lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: jan.m.clairmont at citigroup.com (Clairmont, Jan M)
Subject: RE: MS should re-write code with security in mind. lame bitching about xpsp2

M$ should just bite the bullet and re-write windows with 
security in mind, give it a true process scheduler, multiuser
with windows as a client server processes.  Build in 256 bit encryption and secure communications between processes and external communication with no unencrypted traffic.  That would shut down a lot of these mindless bugs.  All mail should be encrypted and point-to-point, with the mail servers only able to re-direct and broadcast mail with authentication.   Maybe we could slow a lot of  the hacking down  and spam.  But again until the market place demands it M$, Linux and everybody else it's business as usual.

Keeps us employed I guess.

Jan Clairmont
Firewall Administrator/Consultant


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Barry
Fitzgerald
Sent: Tuesday, August 17, 2004 2:34 PM
To: joe
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] lame bitching about xpsp2


joe wrote:

>
>I didn't say that they didn't use BSD pieces, I said that he wasn't as
>accurate as he likes to think for the statement where he was naming specific
>tools and pieces. Use of BSD pieces doesn't mean that it was used in its
>entirety or even a lot, just that it was used in some manner, it could
>possibly be limited to #define statements in a header file. If that is done
>they still have to acknowledge the source. It can even be to acknowledge IP.
>I've looked at most of the components the poster spoke of, not the release
>notes, I am familiar with what companies and orgs the pieces came from.
>
>  
>
That's not entirely accurate.  Copyright law clearly states that there 
has to be a noticable portion of the work copied such that the work is a 
derived work.  If only a #define statement were copied they wouldn't be 
obligated to disclose it's source.  In fact, I'm struggling to find a 
reason why someone would simply copy a #define statement and nothing 
else -- much less give credit for it.   In fact, if the whole thing were 
over a #define statement, I can't imagine who'd ever come knocking at 
their door looking for credit for it. 

SCO has the source code for the Linux kernel and for SysV Unix -- the 
sad thing is that they seem to claim that public domain code is owned by 
them and is their proprietary property.  Having the code doesn't lead to 
an understanding of its lineage.  I think you're exerting knowledge 
where you don't have a clear path of knowledge.  Hey, we all do it at 
some point -- I just don't want non-factual data to get out in the public.

>I know I didn't even start to imply that MS had written all of Windows from
>scratch. Actually I think that is one of the issues in that many pieces they
>didn't completely write gets thrown together with other pieces they did
>write. However if you can buy a tcp/ip stack or a zip implementation or a
>SQL Server or metadirectory for less than it takes to build it and grow the
>experience in-house, it makes business sense to do so. Microsoft is a
>business. Once you realize that, you understand idealism and religion have
>no place here. 
>
>  
>
Idealism always has a place -- it drives people to be better and do 
better things.  Business without idealism is parasitic in nature.  I 
know that you're making a point about the state of business in corporate 
America, I just hate the point and think people need to stop propagating 
that neo-Smithian drivel.  (And no, before you say it, it hasn't worked 
for us.)  Keynes is dead, my friend; and so are his theories.

Having said that, copying is not a problem.  Even if Microsoft based 
their Win2k TCP/IP stack code off of BSD code it's still within their 
right to do so according to the BSD license.  The only problem I see 
there is that the BSD people didn't have the foresight to license their 
code under the GNU GPL -- but that's a professional disagreement and I 
have no real gripe with them.  :)

>But there are, that is the point. There would be more companies doing so if
>there was a market and a profit to be had in this space. i.e. If everyone
>hated MS and Windows as much as you would like to think, other options would
>be used. This isn't electricity where you get it through one company or
>can't get it at all. This isn't oil where you only have one company
>processing it. You don't have no choice but to use a computer loaded with MS
>Software. 
>
>  
>
That's not accurate either.  You and I can build a system or throw 
together a parts PC from a shop that'll build one for us.  The average 
person can't (won't?) do that.

Two years ago, I bought a laptop from IBM with GNU/Linux pre-loaded 
(they wouldn't sell me a bare laptop).  The laptop I got was on a 
product line that was being discontinued.  Why was it being 
discontinued?  You guessed it -- poor sales.

There's one problem with the statement above:  I had to call IBM and go 
through a couple of different sales people before I got the right 
model.  The laptop was not advertised on their website (I couldn't find 
any GNU/Linux-based laptop on it at the time) and I had to inquire for 
it.  Once I got there, the laptop was mid-grade and cost me almost 3,000 
USD.   Hmm... Gee... I wonder why it's sales were poor.  Maybe it was 
because no one knew it existed?!?  (I had come asking because through 
hearsay I'd heard they had them to sell...)

The situation is much better than it was 2 years ago -- but finding an 
alternative for the average person is still relatively difficult.  The 
vast majority of people are not going to take the time.  And even then, 
the lack of software support and official hardware support from vendors 
scares average users.  So, yes, there is a lock-in.  It's just very 
complex to diagnose what the cause of it is.

The existance of an alternative does not make the alternative readily 
available.  You need a readily available alternative to prove your 
point, and right now that doesn't exist.

Is that solely Microsoft's fault?  Of course not.  But, some of it is -- 
their OEM agreements (cited in the antitrust suit) are one example of that.

>>So most people end up buying MS software even if they don't want it.
>>    
>>
>
>Those people are flipping idiots. If they did that I could be how they would
>be so mad. Easier to blame someone else than themselves for being a moron.
>
>  
>
No they aren't -- see above.

Or, are you going to call Ma and Pa Kettle morons simply because they 
don't choose to call up IBM or HP or Dell and ask for something that 
they don't know exists?

mm-hm.

>>And have you tried getting the refund for the cra^H^H^Hunwanted software?
>>    
>>
>
>No, because I don't buy things I don't want. Buying something you don't want
>and then whining for a refund is a bit silly don't you think?
>
>  
>
Yeah, but you and I aren't average people.  What we do doesn't count in 
that equation.


>
>I see, so Microsoft is exercising control over the price and output of other
>Operating Systems? How much did they make you pay for your last copy of
>Linux or BSD or ? Define what abnormal profits are? Because one company only
>makes 1% on their gross does that mean anyone making 10% on their gross is
>close to be called a monopoly?
>
>  
>
Your argument is moot.

They've already been declared a monopoly.  That court case is over and 
has been over for years.  Your argument lost in a court of law.  I don't 
see any reason to revisit it.


             -Barry

p.s. Sorry for continuing this OT blather -- but I hate seeing this kind 
of disinformation in public forums.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists