Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Few of OOXML's Flaws Have Been Addressed

Zonk posted more than 6 years ago | from the digging-under-the-hood dept.

Microsoft 162

I Don't Believe in Imaginary Property writes "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw that was addressed, making the upper bound a paltry 1.5%. Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text. At least there were no mistakes on five of the first twenty five random pages he reviewed."

cancel ×

162 comments

Sorry! There are no comments related to the filter you selected.

Corruption. (5, Insightful)

twitter (104583) | more than 6 years ago | (#22797654)

Why fix flaws when you can buy voters?

Re:Corruption. (2)

Anonymous Coward | more than 6 years ago | (#22798812)

Hey, if the voters are selling cheap, why not?

Re:Corruption. (1, Troll)

twitter (104583) | more than 6 years ago | (#22799376)

Getting caught will make it look like you have nothing good to offer. A worthwhile thing sells itself.

Whatever (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22797698)

You fucking nerd cocksuckers have no idea what you are talking about anyways.

Blah blah FUD bullshit. More of the same from a website that peaked a long time ago.

What "Open" format do you propose, ShitML? You fucking nerds are all the same with your bullshit backed up by no original ideas.

Re:Whatever (5, Funny)

Anonymous Coward | more than 6 years ago | (#22797748)

Ballmer is that you?

Re:Whatever (0)

Anonymous Coward | more than 6 years ago | (#22797796)

I doubt it - the poster repeated "blah" only one time.

Re:Whatever (1)

deepershade (994429) | more than 6 years ago | (#22797816)

Does the poster have a chair?

Re:Whatever (4, Funny)

el cisne (135112) | more than 6 years ago | (#22798198)

"Does the poster have a chair?"

Not any more.....

Small bias? (-1, Troll)

Mongoose Disciple (722373) | more than 6 years ago | (#22797724)

I'm sure, given the history and great love between IBM and Microsoft, that IBM's Rob Weir is completely impartial in evaluating a competing standard.

He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

Re:Small bias? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22797884)

A 100% ad hominem attack on Slashdot gets modded up unquestioned. Who would have thought?

Re:Small bias? (2, Informative)

misleb (129952) | more than 6 years ago | (#22798066)

Man, I'm really getting sick and tired of people abusing the "ad hominem" charge. Ad hom refers specifically to an attack on ones character which is used to discredit an argument. Simply questioning a persons motives and biases is not necessarily an ad hominem attack. It is important to make any potential biases clear. Though in this particular case, I'm not seeing it.

Also, attacks on ones character may not be considered "ad hominem" unless it is being use to refute an argument. This is probably the most common misuse of the term. For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack. It might just mean I think the person is an asshole. It is a valid opinion. It just isn't relevant to any logical argument.

-matthew

Um, this is a perfect example of "ad hominem"... (1)

Joce640k (829181) | more than 6 years ago | (#22798244)

Did the poster say something like, e.g.:

"Rob Weir made the following mistakes in his methodology:
a) ...
b) ...
c) ... ...
"

Nope. He based his 'argument' on his perception of Rob Weir.

Re:Um, this is a perfect example of "ad hominem".. (1)

misleb (129952) | more than 6 years ago | (#22798498)

Nope. He based his 'argument' on his perception of Rob Weir.


He was simply pointing out a potential source of bias. I didn't even really see an argument either. Just an expressed opinion about how much the OP trust the author.

There are much better examples of ad hominem attacks. For example, if the OP had said "Rob Weir is an asshole and can't possibly be right". THAT would be a perfect example of ad hominem

-matthew

Re:Um, this is a perfect example of "ad hominem".. (3, Informative)

vtscott (1089271) | more than 6 years ago | (#22798612)

No, this is a perfect example of an ad hominem attack... This particular type of ad hominem is an ad hominem circumstantial [wikipedia.org] :

Ad hominem circumstantial involves pointing out that someone is in circumstances such that he is disposed to take a particular position. Essentially, ad hominem circumstantial constitutes an attack on the bias of a person. The reason that this is fallacious in syllogistic logic is that pointing out that one's opponent is disposed to make a certain argument does not make the argument, from a logical point of view, any less credible; this overlaps with the genetic fallacy (an argument that a claim is incorrect due to its source).

One example given by wikipedia is:

Tobacco company representatives should not be believed when they say smoking doesn't seriously affect your health, because they're just defending their own multi-million-dollar financial interests.

Just replace the relevant references with words like IBM, OOXML, etc. and it's basically the same.

Re:Um, this is a perfect example of "ad hominem".. (0)

clampolo (1159617) | more than 6 years ago | (#22799064)

This is why so many people look down on philosophy: it runs counter to common sense.

Following this train of logic, when I'm buying a new car I should ignore that the salesman only makes money if he sells me a car. So when he's busy telling me that the 1982 Volkswagon he's trying to sell me could out-accelerate a Porsche, I should just treat it as an impartial opinion

The poster is completely correct in pointing out that an IBM representative has an inherent bias against a Microsoft standard and it's wrong to label his post as a flame.

Re:Um, this is a perfect example of "ad hominem".. (1)

Omestes (471991) | more than 6 years ago | (#22799504)

I wouldn't blame this one on the discipline of philosophy, as it is an informal fallacy. I would put this more into the area of rhetoric.

I do see the point though, since just claiming potential bias is not enough to discredit a source. A potentially biased, or vested, individual can tell the truth as well. To turn your analogy around; a Porsche dealer tells you that this new Porsche is faster than you '68 Bug.

