Microsoft Port 25 interviews Miguel de Icaza

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

Worthless drivel

What the fuck kind of insane summary is that? Even for Slashdot, that steps over the line.

Re:Worthless drivel

More a slam on Port 25 than a summary of the interview

revelaed

miguel is the liebermann of open source

Link to interview doesn't work.

Just goto http://port25.technet.com/ [technet.com] and click the link on the front page.

-Rick

Re:Link to interview doesn't work.

The -- (two hyphens) is resolving to %E2%80%94

The link should be: http://port25.technet.com/archive/2006/08/11/Let_2 700_s-talk-Mono_3A00_--Sam-interviews-Miguel-de-Ic aza.aspx [technet.com]

but some ass hat probably pasted it into MS Word to spell check the summary, and word resolves -- to it's funky double wide hyphen character.

-Rick

Server Error in '/' Application.

Server Error in '/' Application.

They forgot to put a '.' after the '/' !

Microsoft employee-wannabe

Miguel makes no secret of his admiration for Microsoft and is really a MSFT-employee-wannabe. All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

Yawn...

Re:Microsoft employee-wannabe

My favorite thing to bash Linux bigots with:

OLE Automation.

(Or whatever they're calling it these days; I think it was absorbed into the ActiveX branding.)

Just about every Unix vendor had this dream of turning their entire desktop environment into a sea of programmable objects.[1] The one I got to laugh at was Sun, with DOE, although you formerly-MacOS-bigots got to see it replayed in AppleScript and OpenDoc.[2]

Well, Microsoft delivered. I can write a script (in my choice of languages) that opens up a Word document, finds any bold text at the start of paragraphs and then HTTP POSTs it to a URL. And if I feel really annoying, I'll increase the volume level on the sound device, and read it to you. In a page of code.

It's really amazing what you can script this way. OK, yes, there's a reason I'm typing this on a Linux box, and why I have cygwin installed on any Win32 box I care about. But through marketing muscle and a desire to create opportunities for small VARs, Microsoft let little software authors poke around inside big applications. And created some nice tools for those little authors to write code with.

Shame it breaks in such obscure ways.

[1]: ARexx doesn't count. That's just DDE.

[2]: Obligatory joke about whether "the" is optional at some point in hypercard syntax here. Apple has been getting better, though.

Re:Microsoft employee-wannabe

And he takes abuse from MS too:

http://linux.sys-con.com/read/124218.htm [sys-con.com]

Interesting bit of history there. It really disturbs me that Miguel is leading a column of FOSS enthusiasts into the maw of MS patent enforcement, especially when he could have used his talent on something unencumbered like Parrot.

Re:Microsoft employee-wannabe

The MSFT-employee-wannabe that you speak of is the father of the GNOME desktop. Without GNOME, QT might not have been open sourced in the first place. Without a man like Miguel to give GNOME a forward direction, we might still be using Motif. When your contributions to the open source movement become a tenth of what Miguel has done then your rant might have more merit.

If there is one Microsoft technology that deserves admiration is the .NET framework. If there is one man who has the objectivity to look beyond the zealotry to see technologies for their merits is Miguel. MONO is an excellent development environment for Linux. It bridges the gap between high performance but difficult to use languages like C++ and low performance high RAD languages like Python.

Ceasing support after a year is a valid excuse?

Maybe there is some validity in saying they (Port 25) are untrusted, but what excuse is it that Redhat ceased updates for v9 in 2004, a mere year after the product was released (March 31 2003). Seriously, is a single year of updates good enough? I think they actually have a valid point on that one at least, a year isnt long enough to even be considered stable server software in my book.

related links

I was reading the death of red hat support slashdot comments from a few years ago. I think it's interesting that so many people thought that would be the death of red hat. In fact, they are stronger than ever. Even with strong competition from large corporate entities that weren't in the linux game a few years ago, red hat remains the market leader.

Re: Article Text

From the article:

Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

I'd be curious to hear what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD, and what kind of metrics/data support this. Amount of exploits patched? Amount of money spent on security?

I mean, even if you think Windows is one giant yawning security hole, that really only says that they have the most room for improvement. I'd be surprised if they're not patching the most holes, affecting the largest number of users, and spending the most money on security -- even if the results are often sad.

Speaking of FUD...

Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

Which vendors are doing more to improve their security?

Given what they had to start with, I think it's very difficult to claim anybody's done what they've accomplished between 95 and XP SP2. You tell me one other vendor that's gone so far as using tools like authentication and WGA to combat the worst offenders of security -- the users themselves? Linux users, Mac users, even the *BSD user is free to boot their operating systems without the slightest arbitrary challenge to their right to do so and from there go on to face any number of potential security issues; but with Windows, you need only upgrade your CD drive emulator a handful of times or use Windows Update as directed to find yourself relieved of the concerns users of lesser operating systems face.

