Snyder chickens out

Story: Mozilla looks to Microsoft for security
Total Replies: 48
tuxchick2

Sep 23, 2006
12:20 PM EDT
But then, I've read comments from many supposed computer security experts who waffle and won't say anything definitive. They're either being non-committal on purpose, or they're so paranoid they can't be realistic. True, there is no such thing as perfect security, but it really isn't that hard to make informed comparisons and decisions. System and network administrators do it all the time. All threats are not the same severity, nor do they commit the same levels of collateral damage.

What's so hard about saying something like "the Mozilla codebase is open and auditable. Which is amusing, because IE is easily exploited with no access to the source code. Even more importantly, Mozilla/Firefox does not provide a big fat eight-lane expressway and open invitations into the heart of the operating system for every random bit of malware that strolls by."

Not hard at all.

jimf

Sep 23, 2006
4:49 PM EDT
You know, I really don't care much any more what Firefox does. I've been playing with Mozilla and then Firefox for years, and although it's far better and more secure than IE, I've never been very happy with it as a browser choice. Now they're giving Debian a hard time for unauthorized use of the 'Firefox' trade name. I guess that goes away if Debian packages it as 'crap', but still...

Opera is just as secure, and far more usable in the real world. Konqueror is not far behind, and GPL'd to boot. Is it any wonder that many of us are quietly switching over to one of those?
tuxchick2

Sep 23, 2006
5:35 PM EDT
I adore both Opera and Konqueror. Opera is not libre, but it's the best web browser by a country mile in my needlessly humble opinion. Konqueror is my everyday web browser, and I use Mozilla when I hit a site that gags Konq. Firefox is OK, but I think Linux is the unwanted stepchild to the Firefox devs. Plus it has a fatal memory leak on my Kubuntu box, so after it runs about ten minutes the whole system locks up hard. (Yes, I've filed a bug report, which has been ignored as per usual.)

Even so, it has taken the winduhs world by storm, and that is a good thing, because IE is a horrible piece of poo and should be driven off the Internet for good. Honestly, how could anyone with half a brain design an application that runs over untrusted networks to welcome and run remote code? And put it on top of an operating system that does the same? It's hard to fathom the stupidity/greed/willful blindness behind that sort of design. I boggle.

jimf

Sep 23, 2006
5:55 PM EDT
You are much kinder than I am tuxchick :)

I have no sympathy any more for anything MS or anyone using it. Although they have other options, MS addicts continue to cling to their abuser, and as such, are on their own. Firefox in Windows doesn't cure anything, it just absorbs a little of the pain.
mvermeer

Sep 23, 2006
10:14 PM EDT
What I don't understand is how they hire people like this, apparently only on professional competence (which is OK) but without confronting their personal history with the culture of FOSS and its undeniably ethical roots. This is -- especially for a security expert -- about trust.

She should at least have been made to think about this and offered the "opportunity" to explain herself, if not downright apologise, while being hired. Here this apparently didn't happen and the interview shows the result.
dinotrac

Sep 23, 2006
10:24 PM EDT
Guys --

I am completely missing the point of peevishness here.

I think TC got it right the first time when she said that security folks (at least the good ones) are, by nature, paranoid. I think you really have to be (whether a matter of personal inclination or professional outlook) to do that job properly.

There is also a matter of tactics. As soon as you say that you are more secure, you lay down a challenge. How stupid would it be -- especially for a security person -- to say "sure, we're more secure", in effect saying, "Hey guys -- crack us!"

Note what she did say: The best measure is days of risk, and that Mozilla had made that number incredibly small.

Now that's a lovely thing: We are really good at the metric that matters most and --get this -- the metric isn't that we can't be cracked, but that we close the door as soon as it gets open.





tuxchick2

Sep 24, 2006
10:15 AM EDT
dino, you are right to point out that she did actually say something of substance, which was the days-of-risk metric. You are right that is the one that matters most. My peeve is that Snyder and other supposed security experts do not give practical guidance. They make it sound like platforms or applications that are less than 100% secure are equally insecure, and that all risks carry equal consequences. Which is complete bushwah, and unhelpful.
Libervis

Sep 24, 2006
10:41 AM EDT
Quoting: Opera is just as secure, and far more usable in the real world. Konqueror is not far behind, and GPL'd to boot. Is it any wonder that many of us are quietly switching over to one of those?