That said, I don't think the g-g-parent was off the mark, nor guilty of committing this informal fallacy. Pointing out potential bias isn't the same as discrediting someone for the same potential bias. The contested statement basically said "we should pay a wee more attention than we would, because IBM has a history of collaborating with Microsoft", this is not discrediting IBM, but just warranting caution in accord with inductive reasoning (it has been often previously observed that).

Re:Um, this is a perfect example of "ad hominem".. (2, Interesting)

Skrapion (955066) | more than 6 years ago | (#22799574)

Here's the difference, though. You're assuming the OP said:

"Rob Weir can't be trusted because it's in his best interest for OOXML to fail."

But the spirit of what the OP said was actually closer to this:

"I don't trust Rob Weir, because it's in his best interest for OOXML to fail."

It's actually a pretty big difference. The first statement is a logical fallacy, but the second one is just explaining his personal bias. And keep in mind that the OP specifically stated that Rob Weir "might well be right".

Re:Um, this is a perfect example of "ad hominem".. (0)

Anonymous Coward | more than 6 years ago | (#22800146)

Yeah, except that's Wikipedia and I just wrote that entire thing myself on a guess...

or did I? Do you really know?

Re:Small bias? (0)

Anonymous Coward | more than 6 years ago | (#22798504)

Can you read?

"He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw."

translated ,

"His argument may be valid, but I am doubting it because of who he is."

Re:Small bias? (1)

dedazo (737510) | more than 6 years ago | (#22798536)

I am doubting it because of who he is

No, he is doubting it because of what he is.

Re:Small bias? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22799236)

The article says that the data was randomly selected, right? So if you want to suggest selection bias, a first step would be to show that the page umbers were indeed not random.

Re:Small bias? (2, Informative)

LoyalOpposition (168041) | more than 6 years ago | (#22798614)

Ad hom refers specifically to an attack on ones character which is used to discredit an argument. Simply questioning a persons motives and biases is not necessarily an ad hominem attack.

You started to get it right, but then you fell by the wayside. The entire phrase is argumentum ad hominem which means "argument to the man." It includes any attempt to discredit an argument based on characteristics of the person advancing the argument. In the instant case, the argument goes something like--OOXML should be rejected if it's a bad standard. OOXML is a bad standard because it has many shortcomings that haven't been addressed. Therefore OOXML should be rejected. Mongoose Disciple chose not to dispute any of the premisses of the argument or the inference, but rather to claim that Rob Weir stands to gain if the conclusion is accepted. Thus Mongoose Disciple presented us with an excellent example of an argumentum ad hominem.

Also, attacks on ones character may not be considered "ad hominem" unless it is being use to refute an argument. This is probably the most common misuse of the term. For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack.

Completely correct. However, it's irrelevant to the instant argument.

-Loyal

Re: ad hominem (2, Interesting)

ozbird (127571) | more than 6 years ago | (#22798784)

You mean like the slur [nzoss.org.nz] made by a Microsoft employee against a Standards New Zealand representative?

Re:Small bias? (2, Funny)

pembo13 (770295) | more than 6 years ago | (#22797912)

Sucks that you can't read the article and assess the level of the bias he displays for yourself.

Re:Small bias? (0)

Mongoose Disciple (722373) | more than 6 years ago | (#22797984)

Sucks that you can't read the article and assess the level of the bias he displays for yourself.

I did. He's not shy about his hatred and utter contempt for OOXML and all things Microsoft.

Which, fine, he's entitled to his opinion, but I'm not dumb enough to think that his pseudo-scientific Nth post about why OOXML is trash is less biased than the (N-1)th post.

Re:Small bias? (1)

setagllib (753300) | more than 6 years ago | (#22798684)

Ah, but can you prove it via induction? :)

Re:Small bias? (0)

Mongoose Disciple (722373) | more than 6 years ago | (#22799152)

I sure wish "Overrated" mods had to face meta-moderation. It's not "-1, Disagree", and I'm not posting anything that isn't completely obvious to anyone who RTFA.

Cowardice around here isn't always limited to posting anonymously, I guess.

Re:Small bias? (0)

Anonymous Coward | more than 6 years ago | (#22799528)

Your post, in lolcat form:
"lol biased man is biased" (insert kitteh picture here)

Why on earth would you think you *deserve* to be highly rated for your post? If it's completely obvious, it's (-1, Redundant). Also, it's a tangent that ignores the facts of the matter, thus (-1, Offtopic). Not to mention, you seem to be taking Microsoft's side, which would be (-1, Flamebait). The only appropriate mod that addresses all the problems with the post you graced us all with is (-1, Overrated).

Re:Small bias? (5, Insightful)

cyxs (242710) | more than 6 years ago | (#22797954)

Everyone has a bias but if he gives you the information that he used to form his opinion about something then you can read what he says and what he did and form your own opinions. He is giving detailed examples of what he found. He isn't just say "Everything is fine" or "They have WMD", he is giving how he comes to his opinion and showing you the facts.

Yes his company maybe bias in not wanting the format approved, but does that make what he says less true? The facts speak the truth.

Double plus bias (1, Insightful)

dedazo (737510) | more than 6 years ago | (#22798678)

Whenever this comes up here I always get a big chuckle because IBM is just doing what it does best (much like Microsoft), except that they've amusingly managed to do it completely out in the open. So while Rob Weir might be nothing more than a shill, he actually admits he's a shill by virtue of being a full-time salaried employee of IBM, a company that just happens to be offering a range of products (including an office suite) that compete with Microsoft Office. Everyone else just puts their fingers in their ears and goes la-la-la-la-la.

