
Comment Re: But not to give them a chance to correct it fi (Score 3, Insightful) 404

Exactly. MS has a well-documented monthly patch cycle. Give them until the next patch release date if you don't think there are exploits in the wild. Give them 1 week if there are already exploits. Similar rules for any other vendor depending on their patch cycles etc. A little common sense is all it takes.

Comment Re:Target Microsoft (Score 1) 404

* Know that the threat exists and be more careful

Be more careful how? Know that it exists how? I am Joe Public and I do not read Slashdot, Arstechnica or the other places where this bug will be mentioned. The black hats do and they are in the know and actively creating exploits. 99% of users have no idea that this happened, and therefore are not being 'more careful'.

* Disconnect the system from the internet

Why? Remember people do not even know of this event! Second -- you will recommend people disconnect from the internet before you censure Ormandy for precipitating the event that would make that necessary? Am I in the twilight zone?

* Disable the system.

Another practical solution -- wonderful! Pause to remember for a second that responsible disclosure can lead to getting a patch before such drastic measures are needed.

* Patch the machine code using a debugger.

What does Joe Public mean to you, and what do you think Joe Public's proficiency level is with debuggers and machine code?

Comment Re:aiding and abetting 8 computer fraud and abuse (Score 1) 404

TFA states nothing about him giving MS 4 weeks. AFAIK that was the previous time he went public on MS's ass; this time he just went out guns blazing as soon as he discovered the issue.

In terms of obligations (to release secure software), I disagree. You don't even need to look at EULAs (for Windows or for commercial Linux distros). There is no such thing as "absolutely secure" software. You simply cannot release X software and make the statement "X is secure -- I guarantee it". What you can do (and what Microsoft does better than most -- this is documented -- here's a random citation in support of that) is you can follow secure development practices, use defense in depth, and have a good patching mechanism.

I'm not going to bash Ormandy for publicizing the bug any more than I would bash somebody for publicizing a bug in the Linux kernel. Come to think of it, aren't all the bugs for linux (and other opensource projects) public on a bug site?

This is plain incorrect. You have a responsible disclosure mechanism for Linux just as much as you do for MS/Windows (or any other product/entity/whatever). Disclosing an exploit on Linux without first giving the maintainers a chance to patch, is fucking them over just the same as this is fucking MS over. The fact that he's done this twice now just shows that he's doing it out of spite.

Comment Re:But not to give them a chance to correct it fir (Score 4, Insightful) 404

Except that he's right. The "Security through obscurity is no security at all" mantra is the first thing that people who know nothing about security fall back on again and again. Asymmetric keys are merely *better* obscurity than most other means. You're still just counting on not being a sufficiently interesting target that your keys are not going to be put to the test by somebody with access to a proper compute cluster (or maybe a quantum computer), or that they won't bypass that and exploit you some other way.

You should know this already. Speaking generally, all security mechanisms can be broken, so you need to ensure the cost of exploiting is greater than the thing you get access to after exploiting.

Comment Re:aiding and abetting 8 computer fraud and abuse (Score 2) 404

Poor analogy. Your billy-club company is making something anyone can make -- it's common knowledge how to make one, and it's even easily replaced with other objects. Ormandy found the exploit -- making his knowledge of it unique. By publishing it, he made it common knowledge. There was not even anything that could be used to substitute it. People are running to defend Ormandy in their glee that he did something to hurt MS. If MS had published an exploit in the Linux kernel without first submitting a patch and waiting for it to be accepted, I guarantee you your stance would be the exact opposite of what it is now.

Comment Re:Talk/Hangouts/Gmail vs. Lync/Skype/Outlook (Score 1) 416

1) Buying Skype and pitting Skype against Talk.

I think Skype was around quite a bit longer, so you'd have to put it the other way around -- Google realized Skype's potential and came up with a competitor. Microsoft realized Skype's potential as well, and purchased them.

...they could have just showed you a list of all your current Google Talk XMPP contacts and asked you to place check marks next to any that you wanted to invite to your Microsoft Account contact list...

As of today's announcement from Google, they would have done all that work in vain. Perhaps MS realized that Google's commitment to XMPP was not something that could be relied upon?

Comment Re:Page was just dissembling anyway (Score 1) 201

Retiring ActiveSync for consumer accounts is not "trying to prevent Windows Phone from syncing calendar and contact data". Not even close. ActiveSync is a Microsoft-specific protocol which is so heavily protected by the patent system it requires fees.

Right, MS developed ActiveSync, filed patents, and licenses ActiveSync (licenses = requires fees). Google licensed it, used it for quite a while, and decided to migrate away. Nothing wrong with any of that. It's how that's done that's at issue here -- Google tried to fuck Windows Phone users over. It's really that simple.

By "hindering the development of a YouTube app" you actually mean requiring Microsoft to obey the terms of service, right?

If that's your interpretation then you've prostituted your brain to your employer. Google has willfully prevented MS from making a TOS-compliant Youtube app that compares to the apps on iOS and Android. Google refuses to make such an app themselves. Google repeatedly suggests that WP8 users "use the browser" (it's even in their official cease-and-desist letter). Google would never for a second release an Android phone that follows that suggestion.

The sort of thing Microsoft does here is exactly what Larry was talking about.

Larry Page is probably involved in the decisions to block MS on the YouTube app. He's blowing sunshine up your ass and you're opening wider.

Comment Re:Page was just dissembling anyway (Score 1) 201

Dude, that's the tip of the iceberg... you should see the things they've been doing to try to prevent windows phone from developing apps that use google services. A couple of recent examples:

1) They tried to prevent WPs from syncing Gmail calendar and contact data (link). Note that this involves deliberately breaking something that wasn't broken. Making changes/improvements is cool -- but why not work with MS to ensure users don't get affected? How about a little heads up for a major change like that?
2) They've been hindering the development of a youtube app on WP (link). They've even deliberately broken third party youtube apps on WP more than once before this latest spat.

At least Apple and MS are honest about their intentions... I can't stand the doublespeak that comes out of Google's top leaders.

Comment Re:Wow... (Score 1) 491

Please never design anything.

Still no substance then?

Please never assume you are even capable of evaluating design, never mind telling people who should and should not be involved in it. Even your comments are worthless -- it's not even possible to discuss a design properly with you because your comments only contain smugness and snarkiness, but no substance.

Comment Re:Wow... (Score 1) 491

And this is exactly why I was being neither sarcastic nor snarky when I said this: "I willingly concede that I am incapable of explaining discoverability to someone like you."

Back to being snarky because you've run out of substance? If you have a point, and any conviction in it, don't be afraid to make it. Sometimes it takes more than half a sentence.

OP's post was about finding Control Panel -- which assumes knowledge of this abstract concept in Windows (from having used previous versions of it). You were unable to defend your initial stance so you decided to move the goal posts by considering a user who is not familiar with this abstract concept, and your accusation of it being "undiscoverable" still fails. Whether it's by using the old flow (windows key, and start typing) or whether you "discover" that swiping in from the edges brings you various menus, then "discovering" that one of those will always have a cog icon with the word "settings" below it, or "discovering" that same menu also has this thing called "control panel" above it that sounds like it just might have something to do with configuring your computer -- your assertion fails, and fails hard!

You want to discover? Explore the UI for 5 minutes and you will discover tons! But no -- you want to spout nonsense about power users preferring Unix (god knows which 'discoverability genius' designed the various Unix UIs over the years), reply with snarky one-liners, skirt the issue by saying you can't explain shit to someone like me (by which you mean anybody that doesn't agree with you). Fucking fool!
