Fog Creek Software
g
Discussion Board

You have to love OSS developers

http://www.theage.com.au/articles/2003/12/18/1071337072117.html


....thats just cheeky....

FullNameRequired
Thursday, December 18, 2003

http://slashdot.org/article.pl?sid=03/12/19/0135211&mode=nested&tid=113&tid=126&tid=128&tid=172&tid=95

Of course, the "patch" is absolutely awful quality code and has many bugs and even a potential buffer overrun security vulnerability.

I mean, it really sucks.  Wow.  You're an idiot if you install their patch.

I hope this isn't representative of the typical quality of OSS code.

Ha ha
Thursday, December 18, 2003

IE patch from some strange company? Thanks, but no thanks. I'll stick to my Proxomitron filter until Microsoft releases the real thing.

Amon
Thursday, December 18, 2003

More specific link in case you don't want to look at the code:

http://slashdot.org/comments.pl?sid=89854&cid=7760430

This code has other bugs and potential security issues.  They don't even try to use safe string functions or do proper error handling.

And what's with the 256 char buffer?  Haven't they heard of INTERNET_MAX_URL_LENGTH?

Ha ha
Thursday, December 18, 2003

of course the joys of OSS means that you lot can fix the bits you dont like :)

<g> seriously though, I bet the developers who released it are feeling stupid now.....maybe its not so easy to write secure code afterall, huh...

FullNameRequired
Friday, December 19, 2003

looks like its not even a patch, more of a tool thingie.

best patch of all is to use mozilla I guess :)

FullNameRequired
Friday, December 19, 2003

MyIE2 from http://www.myie2.com also fixes some security bugs of IE.

jerome
Friday, December 19, 2003

Do I change my windows update to oss.windowsupdate.com for that patch.

Probably not good code and any documentation will be scattered to the four winds.  Then I also imagine they had to somehow reverse engineer a bunch of stuff and probably are up to there asses in EULA violations.  Way to go open source.  Way to show the world that you are a bunch of amatuer malcontents.  Like you couldn't find any problems in Linux to fix.

Termy
Friday, December 19, 2003

Good move OSS.  Now Microsoft can support their claims that you are a bunch of shoot from the hip, careless, wannabee's. 

Like you couldn't have spent the time fixing something in Linux.

Mike
Friday, December 19, 2003

As a good security exploit, I have to give them major props.  A lot of people probably are going to install this patch without looking at or understanding the source code.  It's great social engineering.  An open source trojan horse is a brilliant piece of work.

The code is, of course, crap and a competent programmer can see the buffer overrun from a mile away.  These guys aren't really worried though if your computer gets compromised by this.  It's their intention to have already compromised you by getting bank and credit card information, and leaving you none the wiser.

Anyone who's thinking that this is typical OSS had better step back and take another look.  These are black hats looking for a joy ride, not legitimate programmers solving a real world problem.

Clay Dowling
Friday, December 19, 2003

If you read the code you can see they promote themself by using one of their own addresses to tell you the URL was spoofed. OSS does not mean ethical.

Their code lacks comments. YOU SHOULD ALWAYS DOCUMENT YOUR CODE.

I wouldn't dare show this to another coder.

Milton
Friday, December 19, 2003

Erm, you can't exactly colour all open source programmers by the actions of one company which claims to be open source.

Whilst the "one-in-the-eye" attitude of the majority of posters on Slashdot is dismaying, it's hardly less dismaying in its current incarnation here.

Interestingly, the problems in the Openwares code were discovered almost as soon as they released it, which is a reasonably nice vindication of the "many eyes" theory.

JP
Friday, December 19, 2003

JP is right on this one.  It is like saying look at those conservatives, they are all drig addicts.  Just look at Rush. Or obviously all Democrats have sex in their office like Clinton.

Hardly a fair painting of anything with such sweeping and unsupported generalizations. 

Or was it just a troll?

MSHack
Friday, December 19, 2003

Having just popped across to the other place - it seems that the majority view there is "do not touch with a barge-pole" as well.  (I will admit I browse at +2 to keep the filth down.)

Interestingly at least one person posted up the licence ( http://slashdot.org/comments.pl?sid=89854&cid=7760018 ), which if true means it would fail the OSI definition of OSS. 

It appears to be an attempt to use OSS and the security failures of Microsoft (whether perceived or real) as a marketing ploy.  It doesn't appear to be the winning strategy that they hoped for.

A cynic writes
Friday, December 19, 2003

"IE patch from some strange company? Thanks, but no thanks. I'll stick to my Proxomitron filter until Microsoft releases the real thing."
---------------------------------

I can't fathom why somebody would even use IE, as insecure as its proven to be.  People download all sorts of patches, filters, proxies, wrappers, etc in order to fix IE's gaping holes instead of just using browsers that have proven to be more secure.

Why not just use Opera or Mozilla (or Firebird)?  Even if you don't buy that these browsers are intrinsically more secure by design, you can't argue with the fact that they're targeted a heck of a lot less by attacks.

Compatibility-wise, I have zero problems with Mozilla/Firebird.  Of course I keep IE handy for testing my sites, and I know there are some bank sites that demand IE. 

John Rose
Friday, December 19, 2003

" hope this isn't representative of the typical quality of OSS code."

God, this app I keep using crashes. Hope it isn't representative of the typical quality of  proprietary code.

fw
Friday, December 19, 2003

"I can't fathom why somebody would even use IE"

um. maybe because it is installed by default?


Friday, December 19, 2003

Apart from IE I use Opera and Firebird as well and I've set up ALL of them to use Proxomitron as a http proxy. Being able to modify the page before it displays is just too cool a feature. For example, Joel uses Georgia font all over his site, which I don't like. I wrote a filter that replacecs Georgia with Arial and no matter which browser I use, joelonsoftware.com always appears in Arial to me.

The ability to create filters that prevent bugs from surfacing in a browser is just a nice side feature and definitely not the reason why I use this proxy.

Amon
Friday, December 19, 2003

OSS sucks! I mean, this code is awful!

I think I'll stop using Linux, Apache, OpenBSD, and JBoss now. Oh, I'll also stop using all of those handy open source Java libraries that make my life easier, such as iText.

Sam
Friday, December 19, 2003

And why is this a new threat. I remember some friends a few years ago showing me how to do this... or am I missing something??

Tapiwa
Friday, December 19, 2003

"I can't fathom why somebody would even use IE"
um. maybe because it is installed by default?
--------------
To clarify: I can't fathom why somebody who is knowledgable enough to know that IE is amazingly insecure, as well as being knowledgable enough to run proxies and filters out the wazoo, would continue to willingly use IE for reasons other than testing purposes.

John Rose
Friday, December 19, 2003

*  Recent Topics

*  Fog Creek Home