Stories with Tag 2008

• Windows Is Free for Business (2008)

  permalink

  Posted: 2025-03-03 20:38:23

  Verbose tl;dr

  The 2008 blog post argues that Windows wasn't truly "free" for businesses, despite the common perception. While the OS itself came bundled with PCs, the associated costs of management, maintenance, software licensing (especially for Microsoft Office and server products), antivirus, and dealing with malware significantly outweighed the initial cost of the OS. The author contends that these hidden expenses made Windows a more expensive option compared to perceived free alternatives like Linux, particularly for smaller businesses. Ultimately, the "free" Windows license subsidized other revenue streams for Microsoft, making it a profitable, albeit deceptive, business model.

  In a 2008 blog post titled "Windows Is Free for Business," author Dave Gutteridge elucidates a then-contemporary business strategy employed by Microsoft, arguing that the pervasive perception of Windows as a paid operating system was not entirely accurate. He posits that the actual cost of Windows for businesses was frequently absorbed, masked, or offset by other expenses and licensing agreements, effectively making it functionally free in many scenarios.

  Gutteridge begins by highlighting the bundled nature of Windows. He observes that most businesses acquire their Windows operating system pre-installed on new computer hardware. The cost of the OS, therefore, becomes integrated into the overall price of the machine, obscuring its individual value and contributing to the illusion of its non-gratuitous nature. This bundling, he argues, makes it difficult for businesses to discern the true cost of the operating system itself, as it’s not itemized separately.

  Further, Gutteridge elaborates on the role of software assurance agreements. These agreements, often purchased by businesses for access to updates, upgrades, and support for Microsoft products, frequently include Windows licenses. Thus, businesses perceive the cost as being associated with the ongoing support and maintenance, rather than the initial acquisition of the operating system itself. The perceived value proposition shifts from solely acquiring Windows to gaining access to a suite of services and ongoing software improvements.

  He also discusses the impact of large enterprise agreements. Large organizations often negotiate comprehensive licensing agreements with Microsoft that encompass a multitude of software products and services. Within these complex arrangements, the cost of individual Windows licenses can become diluted or even entirely absorbed into the overall contract cost. The overall economic benefit derived from the comprehensive agreement outweighs the focus on the individual cost of Windows.

  The author underscores that while businesses technically pay for Windows, either directly or indirectly, the actual cost is often obfuscated by these various purchasing mechanisms. The lack of a separate, visible charge for Windows creates the impression that it is, for all intents and purposes, free. He concludes that this “free” perception contributes significantly to Windows' dominance in the business market, as the apparent lack of direct cost removes a significant barrier to adoption. This effectively allows businesses to focus on the overall hardware and software ecosystem, rather than the operating system cost itself, further reinforcing Windows’ entrenched market position.

  • Windows
  • Microsoft Windows
  • Operating System
  • Business Software
  • Free Software
  • Open Source
  • Licensing
  • Proprietary Software
  • 2008
  • Cost of Ownership
  • TCO
  • Windows Server
  • Desktop Operating System
  • Server Operating System

  Summary of Comments ( 32 )
  https://news.ycombinator.com/item?id=43246403

  Verbose tl;dr

  Hacker News users discussed the complexities of Microsoft's "free" Windows licensing model for businesses. Several pointed out that while the OS itself might not have a direct upfront cost, it's bundled with hardware purchases, making it an indirect expense. Others highlighted the ongoing costs associated with Windows, such as Software Assurance for updates and support, along with the costs of managing Active Directory and other related infrastructure. The general consensus was that "free" is a misleading term, and the true cost of Windows for businesses is substantial when considering the total cost of ownership. Some commenters also discussed the historical context of the article (from 2008) and how Microsoft's licensing and business models have evolved since then.

  The Hacker News post titled "Windows Is Free for Business (2008)" linking to davegutteridge.com/windows_is_free_for_business has a modest number of comments, primarily focusing on the nuances of the original author's argument about the "free" nature of Windows for businesses.

