Few of OOXML's Flaws Have Been Addressed

I Don't Believe in Imaginary Property writes "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw that was addressed, making the upper bound a paltry 1.5%. Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text. At least there were no mistakes on five of the first twenty five random pages he reviewed."
  • Re:huh? (Score:5, Informative)

    by Shados ( 741919 ) on Wednesday March 19, 2008 @01:57PM (#22797858)
    Because people actually do work with Office Suites, and they are an integral part of the workflow and ecosystem of significant companies' IT.

    For example, a spreadsheet is often the favored client for an OLAP system, and complex spreadsheets will get reused a lot, so connection strings may be part of the overall "application" that the document has become.

    People like me and (probably) you tend to use documents as just that: documents. But in the big boy's world, they're far more important than that.
  • Re:huh? (Score:3, Informative)

    by jfclavette ( 961511 ) on Wednesday March 19, 2008 @01:58PM (#22797870)
    They're there for data bindings to databases, which can be used for anything from mass mailing clients to generate a list of items with pricing.

    I'd be interested in what is the alternative to storing them in plaintext in the document format. See, the database is going to be wanting that password, and it must be stored somewhere in the document in a stand-alone way or remembered by the user. If you encrypt it, you need to provide the keys in the same document or use a constant well-known key across all instances of the software. Hardly good security. The users might be willing to remember them, and I'm sure that's an option. In a lot of instances, credentials stored as plaintext with read-only permissions on specific tables is a fine solution, and you can do the security at the file access rights level. I would hardly call that a 'security hole'.
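Whichever side of that argument one takes, the defensive step is knowing which spreadsheets in a file share carry embedded credentials at all. The scanner below is an added example (not from the article, Rob Weir's study, or any Slashdot poster); it assumes SpreadsheetML keeps external connections in the `xl/connections.xml` part as `<connection>` elements with a `<dbPr connection="...">` child, and it works on a constructed in-memory package rather than a real document.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Keys that carry secrets in OLE DB / ODBC style connection strings.
SECRET_KEYS = re.compile(r"\b(password|pwd)\s*=\s*([^;]*)", re.IGNORECASE)


def scan_connection_string(conn):
    """Return (redacted copy, True if a non-empty secret was present)."""
    found = False

    def redact(m):
        nonlocal found
        if m.group(2).strip():
            found = True
        return f"{m.group(1)}=***"

    return SECRET_KEYS.sub(redact, conn), found


def scan_package(data):
    """Scan .xlsx bytes; return [(connection name, redacted string)]
    for each connection whose string embeds a password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Assumed part name for SpreadsheetML external connections.
        if "xl/connections.xml" not in z.namelist():
            return findings
        root = ET.fromstring(z.read("xl/connections.xml"))
        for conn in root.iter():
            if conn.tag.split("}")[-1] != "connection":
                continue
            for db in conn.iter():
                if db.tag.split("}")[-1] == "dbPr":
                    redacted, found = scan_connection_string(db.get("connection", ""))
                    if found:
                        findings.append((conn.get("name", "?"), redacted))
    return findings


def build_sample():
    """Constructed minimal package (not a real document): one connection
    with a plaintext password, one using integrated authentication."""
    xml = ('<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
           '<connection id="1" name="Sales"><dbPr connection="Provider=SQLOLEDB;'
           'Data Source=db1;User ID=report;Password=hunter2;" command="select 1"/></connection>'
           '<connection id="2" name="HR"><dbPr connection="Provider=SQLOLEDB;'
           'Data Source=db2;Integrated Security=SSPI;" command="select 1"/></connection>'
           '</connections>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/connections.xml", xml)
    return buf.getvalue()
```

Only the "Sales" connection is reported; the integrated-security one carries no secret, and the redacted output is safe to log.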
  • by pipatron ( 966506 ) <pipatron@gmail.com> on Wednesday March 19, 2008 @02:05PM (#22797952) Homepage

    It was Miguel de Icaza [wikipedia.org], and he is paid money indirectly from Microsoft since he works for Novell.

    One of the reasons I stopped using GNOME, I don't want anything to do with the Mono project.

  • Re:Small bias? (Score:3, Informative)

    by misleb ( 129952 ) on Wednesday March 19, 2008 @02:15PM (#22798066)
    Man, I'm really getting sick and tired of people abusing the "ad hominem" charge. Ad hom refers specifically to an attack on one's character which is used to discredit an argument. Simply questioning a person's motives and biases is not necessarily an ad hominem attack. It is important to make any potential biases clear. Though in this particular case, I'm not seeing it.

    Also, attacks on one's character may not be considered "ad hominem" unless it is being used to refute an argument. This is probably the most common misuse of the term. For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack. It might just mean I think the person is an asshole. It is a valid opinion. It just isn't relevant to any logical argument.

    -matthew

  • Re:huh? (Score:3, Informative)

    by RobBebop ( 947356 ) on Wednesday March 19, 2008 @02:32PM (#22798230) Homepage Journal

    But in the big boy's world, they're far more important than that.

    I acknowledge that hooking documents into databases to subvert them into workflow process template beasties is a common practice, but I think the simple question "Why are there database passwords in the document?" kind of highlights that this is a bad practice.

    If security is a concern, "Document Applications" are a mistake.

    This also violates the (good) Model/View/Controller [wikipedia.org] software architectural model by kludging the view and controller together in the same product. And - despite claims that it cuts development time in half and saves a business money - it is a disaster to maintain and costs significantly more to re-write when opportunities to upgrade to better Office Productivity Suites arise.

    Unless you WANT to periodically rewrite your company's homespun IT applications, you should probably avoid hitching your Office Documents to Databases.

  • by vtscott ( 1089271 ) on Wednesday March 19, 2008 @03:07PM (#22798612)
    No, this is a perfect example of an ad hominem attack... This particular type of ad hominem is an ad hominem circumstantial [wikipedia.org]:

    Ad hominem circumstantial involves pointing out that someone is in circumstances such that he is disposed to take a particular position. Essentially, ad hominem circumstantial constitutes an attack on the bias of a person. The reason that this is fallacious in syllogistic logic is that pointing out that one's opponent is disposed to make a certain argument does not make the argument, from a logical point of view, any less credible; this overlaps with the genetic fallacy (an argument that a claim is incorrect due to its source).

    One example given by wikipedia is:

    Tobacco company representatives should not be believed when they say smoking doesn't seriously affect your health, because they're just defending their own multi-million-dollar financial interests.

    Just replace the relevant references with words like IBM, OOXML, etc. and it's basically the same.

  • Re:Small bias? (Score:2, Informative)

    by LoyalOpposition ( 168041 ) on Wednesday March 19, 2008 @03:07PM (#22798614)
    Ad hom refers specifically to an attack on one's character which is used to discredit an argument. Simply questioning a person's motives and biases is not necessarily an ad hominem attack.

    You started to get it right, but then you fell by the wayside. The entire phrase is argumentum ad hominem which means "argument to the man." It includes any attempt to discredit an argument based on characteristics of the person advancing the argument. In the instant case, the argument goes something like--OOXML should be rejected if it's a bad standard. OOXML is a bad standard because it has many shortcomings that haven't been addressed. Therefore OOXML should be rejected. Mongoose Disciple chose not to dispute any of the premisses of the argument or the inference, but rather to claim that Rob Weir stands to gain if the conclusion is accepted. Thus Mongoose Disciple presented us with an excellent example of an argumentum ad hominem.

    Also, attacks on one's character may not be considered "ad hominem" unless it is being used to refute an argument. This is probably the most common misuse of the term. For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack.

    Completely correct. However, it's irrelevant to the instant argument.

    -Loyal

  • by seandiggity ( 992657 ) on Wednesday March 19, 2008 @04:00PM (#22799188) Homepage
    Even though none of the substantial problems have been addressed, NIST has approved OOXML [nist.gov].
  • by Trestop ( 571707 ) on Wednesday March 19, 2008 @06:54PM (#22801246) Homepage Journal
    As well as with the original article. First thing - you can't really say "few flaws have been fixed" when the original article (and the post blurb) specifically say that no fixed flaws were actually found in the testing sample.

    On the other hand, the statistics used by Rob Weir are shoddy according to my local statistics semi-expert (my girlfriend who finished 2nd year BA stats A. with a perfect 100 score). Specifically his sample is incredibly small: 25 random pages out of a random selection of 200 pages out of 5220 pages of the original standard document, out of 6045 pages actually in the original document (not the amended document), of which he doesn't know how many defects were actually reported against each page (we know how many were reported totally, but we don't know what is their percentage in the first sampling or subsequent sampling), and as Rob Weir found new defects that were not reported to Microsoft in time for the BRM, he has no idea what is the actual density of (pre-BRM) reported defects in the total "defect population" (defects discovered before BRM, after BRM and defects that are yet undiscovered).

    As such a confidence interval of 1.5% +-3% (i.e. at worst 4.5%, which is not what the post reports) seems highly suspect. To clarify for non-statistics students, a confidence interval of 1.5% +-3% in a result of 0 hits out of a random sample, means that Rob Weir is at worst 95.5% confident and at best 100% confident that there were no defects addressed by Microsoft.

    This is awfully presumptuous, even if it's Microsoft that we are talking about.
  • Re: ad hominem (Score:3, Informative)

    by holloway ( 46404 ) on Wednesday March 19, 2008 @11:56PM (#22803428) Homepage
    Hi ozbird, I'm not a Standards NZ representative. I am part of the NZ Open Source Society (NZOSS) and a techy on Docvert. I am part of the advisory group formed by Standards NZ for this process but like all others in the group I'm not paid and I'm basically an independent who gets invited to meetings every so often to debate OOXML, and stuff like that.
