Microsoft Port 25 interviews Miguel de Icaza

Posted by CmdrTaco
from the something-to-read dept.
Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."
  • Worthless drivel (Score:5, Insightful)

    by Anonymous Coward on Friday August 11, 2006 @05:18PM (#15891657)
    What the fuck kind of insane summary is that? Even for Slashdot, that steps over the line.
  • revealed (Score:5, Funny)

    by Anonymous Coward on Friday August 11, 2006 @05:18PM (#15891659)
    miguel is the liebermann of open source
  • by RingDev (879105) on Friday August 11, 2006 @05:19PM (#15891663) Homepage Journal
    Just go to http://port25.technet.com/ [technet.com] and click the link on the front page.

    -Rick
  • by Anonymous Coward on Friday August 11, 2006 @05:20PM (#15891679)
    Server Error in '/' Application.
    They forgot to put a '.' after the '/' !
  • by dskoll (99328)
    Miguel makes no secret of his admiration for Microsoft and is really a MSFT-employee-wannabe. All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

    Yawn...
    • by Burz (138833) on Friday August 11, 2006 @06:16PM (#15891985) Journal
      And he takes abuse from MS too:

      http://linux.sys-con.com/read/124218.htm [sys-con.com]

      Interesting bit of history there. It really disturbs me that Miguel is leading a column of FOSS enthusiasts into the maw of MS patent enforcement, especially when he could have used his talent on something unencumbered like Parrot.

      • Considering his track record, that's actually an improvement. C#/.NET is at least somewhat standardized and thought out. GNOME is a complete mess. Had that effort gone into GNUStep (which is standardized and thought out), OS X users would be envious of Linux.
    • That isn't normally a problem - but writing things off on the platform you are developing on is, as is not really understanding why the platform does the things it does. Let me first say there is a lot about gnome I like before I get into heavy criticism below.

      I think a large part of at least early gnome was to try to do an MS Windows on linux - complete with the registry (extremely stupid idea) but far worse since you get one per user, and you have a mix of config files and this registry thing. If a use

    • by adolfojp (730818) on Friday August 11, 2006 @08:40PM (#15892516)
      The MSFT-employee-wannabe that you speak of is the father of the GNOME desktop. Without GNOME, QT might not have been open sourced in the first place. Without a man like Miguel to give GNOME a forward direction, we might still be using Motif. When your contributions to the open source movement become a tenth of what Miguel has done then your rant might have more merit.

      If there is one Microsoft technology that deserves admiration, it is the .NET framework. If there is one man who has the objectivity to look beyond the zealotry to see technologies for their merits, it is Miguel. MONO is an excellent development environment for Linux. It bridges the gap between high performance but difficult to use languages like C++ and low performance high RAD languages like Python.
      • Why does .net deserve admiration? It's just another VM. There are lots of them out there. It's not even that great of a VM.

        Sure the fanbois love it because it's better then the crap they are used to but it's nothing remarkable. Just a ripoff of java with a couple of additions. Yawn. Who cares.
        • Would you care to enlighten me as of why is .NET a "not even that great of a VM"?

          C# is Java with the power of hindsight. Java is Smalltalk with the syntax of C. Guido Van Rossum has stated that Python owes a lot to ABC. Every computer language has borrowed features from others. It is the way that computer language development works. If you can make a better product by taking features from another and adding and improving then you should do it.
          • "Would you care to enlighten me as of why is .NET a "not even that great of a VM"?"

            Because it doesn't support multiple inheritance like the python VM does.

            "If you can make a better product by taking features from another and adding and improving then you should do it."

            Yes but that doesn't make it admirable does it.
    • He's probably done more for open source before noon then you've done in your whole life. Prove me wrong and I'll take it back.

  • Maybe there is some validity in saying they (Port 25) are untrusted, but what excuse is it that Redhat ceased updates for v9 in 2004, a mere year after the product was released (March 31 2003). Seriously, is a single year of updates good enough? I think they actually have a valid point on that one at least, a year isn't long enough to even be considered stable server software in my book.
    • Consumers were expected to move to Fedora, which replaced the free version of Redhat. RHEL continued its five-year support arrangement, so for enterprise customers, there was no change.

      What's the big deal? If yours is a small business, you can get basic support for $350. Larger, $2500 gets you a full contract. That's hardly taxing to a company that also has the option of running an unsupported RHEL, or an alternative of choosing another support company.
      • But what if you paid for Redhat 9, standardized upon it, put a huge developer investment into it, and a year later they tell you it's gone and they want more money (since RHEL was basically 9 with minor changes), or to go to something else that will require another huge developer investment. That is unacceptable, and Microsoft has every reason to bash them over the head for it. Bad business practice, if anything Redhat should have said 9 was the last release and we will support our paid customers who made
        • "That is unacceptable, and Microsoft has every reason to bash them over the head for it"

          Microsoft? Bashing Red Hat over licensing? Wow. That's rich. I wonder where they find salesdroids with absolutely no ability whatsoever to think critically, so they can spout this stuff with a straight face.

        • But what if you paid for Redhat 9, standardized upon it, put a huge developer investment into it, and a year later they tell you it's gone and they want more money

          If someone did that I guess they made a really dumb decision putting all that money into a product that never had any support guarantees in it. You should have ponied up the few extra bucks and standardized on RHEL 2.1, or even the previous "Redhat Advanced Server".

          (since RHEL was basically 9 with minor changes)

          Actually RHEL 2.1 was based on Redh
      • Consumers were expected to move to Fedora, which replaced the free version of Redhat.

        I think you got that wrong. It should read "Consumers were expected to become unpaid beta testers of RHEL on all of their desktop systems."

        It's not like they're the minions of satan or anything, but Redhat pulled a classic bait-and-switch on the Linux community and I for one am astounded at how many people are willing to make apologies for them.

        • Well, given that RH9 never really had a strong support regime (commercial customers who wanted long-term support were pointed at RHEL), I don't think that this would have been a big shock... This is more like getting people who downloaded the Vista Betas being pissed off that they're expected to actually install and ooooh! pay for the commercial version when it comes out in 200[678].
  • I was reading the death of red hat support slashdot comments from a few years ago. I think it's interesting that so many people thought that would be the death of red hat. In fact, they are stronger than ever. Even with strong competition from large corporate entities that weren't in the linux game a few years ago, red hat remains the market leader.
  • Re: Article Text (Score:3, Insightful)

    by Mongoose Disciple (722373) on Friday August 11, 2006 @05:27PM (#15891729)
    From the article:

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

    I'd be curious to hear what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD, and what kind of metrics/data support this. Amount of exploits patched? Amount of money spent on security?

    I mean, even if you think Windows is one giant yawning security hole, that really only says that they have the most room for improvement. I'd be surprised if they're not patching the most holes, affecting the largest number of users, and spending the most money on security -- even if the results are often sad.

    • Exactly. You don't usually hand the MVP and the Most Improved trophies to the same person...
    • what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD

      Just about every linux/bsd distro and probably apple too on the desktop.

      and what kind of metrics/data support this. Amount of exploits patched?
      The problem with this mindset is you think it's okay that the code that is increasingly responsible for running more things that make a country productive is never seen and can't be reviewed except for poking at it in a willy-nilly blackbox
      • If you're going to convince people you're all about security, you don't do "port23". You do "port22".

        If anyone's confused, take a look at /etc/services on your local *nix. Failing that, take a look at the IANA assigned port numbers reference [iana.org].

      • The problem with this mindset is you think it's okay that the code that is increasingly responsible for running more things that make a country productive is never seen and can't be reviewed except for poking at it in a willy-nilly blackbox style. As a matter of principal I don't think it's okay. At all.

        The problem with your mindset is that it's only correct if security is always the most important thing. It's not. The world doesn't work that way.

        Microsoft always plays a losing game of catch-up to
      • I wouldn't agree that Linux is insanely robust - today I'm upgrading my kernel because of security flaws in the one I'm currently running. Again. Then, almost every time I type "yum upgrade" I get updated packages with security fixes in them. So linux is insanely secure? no way, just stop with the bigoted posts ok.

        Back to the article comment - they said MS was doing the most to improve security. Well, fair enough - they have made great inroads on fixing loads of stuff, it is not a big priority at MS, so yes
  • by Future Man 3000 (706329) on Friday August 11, 2006 @05:33PM (#15891766) Homepage

    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

    Which vendors are doing more to improve their security?

    Given what they had to start with, I think it's very difficult to claim anybody's done what they've accomplished between 95 and XP SP2. You tell me one other vendor that's gone so far as using tools like authentication and WGA to combat the worst offenders of security -- the users themselves? Linux users, Mac users, even the *BSD user is free to boot their operating systems without the slightest arbitrary challenge to their right to do so and from there go on to face any number of potential security issues; but with Windows, you need only upgrade your CD drive emulator a handful of times or use Windows Update as directed to find yourself relieved of the concerns users of lesser operating systems face.

    They had the most potential with regards to security and they've finally met it, and I say kudos.

  • by jd (1658) <.moc.oohay. .ta. .kapimi.> on Friday August 11, 2006 @05:35PM (#15891777) Homepage Journal
    At the very least, they should be using Port 465 [rickk.com] (SMTP over SSL/TLS). It's no wonder they feel insecure, using plain-text. Honestly!
  • by also-rr (980579) on Friday August 11, 2006 @05:41PM (#15891811) Homepage
    Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.
    • Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

      One of two things comes to mind:

      1) Yes. There's a 30% discount for anyone who doesn't install Windows on any machine.

      2) Yes. RMS will personally throw money at you if you use GPL 3.0.
  • Enlighten me (Score:4, Interesting)

    by BlueScreenOfTOM (939766) on Friday August 11, 2006 @06:00PM (#15891905)
    Can someone explain to me why strcpy is insecure? No sarcasm here, I really would like to know.
    • Re:Enlighten me (Score:3, Informative)

      by dyamkovoy (993805)
      strcpy copies one string into a location without caring about how much space there actually is. Meaning a hacker (or careless programmer) can write too much into that location and overwrite important data (such as the stack). See Buffer Overflow [wikipedia.org].
    • Re:Enlighten me (Score:2, Informative)

      by tankbob (633230)
      strcpy works by reading the source string and copying to the destination until it encounters a null character.

      If the source string is longer than the allocated destination buffer then data can overflow into your program code. This could be exploited to execute arbitrary code.

      strncpy should be used instead as it allows you to specify the maximum number of chars to copy.
    • No bounds checking. Instead, always use strncpy.
    • The C Standard Library function strcpy copies strings, which simply are arrays of characters terminated with a binary zero (NULL, NUL, \0). Strcpy doesn't check if there's enough space in the destination buffer, so depending where and how big your destination buffer is, strcpy will happily overwrite precious data. This flaw can be used for several severe attacks against OS security. An alternative to strcpy is strncpy, which relies on the programmer to provide the size of the destination buffer so that it k
  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Friday August 11, 2006 @06:05PM (#15891933) Homepage Journal

    Please let us know, in the summary, when an interview is a video file. Some of us don't have time at work to watch videos (today, actually, I've been busy watching specific videos for work, and trying to clean them up so they don't look like crap, at which I have failed) and would like to know before we have to click down into them - especially when you can't just click the link, and have to visit the site, because the primary article link is malformed.

    This is one of the crappiest story submissions I've seen in a long time.

  • not FUD (Score:4, Funny)

    by McGiraf (196030) on Friday August 11, 2006 @06:08PM (#15891945) Homepage
    "claiming Microsoft is doing more to improve security than any other vendor"

    That is not FUD, they started so far behind everybody else that they have to do more than anybody else just to keep Windows running
    • It's not what you say, it's the way you say it. The statement may be true but it's misleading. It's like saying that 25% of companies would not consider using Linux. Sounds bad for Linux, right? But really it means 75% of companies would consider using Linux. So even though their statement is true, it's still a deliberate attempt at FUD.
  • by Caine (784) * on Friday August 11, 2006 @06:13PM (#15891969)
    I'm working with Microsoft right now, and I don't think I've ever met a firm that takes security so seriously as they do when it comes to "normal" software, especially in the field I work in. So that claim might not be as much FUD as some would like it to be.
  • strcpy ok sometimes (Score:5, Informative)

    by KidSock (150684) on Friday August 11, 2006 @06:15PM (#15891979)
    I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else. For example the below is perfectly legit:

        #include <string.h>    /* strcpy() */
        char buf[6];           /* five characters plus the terminating NUL */
        strcpy(buf, "hello");  /* the source is a literal whose length is known to fit */

    In fact, to truly protect yourself from invalid input you frequently need to write a state machine style input parser. It's the parser that ensures all strings are properly terminated which would mean all downstream copies could be performed safely with strcpy.

    It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.
    • It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.

      <rant>
      Programmers are human and they screw up. It is easier to simply outlaw 'strcpy' in favor of 'strncpy' or 'strlcpy' than it is to re-educate the programmers. If you place the code that guarantees the string length does not exceed your predefined maximum buffer size and the code where you do the actual 'strcpy' in different places the chance of a screw up are greater than if you do what th

    • I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else.

      Because variables never get overwritten with garbage, either intentionally or not. Also, only one programmer ever works on a piece of code, and would never change the length of either the buffer or the input, let alone the content. /sarcasm

      In your trivial example, it's easy enough to see it's harmless, true. It's still bad practice. What is the compelling reason to use an unsafe function? To sa

      • In your trivial example, it's easy enough to see it's harmless, true. It's still bad practice. What is the compelling reason to use an unsafe function? To save a few characters?

        Yes, it is important to know why strcpy should not be used. And then you should never use it, even when it's "safe", because it's a bad habit. Humans are much more habitual than logical, even programmers. Especially programmers at 2am after they've been on a caffeine-induced all-night coding session.

        I disagree with this- that somehow

    • Just wait until "hello" is translated.
    • Microsoft's PREfast stuff lets you mark up code to say how the parameters to functions work. If you accidentally put a "5" instead of "6" as your array size, the compiler would notice a violation of the rules and issue a warning. It won't pick up everything (see "halting problem") but at least it'll find the obvious things.

      There are performance reasons to use strcpy.

      I personally feel that strcpy on a buffer allocated by the same function is okay, but doing this across functions is bad because someone else
  • strcpy? (Score:5, Interesting)

    by ENOENT (25325) on Friday August 11, 2006 @06:28PM (#15892061) Homepage Journal
    Can you think of a sillier thing to criticize MSFT about? Really?

    I looked at (some) of the code. They do a malloc(strlen(foo)+1), and, if it succeeds, they do a strcpy() of foo. THERE IS NO VOODOO MAGIC IN STRNCPY TO MAKE IT SAFER IN THIS SITUATION.

    Really. There isn't.
    • And don't forget this [msdn.com]!

      (meant to be mildly humorous in a nerdy sort of way)
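The three copy patterns argued about in the "Enlighten me", "strcpy ok sometimes" and "strcpy?" threads above, as an added example (not code from the thread or from the Port 25 daemon): KidSock's fits-by-inspection literal, ENOENT's malloc(strlen+1) followed by strcpy, the strncpy termination caveat, and a bounded copy that reports truncation in place of the non-standard strlcpy. The function names and the "bonjour" input are my own.

```c
/* Added example, not code from the thread or from Microsoft's daemon.
 * It contrasts the copy patterns argued about above: strcpy into a
 * buffer sized by construction, strncpy's missing terminator, and a
 * bounded copy that always terminates. All inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ENOENT's pattern: destination sized from the source, so the strcpy
 * that follows cannot overrun it. Caller frees the result. */
static char *dup_exact(const char *src)
{
    char *p = malloc(strlen(src) + 1);   /* +1 for the terminating NUL */
    if (p != NULL)
        strcpy(p, src);                  /* bounded by construction */
    return p;
}

/* The strncpy caveat: when src has dstsize or more characters, strncpy
 * fills dst completely and writes no terminator. Returns 1 if dst is
 * NUL-terminated within dstsize bytes afterwards, 0 if it is not. */
static int strncpy_terminated(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Bounded copy that always terminates and reports truncation, the
 * behaviour of the strlcpy mentioned above (hand-rolled here because
 * strlcpy is not in the C standard library). Returns 1 if the whole
 * source fit, 0 if it was truncated. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return 0;
    if (n >= dstsize) {                  /* no room for src plus NUL */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);             /* includes the terminator */
    return 1;
}

int main(void)
{
    char buf[6];                         /* KidSock's "hello" buffer */
    char *copy = dup_exact("bonjour");   /* any length, still safe */

    strcpy(buf, "hello");                /* literal known to fit: fine */
    printf("%s\n", buf);

    /* "Just wait until hello is translated": 7 characters into 6 bytes.
     * strcpy(buf, "bonjour") would overflow; the bounded copy truncates
     * instead and tells the caller that it did. */
    if (!copy_bounded(buf, sizeof buf, "bonjour"))
        printf("truncated to \"%s\"\n", buf);

    if (!strncpy_terminated(buf, sizeof buf, "bonjour"))
        puts("strncpy left buf with no terminator");

    if (copy != NULL) {
        printf("%s\n", copy);
        free(copy);
    }
    return 0;
}
```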
  • FUD? (Score:3, Insightful)

    by Pedrito (94783) on Friday August 11, 2006 @07:34PM (#15892312) Homepage
    Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and...

    I'm sorry, how does this qualify as "fear", "uncertainty" or "doubt?" Maybe FUD means something else to you? That sounds more like CCS, "calming", "certainty", and "surety" than FUD. I'm not saying their statements are true, simply that it's not FUD.
    • Re:FUD? (Score:3, Insightful)

      by WilliamSChips (793741)
      It's implicit FUD. Saying that Windows is doing the most about security is saying that everyone else is doing less and therefore is less secure. This isn't even Alanis FUD and you're complaining!
  • found it interesting Microsoft is using MP3 encoding for this and not Windows Media... hmm...
    • Because there is no windows media player for Linux. Mplayer doesn't count. It is third party.

      Windows Media Player for OS X is half dead too. What they did is acquire a global license of a great small company's product, telestream flip4mac, and they distribute it as "windows media components for quicktime". While it works better than Wmedia for OS X (surprise!) it can't be counted as a true dedicated player.

      I wrote these details to show another minor proof that MS didn't change. If they have changed, let them rele
  • There are a few reasons why Redhat not continuing support for RH9 isn't a big deal...
    1. Linux is open source. That means that, if there's a problem that's a show stopper for somebody, a company can (or a group of them can get together to) take the (available) source code, and put in the fix themselves... If there's actually a large body of companies that are using RH9 for important applications, then all sorts of company can (and will) pop up to provide that support (as happened when 7.3 lost support -- One f
    • Holy crap. Do you actually expect somebody to buy that? Well, if anybody is going to, it will be the "power users" like you and me, who have very little on the line, in terms of money. I don't know what planet you think you're on, but here, when the executives at a company find out that they're gonna have to write their own fixes for critical bugs in a piece of software they already paid for (or, alternately, have to rely on fixes written by someone they don't even know, or simply pay again for the same sof
  • helo
    501 Syntactically invalid HELO argument(s)
    hello
    500 unrecognized command
    hey gnome boy
    500 unrecognized command
    sod off
    500-unrecognized command
    500 Too many syntax or protocol errors
    Connection closed by foreign host.
  • Does someone have a link to a transcription?