Ah and so it is absolutely necessary to use Opera, the non-libre program, because it is so much better. I mean, you don't have any other choice for web surfing. Of all the libre browsers you have to choose the nonfree one.

Someone may wonder how much do you really care about Free Software when you give the whole principle up for something proprietary just because it is a little bit more shiny.

Sorry, I am aware this post could be construed as slightly inflammatory (I suppose calling on someone's conscience and conviction should be banned on open forums). To be honest I'm getting quite tired of it all, the fight, the debate, the constant controversy. It's great to be part of the Free Software community, but if you have slightly unpopular and untrendy views (views often called "purism" as if pure was bad), want to be vocal, participate and not merely bystand, it can be tough and threaten to lead you to cynicism. :

EDIT: Hmh.. ok now you can delete this post if you wish..
jimf

Sep 24, 2006
12:58 PM EDT
Oh, Please don't delete it...

OK, let's discuss freedoms. Is FOSS a preferable solution? Well, in nearly all situations, it probably is. But, is proprietary software evil per se? Absolutely not. Even RMS agrees with that. So do programmers have a right to produce apps that are under proprietary license? Absolutely. And, do users have the right to use that software? Again, without question. User freedom trumps the GPL every time on that point, and to say otherwise is to erode the basic freedoms set out in the GPL. So who is being 'dishonest' here?

It's unethical to support outfits like MS and their partners because of their bad business practices, bad/bloated code, and, lousy treatment of customers. It's not unethical per se for them to be producing proprietary code. There are in fact many small outfits that produce proprietary software that are doing a good job of it, and violating no ethical principles.

Do I think that FOSS and GPLv2 are a preferable and superior way of doing things? Yes I do, but, only if it proves to be superior to the proprietary stuff, i.e., competitive in the market. Overall, Linux is a fine example of open source being a superior developmental model and one that will prevail, but it would be very wrong to 'mandate' its use. People have to discover the advantages on their own. Again, freedom is the key.
GDStewart

Sep 24, 2006
2:25 PM EDT
TC: Plus it has a fatal memory leak on my Kubuntu box, so after it runs about ten minutes the whole system locks up hard.

I've had no such problems with Firefox running SuSE 10.1, Windows XP (I like to play games OK?, It's the ONLY thing I use it for I promise), or Windows 2K (It came with the Thinkpad T20 that I now have set up to dual-boot SuSE 10.1). Especially considering the last two, maybe it's not a Firefox problem?
tuxchick2

Sep 24, 2006
3:35 PM EDT
GDStewart, it only happens when I run Firefox. I haven't cared enough to try to track down the source of the problem, but if you have some suggestions I'll give them a try. It's really not all that helpful to tell someone "mine works fine." :)

dinotrac

Sep 24, 2006
3:41 PM EDT
TC -

Fear not, you are not insane. Firefox on my 64 bit SuSE 10.1 box leaks memory like a sieve.
Libervis

Sep 24, 2006
4:32 PM EDT
Jimf:

Quoting: But, is proprietary software evil per se? Absolutely not. Even RMS agrees with that. So do programmers have a right to produce apps that are under proprietary license?


Aren't you the one knowing RMS so well to speak of what he agrees with and calling him a dictator in another thread. Reality says otherwise though: http://www.gnu.org/philosophy/freedom-or-power.html

Read that and then we might continue the discussion, if that is even necessary considering that we've already had it quite a few times. Some people just prefer convenience over the greater ideal of freedom and there's nothing I can nor have to do about that except maybe voice my apparently unpopular view when I feel I have to.

Thank you.

EDIT: Btw, this may do you good (a comment): http://opensource.apress.com/article/78/software-choice-poli...

It addresses exactly the kind of thinking you bear.
jimf

Sep 24, 2006
6:39 PM EDT
Libervis:

So all you can do is feed me more of the party line? No one denies that RMS is a valuable resource as a thinker and a philosopher, but he's so absolutist that he makes a terrible leader. You treat him and his 'theories' like god's word, and that's just wrong.

Oh, and after doing a quick check, you are correct. RMS does say proprietary software is unethical... Another value judgement from his pulpit, and, another place where he got it wrong...

> Some people just prefer convenience over the greater ideal of freedom

Personally, I could be perfectly happy with what GPL'd Linux offers, and I really give a damn about DRM. I don't use DVD's on my computer, and, I have enough songs to last my lifetime. So don't ever pull that 'convenience over freedom' crap on me.

Perhaps, when you bring RMS down off his pedestal, and, treat the GPL as a legal document rather than a Holy Scroll we can indeed continue the conversation.
Libervis

Sep 24, 2006
6:58 PM EDT
You are deliberately exaggerating my stance, almost putting words into my mouth. Just because I am a "purist" as some would like to call me doesn't mean I worship RMS or treat GPL as a holy scroll. You can sell those stories to someone else.

It is apparently hard for you to believe that someone might actually within his own reasoning find the GNU philosophy and RMS's stance on Free Software a favorable one to follow.

I really don't have much more to say to you. Out of decency I am pulling a "free to disagree" line here.

dinotrac

Sep 24, 2006
7:04 PM EDT
Jimf -

It would appear that Libervis is strutting across his own pedestal today.

It is a very different thing to defend an act and to do it yourself.

As a clear example:

My father was an interceptor pilot killed in the line of duty. Before he was laid to rest in Arlington cemetery, the American flag that draped his coffin was handed to my mother.

As you can imagine, I would never burn an American flag. I would, however, defend your right to burn as many flags as you wish because that is a freedom I believe in, and it is a freedom my father died to defend.

To accuse you of putting convenience over ethics simply because you dare to speak out for freedom in a way that doesn't fit his own definition is an exercise in pomposity, not principle.



jimf

Sep 24, 2006
7:13 PM EDT
> I am pulling a "free to disagree" line here.

And I certainly do.
Libervis

Sep 24, 2006
7:17 PM EDT
OK dinotrac, maybe I should rephrase. In my view, the definition of freedom I believe in, he is putting convenience over ethics. Is that fine?

Besides, didn't I just pull the "free to disagree" string? What does that mean?

Probably that I don't let others have their own opinions, right..

jimf

Sep 24, 2006
7:43 PM EDT
> In my view, the definition of freedom I believe in, he is putting convenience over ethics. Is that fine?

If I were grouch, that would be pistols at ten paces... Tomorrow morning? :)
dinotrac

Sep 25, 2006
3:32 AM EDT
Libervis --

I'm not so sure it's a matter of re-phrasing your view. Your view is fine. Mine differs, but that is an essential part of freedom.

The thing we all need to be careful about is making too many assumptions about -- stereotyping -- others simply because they disagree.

And here's the red flag -- not just for you and not just for free software, but for everybody WRT everything -- jimf ain't the enemy. He's a friend who sees some things differently. In society at large, lots of good goes undone because so many people see friends and enemies when they should see people who disagree. The problem with friends and enemies is that people rarely disagree completely, or on every issue. It's easy to shake hands with a friend and work together on something you both hold dear. It's not so easy to shake hands with the devil.
Libervis

Sep 25, 2006
6:33 AM EDT
With that I can agree.

I just couldn't resist posting about the way I view choosing one proprietary program when there actually is an abundance of other free choices and considering my belief in the importance of avoiding *all* proprietary software. This view is not unfounded and certainly doesn't come from the mere merit of admiration for RMS. I am within my own reasoning capacity truly convinced that this is important and this is what is motivating me to post about it.

In my view, when someone thinks that proprietary licensing is ok and that certain proprietary stuff is ok to be used he or she doesn't view it from an ethical perspective which I believe matters more than a practical one. If he or she professes that he or she does then I suspect that there is a lack of understanding of the scope of the proprietary software problem, from an individual application such as Opera to the whole operating system like Windows.

But I suppose I should be more explicit about the fact that this is the view I hold, so that it doesn't get misconstrued as an imposition of one view over all others or treating someone else as an enemy.

That means I or anyone else with any views should not just cease talking about it and targeting that which we believe is wrong - just do it with more tact I suppose.

The actual point of disagreement is a very big discussion which we already had a few times and ultimately weren't able to agree so I am ok with just dropping the issue here for now.
tuxchick2

Sep 25, 2006
7:19 AM EDT
"Opera is just as secure, and far more usable in the real world. Konqueror is not far behind, and GPL'd to boot. Is it any wonder that many of us are quietly switching over to one of those?"

That is a simple statement of fact. Why attack statements of fact? You're reading all sorts of assumptions into it that don't exist. Maybe go back to bed and try getting up on the other side? Because fatigue or a bad day might explain how you got

"so it is absolutely necessary to use Opera..." "... you give the whole principle up for something proprietary just because it is a little bit more shiny."