  Several commenters challenge the premise that Windows is truly "free," highlighting the associated costs like hardware, support, and software licensing for other necessary programs. One commenter points out that the total cost of ownership (TCO) for Windows includes not just the OS itself but also the ecosystem around it, which can be substantial. This is echoed by another who mentions that while the OS might be factored into other costs, the real expense lies in the necessary Microsoft Office suite and the compatibility constraints it imposes.

  Some comments discuss the shift in perception of software costs over time. One commenter reminisces about the days when software was a significant expense and how it's now often bundled or perceived as a less prominent part of the overall IT budget. This leads to a discussion about how hardware costs have comparatively decreased, making the software component seem more significant in some contexts.

  Another thread of discussion centers on the comparison between Windows and Linux in a business context. One commenter contends that the "free" argument for Windows is misleading, particularly when considering the potential cost savings and flexibility offered by Linux alternatives. This sparks a small debate about the practicalities of switching to Linux in established business environments, acknowledging the potential benefits but also the challenges of migration and compatibility.

  A few comments also touch upon the role of piracy in the perception of Windows' cost, suggesting that widespread illegal use might contribute to the idea that the OS is somehow "free" for businesses. However, this is not a dominant theme in the discussion.

  Overall, the comments offer a critical perspective on the original author's claim, emphasizing the hidden and indirect costs associated with Windows in a business environment. They explore the broader context of software costs, comparing them to hardware expenses and alternative operating systems, while also acknowledging the evolving perception of software value over time. The discussion remains largely focused on the financial aspects, without delving deeply into technical comparisons or specific use cases.

• Google does not want rights to things you do using Chrome (2008)

  permalink

  Posted: 2025-03-01 08:38:12

  Verbose tl;dr

  In 2008, amidst controversy surrounding its initial Chrome End User License Agreement (EULA), Google clarified that the license only applied to Chrome itself, not to user-generated content created using Chrome. Matt Cutts explained that the broad language in the original EULA was standard boilerplate, intended for protecting Google's intellectual property within the browser, not claiming ownership over user data. The company quickly revised the EULA to eliminate ambiguity and explicitly state that Google claims no rights to user content created with Chrome. This addressed concerns about Google overreaching and reassured users that their work remained their own.

  In a 2008 blog post titled "Google does not want rights to things you do using Chrome," former Google engineer Matt Cutts addresses concerns and misconceptions surrounding the initial version of the Google Chrome end-user license agreement (EULA). The controversy stemmed from language within the EULA that seemed to grant Google broad rights over user-generated content created or transmitted through the Chrome browser. This language, as Cutts meticulously explains, was unintentionally borrowed from other Google services and was not reflective of Google's intentions regarding Chrome usage.

  Cutts emphasizes that Google never desired or intended to claim ownership or control over content created by users while using the Chrome browser. He clarifies that the problematic clause was standard boilerplate language included in other Google product EULAs, particularly those related to services where user-generated content is a core component, such as Gmail or Google Docs. In those contexts, the clause serves to grant Google the limited licenses necessary to operate the service, for instance, allowing Google to transmit an email or display a document. However, applying this same language to the Chrome browser created the erroneous impression that Google sought similar rights over all content interacted with via the browser, including content created on third-party websites.

  The blog post details how the initial Chrome EULA caused understandable confusion and alarm among users and legal experts. Cutts acknowledges the seriousness of the issue and underscores Google's swift action to rectify the situation. He explains that Google promptly revised the Chrome EULA to eliminate the ambiguous language and clearly delineate that Google makes no claims whatsoever over user-generated content accessed or transmitted through Chrome. He further emphasizes that Google's sole interest is in providing a high-quality browsing experience and that the company has no desire to control or profit from user-created content viewed or transmitted through the browser. Cutts reinforces that the revised EULA accurately reflects Google's intentions from the outset and apologizes for the initial oversight and any resulting anxieties. He concludes by reiterating Google's commitment to user privacy and responsible data handling.

  • Google
  • chrome
  • License
  • Intellectual Property
  • Copyright
  • browser
  • Software
  • User Rights
  • 2008
  • Matt Cutts
  • Web History
  • privacy

  Summary of Comments ( 16 )
  https://news.ycombinator.com/item?id=43217309

  Verbose tl;dr

  HN commenters in 2023 discuss Matt Cutts' 2008 blog post clarifying Google's Chrome license agreement. Several express skepticism of Google, pointing out that the license has changed since the post and that Google's data collection practices are extensive regardless. Some commenters suggest the original concern arose from a misunderstanding of legalese surrounding granting a license to use software versus a license to user-created content. Others mention that granting a license to "sync" data is distinct from other usage and requires its own scrutiny. A few commenters reflect on the relative naivety of concerns about data privacy in 2008 compared to the present day, where such concerns are much more widespread. The discussion ultimately highlights the evolution of public perception regarding online privacy and the persistent distrust of large tech companies like Google.

  The Hacker News post discussing Matt Cutts' clarification on the Google Chrome license agreement from 2008 has a substantial number of comments, many of which delve into the nuances of software licensing and the concerns surrounding Google's data collection practices.

  Several commenters express skepticism about Google's motivations, despite Cutts' explanation. They argue that while the license agreement might not grant Google explicit rights to user-created content, Google still collects vast amounts of user data through Chrome and other services. This data collection, they contend, is the real concern, regardless of the specifics of the license agreement. They see the license clarification as a way to address a specific criticism without acknowledging the broader issue of data privacy.

  Some comments highlight the distinction between the Chrome license agreement and Google's terms of service. They point out that the terms of service, which users agree to when using Google's services, likely grant Google broader rights to user data. This distinction is crucial, they argue, because users might be misled into thinking the Chrome license agreement covers all of Google's data practices.

  A few commenters offer more technical analyses of the license agreement itself. They discuss the specific clauses and compare them to other software licenses. These comments provide a deeper understanding of the legal implications of the agreement.

  Some commenters draw parallels to other Google products and services, noting how Google has handled user data in those contexts. They use these past practices to support their skepticism about Google's current assurances.

  There's also a thread discussing the importance of open-source software and how it provides greater transparency and control to users. These comments suggest that using open-source browsers might be a better option for users concerned about data privacy.

  Finally, a few commenters express a general distrust of large tech companies and their data collection practices. They see the Chrome license agreement controversy as another example of how these companies prioritize profit over user privacy.

  Overall, the comments reflect a complex and nuanced understanding of the issues surrounding software licensing and data privacy. While some commenters accept Cutts' explanation, many remain skeptical and express deeper concerns about Google's overall approach to user data. The discussion highlights the importance of carefully reviewing software licenses and understanding the implications of using online services.

• An illustrated guide to the Kaminsky DNS vulnerability (2008)

  permalink

  Posted: 2025-02-25 10:54:37

  Verbose tl;dr

  The Kaminsky DNS vulnerability exploited a weakness in DNS resolvers' handling of NXDOMAIN responses (indicating a nonexistent domain). Attackers could forge responses for nonexistent subdomains, poisoning the resolver's cache with a malicious IP address. The small size of the DNS response ID field (16 bits) and predictable transaction IDs made it relatively easy for attackers to guess the correct ID, allowing the forged response to be accepted. This enabled them to redirect traffic intended for legitimate websites to malicious servers, facilitating phishing and other attacks. The vulnerability was mitigated by increasing the entropy of transaction IDs, making them harder to predict and forged responses less likely to be accepted.

  Dan Kaminsky's 2008 DNS vulnerability exploited a critical weakness in the DNS protocol, specifically its susceptibility to cache poisoning. This comprehensive guide illustrates the mechanics of this attack and its severity. The fundamental issue stems from the limited number of ports used for DNS queries (port 53 UDP) and the predictable, incremental nature of transaction IDs. When a client requests a domain name resolution, the DNS resolver queries an authoritative nameserver for the correct IP address. This query includes a transaction ID, which the resolver uses to match the response from the nameserver to the original request.

  Kaminsky discovered that an attacker could exploit this system by flooding a DNS resolver with spoofed responses to the client's original query, each with a different, guessed transaction ID. Due to the limited range of these IDs (16 bits, allowing for 65,536 possibilities) and the speed at which responses could be generated, an attacker had a reasonable chance of guessing the correct ID before the legitimate response arrived.