Remember Peter Torr? He wrote a blog post [msdn.com] not long after Firefox hit 1.0 where he questioned why the Firefox installer was not digitally signed. What he said was completely true - so true in fact that not long after that Mozilla started signing the installer. That didn't prevent few thousand raving lunatics from descending on his blog and calling him a shill and an idiot. To paraphrase you, yes his company maybe bias in not wanting the [browser to succeed], but does that make what he says less true? The facts speak the truth.

So essentially we have situations where the source of income and ulterior motives of one person should not be questioned because the topic is unpopular and everybody knows he must be right. On the other hand we have people whose motives *must* be automatically questioned solely because of their source of income and ulterior motives.

The truth is that Weir should have recused himself from all this a long time ago. That he hasn't done that tells you a lot about him and his employers.

You might argue that Microsoft had all this coming. You might argue that OOXML is not a good standard. You might argue a lot of things, but none of them make IBM's conduct in all this (including the whole ISO thing) any less dishonest.

Re:Small bias? (1)

misleb (129952) | more than 6 years ago | (#22797956)

Just because there's no love between MS and IBM as corporations doesn't mean that an IBM employee can't do an unbiased assessment. Also, it isn't like IBM is trying to compete directly with OOXML or something. So what's the basis for this suggestion of bias?

Re:Small bias? (1, Offtopic)

Mongoose Disciple (722373) | more than 6 years ago | (#22798006)

So what's the basis for this suggestion of bias?

Spend five minutes looking at the article and the page it's on. To his credit, it's not something he tries to hide.

Exhibit A: a link in his sidebar to an article which refers to OOXML as "the document format from Hell." [noooxml.org]

Re:Small bias? (1)

octopus72 (936841) | more than 6 years ago | (#22798690)

If that kind of statement is drawn from a detailed review of the documentation,
than his "bias" will reflect quality of OOXML format very well.

If something is garbage, it should be said loud and clear.

Re:Small bias? (2, Funny)

setagllib (753300) | more than 6 years ago | (#22798734)

What's wrong with publicly stating the religious body backing OOXML development? Microsoft is very fortunate to have so much support from Hell. Why, if they had to supply their own evil or go through commercial channels, the global evil reserves would dry up overnight.

Re:Small bias? (0)

Anonymous Coward | more than 6 years ago | (#22798740)

See the comment above [slashdot.org] about "ad hominem".

For example, I can call someone an asshole and it wouldn't necessarily be an "ad hominem" attack. It might just mean I think the person is an asshole. It is a valid opinion. It just isn't relevant to any logical argument.

In the same way, his calling OOXML names has no bearing on the logical validity or lack thereof of his arguments.

Re:Small bias? (3, Insightful)

oGMo (379) | more than 6 years ago | (#22798100)

He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

So you won't verify anything, or even check, but rather you feel that the exact same thing from someone else would be more true. Essentially, despite the facts, you don't feel the truthiness is sufficient.

By your logic, you may well be right, but you may also just be a shill for Microsoft. I'd be more inclined to believe someone else who didn't have a corporate interesting in picking data points to disparage the argument you'd like to make. Or maybe if you had an argument to make not based on a well-known informal fallacy.

Re:Small bias? (2, Insightful)

rhizome (115711) | more than 6 years ago | (#22798600)

He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

Nobody is asking you to "believe" anything. Bias does not change facts, and it is a fallacy to suggest that he should be a perfectly impartial critic if he is to be taken seriously. If he makes observations of deficiencies in the format they are just as valid as if they were made by Bill Gates himself.

Re:Small bias? (0)

Anonymous Coward | more than 6 years ago | (#22799482)

Everything has deficiencies. You present the deficiencies and ignore all positive points and now your factual analysis is worthless because it doesn't lead to any reasonable conclusion.

Mod parent up (2, Insightful)

shrikel (535309) | more than 6 years ago | (#22800134)

I find it unfortunate that so much of public debate today has degenerated into a knee-jerk contest. "Oh, that guy works for X company, so he cannot possibly have a good point." When did people decide that thoughtful analysis of articulate, well-composed arguments is unnecessary to reaching a good understanding? Who can better speak out for a product/idea/standard/whatever than those who are most passionate about its qualities (i.e. its developers, backers, etc)? Who can better point out its flaws than those who are most motivated to FIND and EXPOSE those flaws?

Arguments should be accepted based on their validity and their accuracy. What if Einstein (or any other scientist, for that matter) were not allowed to defend his own theories?

Office 2007 (4, Interesting)

number6x (626555) | more than 6 years ago | (#22797738)

Do any of these flaws exist in Office 2007?

If not, why are they in the OOXML proposed standard. If the standard does not describe the OOXML format used by Microsoft, then what does it describe?

Why can't they just document the format that they use and get this over with? Or are they doing all this for show, and there is no real substance in OOXML?

Re:Office 2007 (4, Insightful)

corsec67 (627446) | more than 6 years ago | (#22797800)

Or are they doing all this for show, and there is no real substance in OOXML?

The reason MS is bothering with ISO is because a few places have started to require that documents be stored in an ISO defined format.

The problem is that having a true ISO defined format means that you open yourself up to competition, so MS wants to get their format defined as ISO certified without allowing any competition.

Re:Office 2007 (5, Interesting)

TropicalCoder (898500) | more than 6 years ago | (#22798418)

You'll remember Stéphane Rodriguez who gave us Microsoft Office XML formats? Defective by design [blogspot.com] back in August, 2007?

Since then, in February, 2008 he produced The truth about Microsoft Office compatibility [blogspot.com] and Typical B.S. in technical articles about OOXML [blogspot.com] and now Bad surprise in Microsoft Office binary documents : interoperability remains impossible [blogspot.com] Thursday, March 13, 2008.

These blogs are at the same level of depth as Rob Weir's latest blog, and demonstrate that Microsoft's policies as detailed below continue to this day.

From OOXML is defective by design...

"Mr Bill Gates in person sent in 1998 a memo to the Office product group (led by Steven Sinofsky at the time), memo undisclosed to the public thanks to the IOWA consumer case :"

From: Bill Gates

Sent: Saturday, December 5 1998

To: Bob Muglia, Jon DeVann, Steven Sinofsky

Subject : Office rendering

One thing we have got to change in our strategy - allowing Office documents to be rendered very well by other peoples browsers is one of the most destructive things we could do to the company.

We have to stop putting any effort into this and make sure that Office documents very well depends on PROPRIETARY IE capabilities.

Anything else is suicide for our platform. This is a case where Office has to avoid doing something to destroy Windows.

I would be glad to explain at a greater length.

Likewise this love of DAV in Office/Exchange is a huge problem. I would also like to make sure people understand this as well.

-----------


Clearly the word is getting out about the problems in OOXML. Stéphane Rodriguez notes at the bottom of OOXML - Defective by design:

Update : this article was Slashdotted on Sunday 26 of August.

Update2 : this article is taking 300,000 hits a day, and is making it all around the world in all kinds of sites. My web host provider was so angry at the peak in traffic that he threatened to cut me off, so I had to redirect to a blog site such as Google's blogger to host the article.

Update3 : wednesday august 29, added a new section on Document security

Update4 : friday august 31, added more content to sections US English and Windows dates

Update5 : sunday september 2, added a quick comparison between ODF and ECMA 376

ISO 8859 (1)

jbeaupre (752124) | more than 6 years ago | (#22798550)

Heck, isn't just about everything stored in ISO 8859? I actually thought it was the same as ASCII until reading this: http://kb.iu.edu/data/ahfr.html [iu.edu] .

There's your ISO right there! Oh, format ... right ...

Re:Office 2007 (1)

Naughty Bob (1004174) | more than 6 years ago | (#22797820)

Let's not look a gift horse in the mouth. If MSFT had corrected the flaws, they'd probably be able to crowbar their 'standard' through the relevant hoops.

As it is, a true, open, unencumbered standard will instead prevail.

Re:Office 2007 (4, Insightful)

peragrin (659227) | more than 6 years ago | (#22798172)

If MSFT fixed the flaws with OOXML then there wouldn't be a problem.

it's not that OOXML is bad, it is that OOXML is broken and MSFT is trying to ram it through anyways. there is nothing there that can't be fixed. MSFT however doesn't want it fixed because OOXML 2010 is just around the corner and it won't be the same as OOXML 2007. Also OOXML 2010 becomes a defaco standard even though it isn't ISO certified since it is marketed as OOXML.

this is how MSFT works if you don't know this then go back and look at the past 30 years of how MSFT treats it's customers, vendors, and slaves.

Re:Office 2007 (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22798524)

Even if they fixed the flaws in the standard, they would not fix them in Office. They would still claim to support an open standard. Competitors would still have to support the actual format, rather than the one defined in the standard.

Re:Office 2007 (1)

Naughty Bob (1004174) | more than 6 years ago | (#22798952)

If MSFT fixed the flaws with OOXML then there wouldn't be a problem.
Pop quiz, hot shot! Reconcile your statement above with your statement below.

this is how MSFT works if you don't know this then go back and look at the past 30 years of how MSFT treats it's customers, vendors, and slaves.
For bonus points, explain how what you say is a reply to my post.

Standards need to be open, unencumbered by patents, and as easy to implement by third parties as they are by the originators. MSFT has failed in these basic requirements.

Re:Office 2007 (0)

Anonymous Coward | more than 6 years ago | (#22799378)

it's not that OOXML is bad,

Jury is still out regarding that part. But OOXML definitely is unnecessary: there is already OpenDoc (OOo) which is a standard that is implemented and supported by multiple vendors, and seems to do rather good a job in what it's meant to do. Really, it's one of better document format standards I have read through (and this was 4 years ago or so, which means it has had chance to further mature). It's implement by almost _all_ vendors, save one big one...

So here's hoping that OOXML will get recognized obsolete as it is.

Re:Office 2007 (5, Insightful)

Basilius (184226) | more than 6 years ago | (#22797848)

There are no existing implementations of the proposed OOXML standard, so whether Office 2007 has the same defects or not is sort of irrelevant. MSFT has stated that they will not be implementing the standard as proposed, but will be going a different direction. And, given the nature of parts of the standard, nobody BUT Microsoft can fully implement it.

The mere fact that there ARE no implementations of OOXML, however, should be a giant, florescent, waving red flag. No standards body should adopt a standard that cannot and will not be implemented by the proposers.

Re:Office 2007 (3, Insightful)

belmolis (702863) | more than 6 years ago | (#22797932)

Indeed. And the lack of existing implementations makes OOXML all the more inappropriate for the fast track process, which is intended for existing de facto standards, meaning (a) widely implemented and (b) with broad consensus in the relevant field.

