
Few of OOXML's Flaws Have Been Addressed

I Don't Believe in Imaginary Property writes "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw that was addressed, making the upper bound a paltry 1.5%. Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text. At least there were no mistakes on five of the first twenty five random pages he reviewed."
  • Corruption. (Score:5, Insightful)

    by twitter ( 104583 ) * on Wednesday March 19, 2008 @01:42PM (#22797654) Homepage Journal
    Why fix flaws when you can buy voters?
  • Re:Office 2007 (Score:5, Insightful)

    by corsec67 ( 627446 ) on Wednesday March 19, 2008 @01:52PM (#22797800) Homepage Journal
    Or are they doing all this for show, and there is no real substance in OOXML?

    The reason MS is bothering with ISO is because a few places have started to require that documents be stored in an ISO defined format.

    The problem is that having a true ISO defined format means that you open yourself up to competition, so MS wants to get their format defined as ISO certified without allowing any competition.
  • Re:Office 2007 (Score:5, Insightful)

    by Basilius ( 184226 ) on Wednesday March 19, 2008 @01:56PM (#22797848)
    There are no existing implementations of the proposed OOXML standard, so whether Office 2007 has the same defects or not is sort of irrelevant. MSFT has stated that they will not be implementing the standard as proposed, but will be going a different direction. And, given the nature of parts of the standard, nobody BUT Microsoft can fully implement it.

    The mere fact that there ARE no implementations of OOXML, however, should be a giant, fluorescent, waving red flag. No standards body should adopt a standard that cannot and will not be implemented by the proposers.

  • Re:Small bias? (Score:2, Insightful)

    by Anonymous Coward on Wednesday March 19, 2008 @01:59PM (#22797884)
    A 100% ad hominem attack on Slashdot gets modded up unquestioned. Who would have thought?
  • Re:Office 2007 (Score:4, Insightful)

    by belmolis ( 702863 ) <billposer.alum@mit@edu> on Wednesday March 19, 2008 @02:03PM (#22797932) Homepage

    Indeed. And the lack of existing implementations makes OOXML all the more inappropriate for the fast track process, which is intended for existing de facto standards, meaning (a) widely implemented and (b) with broad consensus in the relevant field.

  • Re:Small bias? (Score:5, Insightful)

    by cyxs ( 242710 ) on Wednesday March 19, 2008 @02:05PM (#22797954)
    Everyone has a bias but if he gives you the information that he used to form his opinion about something then you can read what he says and what he did and form your own opinions. He is giving detailed examples of what he found. He isn't just saying "Everything is fine" or "They have WMD", he is giving how he comes to his opinion and showing you the facts.

    Yes his company may be biased in not wanting the format approved, but does that make what he says less true? The facts speak the truth.
  • by pembo13 ( 770295 ) on Wednesday March 19, 2008 @02:05PM (#22797960) Homepage
    As I understand it, Microsoft isn't going to follow this standard. If Microsoft isn't going to follow this standard, then it is useless for OpenOffice, NeoOffice, KOffice, etc. to follow this standard. Or is this going to be for Office 2k10 or something?
  • Re:Office 2007 (Score:3, Insightful)

    by UnknowingFool ( 672806 ) on Wednesday March 19, 2008 @02:05PM (#22797962)
    As far as I know even Office 2007 can't do OOXML well.
  • by Rakishi ( 759894 ) on Wednesday March 19, 2008 @02:11PM (#22798018)

    Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text.
    And how will the format magically produce the plain text password again when the database asks for it... oh wait it can't unless it's easily recoverable in plain text form. It's also not like the "encryption" mechanism would be documented and it's not like someone would have to read that very documentation to know even where the password is stored... oh wait.

    Anyone who claims that it's more secure to obscure the password in a well known and trivially reversible way instead of simply storing it in plain text is not someone I trust to analyze security.
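
The plain-text connection-string password mentioned in the summary and debated in the comment above is something an administrator can check for in their own files. The following is an added example, not code from the thread or from Rob Weir's study; the part name `xl/connections.xml`, the `dbPr` element and its `connection` attribute are assumptions about the SpreadsheetML layout that the thread does not spell out, and the sample package is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed layout (not named in the thread): SpreadsheetML keeps external data
# connections in xl/connections.xml as <connection><dbPr connection="..."/>.
CONNECTIONS_PART = "xl/connections.xml"
SECRET_KEYS = {"password", "pwd"}
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def parse_connection_string(text):
    """Split 'Key=Value;Key=Value' into a dict, skipping empty segments."""
    pairs = {}
    for segment in text.split(";"):
        key, sep, value = segment.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def find_plaintext_passwords(package_bytes):
    """Return (connection name, key) pairs; the secret itself is never echoed."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        if CONNECTIONS_PART not in pkg.namelist():
            return []
        root = ET.fromstring(pkg.read(CONNECTIONS_PART))
    findings = []
    for conn in root.iter(f"{{{NS}}}connection"):
        for child in conn:
            pairs = parse_connection_string(child.get("connection", ""))
            findings += [(conn.get("name", "?"), key) for key, value in pairs.items()
                         if key.lower() in SECRET_KEYS and value]
    return findings


def build_sample_package():
    """Constructed sample: a zip holding only a connections part."""
    base = "Provider=SQLOLEDB;Data Source=db.example;"
    xml = (f'<connections xmlns="{NS}">'
           f'<connection id="1" name="Sales">'
           f'<dbPr connection="{base}User ID=report;Password=EXAMPLE-ONLY"/></connection>'
           f'<connection id="2" name="Inventory">'
           f'<dbPr connection="{base}Integrated Security=SSPI"/></connection>'
           f'</connections>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(CONNECTIONS_PART, xml)
    return buf.getvalue()
```
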
  • Re:Small bias? (Score:4, Insightful)

    by oGMo ( 379 ) on Wednesday March 19, 2008 @02:19PM (#22798100)

    He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

    So you won't verify anything, or even check, but rather you feel that the exact same thing from someone else would be more true. Essentially, despite the facts, you don't feel the truthiness is sufficient.

    By your logic, you may well be right, but you may also just be a shill for Microsoft. I'd be more inclined to believe someone else who didn't have a corporate interest in picking data points to disparage the argument you'd like to make. Or maybe if you had an argument to make not based on a well-known informal fallacy.

  • Re:Office 2007 (Score:5, Insightful)

    by peragrin ( 659227 ) on Wednesday March 19, 2008 @02:26PM (#22798172)
    If MSFT fixed the flaws with OOXML then there wouldn't be a problem.

    It's not that OOXML is bad, it is that OOXML is broken and MSFT is trying to ram it through anyways. There is nothing there that can't be fixed. MSFT however doesn't want it fixed because OOXML 2010 is just around the corner and it won't be the same as OOXML 2007. Also OOXML 2010 becomes a de facto standard even though it isn't ISO certified since it is marketed as OOXML.

    This is how MSFT works. If you don't know this then go back and look at the past 30 years of how MSFT treats its customers, vendors, and slaves.
  • by colmore ( 56499 ) on Wednesday March 19, 2008 @02:28PM (#22798196) Journal
    Did we learn nothing from the 80s and early 90s? If you write the standard first, you're going to get the kitchen sink. Engineer a good system, then standardize it. Nothing sands the sharp edges like the real world.
  • by Anonymous Coward on Wednesday March 19, 2008 @02:36PM (#22798276)
    During the BRM it has been shown that MSOOXML is not up to the quality for an international standard.

    The only reason that this thing is considered in ISO is because Microsoft is being so bullish, trying to defend the monopoly.
  • by surfingmarmot ( 858550 ) on Wednesday March 19, 2008 @02:42PM (#22798342)
    Yet a lot of people treat them that way like this Slashdot commenter: "He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw." Just why is that rated a 5? It is NOT about belief, but more about science--either the facts and peer review support Mr. Weir or they don't. Apparently they do and in spades. The majority of "yes" votes on this "standard" are by Microsoft partners who have a vested interest in a single vendor, single application (the only full implementation read and write) solution they sell products and services for and can lock in business. Sure IBM is a commercial organization with a checkered past, but they don't own completely open ODF so they aren't doing this for gain. They just want a level playing field for formats. And it is a great idea.
  • Re:Office 2007 (Score:1, Insightful)

    by Anonymous Coward on Wednesday March 19, 2008 @02:59PM (#22798524)
    Even if they fixed the flaws in the standard, they would not fix them in Office. They would still claim to support an open standard. Competitors would still have to support the actual format, rather than the one defined in the standard.
  • by MLCT ( 1148749 ) on Wednesday March 19, 2008 @03:04PM (#22798590)
    MS doesn't care about anyone following it (since even they themselves aren't going to). All they are doing it for is so they can claim that MS Office uses an open ISO standard, OOXML (even though it won't use the ISO passed standard) so that governments, businesses and buyers are not scared away from their products.

    As with everything MS does it is all about control and money. They have observed the fights that took/are taking place at various governmental and state levels over the mandatory use of an open standard - and they see that it is a threat to their monopoly, hence they have strategised to nullify the problem without giving up any of their control. The whole thing is a rate 10 sham. And if anyone ever wants to know why a lot of people don't trust MS then this is a perfect example of it - the process and the mockery they are making of it is frankly satirical.
  • Re:Small bias? (Score:3, Insightful)

    by rhizome ( 115711 ) on Wednesday March 19, 2008 @03:06PM (#22798600) Homepage Journal
    He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

    Nobody is asking you to "believe" anything. Bias does not change facts, and it is a fallacy to suggest that he should be a perfectly impartial critic if he is to be taken seriously. If he makes observations of deficiencies in the format they are just as valid as if they were made by Bill Gates himself.
  • Double plus bias (Score:1, Insightful)

    by dedazo ( 737510 ) on Wednesday March 19, 2008 @03:13PM (#22798678) Journal
    Whenever this comes up here I always get a big chuckle because IBM is just doing what it does best (much like Microsoft), except that they've amusingly managed to do it completely out in the open. So while Rob Weir might be nothing more than a shill, he actually admits he's a shill by virtue of being a full-time salaried employee of IBM, a company that just happens to be offering a range of products (including an office suite) that compete with Microsoft Office. Everyone else just puts their fingers in their ears and goes la-la-la-la-la.

    Remember Peter Torr? He wrote a blog post [msdn.com] not long after Firefox hit 1.0 where he questioned why the Firefox installer was not digitally signed. What he said was completely true - so true in fact that not long after that Mozilla started signing the installer. That didn't prevent a few thousand raving lunatics from descending on his blog and calling him a shill and an idiot. To paraphrase you, yes his company may be biased in not wanting the [browser to succeed], but does that make what he says less true? The facts speak the truth.

    So essentially we have situations where the source of income and ulterior motives of one person should not be questioned because the topic is unpopular and everybody knows he must be right. On the other hand we have people whose motives *must* be automatically questioned solely because of their source of income and ulterior motives.

    The truth is that Weir should have recused himself from all this a long time ago. That he hasn't done that tells you a lot about him and his employers.

    You might argue that Microsoft had all this coming. You might argue that OOXML is not a good standard. You might argue a lot of things, but none of them make IBM's conduct in all this (including the whole ISO thing) any less dishonest.

  • Re:Small bias? (Score:1, Insightful)

    by Anonymous Coward on Wednesday March 19, 2008 @04:04PM (#22799236)
    The article says that the data was randomly selected, right? So if you want to suggest selection bias, a first step would be to show that the page numbers were indeed not random.
  • Mod parent up (Score:3, Insightful)

    by shrikel ( 535309 ) <hlagfarj&gmail,com> on Wednesday March 19, 2008 @05:14PM (#22800134)
    I find it unfortunate that so much of public debate today has degenerated into a knee-jerk contest. "Oh, that guy works for X company, so he cannot possibly have a good point." When did people decide that thoughtful analysis of articulate, well-composed arguments is unnecessary to reaching a good understanding? Who can better speak out for a product/idea/standard/whatever than those who are most passionate about its qualities (i.e. its developers, backers, etc)? Who can better point out its flaws than those who are most motivated to FIND and EXPOSE those flaws?

    Arguments should be accepted based on their validity and their accuracy. What if Einstein (or any other scientist, for that matter) were not allowed to defend his own theories?

  • Who else? (Score:5, Insightful)

    by Tony ( 765 ) on Wednesday March 19, 2008 @06:32PM (#22801014) Journal
    Riiight. We should have one of the few people willing and able to examine the standard for flaws just not do it. That's an excellent idea.

    At what point has IBM been dishonest? Rob Weir is an employee of IBM. They have a distinct interest in making sure that whatever format is approved, they are able to implement it. Therefore, it is in their best interest to make sure it is a good standard. As they have determined that it isn't a good standard, what should they do? Not talk about it?

    The fact that his bias is out in the open is perfectly fine, as is the example you give from Peter Torr. That allows people to judge their statements, and account for possible bias.

    The problem with Weir recusing himself is this: nobody else seems to be doing this. Nobody else is standing up to a corrupted process, where the intended and stated results are sidelined for political expediency. If it takes one corrupt company to stand up to another corrupt company, then so be it. At least they are standing up to a corrupt company. (Yes, I'd prefer if neither were corrupt.)
  • Re:Office 2007 (Score:1, Insightful)

    by Anonymous Coward on Thursday March 20, 2008 @07:32AM (#22804964)
    Why? Because ODF is competition, and the only response MS knows to competition is to extinguish it wherever they see it. When organisations the world over start to look as if they're going to mandate use of ODF because it's a standard, that means they're also mandating the use of non-MS products. MS aren't going to add meaningful ODF support to Office until they've *really*, *really* lost this fight, because that would be the thin end of a very big wedge indeed, allowing people to start to move off Windows seats and onto alternatives, and they *really* don't want people thinking that way, because the amount of money they stand to lose is astronomical. So MS want to keep the software seats, come what may, and they're not remotely interested in helping their customers meet their business needs if that threatens MS profits.

    In summary, whenever ODF rears its head as a threat, MS want to be able to point to OOXML and say "OOXML is a standard already, and all your people are already using it - you don't need another". They don't care that it's a standard that no-one else will be able to support even if they want to, because they know that most of the people making the actual decisions not only won't remotely understand the technical issues, but also will have no interest doing so - after all, "a standard is a standard, isn't it?". And MS will point to all the "extra" money that moving to a "different" standard will cost. And the guys who understand what total BS the argument really is, and why it means that, say, ten years from now the organisation won't be able to read the documents it produces today, will have a massively difficult job on their hands to even make the execs understand what the arguments are, let alone to actually win them. And meanwhile, MS will carry on raking the money in from their monopoly, and doing whatever they can to keep it that way.