  The attack is further facilitated by the open nature of UDP and the lack of authentication in standard DNS. This allows the attacker to send spoofed responses from any source address, masquerading as the authoritative nameserver. If a spoofed response with the correct transaction ID arrives first, the resolver caches this false information, effectively poisoning the cache. Subsequent requests for the same domain name will then resolve to the attacker's malicious IP address, potentially redirecting users to phishing sites or other malicious servers.

  The guide meticulously details the steps involved, starting with the client's initial query and the resolver's subsequent query to the authoritative nameserver. It then illustrates the attacker's strategy of sending multiple spoofed responses with varying transaction IDs and forged information pointing to a malicious server. The critical moment occurs when one of these spoofed responses matches the original transaction ID, leading the resolver to accept the forged data as legitimate. The illustration clearly shows the poisoned cache entry, highlighting the potential for widespread impact as other clients querying the same resolver are also directed to the malicious server.

  The gravity of this vulnerability stemmed from its potential for large-scale attacks targeting any DNS resolver. This could have allowed attackers to redirect vast swathes of internet traffic to malicious destinations, severely compromising online security and trust. The illustrated guide effectively conveys the technical intricacies of the attack, emphasizing the vulnerability's simplicity and potentially devastating consequences, which prompted a swift and widespread patching effort across the internet infrastructure. The guide concludes by highlighting the importance of patching DNS servers and implementing security measures to mitigate the risk of similar vulnerabilities in the future.

  • dns
  • Kaminsky
  • Vulnerability
  • DNS Cache Poisoning
  • Security
  • networking
  • Illustrated Guide
  • 2008
  • Dan Kaminsky
  • DNSSEC

  Summary of Comments ( 2 )
  https://news.ycombinator.com/item?id=43170343

  Verbose tl;dr

  The Hacker News comments on the illustrated guide to the Kaminsky DNS vulnerability largely praise the clarity and helpfulness of the guide, especially its visual aids. Several commenters reminisce about dealing with the vulnerability when it was discovered, highlighting the urgency and widespread impact it had at the time. Some discuss technical details, including the difficulty of patching all affected DNS servers and the intricacies of the exploit itself. One commenter points out that the same underlying issue (predictable transaction IDs) has cropped up in other protocols besides DNS. Another emphasizes the importance of the vulnerability's disclosure and coordinated patching process as a positive example of handling security flaws responsibly. A few users also link to related resources, including Dan Kaminsky's own presentations on the vulnerability.

  The Hacker News post titled "An illustrated guide to the Kaminsky DNS vulnerability (2008)" has several comments discussing various aspects of the vulnerability and its impact.

  Several commenters praised the clarity and helpfulness of the illustrated guide, finding it much easier to understand than other explanations they had encountered. They appreciated the visual approach and how it broke down a complex topic into digestible parts. One commenter mentioned how valuable this guide was for educational purposes, making it easier to teach the vulnerability to others.

  A significant portion of the discussion revolved around the practical implications of the vulnerability and the scramble to patch systems in 2008. Commenters shared anecdotes about the urgency of the situation and the widespread effort required to mitigate the risk. Some discussed the challenges of patching diverse systems and the pressure to act quickly. One commenter recounted their experience of being called in on a weekend to apply emergency patches. Another highlighted the importance of DNSSEC as a long-term solution.

  Some comments delved into the technical details of the vulnerability, exploring aspects like the birthday paradox, the role of source port randomization, and the specific techniques used in the exploit. One commenter provided a more concise summary of the vulnerability, focusing on the key elements of the attack. Another discussed the difficulty of predicting transaction IDs due to the birthday paradox. Several commenters corrected or clarified technical details mentioned in other comments, ensuring accuracy in the discussion.

  A few comments touched on Dan Kaminsky's role and contribution. They acknowledged his responsible disclosure and the collaborative effort to patch the vulnerability before it was widely exploited.

  There's a thread discussing how the vulnerability highlighted the fragility of the internet infrastructure and the importance of security best practices. Some users discussed the implications for other protocols and the need for ongoing vigilance against similar vulnerabilities.

  Finally, a few comments mentioned related vulnerabilities and attacks, expanding the scope of the discussion beyond the specific Kaminsky DNS vulnerability. One commenter pointed out how this incident paved the way for improvements in DNS security and served as a valuable learning experience for the industry.