Re:Office 2007 (1)

prshaw (712950) | more than 6 years ago | (#22798346)

>> The mere fact that there ARE no implementations of OOXML, however, should be a giant, florescent, waving red flag.

Using this logic C++ would never have become the language it is today. It may never have become a language at all.

Re:Office 2007 (1)

flymolo (28723) | more than 6 years ago | (#22797874)

Some of these are flaws in the specification. Like not explaining ranges or the description of a field being a URL, but the type any string. It comes down to the spec was written post hoc, and Office 2007 probably isn't run through a spec compliance test suite.

The database connection flaw may not be in Office either, because Office may force System DSNs rather than real connection strings.

Re:Office 2007 (2, Insightful)

UnknowingFool (672806) | more than 6 years ago | (#22797962)

As far as I know even Office 2007 can't do OOXML well.

Who said said OOXML is a "superb standard" ?? (1)

Dara Hazeghi (1076823) | more than 6 years ago | (#22797740)

I can't remember that guy's name , but it just occurred to me that Microsoft could have paid him big $$$ to say that. Think about it... a highly respected member of the open source community says that OOXML is a superb standard! What a great way to garner support! Think it's not possible? We know that Microsoft heavily bribed all the banana republics that joined ISO as voting members.

Re:Who said said OOXML is a "superb standard" ?? (1)

Naughty Bob (1004174) | more than 6 years ago | (#22797868)

It was Miguel 'The Mexican quisling' de Icaza.

I don't think payment is necessary though, given enough people in any subset, you'll always be able to find the one that doesn't get it.

Re:Who said said OOXML is a "superb standard" ?? (3, Informative)

pipatron (966506) | more than 6 years ago | (#22797952)

It was Miguel de Icaza [wikipedia.org] , and he is paid money indirectly from Microsoft since he works for Novell.

One of the reasons I stopped using GNOME, I don't want anything to do with the Mono project.

He is not involved in GNOME anymore (0)

Anonymous Coward | more than 6 years ago | (#22799090)

see title.

huh? (4, Interesting)

trybywrench (584843) | more than 6 years ago | (#22797764)

This may be off topic but why exactly are there database connection strings in a document format?

Re:huh? (4, Informative)

Shados (741919) | more than 6 years ago | (#22797858)

Because people actually do work with Office Suites, and they are an integral part of the workflow and ecosystem of significant companies IT.

For example, a spreadsheet is often the favored client for an OLAP system, and complex spreadsheets will get reused a lot, so connection strings may be part of the overall "application" that the document has become.

People like me and (probably) you tend to use documents as just that: documents. But in the big boy's world, they're far more important than that.

Re:huh? (2, Informative)

RobBebop (947356) | more than 6 years ago | (#22798230)

But in the big boy's world, they're far more important than that.

I acknowledge that hooking documents into databases to subvert them into workflow process template beasties is a common practice, but I think the simple question "Why are there database passwords in the document?" kind of highlights that this is a bad practice.

If security is a concern, "Document Applications" are a mistake.

This also violates the (good) Model/View/Controller [wikipedia.org] software architectural model by kludging the view and controller together in the same product. And - despite claims that it cuts development time in half and saves a business money - it is a disaster to maintain and costs significantly more to re-write when opportunities to upgrade to better Office Productivity Suites arise.

Unless you WANT to periodically rewrite your companies homespun IT applications, you should probably avoid hitching your Office Documents to Databases.

Re:huh? (1)

Simon (S2) (600188) | more than 6 years ago | (#22798454)

This also violates the (good) Model/View/Controller software architectural model by kludging the view and controller together in the same product.

No, not really. Think a simple mailmerge with data from the database. There is no Controller, only a model (the DB) and the View (the document). You fetch the data from the database and mailmerge it.

Re:huh? (2, Interesting)

RobBebop (947356) | more than 6 years ago | (#22798714)

This also violates the (good) Model/View/Controller software architectural model by kludging the view and controller together in the same product.

No, not really. Think a simple mailmerge with data from the database. There is no Controller, only a model (the DB) and the View (the document). You fetch the data from the database and mailmerge it.

Yes, I have read that a compelling reason to stick to Microsoft Office is the ability to Mailmerge, which is fine. I have never gone through the hoops to perform a Mailmerge, so bare with me. My belief is that the whole purpose to send the date (in the database) through the document (which is the controller) to a printer (where it can be viewed). This simple/trivial application actually does separate Data/View/Controller.

Saying there is no controller is like saying there is no spoon. Just because it is disguised amongst the cruft of a larger, more complicated application doesn't mean it isn't there.

Re:huh? (1)

trybywrench (584843) | more than 6 years ago | (#22798354)

For example, a spreadsheet is often the favored client for an OLAP system, and complex spreadsheets will get reused a lot, so connection strings may be part of the overall "application" that the document has become.

I guess so but i figured the document itself would name the data resources it needs and it would be up to the application to actually connect and retrieve the data. I wonder if the document itself can initiate a connection and execute a command. It basically does a "select" to pull data in, can it do a "drop" as well? Seems it wouldn't be hard to put something together that appends a 'drop table' to the document. ..maybe this is the root of all the office macro security issues, i have no idea, these kinds of integrated documents aren't my specialty obviously.

Re:huh? (0)

Anonymous Coward | more than 6 years ago | (#22799078)

Using VB, VBA, and now .NET, anything the user can do, the code in the worksheet can do. It defaults to not running them in the newer versions of Office, but that can be easily bypassed by the user turning off all the warnings. Create a filesystem object, and start deleting stuff. Create a database object and start screwing with the data. This is fairly useful for a lot of people, but it has lots and lots and lots of drawbacks involving malicious programs and such. At my office, we do road/bridge/building work. The easiest way to keep track of things like rebar/conduit/water pipe/etc in a design is to store it in a database and use excel to import/export the data, calculate quantities, create summaries of quantities and then display them on our drawings.

Re:huh? (0)

Anonymous Coward | more than 6 years ago | (#22799406)

That would make sense, wouldn't it? A credential vault associated with the application, separate from the document. Otherwise you are mixing database credentials with mobile documents and code on an application platform which is periodically attacked by macro viruses on a global scale.

Re:huh? (0)

Anonymous Coward | more than 6 years ago | (#22797866)

Because MSSQL Server connection strings are too big to be memorized.

Re:huh? (2, Informative)

jfclavette (961511) | more than 6 years ago | (#22797870)

They're there for data bindings to databases, which can be used for anything from mass mailing clients to generate a list of items with pricing.

I'd be interested in what is the alternative to storing them in plaintext in the document format. See, the database is going to be wanting that password, and it must be stored somewhere in the document in a stand-alone way or remembered by the user. If you encrypt it, you need to provide the keys in the same document or use a constant well-known key across all instance of the software. Hardly good security. The users might be willing to remember them, and I'm sure that's an option. In a lot of instances, credentials stored as plaintext with read-only permissions on specific tables is a fine solution, and you can do the security at the file access rights level. I would hardly call that a 'security hole'.

Re:huh? (1)

Ed Avis (5917) | more than 6 years ago | (#22797934)

+1

It is not a security flaw to store passwords in plain text - or at least, 'encrypting' them with some fixed algorithm gives no security benefit. At best it's security through obscurity.

In fact, it's surprisingly sensible of Microsoft to recognize this, given the 'compressible encryption' and other non-security security nonsense they provide in other products.

Not how should it be done, but why it shouldn't be (1)

g2devi (898503) | more than 6 years ago | (#22798400)

I think you're missing something important. The document format should not store this information at all -- it's the job of the keyring password manager. The document may define an alias for the database connection string, but it shouldn't provide the actual connection details since that would be a security hole.

Look at it from another angle. Imagine that I need to connect to the database using the connection string, a@mycompany.com:mypass. I send you the document, but you're on another network. You don't see my database, but you do see a proxy database that maps to my database, so the proper connection string would be: b@proxyserver:mypass2. If we send each other the document, we'll be in an edit war. Every time you get the document, you'll want to change it to your password and every time I get it, I'll change it to mine. If however, we leave it up to the keyring manager, there's no problem.

Re:Not how should it be done, but why it shouldn't (1)

jfclavette (961511) | more than 6 years ago | (#22798672)

Not a bad idea but now you need to graft a standard interface to a keyring password manager in the standard. Is it worth it ? Like has been mentionned in other posts, it is very possible to attain more security trough relying on Kerberos or Active Directory for authentication and that's trivially implemented with a custom connection string. My point is merely that I consider it a 'less secure but more practical option for the little guy', not a security vulnerability. It's a viable option when your data's not exactly national secrets.

Re:huh? (1)

Simon (S2) (600188) | more than 6 years ago | (#22798412)

I'd be interested in what is the alternative to storing them in plaintext in the document format.

We use Kerberos to authenticate the user with the database, and something like Row Level Security or/and Database Roles for authorization on the actual data. That's actually the only secure way I know of (and that I use) to connect to a database from an office document.

Re:huh? (1)

Rich0 (548339) | more than 6 years ago | (#22798548)

I think it depends on your needs. If the access is read-only and the data isn't sensitive then the embedded string isn't a problem.

I'd say that in my experience users actually having accounts on database servers is pretty uncommon. Most applications just connect to the database using an obfuscated password, or they have a business-logic tier that does the data manipulation.

I agree completely that single-user database accounts are far more secure, but they can be a lot more difficult to maintain and as a result they don't get used much.

Re:huh? (1)

Simon (S2) (600188) | more than 6 years ago | (#22799022)

I'd say that in my experience users actually having accounts on database servers is pretty uncommon.

I agree. Usually users in an enterprice are stored on an LDAP server.

Most applications just connect to the database using an obfuscated password, or they have a business-logic tier that does the data manipulation.

That's also true, but in a sane environment you have your users/accounts on an LDAP server and Authenticate them against it (usually with Kerberos tickets).

ctrl+c ctrl+v from Oracle Security and Identity Management:
"If your infrastructure is like most, you have an LDAP server that stores your user identities, roles and privileges for the purpose of authenticating your users against their application. The LDAP server also gives you a place to centrally manage your users and the ability to apply a consistent security policy to all of your applications. The LDAP server also gives you the ability to easily delegate administration tasks to others.
Traditionally, database authentication is done by creating database schema users in the database itself. These schema users have their user identities, passwords, roles and privileges stored in the database. When the user logs into the database either directly using SQLPlus or through some application, the users credentials and privileges are checked inside the database. This model creates fragmented administrative control of users that access their applications. Every database you have creates a new administrative management point and a potential for fragmented administration and security policies in your corporate infrastructure.
A better model would be to have these users created as "Enterprise Users" in the OID LDAP server. This model allows you to have your users authenticate against the LDAP server and to apply a consistent security policy for all of your users accessing your databases and database applications. It is also an easier way of managing users and their access to applications. This model also limits the number database schema user accounts in the database to just those that are actually administering the database."