And all the remaining diatribe from an innocuous statement. I wouldn't call that purist, but plain old grumpy.
dcparris

Sep 25, 2006
7:30 AM EDT
> Oh, and after doing a quick check, you are correct. RMS does say proprietary software is unethical... Another value judgement from his pulpit, and, another place where he got it wrong...

Whether he "got it wrong" seems to be a matter of opinion. RMS accepts a special case of "proprietary software", namely software developed "in-house" and not distributed. The reason he considers that to be "o.k." is that the user is also the developer.

The case RMS (and Kuhn) makes in the Freedom or Power essay is a fairly strong one, imo. What is it that you disagree with in that essay?

As for Libervis' position, I generally do not use anything that is non-libre, except where I am not the one choosing the solution (i.e., my full-time job). Even there, I use OOo and Firefox. Thus, Opera is not an option for me. Having been burned by the non-libre option in the past, I am resolved not to allow that to happen again in the future.
Libervis

Sep 25, 2006
7:52 AM EDT
Quoting: And all the remaining diatribe from an innocuous statement. I wouldn't call that purist, but plain old grumpy.


I'll admit I was a little bit grumpy last night so I may have misdirected the comment. Of course, as you're probably aware by now that doesn't change my overall stance towards proprietary software, whichever program we're talking about.

I frankly don't care if Opera is the best browser in the world. It is not libre software and Firefox is an excellent browser still. So yeah.

I'm pretty much on the same line as dcparris. Yesterday I just lost a little bit of my tact temporarily. Accept my apology for that, and only that. ;)

tuxchick2

Sep 25, 2006
8:24 AM EDT
Libervis, no worries, you're one of the calmer homies here. The official LXer quota is one bad mood per month.
dcparris

Sep 25, 2006
8:49 AM EDT
We all have our days. But what I like about our community is that we generally manage to get along quite well, despite our various differences.
dinotrac

Sep 25, 2006
9:16 AM EDT
Rev -

What I like best is an extension of what you like best...

We've created an atmosphere in which people can express themselves without walking on eggshells.

Even the best intended people are going to go off the reservation now and then. It lies in the very nature of freedom. Around here, we tend to give folks a chance to say, "Garsh -- I didn't mean to say you were the root of all evil, I just meant..."
Libervis

Sep 25, 2006
2:12 PM EDT
Hehe, thanks guys. :)

Not sure what to say now.. er.. let's wish that new gal in Mozilla all the best with improving Mozilla security. I think that Microsoft has a lot of talented employees who are just being held back by its management. That said, just because she is from MS doesn't mean she'll do a poor job at Mozilla. It may turn out to be quite a big gain actually. :)

dcparris

Sep 25, 2006
2:43 PM EDT
I agree with you, Libervis. Hopefully she'll succeed with Mozilla. MS hires some good people; it's what they do with them afterwards that is so scary. ;-)
tuxchick2

Sep 25, 2006
3:52 PM EDT
Oh gag me with a group hug already.

Don, that is so true about MS hiring good people, then wasting them. Fortunately not everyone becomes Stepford-ized, and some even escape back into the real world.
dcparris

Sep 25, 2006
5:54 PM EDT
Group hug? Really?? Oh wow! My first LXer group hug!

Ok, you can gag now. :-D
jdixon

Sep 25, 2006
6:56 PM EDT
Jimf:

> If I were grouch, that would be pistols at ten paces... Tomorrow morning? :)

So, were you offering to host the first LXer paint gun battle?

I can see it now: "And in a hard fought battle, the Pragmatists outlast the Idealists with only one man standing" :)
dinotrac

Sep 25, 2006
7:05 PM EDT
jdixon -

*paint* guns?

Man, you take the fun out of everything!
dcparris

Sep 25, 2006
7:07 PM EDT
I'm surprised there wasn't a WoW challenge in there somewhere.

Don ducking and running...
jdixon

Sep 25, 2006
7:11 PM EDT
Dino:

> Man, you take the fun out of everything!

Well, I've never really considered getting shot at "fun", but that may be a personal quirk. :)
dinotrac

Sep 25, 2006
7:14 PM EDT
> Well, I've never really considered getting shot at "fun", but that may be a personal quirk. :)

Oh. I hadn't considered the possibility of somebody shooting back....

