Few of OOXML's Flaws Have Been Addressed 162
I Don't Believe in Imaginary Property writes "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw that was addressed, making the upper bound a paltry 1.5%. Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text. At least there were no mistakes on five of the first twenty five random pages he reviewed."
Corruption. (Score:5, Insightful)
Re: (Score:2)
Hey, if the voters are selling cheap, why not?
Re: (Score:2)
Office 2007 (Score:5, Interesting)
Do any of these flaws exist in Office 2007?
If not, why are they in the OOXML proposed standard. If the standard does not describe the OOXML format used by Microsoft, then what does it describe?
Why can't they just document the format that they use and get this over with? Or are they doing all this for show, and there is no real substance in OOXML?
Re:Office 2007 (Score:5, Insightful)
The reason MS is bothering with ISO is because a few places have started to require that documents be stored in an ISO defined format.
The problem is that having a true ISO defined format means that you open yourself up to competition, so MS wants to get their format defined as ISO certified without allowing any competition.
Re:Office 2007 (Score:5, Interesting)
You'll remember Stéphane Rodriguez who gave us Microsoft Office XML formats? Defective by design [blogspot.com] back in August, 2007?
Since then, in February, 2008 he produced The truth about Microsoft Office compatibility [blogspot.com] and Typical B.S. in technical articles about OOXML [blogspot.com] and now Bad surprise in Microsoft Office binary documents : interoperability remains impossible [blogspot.com] Thursday, March 13, 2008.
These blogs are at the same level of depth as Rob Weir's latest blog, and demonstrate that Microsoft's policies as detailed below continue to this day.
From OOXML is defective by design...
"Mr Bill Gates in person sent in 1998 a memo to the Office product group (led by Steven Sinofsky at the time), memo undisclosed to the public thanks to the IOWA consumer case :"
From: Bill Gates
Sent: Saturday, December 5 1998
To: Bob Muglia, Jon DeVann, Steven Sinofsky
Subject : Office rendering
One thing we have got to change in our strategy - allowing Office documents to be rendered very well by other peoples browsers is one of the most destructive things we could do to the company.
We have to stop putting any effort into this and make sure that Office documents very well depends on PROPRIETARY IE capabilities.
Anything else is suicide for our platform. This is a case where Office has to avoid doing something to destroy Windows.
I would be glad to explain at a greater length.
Likewise this love of DAV in Office/Exchange is a huge problem. I would also like to make sure people understand this as well.
-----------
Clearly the word is getting out about the problems in OOXML. Stéphane Rodriguez notes at the bottom of OOXML - Defective by design:
Update : this article was Slashdotted on Sunday 26 of August.
Update2 : this article is taking 300,000 hits a day, and is making it all around the world in all kinds of sites. My web host provider was so angry at the peak in traffic that he threatened to cut me off, so I had to redirect to a blog site such as Google's blogger to host the article.
Update3 : wednesday august 29, added a new section on Document security
Update4 : friday august 31, added more content to sections US English and Windows dates
Update5 : sunday september 2, added a quick comparison between ODF and ECMA 376
Re: (Score:2)
Re: (Score:2)
Stéphane Rodriguez lost all credibility when he edited an OOXML spreadsheet file by hand, changed the XML so that it was no longer legal according to the schema, and then proclaimed that it was a flaw in OOXML that Excel found an error in the document.
Brilliant piece of misrepresenting an experiment made to illustrate a point, then dismissing everything this man has said. Congratulations on your rhetoric! Or perhaps you aren't that brilliant, and simply did not understand the article. For those who
Re: (Score:2)
Incorrect. All that was required for the update he wanted to do was either (1) updating two locations, not one, or (2) removing one file. The spreadsheet file stores some extra information as an optimization to allow spreadsheets to load faster (basically, information on calculation chains).
Here is a thorough point-by-point response [slashdot.org] to Rodriguez's points.
BTW, it is interesting to note the comments when this was discussed [msdn.com] on Brian Jones' blog. Note that he lets Rodriguez comment, even though Rodriguez
Re: (Score:2)
ISO 8859 (Score:2)
There's your ISO right there! Oh, format
Re: (Score:2)
Heck, isn't just about everything stored in ISO 8859? I actually thought it was the same as ASCII until reading this: http://kb.iu.edu/data/ahfr.html [iu.edu].
