<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_03_02_1443210</id>
	<title>Over Half of Software Fails First Security Tests</title>
	<author>Soulskill</author>
	<datestamp>1267545720000</datestamp>
	<htmltext>An anonymous reader writes <i>"Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half <a href="http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=223100875">failed to achieve a successful rating in their first round of testing</a>. And this data is based on software developers who took the time and effort to have their code tested &mdash; who knows about the others."</i>
Reader sgtrock pointed out another interesting snippet from the article: "'The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That's encouraging,' Oberg says. And it was the quickest to remediate any flaws: 'It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,' he says."</htmltext>
<tokentext>An anonymous reader writes " Even with all of the emphasis on writing software with security in mind , most software applications remain riddled with security holes , according to a new report released today about the actual security quality of all types of software .
Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing .
And this data is based on software developers who took the time and effort to have their code tested — who knows about the others . "
Reader sgtrock pointed out another interesting snippet from the article : " 'The conventional wisdom is that open source is risky .
But open source was no worse than commercial software upon first submission .
That 's encouraging , ' Oberg says .
And it was the quickest to remediate any flaws : 'It took about 30 days to remediate open-source software , and much longer for commercial and internal projects , ' he says . "</tokentext>
<sentencetext>An anonymous reader writes "Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software.
Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing.
And this data is based on software developers who took the time and effort to have their code tested — who knows about the others."
Reader sgtrock pointed out another interesting snippet from the article: "'The conventional wisdom is that open source is risky.
But open source was no worse than commercial software upon first submission.
That's encouraging,' Oberg says.
And it was the quickest to remediate any flaws: 'It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,' he says."</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330874</id>
	<title>Re:Bolting On</title>
	<author>sopssa</author>
	<datestamp>1267550040000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>0</modscore>
	<htmltext><p>That's probably easy if it's just one guy, but what about when it's several, if not even hundreds of developers? Random patch code in OSS bug-tracking systems can make some other unrelated code insecure because the guy who submitted the patch didn't know everything about the code or didn't check it through, and it slipped past the maintainers too. This is especially true in projects with a really large codebase or several code branches and forks.</p></htmltext>
<tokentext>That 's probably easy if it 's just one guy , but what about when it 's several , if not even hundreds of developers ?
Random patch code in OSS bug-tracking systems can make some other unrelated code insecure because the guy who submitted the patch did n't know everything about the code or did n't check it through and it slipped past the maintainers too .
This is especially true in projects with really large codebase or several code branches and forks .</tokentext>
<sentencetext>That's probably easy if it's just one guy, but what about when it's several, if not even hundreds of developers?
Random patch code in OSS bug-tracking systems can make some other unrelated code insecure because the guy who submitted the patch didn't know everything about the code or didn't check it through and it slipped past the maintainers too.
This is especially true in projects with really large codebase or several code branches and forks.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330788</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332580</id>
	<title>Re:Firefox has too many developers</title>
	<author>Anonymous</author>
	<datestamp>1267556460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>too many <b>cocks</b> in the kitchen</p></div><p>Are you suggesting Firefox needs more women developers?</p></htmltext>
<tokentext>too many cocks in the kitchen
Are you suggesting Firefox needs more women developers ?</tokentext>
<sentencetext>too many cocks in the kitchen
Are you suggesting Firefox needs more women developers?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332274</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330804</id>
	<title>Undefined requirements</title>
	<author>ClosedSource</author>
	<datestamp>1267549680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>There is no requirements document for security that you can follow and guarantee that your application is secure. You're really trying to anticipate all the ideas other people may have about compromising your code. In general, this is impossible to achieve, so you do the best you can.</p></htmltext>
<tokentext>There is no requirements document for security that you can follow and guarantee that your application is secure .
You 're really trying to anticipate all the ideas other people may have about compromising your code .
In general , this is impossible to achieve , so you do the best you can .</tokentext>
<sentencetext>There is no requirements document for security that you can follow and guarantee that your application is secure.
You're really trying to anticipate all the ideas other people may have about compromising your code.
In general, this is impossible to achieve, so you do the best you can.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331390</id>
	<title>Re:Open source doesn't necessarily mean dangerous</title>
	<author>Lumpy</author>
	<datestamp>1267552320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's typically because whoever is in charge is incredibly under-educated.  Probably their CTO or CIO really knows nothing at all, and then filled the ranks below him with yes-men who know as little as he does.</p><p>At the bottom you have the guys wanting to get things done and secure; they pound their heads against the wall.</p></htmltext>
<tokentext>It 's typically because whoever is in charge is incredibly under-educated .
Probably their CTO or CIO really knows nothing at all , and then filled the ranks below him with yes-men that knows as little as he does .
At the bottom you have the guys wanting to get things done and secure , they pound their heads against the wall .</tokentext>
<sentencetext>It's typically because whoever is in charge is incredibly under-educated.
Probably their CTO or CIO really knows nothing at all, and then filled the ranks below him with yes-men that knows as little as he does.
At the bottom you have the guys wanting to get things done and secure, they pound their heads against the wall.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331802</id>
	<title>60% !!!</title>
	<author>NicknamesAreStupid</author>
	<datestamp>1267553940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Obviously, Veracode's tests aren't thorough enough.  But it raises the question, "who tests the testing software?"</htmltext>
<tokentext>Obviously , Veracode 's tests are n't thorough enough .
But it raises the question , " who tests the testing software ? "</tokentext>
<sentencetext>Obviously, Veracode's tests aren't thorough enough.
But it raises the question, "who tests the testing software?"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331558</id>
	<title>Re:Well now</title>
	<author>eLore</author>
	<datestamp>1267552920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>For the most part I agree with you.  The caveat is that in certain circumstances, having an external party review your widgets is necessary from a regulatory compliance perspective.  Also, Marcus Ranum is famous for ranting on "bad management" which requires you to pay an outside consultant to tell you the same thing that your internal resources were telling you, but for more money.  Unfortunately, I've seen more than one organization suffer from this.</p></htmltext>
<tokentext>For the most part I agree with you .
The caveat is that in certain circumstances , having an external party review your widgets is necessary from a regulatory compliance perspective .
Also , Marcus Ranum is famous for ranting on " bad management " which requires you to pay an outside consultant to tell you the same thing that your internal resources were telling you , but for more money .
Unfortunately , I 've seen more than one organization suffer from this .</tokentext>
<sentencetext>For the most part I agree with you.
The caveat is that in certain circumstances, having an external party review your widgets is necessary from a regulatory compliance perspective.
Also, Marcus Ranum is famous for ranting on "bad management" which requires you to pay an outside consultant to tell you the same thing that your internal resources were telling you, but for more money.
Unfortunately, I've seen more than one organization suffer from this.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31420632</id>
	<title>What "conventional wisdom"?</title>
	<author>Hurricane78</author>
	<datestamp>1268136060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The conventional wisdom is that open source is risky.</p></div><p>No. The conventional wisdom is, that open source is much much safer!</p><p>Who wrote this? