Microsoft Unveils Open Source Exploit Finder
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest:
"Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release as a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
Open Source?! Wait for it... (Score:3, Funny)
'hellfrozeover' tag in 3... 2... 1...
Re: (Score:3, Insightful)
Definitely not.
Microsoft doesn't have anything against open source actually. They're perfectly fine with the BSD for instance, which they can incorporate in their products. They're also fine with their own "shared source" deal, which goes from "non commercial" to "you can only look at it".
What MS really despises is the GPL. They can't use it, and can't buy the source out in many cases. Of course they could technically use it, but they could apply the "embrace and extend" tactics, and would have to give out an
really? (Score:3, Informative)
Are you sure, Coward?
http://www.opensource.org/licenses/ms-pl.html [opensource.org]
Or you say it won't be released under ms-pl?
Re: (Score:2, Funny)
Are you sure, Coward?
Please, no need for the formality. You can call me Anonymous...
Re: (Score:2, Interesting)
Wrong? Maybe... Note that MS-PL is not compatible with GNU GPL. That may have been just a coincidence from other requirements they had, but it may also have been #1 requirement for all MS-* licenses.
As far as I can tell MS-PL is exactly like the BSD license, except it has a clause that makes it GPL-incompatible. MS-RL is very much like the GPL plus a clause that makes it GPL-incompatible. I notice a trend here and it fits the parent's comment quite well.
Note that I'm not saying everything needs to be GPL-incompatible, I
Re:Open Source?! Wait for it... (Score:4, Interesting)
So what? The viral GPL license is not the only one that makes your software free.
What you say is factually correct yet it misses the point entirely. I like benefit of doubt so I'll assume that you were not being deliberately obtuse. If Microsoft really wanted to release source in a way that is useful for the community, then they would be compatible with the GPL or would simply use the unmodified GPL. They know very well that the vast majority of Free Software, especially that which is available for Unix-like operating systems, is GPL.
So a developer who maintains GPL software has two choices regarding the code that Microsoft releases. The first choice is to ignore it and avoid using it, because I would certainly expect Microsoft to vigorously pursue anyone who violates their license. The second choice is to abandon the GPL and release the software under the Microsoft license so that Microsoft's code could be incorporated into the project. This has two benefits for Microsoft. At the very least, they can talk a good game about how "open" they are becoming while actually doing very little for the community. At the most, they can tempt people to stop using the GPL.
The GPL and Free Software in general is perhaps Microsoft's first experience with a potential competitor that they cannot buy out and cannot embrace-and-extend, so their huge resources and preferred tactics are rendered useless. Either they just give up or they realize that they cannot use the "direct approach". I would not expect them to just give up. The saying that comes to mind is "if you get into bed with Microsoft, you're going to get fucked." Anyone who really believes that Microsoft has had a change of heart and is now a trustworthy ally of Free Software is frankly rather naive. You're dealing with an entity that became so dominant in its industry by means of shrewd business decisions and Machiavellian strategy. I would expect a close-source software company with even half of their willingness and ability to dominate to see Free Software as an implacable enemy that requires new tactics. If anyone believes it could possibly be otherwise, the evidence against you is strong but I'd like to know why you feel that way.
Re:Open Source?! Wait for it... (Score:5, Insightful)
If Microsoft really wanted to release source in a way that is useful for the community, then they would be compatible with the GPL or would simply use the unmodified GPL.
Oh bullshit. Something doesn't have to be GPL to be useful for the community - take FreeBSD for instance. Demons, GPL zealots are as bad as Apple zealots!
Re: (Score:3, Insightful)
If you believe that recognizing the strategic aspects of Microsoft's business decisions makes one a zealot, then you are fortunate. You are fortunate because you have never seen a real zealot.
The same thing that would happen if a Free Software developer were found using Microsoft's non-GPL code in their GPL software: a legal problem. The incompatibility of the licenses is mutual
Re: (Score:3, Insightful)
demonizing me and calling me "zealot" and other names because I dared to make observations and support them with reason
Sorry, your long winded response isn't going to convince me otherwise. The article and summary simply stated that Microsoft had released open-source software, which they did. You're an evangelist of a particular open source license that has all sorts of religion behind it, preaching down other licenses that don't align themselves with your principles. To say that nobody will find this useful is ridiculous. Sure, your "community" might not have any use for it. What is it with your community and their sense of entitlement?
Eh let's make one observation that should be fairly obvious: if not for the success of Open Source software under the GNU Public License, of which the most prevalent expression is the GNU/Linux operating system and its associated applications, then Microsoft would not now show any interest in publically releasing any code of theirs. As much as they talk of innovation, and as many new things as they have genuinely innovated, Microsoft is just following someone else's lead on this one.
So, Microsoft sees
Re: (Score:3, Insightful)
That's quite trivial, though "holy" is your word, not mine. You just can't get over the fact that someone can appreciate freedom, including software freedom, without being a zealot and so you feel the need to insert words that I clearly never used. Feel free to perform a text search on this thread if you don't believe me; you won't find me calling it "holy" anywhere, nor
Re: (Score:3, Insightful)
So Microsoft can't use GPL code, and you're totally cool with that.
What an asinine assertion! Of course MS can use GPLed code, just like anyone else can. They just have to abide by the terms of the license... you know, just like anyone else.
Re:Libre? (Score:5, Informative)
It's released under the Ms-PL, which is OSI-approved.
Re: (Score:2)
The proper way to say it is "it's not open source compatible (gpl/others)", and even OSI knows that.
Just because it's close in name doesn't mean it's still not as proprietary as possible.
This is like putting an open source bumper sticker on a car and saying it's open source.
Re:Libre? (Score:5, Informative)
Re:Libre? (Score:4, Interesting)
The GPL maximises protection against software patents and forbids distribution as proprietary-only software. The Ms-PL minimizes protection against software patents and forbids distribution as libre-only software. The Ms-PL formally fulfills the requirements for an OSI approval but apart from that it is everything what you would expect a license from Microsoft to be. To understand the Ms-PL just imagine the Venn diagram for the following equation: MsPL = ( OSI - GPL ) & Microsoft
Re: (Score:2)
In other words, the GP is right.
Re: (Score:3, Insightful)
The definition of Open Source compatible is not: a license which can be used interchangeably with any other Open Source license. Some licenses are compatible with each other and others aren't. It is called freed
Re: (Score:3, Insightful)
The GPL license is just about protecting individuals who want to develop and use software in freedom. It's up to you to take advantage of this protection or not
The best protection is public domain. Retaining ownership to force an ideological end is silly. The GPL was born out of emacs getting "ripped off" by other people... but did that stop emacs at all? Nope, we're still stuck with it, even though everyone knows vi is better....
Re:Libre? (Score:4, Insightful)
You mean, "It's from Microsoft! It must not be labeled as open source, even if it is!"
If you aren't saying this, then maybe you can say in what aspect the license doesn't meet the Open Source Definition [opensource.org].
Re:Libre? (Score:5, Informative)
Is that the license OSI approved which got a lot of flak because it says the source can only be run on windows or did they remove that use clause from their OSI licenses?
No. Those are the MS-LPL and MS-LRL licenses. The MS-PL license is fairly innocuous excepting the patent clause which is debatable. It allows the distribution of the source under this license and distribution of binaries for commercial use with a different license.
Re: (Score:3, Informative)
Or is that a senseless question anyway since it runs under Windows?
SVN runs under Windows. GCC runs under Windows. Gimp runs under Windows. Apache runs under Windows. Hell, just about any project with a configure script will either compile for Windows as-is, or will after slight modifications. FOSS has nothing to do with whether it runs under Windows or not.
Re: (Score:3, Insightful)
Also, your suicide joke wasn't funny.
Re:This is M$ double speak for "Finding Free Sofwa (Score:5, Insightful)
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a shorthand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
Re:This is M$ double speak for "Finding Free Sofwa (Score:4, Insightful)
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
Re: (Score:2)
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker". It's really just an irrelevant and off-topic device unless the conversation is specifically about cost of software.
It would be like constantly referring to RMS as "The Great Unwashed Guru" in a discussion that had nothing to do with personal hygiene or delusions of Godhood.
Re: (Score:3, Insightful)
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker".
You don't agree that text in bold is HIS opinion? I don't agree with your disagreement :P
Re:This is M$ double speak for "Finding Free Sofwa (Score:5, Insightful)
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a shorthand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I beg to differ. If you're so puerile as to need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
As for identifying corporations by their stock ticker symbols, it allows one to easily differentiate between corporations that would have otherwise similar names (for example, an article talking about the Royal Bank could refer to both RY and RBS) and to look them up quickly and unambiguously.
Re: (Score:2)
I don't generally use "M$" but I wanted to tell you how I see it. I see it as a way to separate the petty members of the audience who cannot overlook a small and harmless "transgression" (even that word is too strong for it) from those who are less superficial. I prefer to directly deal with wrong responses so this does not tempt me, but this is something that I wish more people understood. If
Re:This is M$ double speak for "Finding Free Sofwa (Score:2)
Re:This is M$ double speak for "Finding Free Sofwa (Score:5, Insightful)
yeah, FOSS exploits are cuddlier
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
Re: (Score:2)
Re: (Score:2)
If you don't connect your computer to the net it does not count :)
Alternatively, it's a bit like a poker game, if you don't know who the idiot is, it's you. In other words, the chances are big that you were at some point virused, trojanned or malwared but you did not detect it.
When adaware first came out I ran it on the machines of some friends and it was quite surprising how much crap there was on these so-called clean machines.
Probably you install very little software on your machines, that alone would be
Re:This is M$ double speak for "Finding Free Sofwa (Score:4, Insightful)
Every time I hear anyone using any system say, "I've never had a virus or trojan or malware," I always think, "there is a guy who doesn't know how to detect malware on his machine." And it's usually true.
I'm not saying you don't know how, but you said a genuinely stupid thing right there. It's possible that right now your computer has been rooted, covered up, and you don't even know it. Because Microsoft sure wasn't protecting you for the last 20 years.
auto-hack or brute force? (Score:5, Insightful)
Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?
Re:auto-hack or brute force? (Score:5, Informative)
Re: (Score:2, Informative)
The article mentions it does fuzz testing, so it'd be the former.
Actually, the article says it's used during fuzz testing, not that it does fuzz testing.
It sounds more like an automated crash dump analyzer used after a fuzzer has caused the program to crash.
AFAICT, Neither (Score:3, Informative)
Re: (Score:2)
Am I the only one that thinks it's ridiculous we still have programs crash? It's 2009, why are we still programming in C? It's certainly possible to have the same speed and low level expressiveness and include assurances against crashes and buffer overflows.
Re: (Score:2)
That's why I am very happy to completely steer around C/C++. I never liked its messy syntax anyway. ^^
I used Pascal, Java, and now Haskell. And in 20 years of experience, I never have seen such an impressive beast of a compiler as the GHC (Glasgow Haskell Compiler).
Sure, you can fuck up things in Haskell too. But you have to fuck up explicitly. By doing something very stupid. Not by not doing tons of checks right and left.
I also found the tradeoff of slowness for stability in Java, a good thing. But Haskell s
Re: (Score:2)
Yeah, there isn't really an alternative to C for low level things, which is what bothers me. It seems like an alternative language is the obvious solution to huge classes of security problems.
ATS [ats-lang.org] looks interesting, they even have a paper on writing linux device drivers in ATS. Maybe the alternative will turn out to be ATS [ats-lang.org], or maybe BitC [bitc-lang.org], but it needs to hurry up and people need to start abandoning C/C++.
Re:auto-hack or brute force? (Score:5, Informative)
Sup Goth, this *is* Dan.
!exploitable isn't about finding bugs -- it's not a fuzzer, it's not a static analyzer, etc. It's about looking at a crash and saying, "Heh, this isn't just a Null Pointer Deref, you got EIP." Sure, that's obviously exploitable to you, but to some junior tester, that's not obvious at all.
That's why it's a game changer. The dev writing the buggy code can't just say, meh, prove it's exploitable. Now the tester can point out the output of !exploitable and say, prove Microsoft is wrong. Shifts the burden of proof in the exact direction you'd want.
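The kind of triage Dan describes above (and the "used after the fuzzer has crashed the program" point made a few comments earlier), sketched in Python as an added example. This is not code from !exploitable or from Microsoft: the crash record fields, the null-page threshold and the classification rules are assumptions constructed for the example, and only the four bucket names are borrowed from the tool's output labels. The sample crashes at the bottom are constructed, not real dumps.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Bucket names follow !exploitable's output labels; the rules below are this
# example's own simplification, not the tool's heuristics.
EXPLOITABLE = "EXPLOITABLE"
PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
PROBABLY_NOT_EXPLOITABLE = "PROBABLY_NOT_EXPLOITABLE"
UNKNOWN = "UNKNOWN"

# Assumed threshold: a fault below this address is treated as a null-pointer dereference.
NULL_PAGE_LIMIT = 0x10000

# Review order: the most dangerous bucket sorts first.
SEVERITY_ORDER = {EXPLOITABLE: 0, PROBABLY_EXPLOITABLE: 1, UNKNOWN: 2, PROBABLY_NOT_EXPLOITABLE: 3}


@dataclass(frozen=True)
class CrashRecord:
    """Minimal, constructed view of one crash; a real tool reads this from the dump."""
    crash_id: str
    exception: str       # "ACCESS_VIOLATION", "STACK_OVERFLOW", "ILLEGAL_INSTRUCTION", ...
    access: str          # "read", "write" or "exec" for access violations, "" otherwise
    fault_address: int   # address the faulting instruction tried to touch
    ip_in_module: bool   # does the instruction pointer lie inside a loaded code module?


def classify(crash: CrashRecord) -> Tuple[str, str]:
    """Return (bucket, reason) for a single crash."""
    # The instruction pointer has left every mapped module: the crashing input
    # influenced where the program executes ("you got EIP").
    if not crash.ip_in_module:
        return EXPLOITABLE, "instruction pointer outside any loaded module"
    if crash.exception == "ACCESS_VIOLATION":
        if crash.access == "exec":
            return EXPLOITABLE, "attempt to execute from a non-executable address"
        if crash.fault_address < NULL_PAGE_LIMIT:
            # A plain null-pointer dereference normally just kills the process.
            return PROBABLY_NOT_EXPLOITABLE, "null-page dereference"
        if crash.access == "write":
            # A write to a non-null, input-influenced address corrupts memory.
            return EXPLOITABLE, "write to a non-null address"
        return UNKNOWN, "read from a non-null address; needs manual analysis"
    if crash.exception == "STACK_OVERFLOW":
        return PROBABLY_NOT_EXPLOITABLE, "stack exhaustion (denial of service)"
    if crash.exception == "ILLEGAL_INSTRUCTION":
        return PROBABLY_EXPLOITABLE, "decoder hit invalid bytes; control flow is likely corrupted"
    return UNKNOWN, "no rule matched"


def rank(crashes: List[CrashRecord]) -> List[Tuple[str, str, str]]:
    """Order crashes most-dangerous first, so a tester reviews EXPLOITABLE ones before null derefs."""
    rows = [(c.crash_id, *classify(c)) for c in crashes]
    return sorted(rows, key=lambda row: SEVERITY_ORDER[row[1]])


# Constructed sample crashes (not real crash dumps).
SAMPLE_CRASHES = [
    CrashRecord("crash-001", "ACCESS_VIOLATION", "read", 0x00000008, True),
    CrashRecord("crash-002", "ACCESS_VIOLATION", "read", 0x41414141, False),
    CrashRecord("crash-003", "ACCESS_VIOLATION", "write", 0x7FFE0C30, True),
    CrashRecord("crash-004", "STACK_OVERFLOW", "", 0, True),
    CrashRecord("crash-005", "ACCESS_VIOLATION", "read", 0x0A0B0C0D, True),
]

if __name__ == "__main__":
    for crash_id, bucket, reason in rank(SAMPLE_CRASHES):
        print(f"{crash_id}: {bucket:25s} {reason}")
```

The point of `rank` is the workflow from the summary: a fuzzer produces thousands of crashes, and the tester wants the handful that matter reviewed first. Null-page reads and stack exhaustion sink to the bottom; a crash whose instruction pointer is outside every module, or a write to a non-null address, floats to the top.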
I'm feeling quite dizzy... (Score:4, Funny)
Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)
Re: (Score:2, Funny)
Things that make you go hmmm... (Score:5, Funny)
Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?
Direct link to explanation (Score:5, Informative)
There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx [microsoft.com]
Re: (Score:3, Insightful)
Naturally, that's an OOXML file that OpenOffice doesn't quite display properly. Outline view seems to be the best.
It's nice to see... (Score:3, Funny)
Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with baited breath...
Re:It's nice to see... (Score:4, Funny)
with baited breath...
Speaking of Microsoft and security, I think you've picked up a worm.
Re: (Score:3, Funny)
pronounced 'bang exploitable crash analyzer' (Score:2, Funny)
interesting excerpt from bang source code (Score:5, Funny)
#include <string.h>

enum severity { TRIVIAL_SECURITY_RISK, MODERATE_SECURITY_RISK, MAJOR_RISK_UNINSTALL_IMMEDIATELY };

struct bug;
const char *get_application_vendor(const struct bug *bug);

enum severity assess_severity(const struct bug *bug)
{
    const char *vendor = get_application_vendor(bug);
    /* C strings are compared with strcmp, not == */
    if (strcmp(vendor, "Google") == 0 ||
        strcmp(vendor, "Adobe") == 0 ||
        strcmp(vendor, "Mozilla") == 0)
        return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
    else if (strcmp(vendor, "Microsoft") == 0)
        return TRIVIAL_SECURITY_RISK;
    else
        return MODERATE_SECURITY_RISK;
}
There's already proof that this can't work (Score:2)
Re:There's already proof that this can't work (Score:5, Informative)
Re: (Score:3, Insightful)
Re:There's already proof that this can't work (Score:5, Funny)
Exactly. That's why I'm also against railroad crossing gates, smoke detectors, and those silly "Bridge Out" warning signs.
Re: (Score:3, Insightful)
Has anybody ever told you "'Perfect' is the enemy of 'good enough'."? Perhaps after listening to you explain why your project is behind schedule, then sighing and face-palming?
The halting problem says that there cannot be a GENERAL ALGORITHM that works in all cases, for any of the infinity of possible programs that can exist.
That proves ZERO about, say, whether I can write an algorithm that covers 99% of the common cases. The lack of a general solution doesn't imply that it can't be done often enough, in
Re: (Score:2)
What part of the word "common" are you unable to comprehend?
Re: (Score:2)
Re: (Score:2)
Since you're mentally challenged I'll spell this out for you. The set of common cases is not infinite, especially since the creator of the algorithm gets to define "common".
Did you flunk the part of automata where they explained that not all sets are infinite and there exists such a thing as a finite subset of an infinite set?
Re: (Score:2)
Re: (Score:2)
You incorrectly assume that "an infinite number of different programs" and "all possible programs" are the same set. They are not.
Turing's proof shows that no algorithm can solve the Halting Problem for *all possible* programs. But there ARE proven algorithms that solve the Halting Problem for certain classes of programs, that is, subsets of "all possible" programs.
Many of those subsets (all the interesting ones, really) contain an infinite number of possible programs. Not *all* possible programs, m
Re: (Score:2)
The halting problem is solvable in the general case if you restrict the inputs to finite programs running on finite inputs (any such program can be represented by a DFA, and then you just have a graph colouring algorithm to find non-terminating states). Although this is a tiny subset of the infinite number of possible programs, it does include all programs that can run on computers that will fit inside the universe, which is a sufficiently large set for most uses (of course, in some cases, you will need a
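The finite-state argument in the comment above, worked through as an added Python example (not code from any poster in the thread). It assumes a constructed toy machine: a handful of 4-bit registers and a five-instruction ISA, so the set of configurations (program counter plus register values) is finite and a decider can simply walk the configuration graph until it reaches halt or revisits a configuration, which in a deterministic machine means it will loop forever. The programs at the bottom are constructed for the example.

```python
from typing import List, Tuple

# Assumed machine: every register holds a value in 0..MODULUS-1, so the
# configuration space is finite and exhaustive exploration terminates.
MODULUS = 16

# Constructed mini-ISA. Each instruction is a tuple:
#   ("inc", r)          r = (r + 1) mod MODULUS
#   ("dec", r)          r = (r - 1) mod MODULUS
#   ("jz", r, target)   jump to target if register r == 0
#   ("jmp", target)     unconditional jump
#   ("halt",)           stop
Instruction = tuple
Config = Tuple[int, Tuple[int, ...]]  # (program counter, register values)


def step(instr: Instruction, pc: int, regs: Tuple[int, ...]) -> Config:
    """Execute one non-halt instruction and return the next configuration."""
    op = instr[0]
    r = list(regs)
    if op == "inc":
        r[instr[1]] = (r[instr[1]] + 1) % MODULUS
        return pc + 1, tuple(r)
    if op == "dec":
        r[instr[1]] = (r[instr[1]] - 1) % MODULUS
        return pc + 1, tuple(r)
    if op == "jz":
        return (instr[2] if r[instr[1]] == 0 else pc + 1), regs
    if op == "jmp":
        return instr[1], regs
    raise ValueError(f"unknown instruction {instr!r}")


def configuration_bound(program: List[Instruction], nregs: int) -> int:
    """Upper bound on distinct configurations, hence on steps before a repeat."""
    return len(program) * MODULUS ** nregs


def decide_halting(program: List[Instruction], regs: List[int]) -> Tuple[bool, int]:
    """Return (halts, n).

    If the program halts, n is the number of instructions executed before the
    halt. If it loops, n is the number of distinct configurations visited
    before one was seen a second time. Falling off the end of the program
    counts as halting.
    """
    seen = set()
    pc, state = 0, tuple(regs)
    while True:
        config = (pc, state)
        if config in seen:
            # Deterministic machine + repeated configuration = infinite loop.
            return False, len(seen)
        seen.add(config)
        if pc >= len(program) or program[pc][0] == "halt":
            return True, len(seen) - 1
        pc, state = step(program[pc], pc, state)


# Constructed programs.
# Counts register 0 down to zero, then halts.
COUNTDOWN = [("jz", 0, 3), ("dec", 0), ("jmp", 0), ("halt",)]
# Increments forever; the register wraps at MODULUS and the configuration repeats.
FOREVER = [("inc", 0), ("jmp", 0)]
# Decrements by two until zero. Halts for even starts, loops forever for odd
# ones (an odd 4-bit value never reaches 0 by subtracting 2 modulo 16).
BY_TWO = [("jz", 0, 4), ("dec", 0), ("dec", 0), ("jmp", 0), ("halt",)]

if __name__ == "__main__":
    for name, prog, start in [("countdown", COUNTDOWN, [5]), ("forever", FOREVER, [0]),
                              ("by_two(4)", BY_TWO, [4]), ("by_two(3)", BY_TWO, [3])]:
        halts, n = decide_halting(prog, start)
        print(f"{name}: {'halts after' if halts else 'loops; distinct configs'} {n} "
              f"(bound {configuration_bound(prog, len(start))})")
```

`BY_TWO` is the interesting case: it reads like a program that obviously terminates, and a tester eyeballing it would say so, but for an odd starting value the decider finds the loop after at most `configuration_bound` steps. That is exactly the comment's point: restrict the class of programs to finite-state ones and the question becomes a reachability search, at a cost that grows with the state space.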
Re: (Score:2)
No, all it states is that it cannot prove the program is bug free. It can, however, keep running and finding as many bugs as possible.
If you get to a stage where you don't find bugs after a long enough period of time, you've probably reached the limits of that particular testing method's ability to provide any useful data about the application. That or the bugs are now awkward to find and probably won't be found by the majority of user input either.
On the halting problem basis, users will never find every b
Re: (Score:2)
A bounty for first exploit of !exploit (Score:2)
!static code analyzer (Score:2)
I would be more impressed if they released a free and open static code analyzer to include for their compilers that may also compile to native code (e.g. Visual C++).
That said, I'll be nice and applaud this effort. But wherever possible, use managed code (scripting or a secure VM) instead of relying on this kind of analysis. At this rate, it will take centuries to get rid of all the buffer overflows and other rather inexcusable code out there. I would be very amazed if this tool would (help to) remove
Re: (Score:2)
It's not "free and open" but do you mean a source code analyzer like this one [microsoft.com] which is available in Visual Studio 2005?
Open Source Exploit Finder? (Score:2)
So...let me get this straight...they're open sourcing their Windows code base?
I'm here all week. The veal is amazing!
windbg needs PDB so app must compile in MSVS (Score:5, Informative)
Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.
For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.
Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always gets bad press regardless.
Also note that this tool cannot easily be used to find security bugs in the Linux kernel and not in Linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc).
So you need not just a port to Windows (using mingw or similar) but you actually need to port the app to compile under the MS compiler if you want to use this.
Apps like Firefox will be able to use this tool though, they already have a debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.
I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
bang exploitable or unexploitable? (Score:2)
Not that this is important, but was it really pronounced "bang exploitable" when it started its life? It sounds to me like some top brass (or a journalist) wanted to show off that they know how "!" was pronounced in old UNIX speak, but without a real understanding of what it meant. You know, as in, "I am one of you, but I have no idea what the hell I am talking about".
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
In other words, irrelevant bullshit but it's their stuff so they get to pick the name.
Wow. Awesome headline. (Score:2)
Did anyone else misread this (before reading the summary) as Microsoft is working on an automated program to find *security exploits in open-source projects*?
Man, I had to readjust my tinfoil hat for a second there.
--
Toro
A related interesting project (Score:2)
Here is the code (Score:3, Funny)
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
#ifdef WIN32
fprintf(stderr, "Your system is not secure\n");
#else
fprintf(stderr, "Your system is not popular enough to be targetted, therefore it is secure\n");
#endif
return 0;
}
Re:Bang exploitable (Score:5, Informative)
"bang" is ancient history.
http://en.wikipedia.org/wiki/Special_Characters [wikipedia.org]
http://www.catb.org/~esr/jargon/html/A/ASCII.html [catb.org]
Re:Bang exploitable (Score:5, Funny)
Every time they see "!=" they interpret it as "bang equals". That sounds like definitely equals, doesn't it? Like, dude, those are so equal it's not even funny, equal.
No wonder they have all those buffer overflow exploits. Their logic checks that include the not modifier are all wrong.
Rules of Open Source club (Score:5, Funny)
1. Fork the project
2. Change the name
Re: (Score:2, Funny)
Bang Exploitable Crash Analyzer, programmed in C Pound Point Net.
Re: (Score:2)
Re: (Score:2)
Here's a better idea... Fix all the bugs and then you're sure you've fixed all the big bugs.
Well, that's a nice idea, but it takes a finite nonzero amount of time to do so.
You both make good points. MS's security culture is fairly awful in that when developers find bugs that are potential security issues, they have to fight the system to get them prioritized for fixes and most are considered "low risk" and ignored. Anything that helps prioritize bug fixes is good, provided it is not used as an automated way to ignore a huge number of bugs in an effort to produce a mediocre and "good enough" product in terms of security.
Re:THOUSANDS OF BUGS? (Score:5, Insightful)
How large of a programming team do you work with? And how big are the projects to which you contribute code? And what kind of development model do you use (waterfall, Agile, ad-hoc, etc.)?
Shipping a large project with 1,000 bugs might be a perfectly valid decision. Are any of those 1,000 bugs deal-breakers for your install base? If so, how many clients does it affect? Are these "real bugs", or just incomplete/unpolished functions, or documentation issues, or output typos, or what?
And what kind of software is this? Are you building a time & expense web application, or a filesystem driver? In the former case, most bugs will be interface glitches--ugly, annoying, and harmless. In the latter case, even one bug could easily cause silent data corruption.
Remember what Linus Torvalds said: Release early, release often. Don't wait til all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.
Re: (Score:3, Interesting)
Shipping a large project with 1,000 bugs might be a perfectly valid decision
Why don't we just change that to Shipping a large project with 1,000 bugs might be a perfectly valid business decision
I don't ship crap.
And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there
Re: (Score:2)
While I agree that people could do better, your overall attitude of EVERY BUG MUST GO BEFORE WE RELEASE is probably why you have to say "if I had a big project" rather than "the big project I'm on now..."
"Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use."
Agreed, we're not talking about bugs that prevent use of the software here. Your inability to distinguish possibly hinders you professionally.
Re: (Score:3, Insightful)
Not all software is a product for sale, and in the real world there are deadlines and budgets. Users can deal with bugs, business owners can't deal with late, over-budget projects.
Re: (Score:3, Interesting)
I don't ship crap. And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.
There's a balance, there are also those people that think that perfect software can be created in some kind of bubble and you might be one of them, I think. In a large project I can assure you, with 100% certainty, that between the start of the project and the final release the requirements have changed. A lot. It does not matter if you design up a perfect software development method, not that I think such a thing exists, because people are very poor at specifying in an abstract specification what it is they wa
Re: (Score:2)
You don't ship *anything*.
Also, !exploitable can check for bugs in beta software. And it can check for bugs in internal builds. You do *not* need to have released to get bug reports on major projects -- testers, fellow developers, and even yourself can run into bugs to investigate later.
Firefox 3.5 is supposed to have fixed over 1000 bugs so far in its release cycle, and that was supposed to be a short-cycle release -- and there are still bugs that are WONTFIX or even still active from years and years ago
Re: (Score:2)
Remember what Linus Torvalds said: Release early, release often. Don't wait until all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.
I forgot to address this. Yes, early adopters and capturing your market are important. I can see where "version 1" could be considered beta for the purposes of getting your foot in the door. I don't think anyo
Re: (Score:2)
Who said we were talking about MS and Windows? You just brought that up, right now. I don't think it proves anything, one way or another, that one company has a crappy process.
Honestly, it seems like you just tried to "move the goalposts", redefining the terms of an argument you were losing so you can feel like you're winning.
That's lame, and I'm calling you out on it.
Re: (Score:2)
Thousands of bugs? They must have tested it against their office suite :)
But seriously, Microsoft must have loads of legacy code lying around, so thousands of bugs are to be expected. Office just happens to be one of them (and the number of Word related crashes on my office computer is just about hopeless).
Re: (Score:3, Informative)
This is Dan.
OK, my DNS bug took two days to find, and six months to fix. I'm not sure what universe you're in; in mine, we have to actually test.
Re: (Score:3, Informative)
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 million fuzzing
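As an added illustration of the post-mortem triage the comment above describes (this is example code written for this page, not Microsoft's !exploitable or any of its actual rules): a small Python classifier that rates constructed crash records using heuristics in the spirit of the tool's public description, such as write access violations and faults on control-transfer instructions rating higher than reads near NULL, and that collapses duplicate dumps by hashing their top stack frames so that thousands of crashes reduce to a ranked list of distinct bugs. The exception codes are real Windows NTSTATUS values and the four rating names match the tool's published categories; the record format, the 64 KiB near-NULL threshold, the five-frame hash depth, the rules that assign ratings and the sample crashes are all assumptions made for the example.

```python
"""Simplified post-mortem crash triage, in the spirit of !exploitable.

Added example for this thread, not Microsoft's code: the rating names are the
tool's four published categories, but the rules that assign them here are a
deliberately small approximation chosen for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Real Windows NTSTATUS exception codes as they appear in crash dumps.
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_ILLEGAL_INSTRUCTION = 0xC000001D
STATUS_INT_DIVIDE_BY_ZERO = 0xC0000094
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409   # /GS cookie failure

NULL_PAGE_LIMIT = 0x10000   # assumption: faults below 64 KiB are treated as NULL derefs
STACK_HASH_DEPTH = 5        # assumption: frames hashed to bucket duplicate crashes

EXPLOITABLE = "EXPLOITABLE"
PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
UNKNOWN = "UNKNOWN"
PROBABLY_NOT_EXPLOITABLE = "PROBABLY_NOT_EXPLOITABLE"
SEVERITY = {EXPLOITABLE: 0, PROBABLY_EXPLOITABLE: 1, UNKNOWN: 2, PROBABLY_NOT_EXPLOITABLE: 3}


@dataclass
class CrashRecord:
    """Minimal stand-in for what a debugger extracts from a dump (assumed format)."""
    exception_code: int
    faulting_ip: int
    instruction: str                    # disassembly of the faulting instruction
    stack: Tuple[str, ...]              # symbolized frames, innermost first
    access_type: Optional[str] = None   # "read", "write" or "execute" for AVs
    fault_address: Optional[int] = None


def _is_control_transfer(instruction: str) -> bool:
    """True for call/jmp/ret: a fault here means the target was attacker-influenced."""
    parts = instruction.strip().split()
    return bool(parts) and parts[0].lower() in {"call", "jmp", "ret", "retn"}


def classify(rec: CrashRecord) -> Tuple[str, str]:
    """Return (rating, reason), checking the most severe conditions first."""
    if rec.exception_code == STATUS_STACK_BUFFER_OVERRUN:
        return EXPLOITABLE, "stack cookie (/GS) check failed: stack buffer overrun"
    if rec.exception_code == STATUS_ILLEGAL_INSTRUCTION:
        return EXPLOITABLE, "illegal instruction: execution reached non-code bytes"
    if rec.exception_code == STATUS_ACCESS_VIOLATION:
        if rec.access_type == "execute" or rec.fault_address == rec.faulting_ip:
            return EXPLOITABLE, "instruction fetch fault: instruction pointer is corrupt"
        if rec.access_type == "write":
            return EXPLOITABLE, "write access violation: possible controlled write"
        if rec.access_type == "read":
            if _is_control_transfer(rec.instruction):
                return EXPLOITABLE, "read fault on call/jmp/ret: control-flow target is corrupt"
            if rec.fault_address is not None and rec.fault_address < NULL_PAGE_LIMIT:
                return PROBABLY_NOT_EXPLOITABLE, "read near NULL: likely a NULL dereference"
            return PROBABLY_EXPLOITABLE, "read access violation at a non-NULL address"
        return UNKNOWN, "access violation with no access type recorded"
    if rec.exception_code == STATUS_INT_DIVIDE_BY_ZERO:
        return PROBABLY_NOT_EXPLOITABLE, "integer divide by zero: denial of service only"
    return UNKNOWN, "no rule matched exception 0x%08X" % rec.exception_code


def bucket_key(rec: CrashRecord) -> str:
    """Hash the top frames so thousands of dumps collapse into distinct bugs."""
    frames = "|".join(rec.stack[:STACK_HASH_DEPTH])
    return hashlib.sha1(frames.encode("utf-8")).hexdigest()[:16]


def triage(records: List[CrashRecord]) -> List[Dict[str, Any]]:
    """Collapse duplicates, keep each bucket's worst rating, rank worst first."""
    buckets: Dict[str, Dict[str, Any]] = {}
    for rec in records:
        rating, reason = classify(rec)
        key = bucket_key(rec)
        entry = buckets.get(key)
        if entry is None:
            buckets[key] = {"top_frame": rec.stack[0] if rec.stack else "?",
                            "rating": rating, "reason": reason, "count": 1}
            continue
        entry["count"] += 1
        if SEVERITY[rating] < SEVERITY[entry["rating"]]:
            entry["rating"], entry["reason"] = rating, reason
    return sorted(buckets.values(), key=lambda e: (SEVERITY[e["rating"]], -e["count"]))


# Constructed sample crashes (not real dumps); the last one duplicates the first.
SAMPLE_CRASHES = [
    CrashRecord(STATUS_ACCESS_VIOLATION, 0x00401234, "mov dword ptr [eax],ecx",
                ("app!copy_buffer", "app!parse_record", "app!main"), "write", 0x41414141),
    CrashRecord(STATUS_ACCESS_VIOLATION, 0x00401240, "mov eax,dword ptr [ecx+8]",
                ("app!lookup", "app!parse_record", "app!main"), "read", 0x00000008),
    CrashRecord(STATUS_ACCESS_VIOLATION, 0x00402000, "ret",
                ("app!handler", "app!dispatch", "app!main"), "read", 0x41414141),
    CrashRecord(STATUS_INT_DIVIDE_BY_ZERO, 0x00403000, "idiv ecx",
                ("app!scale", "app!render", "app!main")),
    CrashRecord(STATUS_ACCESS_VIOLATION, 0x00401234, "mov dword ptr [eax],ecx",
                ("app!copy_buffer", "app!parse_record", "app!main"), "write", 0x42424242),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_CRASHES):
        print("%-24s x%d  %-20s %s" % (e["rating"], e["count"], e["top_frame"], e["reason"]))
```

Run stand-alone, the script lists the duplicated write access violation first, the corrupt return address second, and the NULL dereference and divide-by-zero last. The rating is a triage priority for deciding which dumps a human looks at first, not proof either way: a bug rated PROBABLY_NOT_EXPLOITABLE still needs a fix, and a write AV only says the crash is worth an analyst's time.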
Re:Enough problems of their own (Score:5, Insightful)
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple.
Are you retarded? This tool isn't a "find exploits in open source software tool." It's an open source "find exploits in software tool". So Microsoft has an internal tool that they've developed to search for exploits in their software like Windows and Office, but they decided to open source that tool and share it with everyone else. It has nothing to do with Windows versus Linux.
As far as your ridiculous rant regarding Windows and programs running as Administrator, if you actually looked at the most recent versions of Windows, the number of system services that run under NETWORK SERVICE and other less privileged accounts has been increased, and with UAC, running users as non-admin is actually feasible. I don't know if you'd ever tried running as non-admin under XP, but the idea of logging out and logging back in to make a change, or hoping to hell that runas will actually work, just makes no sense. In addition, their work on Protected Mode where IE runs in a sandbox is another example of MS working to implement the least privilege principle.
Microsoft has made *considerable* progress on the non-admin front, and continues to work on that.
Oh, and whoever modded you up for this nonsensical misinterpretation of the tool needs a meta-mod down.
Re: (Score:2)
I wish I could mod you up... I'm not sure what high horse the OP was on, but I'd like some of what he is smoking!
Re: (Score:2)
MODS: how is this flamebait?
It can validly be considered flamebait because it starts with, "Are you retarded?" This is unfortunate because it is factual and corrects the misconceptions of a highly modded post that is, well, a little retarded. That's a harsh way to phrase it as well as offensive. In truth the original poster was not retarded, just uninformed and "ranty".
WinDbg (Score:2)
So, why doesn't Microsoft produce these tools for Windows
The tool in question is a debugger extension for WinDbg. I'm not sure how many people are debugging their Unix/Linux applications with WinDbg, but I'm guessing it's not a large number.
Mod down please (Score:2)
Could somebody please mod this clown down? He couldn't be more wrong.
Or, in short:
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits?
This tool is for Windows you dumbshit.
Re: (Score:2)
Microsoft Unveils Open Source Exploit Finder? (Score:3, Funny)
What! You mean they Open Sourced Windows!??!