They had the most potential with regards to security and they've finally met it, and I say kudos.

Why would you trust Port 25?

At the very least, they should be using Port 465 [rickk.com] (SMTP over SSL/TLS). It's no wonder they feel insecure, using plain-test. Honestly!

Why Port 25

On of the POP or IMAP prottocols would have seemed much more friendly. Using the SMTP port seems like all they want is to tell us what to think and couldn't care less about us. Probably a Freudian slip. Seriously, someone at Microsoft must have at least had some clue as to what this meant. Then again, mabye not.

Anyone using Red Hat 9?

Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

Enlighten me

Can someone explain to me why strcpy is insecure? No sarcasm here, I really would like to know.

Please let us know when it's video.

Please let us know, in the summary, when an interview is a video file. Some of us don't have time at work to watch videos (today, actually, I've been busy watching specific videos for work, and trying to clean them up so they don't look like crap, at which I have failed) and would like to know before we have to click down into them - especially when you can't just click the link, and have to visit the site, because the primary article link is malformed.

This is one of the crappiest story submissions I've seen in a long time.

not FUD

"claiming Microsoft is doing more to improve security than any other vendor"

That is not FUD, they started so far behind everybody else that they have to do more than anybody else just to keep Windows running

Doing more for security?

I'm working with Microsoft right now, and I don't think I've ever met a firm that takes security so seriously as they do when it comes to "normal" software, especially in the field I work in. So that claim might not be as much FUD as some would like it to be.

strcpy ok sometimes

I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else. For example the below is perfectly legit:

    char buf[6];
    strcpy(buf, "hello");

In fact, to truly protect yourself from invalid input you frequently need to write a state machine style input parser. It's the parser that ensures all strings are properly terminated which would mean all downstream copies could be performed safely with strcpy.

It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.

strcpy?

Can you think of a sillier thing to criticize MSFT about? Really?

I looked at (some) of the code. They do a malloc(strlen(foo)+1), and, if it succeeds, they do a strcpy() of foo. THERE IS NO VOODOO MAGIC IN STRNCPY TO MAKE IT SAFER IN THIS SITUATION.

Really. There isn't.

MS Linux Labs?

Isn't that like "Jews for Jesus," "Rock Against Drugs," or "McDonald's New Healthy Menu?"

FUD?

Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and...

I'm sorry, how does this qualify as "fear", "uncertainty" or "doubt?" Maybe FUD means something else to you? That sounds more like CCS, "calming", "certainty", and "surety" than FUD. I'm not saying their statements are true, simply that it's not FUD.

Interesting - used MP3 encoding

found it interesting Microsoft is using MP3 encoding for this and not Windows Media... hmm...

RH9 (non) support no big deal.

There are a few reasons why Redhat not continuing support for RH9 isn't a big deal...

1. Linux is open source. That means that, if there's a problem that's a show stopper for somebody, a company can (or a group of them can get together to) take the (available) source code, and put in the fix themselves... If there's actually a large body of companies that are using RH9 for important applications, then all sorts of company can (and will) pop up to provide that support (as happend when 7.3 lost support -- One friend of mine that still has a machine or two running 7.3 still has a choice of companies to get support from.)

   I would note that, while people who were using 7.3, way back when they still have access to third party support, while people who paid good money for windows ME and 2000 are gonna be completely SOL if they need something done, and Microsoft refuses to do it.

   There's been a coupl of times when I dug out the sources to a Red Hat RPM, added functionality that dealt with a problem that a customer was having, and offered the changes back to Red Hat. Anybody can do that.... Unlike Israel who almost had to go to war to get Microsoft to (ahem) 'graciously offer' to fix the Hebrew support in Microsoft's OSX version of Office.

Full interview

helo
501 Syntactically invalid HELO argument(s)
hello
500 unrecognized command
hey gnome boy
500 unrecognized command
sod off
500-unrecognized command
500 Too many syntax or protocol errors
Connection closed by foreign host.

Text version

Does someone have a link to a transcription?

interview != commenting and rambling

doing an interview is about asking questions and letting the person you interview talk.
I get annoyed a lot by stuff like this where the interviewer comments all the time or
talks about his own agenda rather than giving the spotlight to the person interviewed.

Re:Ahh .NET in action

...Microsoft Windows NT version 5.5; Microsoft Toaster version 4.5; BSD network stack version 0.5b; gnuutils version 2.1; Microsoft Bob sp3 version 2.356287; Screensaver directory C:/Windahz/; ADMINISTRATOR password: rock0u7; BZFlag version 2.1; VirtualDancer version 2.4b; stupid troll jpardey version 1.2; PHP.NET version 1.2.867.5309...