Re:huh? (0)

Anonymous Coward | more than 6 years ago | (#22797888)

It certainly is on-topic. If you have ever dug around through a Microsoft API, you will be surprised by the amount of obscure or redundant features. I would expect unusual things to be found in a format created in Redmond.

(note: not trying to be flame bait, I'm sure the other guys have bloat. I just see an unusually large amount of bloat when doing programming work with Microsoft technology on my windows box)

Re:huh? (1)

Yetihehe (971185) | more than 6 years ago | (#22797894)

Just in case you need to pull data from database to calculate some data in your document (for example presentation which shows a list of current clients, not list of clients available at the moment of making this presentation).

Plaintext passwords (0)

Anonymous Coward | more than 6 years ago | (#22797806)

They're stored in plaintext.

So what?

http://developer.pidgin.im/wiki/PlainTextPasswords [pidgin.im]

The fact that it's plaintext is meaningless. If the computer is encrypting them and can decrypt them for use, they're as good as plaintext anyway.

There isn't even security through obscurity. Seriously.

enough is enough (4, Interesting)

BroadbandBradley (237267) | more than 6 years ago | (#22797900)

how long will it take people to shrug off this death grip of MS and realize that it's costing billions in productivity? I received an XLS file of contacts yesterday and I figured I'd try using Outlook to import it into an address book so I could then sync to other things like Gmail. Outlook choked and recommended assigning values to the columns using another MS product - MS Excel. SO, I saved the file as CSV, and imported using Thunderbird which gave me an easy dialog to match up name,email, phone, website..and so on. Worked great! then I used thunderbird to open the second file and it remembered the previous adjustments and everything was already lined up! Awesome stuff and I wasn't prompted to buy any other products!

I'm seriously considering wiping all the PC's in my office and advising the staff to just learn Ubuntu to avoid this whole MS deathgrip. None of the staff are advanced users except my web guy who codes in a text editor anyhow. FMS.

test (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22797924)

test

Re:test (0, Funny)

Anonymous Coward | more than 6 years ago | (#22797964)

failed

What's the point? Who is going to follow this? (3, Insightful)

pembo13 (770295) | more than 6 years ago | (#22797960)

As I understand it, Microsoft isn't going to follow this standard. If Microsoft isn't going to follow this standard, then it is useless for OpenOffice, NeoOffice, KOffice, etc. to follow this standard. Or is this going to be for Office 2k10 or something?

Re:What's the point? Who is going to follow this? (4, Insightful)

MLCT (1148749) | more than 6 years ago | (#22798590)

MS doesn't care about anyone following it (since even they themselves aren't going to). All they are doing it for is so they can claim that MS Office uses an open ISO standard, OOXML (even though it won't use the ISO passed standard) so that governments, businesses and buyers are not scared away from their products.

As with everything MS does it is all about control and money. They have observed the fights that took/are taking place at various governmental and state levels over the mandatory use of an open standard - and they see that it is a threat to their monopoly, hence they have strategised to nullify the problem without giving up any of their control. The whole thing is a rate 10 sham. And if anyone ever wants to know why a lot of people don't trust MS then this is a perfect example of it - the process and the mockery they are making of it is frankly satirical.

Re:What's the point? Who is going to follow this? (0)

Anonymous Coward | more than 6 years ago | (#22799748)

I still don't get it. Right now, MS doesn't support an ISO certified standard, and they are trying to get an ISO certificate for OOXML. If they manage to do that, since they don't support OOXML nor plan to, they still won't support any ISO certified standard. So, what's the point? They can as easily claim "hey, we support ODF, and it's ISO certified" while twiddling their thumbs.

So he wants security through obscurity... (2, Insightful)

Rakishi (759894) | more than 6 years ago | (#22798018)

Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text.
And how will the format magically produce the plain text password again when the database asks for it... oh wait it can't unless it's easily recoverable in plain text form. It's also not like the "encryption" mechanism would be documented and it's not like someone would have to read that very documentation to know even where the password is stored... oh wait.

Anyone who claims that it's more secure to obscure the password in a well known and trivially reversible way instead of simply storing it in plain text is not someone I trust to analyze security.

no kidding, that would make things worse (1)

r00t (33219) | more than 6 years ago | (#22798192)

It adds complexity, which is generally bad for security, and makes the format harder to understand, which is also bad.

The word that comes to mind is "dumbass".

I do hope there is an option to have an "ask the user" password. (not stored in file)

Re:So he wants security through obscurity... (1)

tigre (178245) | more than 6 years ago | (#22798956)

The one thing it does help prevent is accidental disclosure of passwords. If the contents of the file are exposed, but not the key to unobfuscating the contents, then there is a significant security benefit.

Re:So he wants security through obscurity... (0)

Anonymous Coward | more than 6 years ago | (#22799014)

And how will the format magically produce the plain text password again when the database asks for it...
It could prompt for another password that could be used to decrypt the database password or the entire connection string. Not providing an option to do so is a clear flaw in the format.

No he doesn't! (1)

Xenographic (557057) | more than 6 years ago | (#22799286)

You're putting words in his mouth. He never recommended obfuscation as a "fix" for this issue, now did he? That was YOUR idea.

Personally, I would require the user to supply the password, or else I would create something where the document was signed cryptographically and presented itself to the database for authentication. I'm sure there are other, better ways of doing this than just "who cares? store it in plain text because we're lazy and don't care!"