May have to re-evaluate.
dcparris

Sep 25, 2006
7:20 PM EDT
Oh jdixon, you've just never been exposed to a live fire down on the Mohengis (however they spell it) River in Panama. There's just nothing quite as exhilarating as 7.62mm rounds cutting through the trees, oh, about a foot or two over your head because the Army riverboat crew decided to be a bunch of smart alecks. I'll leave it as an exercise to the reader to figure out whether we were too crazy, or too stupid, to duck. Yep! Loads of fun that was! ;-)

Of course, I haven't actually tried out getting hit by the 7.62 rounds. I don't think it's recommended though.
jimf

Sep 25, 2006
7:21 PM EDT
> Oh. I hadn't considered the possibility of somebody shooting back....

Yeah, it does up the stakes considerably...
jdixon

Sep 25, 2006
7:27 PM EDT
DC:

> Oh jdixon, you've just never been exposed to a live fire down on the Mohengis ...

Nope, I can thankfully say I've never had the pleasure.

Unfortunately, just being in the woods at hunting season puts one at enough risk it seems.
dinotrac

Sep 25, 2006
7:33 PM EDT
> Unfortunately, just being in the woods at hunting season puts one at enough risk it seems.

Unless, of course, you're in Michigan's Upper Peninsula during deer season and you're a deer. In that case, you're pretty safe.
dcparris

Sep 25, 2006
9:18 PM EDT
In West Virginia, a guy had a truck accident, and was thrown from his vehicle, breaking his leg in the process. As he was trying to crawl back up to the road to seek help, he was 'mistaken' for a deer and shot. All I could say to my Pa and brother at the time was, "I guess it just wasn't his day".

In another case, a guy was jailed after he told police he "heard" a groundhog in the woods. As long as I lived in WV, I never saw - or "heard" a groundhog out romping in the December snow.
tuxchick2

Sep 25, 2006
9:38 PM EDT
You should visit here for the annual Bow Season Camo Parade. Dorks in full camouflage and face paint strut around the stores in town for no purpose other than showing off. Some even douse themselves with buck scent. I like to go "hey, look, an elk! Over there by the beer!" Since they're heading for the beer anyway.
jimf

Sep 25, 2006
9:50 PM EDT
In the Catskill mountains where I grew up, it was SOP for all the farmers to paint 'COW' in red paint on the side of all the Jerseys during hunting season. Even then, they were likely to lose a few. My first exposure to gunfire ripping through the trees was when at 12 my Dad took me out hunting for quail. Apparently some don't realize that if you miss, the shot just keeps on going.
dcparris

Sep 25, 2006
10:16 PM EDT
We were required to take a gun/hunting safety course in the 8th grade - a new requirement at that time. I had to sit through lectures and videos - we even had a video test where we had to decide whether the situation was safe to shoot or not. Fortunately, Pa and our family doctor - not to mention about every relative in my family had stressed gun safety down through the years. You can never be too careful though.
jdixon

Sep 26, 2006
2:07 PM EDT
> I had to sit through lectures and videos - we even had a video test where we had to decide whether the situation was safe to shoot or not.

Hmm, I must have a few years on you. We didn't have the video test. Of course, Mt. Storm isn't exactly the high tech center of WV.

> You can never be too careful though.

Ain't it the truth.
dcparris

Sep 26, 2006
2:37 PM EDT
Mt. Storm? How far is that from Lost Creek? Well, ok, how about Clarksburg? Or Huntington, or Morgantown. I know where Mt. Hope is, down near Beckley.

As for high tech, I used to tell all my Marine buddies that Lost Creek was kind of like the Andy Griffith Show - you know, Pa was one of the first in the southern part of the county to own an 'automobile'. The funny part is, some of 'em believed me. ;-)
jimf

Sep 26, 2006
2:47 PM EDT
Lol Don,

My Dad used to tell me about riding a mule to school. My grandmother backed his story :)
jdixon

Sep 26, 2006
4:29 PM EDT
> Well, ok, how about Clarksburg?

Take Route 50 due east from Clarksburg until you hit the top of the highest peak, probably about 60-70 miles. It's roughly half way between Grafton and Romney.
dcparris

Sep 26, 2006
5:13 PM EDT
Jdixon: Oh! Yeah, went right by it on my way to Ohio from Pa's place. Musta blinked. ;-)

jimf: > My Dad used to tell me about riding a mule to school. My grandmother backed his story :)

I told my wife I fell under the horse on my way to school one icy winter morning. She actually called my Pa, rather dubious of my story. When she told him what I had said, he replied, "I thought that was his brother!" He then told me not to tell such stories anymore - he didn't want her to think they didn't make me wear my seatbelt. :-D She's a little gullible about "country" stuff.
