavaScript is designed from the get-go with sandboxing. But even if they extend JavaScript to their own ends and kill the sandboxing, we're not talking about security design flaws in web applications. We're talking about desktop applications, and a different set of rules apply. Otherwise, we'd have to ban c-language and VisualBasic, as neither language has any kind of sandboxing at all.

The difference, though, between StarOffice and Mi¢ro$oft Office, in terms of development, is the fact that Sun's application programmers don't have the option to diddle with the operating system to make their application programming easier. Which is what Mi¢ro$oft's application programmers must do -- otherwise you wouldn't have to reboot a Win32 box after installing Word to get the OS to use the newly-updated libraries. Which is, of course, a design problem in and of itself -- the entire design of the monolithic pseudo-API that Mi¢ro$oft calls Win32.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
RedHat big push isn't in the 400 odd misc programs it provides but the enterprise level servers it produces. It is true that the features RedHat gets into the kernel are useable by all but they are targeting a market and doing quiet well as they are quite large when it comes to enterprise level servers.

So to your question of
"how RedHat could have driven sales by adding features to every open-source project that was bundled with its distribution"

They drive sales because they provide a total package that is different from others. The fact that they don't write most of the code in their package is not relavant. They drive sales by combining features available and effecting the future features.

Lets talk about MySQL. A product that is really starting to mature because of the features they are putting in. Do you really think MySQL could keep up if they where still no more then a large Access 2 database? Stored Procedures, sub queries, transactions, triggers and views are just now coming into play. Features that drive sales. Features that in my opinion are needed but still they drive sales even though most of MySQL installations are free.

"Again, you have confused by-design security failures with implementation faults"
No I'm not confused. Once agian you are twisting my words. What I'm saying is you have a product here that impliments another products functionality without fully knowing the ramifications. Netscape included functionality into their app via the java compiler just like the Outlook team included functionality into their application via IE.

Lets take OpenOffice as another example. You keep saying stuff like "No sales = no sales-driven creeping featurism. Which, of course, is my point"
For some reason you think box sales is the only revenue for software. Sun and IBM are 2 HUGE organisations with significatant investments in open source projects. Do you think that their design and programming teams operate differently if it is a closed source or open source project? Both these companies use the Open Source projects on multiple levels to include making money on support. If you don't think features plays into it do you think OpenOffice would be as widely used if it didn't have the features of MS Office? If it wasn't as widely used do you think they would have as many support contracts. Features effect their income. Some projects just enhance other products and may not have any direct revenue streams but in the big picture that is not a big deal. You've got alot of other factors playing into it.

I'm not going to change your mind. It is obvious to me you don't fully realise the level of commercialism in the Open Source market. For the others out there I don't expect to change their mind either but the fact is that many open source projects are funded by large businesses. These businesses are in the BUSINESS of making money. All of these big businesses have stockholders to answer to. Money .... its about money. Do you think companies like IBM do R&D for the kicks? No they do it because of the long term financial benifits. Open Source is alot like that in terms of projects that don't have direct revenue streams. End users want features if one project doesn't provide the features you need and another does then you change products.

You can have the best written software in the world but if most people don't use it because it doesn't have features you need then who cares if there are a few people that use it just because it is free. MySQL is a great example. Sure 98% of their users don't pay for the product but their massive base means that the 2% that do make them money. If they stopped putting features in then you would see their entire base switch and more importantly a larger % of the paying customers would switch because they actually have a finacial interest. Would you pay for a car built by a local mechanic if it didn't have breaks or some other feature you deemed needed?

Just because YOU don't need the features in many MS products doesn't mean others don't.

I'm sick of saying the same thing over and over so I am done with this thread until someone else has something to say worth commenting on.

Happy New Years.
 
Upvote 0 Downvote
I think you don't understand the extend of the number of open-source projects. The overwhelming majority of open-source projects are ones like Apache, AbiWord, PostgreSQL, fetchmail, qmail, postfix, and exim, which have no sales methods. My single point has been that for these products and their similar no-sales bretheren, it is not possible for the authors to simply employ creeping featurism, call it "innovation", and market the hell out of them for the sake of increasing sales.

MySQL can't just add useless features and market them as innovation to drive sales. If MySQL adds a feature that reduces the stability or speed of their product, their customer base will either refuse to upgrade or switch to a competing product, such as PostgreSQL. PostgreSQL has many more features than MySQL -- stored procedures, subqueries, transactions, triggers and views, for example [actually, MySQL already has transactions]. Yet MySQL's simplicity and speed have made it the most commonly-installed database server in the world. Speed and stability, not creeping featurism, drive its install base.

And RedHat, since it is based on the Linux kernel and other products over which it has no control, can't employ creeping featurism to drive sales. What are they going to market? The kernel revision it uses? Slackware and Debian are using the same kernel. The version of KDE or Gnome? Slackware and Debian are using the same versions. And Slackware and Debian have both been free since the days they released their respective first distributions -- in the case of Slackware, that day was more than 10 years ago.

So what is RedHat selling in their enterprise product? Their service of selecting a group of software that will play well together, and their service of supporting their distribution.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

sysadmin10
  • Locked
  • Question Question
Onboarding a new MSP customer
Replies
0
Views
687
sysadmin10
sysadmin10
Mountainbear
  • Locked
  • Question Question
Tech tools
Replies
0
Views
2K
Mountainbear
Mountainbear
audaxviator
  • Locked
  • Question Question
Is Microsoft burrying CIL/MSIL?
Replies
2
Views
1K
audaxviator
audaxviator
johnherman
  • Locked
  • News News
Privacy battle(s)
Replies
0
Views
627
johnherman
johnherman
johnherman
  • Locked
  • Question Question
Is Privacy Dead?
Replies
0
Views
706
johnherman
johnherman

Part and Inventory Search

Sponsor

Back
Top