FWIW the 8859 section of that page is in bad need of an upgrade (the tables go beyond 8858-8, for example western Europe uses 8859-15 which adds € and completes character tables that were left unfinished in -1)...
You might want to check Wikipedia which appears to be much more complete (for once).
Re: (Score:2)
As it is, a true, open, unencumbered standard will instead prevail.
Re:Office 2007 (Score:5, Insightful)
it's not that OOXML is bad, it is that OOXML is broken and MSFT is trying to ram it through anyways. there is nothing there that can't be fixed. MSFT however doesn't want it fixed because OOXML 2010 is just around the corner and it won't be the same as OOXML 2007. Also OOXML 2010 becomes a defaco standard even though it isn't ISO certified since it is marketed as OOXML.
this is how MSFT works if you don't know this then go back and look at the past 30 years of how MSFT treats it's customers, vendors, and slaves.
Re: (Score:2)
Pop quiz, hot shot! Reconcile your statement above with your statement below.
For bonus points, explain how what you say is a reply to my post.
Standards need to be open, unencumbered by patents, and as easy to implement by third parties as they are by the originators. MSFT has failed in these basic
Re: (Score:2)
I'm not sure how Microsoft is trying to "ram it through" - Microsoft are following the ISO process for standards that are developed externally (i.e. not developed inside ISO). That process is called fast track, and it's how ISO deals with "existing" standards.
Re: (Score:2)
Re:Office 2007 (Score:5, Insightful)
The mere fact that there ARE no implementations of OOXML, however, should be a giant, florescent, waving red flag. No standards body should adopt a standard that cannot and will not be implemented by the proposers.
Re:Office 2007 (Score:4, Insightful)
Indeed. And the lack of existing implementations makes OOXML all the more inappropriate for the fast track process, which is intended for existing de facto standards, meaning (a) widely implemented and (b) with broad consensus in the relevant field.
Re: (Score:2)
Re: (Score:2)
The database connection flaw may not be in Office either, because Office may force System DSNs rather than real connection strings.
Re: (Score:3, Insightful)
huh? (Score:5, Interesting)
Re:huh? (Score:5, Informative)
For example, a spreadsheet is often the favored client for an OLAP system, and complex spreadsheets will get reused a lot, so connection strings may be part of the overall "application" that the document has become.
People like me and (probably) you tend to use documents as just that: documents. But in the big boy's world, they're far more important than that.
Re: (Score:3, Informative)
But in the big boy's world, they're far more important than that.
I acknowledge that hooking documents into databases to subvert them into workflow process template beasties is a common practice, but I think the simple question "Why are there database passwords in the document?" kind of highlights that this is a bad practice.
If security is a concern, "Document Applications" are a mistake.
This also violates the (good) Model/View/Controller [wikipedia.org] software architectural model by kludging the view and controller together in the same product. And - despite claims that it cuts
Re: (Score:2)
No, not really. Think a simple mailmerge with data from the database. There is no Controller, only a model (the DB) and the View (the document). You fetch the data from the database and mailmerge it.
Re: (Score:3, Interesting)
This also violates the (good) Model/View/Controller software architectural model by kludging the view and controller together in the same product.
No, not really. Think a simple mailmerge with data from the database. There is no Controller, only a model (the DB) and the View (the document). You fetch the data from the database and mailmerge it.
Yes, I have read that a compelling reason to stick to Microsoft Office is the ability to Mailmerge, which is fine. I have never gone through the hoops to perform a Mailmerge, so bare with me. My belief is that the whole purpose to send the date (in the database) through the document (which is the controller) to a printer (where it can be viewed). This simple/trivial application actually does separate Data/View/Controller.
Saying there is no controller is like saying there is no spoon. Just because it
Re: (Score:2)
Who or what is "you" in this case? That's the Controller. Something has to control which data is selected from the model and how it is viewed. There's always a controller, but sometimes it's horribly intertwined with one or both of the other parts.
Re: (Score:2)
Re: (Score:2)
I think we are really getting philosophical here, but there is no controller. You (the office document) fetch the data from the DB. So, office document = view and DB = model. There is no controller. The definition of controller I have is: "Processes and responds to events, typically user actions, and may invoke changes on the model." - The office document does not do that. It only displays the data.
I disagree. There's a Controller. It's the trivial default one implemented by the viewing application. (Of course, it only really gets interesting when you start pushing changes in the document back at the database; that's when you start to build a controller of substance...)
Re: (Score:2)
I have seen more programming errors in spreadsheets being used a database management systems than in any other code. And I don't know how many times I've seen the exact same analysis being done by two different secretaries (in the same office!) using spreadsheets they wrote themselves. Each of them. Separately. "Oh, it only took me a couple of weeks."
I think calling it the "big-boys wor
Re: (Score:2)
That
Re: (Score:2)
I guess so but i figured the document itself would name the data resources it needs and it would be up to the application to actually connect and retrieve the data. I wonder if the document itself can initiate a connection and execute a command. It basically does a "select" to pull data in, c
Re: (Score:2)
Re: (Score:3, Informative)
I'd be interested in what is the alternative to storing them in plaintext in the document format. See, the database is going to be wanting that password, and it must be stored somewhere in the document in a stand-alone way or remembered by the user. If you encrypt it, you need to provide the keys in the same document or use a constant well-known key across all ins
Re: (Score:2)
It is not a security flaw to store passwords in plain text - or at least, 'encrypting' them with some fixed algorithm gives no security benefit. At best it's security through obscurity.
In fact, it's surprisingly sensible of Microsoft to recognize this, given the 'compressible encryption' and other non-security security nonsense they provide in other products.
Not how should it be done, but why it shouldn't be (Score:2)
Look at it from another angle. Imagine that I need to connect to the database using the connection string, a@mycompany.com:mypass. I send you the document, but you're on another network. You don't s
Re: (Score:2)
Re: (Score:2)
We use Kerberos to authenticate the user with the database, and something like Row Level Security or/and Database Roles for authorization on the actual data. That's actually the only secure way I know of (and that I use) to connect to a database from an office document.
Re: (Score:2)
I'd say that in my experience users actually having accounts on database servers is pretty uncommon. Most applications just connect to the database using an obfuscated password, or they have a business-logic tier that does the data manipulation.
I agree completely that single-user database accounts are far more secure, but they can be a lot more difficult to maintain and as a r
Re: (Score:2)
I agree. Usually users in an enterprice are stored on an LDAP server.
That's also true, but in a sane environment you have your users/accounts on an LDAP server and Authenticate them against it (usually with Kerberos tickets).
ctrl+c ctrl+v from Oracle Security and Iden
Re: (Score:2)
enough is enough (Score:5, Interesting)
I'm seriously considering wiping all the PC's in my office and advising the staff to just learn Ubuntu to avoid this whole MS deathgrip. None of the staff are advanced users except my web guy who codes in a text editor anyhow. FMS.
What's the point? Who is going to follow this? (Score:4, Insightful)
Re:What's the point? Who is going to follow this? (Score:5, Insightful)
As with everything MS does it is all about control and money. They have observed the fights that took/are taking place at various governmental and state levels over the mandatory use of an open standard - and they see that it is a threat to their monopoly, hence they have strategised to nullify the problem without giving up any of their control. The whole thing is a rate 10 sham. And if anyone ever wants to know why a lot of people don't trust MS then this is a perfect example of it - the process and the mockery they are making of it is frankly satirical.
Re:What's the point? Who is going to follow this? (Score:4, Interesting)
Then we will tell them that Microsoft is actually not implementing their own damn standard correctly, and we will be laughed away - after all, Microsoft *IS* the standard, so how could it be incorrect?
And it will all be business as usual...
The whole thing makes me intensely sad. By the way, we had some articles about the Dutch government requiring open formats a while ago. I professed severe scepticism at the time. Let me give you a little update on that one, then: as it is, the new desktops are required to support a very wide range of technologies that can ONLY be fullfilled by having MS Office on MS Windows. So although the government requires open standards, it also requires Active Directory, for example. And guess what they are buying? Yes, that's right: MS Office on MS Windows. But, we are told, in the next round (in 2011 or so), there will definitely be an opportunity for Linux "because in this round we are already ensuring compatibility".
As I said, business as usual.
Re: (Score:2)
They've explicitly committed to supporting it in whatever form it is in if/when ISO approves it.
Re: (Score:2)
So he wants security through obscurity... (Score:3, Insightful)
Anyone who claims that it's more secure to obscure the password in a well known and trivially reversible way instead of simply storing it in plain text is not someone I trust to analyze security.
no kidding, that would make things worse (Score:2)
The word that comes to mind is "dumbass".
I do hope there is an option to have an "ask the user" password. (not stored in file)
Re: (Score:2)
No he doesn't! (Score:2)
Personally, I would require the user to supply the password, or else I would create something where the document was signed cryptographically and presented itself to the database for authentication. I'm sure there are other, better ways of doing this than just "who cares? store it in plain text because we're lazy and don't care!"
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
$2$gJT/A1qk$CyM4Z4UleBaoMyruOx9Ku
Now you may start to guess what pass phrase to use to recover the plain text. Have fun...
Re: (Score:2)
Oh, and your passphrase is:
$2$gJT/A1qk$CyM4Z4UleBaoMyruOx9Ku
I don't understand s
Re: (Score:2)
But Rob Weir didn't make that claim. He just pointed out that plain text passwords were being stored in the document format, and that this is a security risk - which it is. It may be fine in some circumstances - but in all the other ones, where it isn't fine, there is no other mechanism provided by the standard.
Now, if a password were to
Re: (Score:2)
Putting the password in the document file in any form is the problem.
A car analogy is obviously called for. The OOXML standard describes a method for taping your car keys to the driver's side window where your co-worker can easily find them when he wants to take your car for a spin.
There are secure methods of managing passwords, especially in an "Office Suite" environment, but none of these are in MS' bag of tricks.
Personalized database accounts. (Score:2)
There should be *NO* passwords in documents. Period. What you should do is make personalized user accounts in the database for all users that actually require access to this data, then have that username automatically filled in from the logged on user, then prompt the user to type in their own password.
This provides a solid authentication model, will deny all users who have nothing to do with this data to access it, and will also create a personal audit trail.
ps. This is my
Implement first, standardize later. (Score:3, Insightful)
MSOOXML is not standard quality (Score:2, Insightful)
The only reason that this thing is considered in ISO is because Microsoft is being so bullish, trying to defend the monopoly.
Standards are not religons (Score:3, Insightful)
And now for some selective quotations! (Score:3, Funny)
"IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw [...] there were no mistakes on [...] the [...] pages he reviewed."
There. Doesn't that sound better?
Database??? (Score:2)
Am I the only person who's wondering WTF a database connection string is doing in a word processing document?
I'm starting to understand why the spec is 6000 pages long.
Passwords in plain text (Score:2)
Re: (Score:2)
Re: (Score:2)
OOXML approved by NIST (Score:3, Informative)
I hope y'all are gentle with them... (Score:3, Funny)
There are a number of problems with this post (Score:2, Informative)
On the other hand, the statistics used by Rob Weir are shoddy according to my local statistics semi-expert (my girlfriend who finished 2nd year BA stats A. with a perfect 100 score). Specifically his sample is incredibly small: 25 random pages out of a random selection of 200 pages o
Re:Whatever (Score:5, Funny)
Re:Whatever (Score:4, Funny)
Not any more.....
Re: (Score:2)
I don't think payment is necessary though, given enough people in any subset, you'll always be able to find the one that doesn't get it.
Re:Who said said OOXML is a "superb standard" ?? (Score:4, Informative)
It was Miguel de Icaza [wikipedia.org], and he is paid money indirectly from Microsoft since he works for Novell.
One of the reasons I stopped using GNOME, I don't want anything to do with the Mono project.
Re: (Score:2, Insightful)
Re: (Score:3, Informative)
Also, attacks on ones character may not be considered "ad hominem" unless it is being use to refute an argument. This is probably the most co
Um, this is a perfect example of "ad hominem"... (Score:2)
"Rob Weir made the following mistakes in his methodology:
a)
b)
c)
"
Nope. He based his 'argument' on his perception of Rob Weir.
Re:Um, this is a perfect example of "ad hominem".. (Score:2)
He was simply pointing out a potential source of bias. I didn't even really see an argument either. Just an expressed opinion about how much the OP trust the author.
There are much better examples of ad hominem attacks. For example, if the OP had said "Rob Weir is an asshole and can't possibly be right". THAT would be a perfect example of ad hominem
-matthew
Re:Um, this is a perfect example of "ad hominem".. (Score:4, Informative)
One example given by wikipedia is:
Just replace the relevant references with words like IBM, OOXML, etc. and it's basically the same.
