So you can't think of other problems that might arise? Do you think we should let the WoW connection API out into the public?
I of course do not want other people to just have a WoW connection without putting their time and work into it. A lot of people contributed to it, but I of course think that malicious things might come out of people having access to it. I can think of potential malicious things happening to War's CMS if he publicly releases it too.
I can't think of anything a well coded CMS would be vulnerable to if the source was provided.
No, I completely agree with obfuscating the WoW connection API. I'm not saying closed source is wrong in all cases, I am saying that open source makes more sense to me on a global scale.
I think you're absolutely right that they don't document all of their features, but the proportion is to be judged by what you call a "feature." Their API is only supposed to be used, it's 100%-documented, and that's the only thing that is guaranteed to be cross-platform compliant along Windows versions. Arguably you could say there are undocumented Windows API functions, but they're not really part of the API are they; they're simply calls that you can make. However, they're not guaranteed to be there in future versions, so it's not a good idea to rely on them.
Other things, like hyperlinks in rich text, are notoriously difficult to deal with. For instance, the Rich Edit control allows you to set the EM_LINK style to make a \v...\v0 field a hyperlink with the specified data, but it doesn't *tell* you that it's \v...\v0, nor the format of the rich text. Then they also have a Rich Edit 5.1 control MSFTEDIT_CLASS ("RICHED51W") that is entirely undocumented (in a separate DLL no less).
That still begs the question about whether you're supposed to use it. Almost all of the kernel exports haven't changed in NT 4.0 to XP, aside from adding some no doubt, and the APIs are primarily thunks to the kernel calls. However, the API is there to provide a consistent interface to the kernel, because the kernel implementations or exports may change.
This problem pops up when you try to use different Linux kernels (like I pointed out earlier about the one #define being different so symbols in 30 different files are off).
Yes, of course. I'm arguing that open source provides large amounts more insight than closed source; that is obvious.
I've been ranting on and on about how great open source is. I truly feel this way, but closed source definitely has its place. I'm making my argument against warrior. Handing him pieces of information that would help his argument wouldn't be a wise move in the case of my argument.
I think the problem with patching is that there are so many different codebases. Microsoft must make sure a patch is persistent in all of its codebases that it currently supports. What does that mean for us right now? Windows 98 SE, Windows "Me", Windows NT 4.0 SP6a Workstation, Windows NT 4.0 SP6a Server, Windows NT 4.0 SP6a Terminal Server, Windows NT 4.0 SP6a Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Terminal Server, Windows 2000 Datacenter Server, Windows XP Home, Windows XP Professional, Windows XP Media Center 2004, Windows XP Media Center 2005, (I'm getting cramps) Windows Server 2003 - Web Edition, Standard Edition, Enterprise Edition, Terminal Server Edition, Datacenter Edition, all of the above in IA64 and x64 flavors as well. That's just one product line. Let's talk then about checking for the same vulnerability in Internet Explorer, Windows Media Player, and Microsoft Office.
Haha, yeah. They do have a lot of work to do, but how many people do they have to do it? How many programmers does Microsoft employ? Seeing as it's a software company, I would wager a considerable amount.
Now you're just picking at straw.
He wanted me to do it! What's wrong with asking him to do the same thing?
So do other companies. You don't complain about Macromedia or Adobe.
I'm unaware of any significant security exploits that Macromedia and Adobe should be working on instead of furthering their projects. I'm fully impressed with Flash and Photoshop (to give two examples). I'm complaining about Microsoft for a reason.
I truly believe the only people who REALLY want to cause damage *are* the script kiddies. I think it's therefore irresponsible for security people to post these kinds of exploits publicly, ever. If you're not comfortable using an operating system, then don't use it. If people start migrating, I promise Microsoft will notice. At the end of the day that's infinitely more responsible than posting to Full-Disclosure.
I think FD is a great idea. As iago mentioned, Microsoft isn't the only entity capable of providing remedies for the problems at hand. If they're made publicly known, the chances of the hole getting patched increase enormously. People already have started migrating. It's happening slowly, but more and more, I see people buying Macs, giving other OS's a try and going anti-Microsoft.
Again, I'd like to explicitly state my opinion of Microsoft: I'm not anti-Microsoft. I have numerous complaints regarding several different things (as I've made apparent in this topic), but I do respect that their products are very good. They have their flaws, but I definitely don't think they suck because they have those flaws.
I don't see how I can write a project, work hard on it, RELEASE it for free and still be called selfish. I guess anyone who doesn't comply with your OSS way of thinking is automatically selfish.
It definitely is selfish in some aspects. In other ways, it's very generous. Unless you admit to some other reason you don't want to release the source, I don't see a reasonable point in putting yourself and your users through the trouble of encoding it.
I fix CMS bugs as I encounter them and usually within the hour or within the day. I think I even discussed how I would implement the error subsystem into the core to allow easy bug reporting.
What if the user wants to make a specific change that would only benefit their situation? Would you be willing to code that for them? Or would you just say "No, it's a waste of my time." I'm not saying that you should feel inclined to meet all of your customer's application; I recognize that you'd probably just want them to choose another product that allowed this sort of thing. However, I do wish to make you aware of such situations to be certain.
Back on the topic of Linux: Linux cannot run every Windows driver. Linux depends on Windows. I don't understand how you can't see that. Until you strike exclusive deals with OSes and get specifications under an NDA, I don't think you should be dissing an OS you take so much from.
In retrospect, Windows depends on Linux. Most of the internet runs on Linux. Without the internet, Windows would be huge amounts less useful. They're part of a global scene: technology. All of technology has a very high possibility of having dependencies or at least having some sort of encounter with another arbitrary piece of technology. I'm not saying Linux can run every Windows driver. In fact, I'm fairly certain that it can't run any Windows driver (literally, anyway). There are generally alternatives that work just as well, though. I'm not saying for every Windows driver, there is an equally well functioning Linux driver, but I am saying that Linux can be just as functional as Windows (driver-wise), given you have compatible devices (which are most devices on the market).