Re:So he wants security through obscurity... (1)

Mista2 (1093071) | more than 6 years ago | (#22799626)

If you don't want to use password for authentication, then you'd need to support certificates, but I don't think ODBC in windows can do this, so I guess it's not in MS's format. Certificates could also be minted and added to the document and then used to encrypt the password using PGP or similar, but MS continues down the x.400 certificate route meaning getting signed certs is expensive, or you have to set up a PKI infrastructure. Makes it harder. Nothing about adding security is simple or without complexity 8) Hell MS managed to encrypt WMA, and all the HD video content in memory, and then use tilt-bits to detect tampering in video drivers, but I guess it would be too much to ask for them to protect my data as well as Hollywoods.

Re:So he wants security through obscurity... (1)

BlueParrot (965239) | more than 6 years ago | (#22800098)

Here's the encrypted key to one of my documents. It is stored in the document itself:

$2$gJT/A1qk$CyM4Z4UleBaoMyruOx9Ku

Now you may start to guess what pass phrase to use to recover the plain text. Have fun...

Implement first, standardize later. (2, Insightful)

colmore (56499) | more than 6 years ago | (#22798196)

Did we learn nothing from the 80s and early 90s? If you write the standard first, you're going to get the kitchen sink. Engineer a good system, then standardize it. Nothing sands the sharp edges like the real world.

MSOOXML is not standard quality (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22798276)

During the BRM is has been shown that MSOOXML is not up to the quality for an international standard.

The only reason that this thing is considered in ISO is because Microsoft is being so bullish, trying to defend the monopoly.

Standards are not religons (3, Insightful)

surfingmarmot (858550) | more than 6 years ago | (#22798342)

Yet a lot of people treat them that way like this Slash Dot commenter: "He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw." Just why is that rated a 5? It is NOT about belief, but more about science--either the facts and peer review support Mr. Weir or they don't. Apparently they do and in Spades. The majority of "yes" votes on this "standard" are by Microsoft partners who have a vested interest in a dingle vendor, single application (the only full implementation read and write) solution they sell products and services for and can lock in business. Sure IBM is a commercial organization with a checkered past, but they don't own completely open ODF so they aren't doing this for gain. they jsut want a level playing field for formats. And it is a great idea.

And now for some selective quotations! (2, Funny)

peacefinder (469349) | more than 6 years ago | (#22798598)

OOXML's Flaws Have Been Addressed

"IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw [...] there were no mistakes on [...] the [...] pages he reviewed."

There. Doesn't that sound better? :-)

Database??? (1)

DoofusOfDeath (636671) | more than 6 years ago | (#22798970)

OOXML stores passwords in database connection strings in plain text.

Am I the only person who's wondering WTF a database connection string is doing in a word processing document?

I'm starting to understand why the spec is 6000 pages long.

Passwords in plain text (1)

bluefoxlucid (723572) | more than 6 years ago | (#22799068)

How the hell would YOU store passwords? With an encrypted text using a fixed key? Or with a randomly generated key stored in the file (key union ciphertext == plaintext)? Or maybe use an NTLMv2 hash that connects ONLY to a proprietary database (MSSQL) with a proprietary setting, which you can happily replay (we call this a secondary password...)? The only solution is to password-lock the file and use the password to encrypt a master key that encrypts A) the whole file; or B) a master password list embedded in the file. Neither of these will satisfy point-and-click easy access requirements; and if you implement (B) the password becomes common knowledge among many individuals (bad).

Re:Passwords in plain text (1)

SCHecklerX (229973) | more than 6 years ago | (#22799186)

If the doc requires a connection to a database, surely requiring a connection to a standard authentication mechanism (kind of like how firefox does it if you assign a master password for your stored passwords). Yes, a PITA, and maybe silly, but no more so than allowing a word processor document to connect to a database in the first place.

Re:Passwords in plain text (1)

bluefoxlucid (723572) | more than 6 years ago | (#22799700)

Yes, but then the auth mechanism would require all kinds of things, an encryption key for each user, etc.. it's a hard problem.

Financial blogs getting heavily shilled (0)

Anonymous Coward | more than 6 years ago | (#22799178)

Take a few minutes off of Slashdotting to look here [seekingalpha.com] . IMHO, Dennis Byron [seekingalpha.com] is a one-man Microsoft promotion machine, specializing in OOXML. He sometimes writes on the same blog as "Research 2.0" [seekingalpha.com] , going so far as occasional visits to the make-believe world of SCO [seekingalpha.com] .

OOXML approved by NIST (3, Informative)

seandiggity (992657) | more than 6 years ago | (#22799188)

Even though none of the substantial problems have been addressed, NIST has approved OOXML [nist.gov] .

Compare against 'How to Write Unmaintainable Code' (0)

Anonymous Coward | more than 6 years ago | (#22799940)

Never mind other ISO standards, just compare the flaws listed against How to Write Unmaintainable Code!

[Main page] http://mindprod.com/jgloss/unmain.html [mindprod.com]

I'd only got as far as item 3 on Rob Weir's list, "... The allowed values of this type express the measurement units to be used: Auto, Twentieths of a point, Nil (no width), Fiftieths of a percent. I find these choices to be capricious and not based on any sound engineering principle..." and from the HowTo, in the section on Coding Obfuscation, item 6: "Foolish Consistency Is the Hobgoblin of Little Minds When you need a character constant, use many different formats: ' ', 32, 0x20, 040..."

Is this resemblance coincidence? I doubt it.

[Coding Obfuscation section] http://mindprod.com/jgloss/unmainobfuscation.html [mindprod.com]

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>