The human nature of sharing vs. felony on the high seas

This recent article in Coding Horror (linked from TechBlog) at first glance appears to be about murder and theft on the high seas. Oh wait, sorry, need to take a closer look. Let’s change that last part to “programmers getting ripped off by unauthorized copying.”

Surprisingly, the lead-in is a quote from a letter from none other than Bill Gates to the Homebrew Computer Club, way back in 1976, when we were still about three to four years away from the first popular video games, and I was probably still learning to walk. The quote (which I am retyping from the image):

The feedback we have gotten from the hundreds of people who say they are using BASIC has all been positive. Two surprising things are apparent, however. 1) Most of these “users” never bought BASIC (less than 10% of all Altair owners have bought BASIC), and 2) The amount of royalties we have received from sales to hobbyists makes the time spent on Altair BASIC worth less than $2 an hour.

The blog post then goes on to make numerous other dubious comparisons with theft and murder on the high seas and unauthorized copying of software, citing a more recent example (World of Goo) where a similar 90% rate of unauthorized copying is claimed. (The only accurate part of that is ten different IP addresses are posting a high score for every purchased copy of the game, so this could be anywhere from 25% to 99.5% of unauthorized copies, of those choosing to post their high scores online, or possibly even higher or lower.)

For titles such as World of Goo, I think any divide-and-conquer, no-sharing, don’t-you-dare-help-your-neighbor license agreement is probably a mistake. This title should have been released as free software (as in GPL v3), selling copies and related merchandise to help fund further development.

Let’s face it, there’s a reason it’s a bad idea to equate the natural human desire to share with nautical felonies. The FSF has already said something about this and the way “piracy” gets thrown around in articles like the one in Coding Horror linked above just underscores that.

The roots of Internet Explorer’s security problems

About a day ago Zack Whittaker posed the question: Has Internet Explorer ever been safe?

Overall I think this is a pretty good write-up on the history of Internet Explorer for those who don’t understand its faults and/or are actually still using IE for serious Web browsing.

I think on a greater scale, it’s a great example of Microsoft’s utter failure in terms of security, and quite possibly a testament to the problems facing non-free software.

Non-free software is defined here as software licensed under terms which do not grant at least one of the four freedoms in the FSF’s Free Software Definition. This includes most of the shrink-wrapped boxes on the shelf at your local computer/electronics retailer.

This class of software, particularly software made available without human-comprehensible source code (like just about all of Microsoft’s products), starts at a significant security disadvantage. The users are stuck waiting on the maintainer’s patch, and in the case of some remotely exploitable holes, are “sitting ducks” until one is available.

The FSD’s freedoms 1 and 3 are particularly important for getting security fixes out on the users’ timetable instead of the maintainer’s timetable, with freedom 2 playing a strong supporting role in the case where the maintainer refuses to even acknowledge the problem. This is how the teardrop vulnerability in the kernel, Linux, made it out in a matter of hours, instead of days or weeks like the corresponding patch for Windows. Unfortunately for the Windows users in 1997, Microsoft’s stance on security had much more room for improvement than it does today. Even if there was a fix which came from a user or group of users, it could not be legally distributed due to Microsoft’s end-user license agreement (EULA).

Note that this is only an example. The issues are still just as relevant in 2008 (or soon 2009) as they were in 1997. They apply to the recent zero-day IE exploit the same as they do to the teardrop vulnerability.

It is possible Microsoft’s programming staff may one day, finally, match the speed of Firefox’s development team (which includes users capable of fixing security holes in Firefox) on a consistent basis. In fact I would like to see that happen in the near future.

However, I’ll be honest here and say I’d also like to win a multi-million dollar lottery jackpot in the near future. Casting wishful thinking aside and sticking to strict realism, I don’t see either happening soon.

[Edit 2020-12-15: dead link updated]