Re: (Score:2, Interesting)
"Rob Weir can't be trusted because it's in his best interest for OOXML to fail."
But the spirit of what the OP said was actually closer to this:
"I don't trust Rob Weir, because it's in his best interest for OOXML to fail."
It's actually a pretty big difference. The first statement is a logical fallacy, but the second one is just explaining his personal bias. And keep in mind that the OP specifically stated that Rob Weir "might well be right".
Re: (Score:2)
I do see the point though, since just claiming potential bias is not enough to discredit a source. A potentially biased, or vested, individual can tell the truth as well. To turn your analogy around; a Porsche dealer tells you that this new Porsche is faster than you '68 Bug.
That said, I don't think the g-g-parent was off the mark, nor guilty of committing this informa
Re: (Score:2, Informative)
You started to get it right, but then you fell by the wayside. The entire phrase is argumentum ad hominem which means "argument to the man." It includes any attempt to discredit an argument based on characteristics of the person advancing the argument. In the instant case, the argument goes something like--OOXML should
Re: ad hominem (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
To: [name]@microsoft.com
Re: (Score:2)
Heh, well the short answer is "no".
The long answer is that if I post the contact then it will get out of my control and it's likely that the Microsoft person could get disgusting or threatening emails which, quite honestly, I don't want. As much as I find this Microsoft persons' behaviour as quite repugnant I'm going via the official channels. If I get a satisfactory result via that then I'll be happy. As of yet however I have not received anything that would constitute a sincere apology.
In the meantime
Re: (Score:2)
Oh yeah, and thanks for Docvert
Re: (Score:3, Funny)
Re: (Score:2)
Re:Small bias? (Score:5, Insightful)
Yes his company maybe bias in not wanting the format approved, but does that make what he says less true? The facts speak the truth.
Re: (Score:2)
But it is only fair to understand Microsoft's point of view as well: http://www.microsoft.com/interop/letters/ChrisCapOpenLetter.mspx [microsoft.com]
I have considered both viewpoints. IMO: the OOXML standard is just another msft scam. Msft is continuing to abuse its monopoloy position, and aggress
Who else? (Score:5, Insightful)
At what point has IBM been dishonest? Rob Weir is an employee of IBM. They have a distinct interest in making sure that whatever format is approved, they are able to implement it. Therefore, it is in their best interest to make sure it is a good standard. As they have determined that it isn't a good standard, what should they do? Not talk about it?
The fact that his bias is out in the open is perfectly fine, as is the example you give from Peter Torr. That allows people to judge their statements, and account for possible bias.
The problem with Weir recusing himself is this: nobody else seems to be doing this. Nobody else is standing up to a corrupted process, where the intended and stated results are sidelined for political expediency. If it takes one corrupt company to stand up to another corrupt company, then so be it. At least they are standing up to a corrupt company. (Yes, I'd prefer if neither were corrupt.)
Re: (Score:2)
Re: (Score:2, Offtopic)
Spend five minutes looking at the article and the page it's on. To his credit, it's not something he tries to hide.
Exhibit A: a link in his sidebar to an article which refers to OOXML as "the document format from Hell." [noooxml.org]
Re: (Score:2)
than his "bias" will reflect quality of OOXML format very well.
If something is garbage, it should be said loud and clear.
Re: (Score:3, Funny)
Re:Small bias? (Score:4, Insightful)
So you won't verify anything, or even check, but rather you feel that the exact same thing from someone else would be more true. Essentially, despite the facts, you don't feel the truthiness is sufficient.
By your logic, you may well be right, but you may also just be a shill for Microsoft. I'd be more inclined to believe someone else who didn't have a corporate interesting in picking data points to disparage the argument you'd like to make. Or maybe if you had an argument to make not based on a well-known informal fallacy.
Re: (Score:3, Insightful)
Nobody is asking you to "believe" anything. Bias does not change facts, and it is a fallacy to suggest that he should be a perfectly impartial critic if he is to be taken seriously. If he makes observations of deficiencies in the format they are just as valid as if they were made by Bill Gates himself.
Mod parent up (Score:3, Insightful)
Re: (Score:2)
Stop twisting reality so much, it makes my head hurt.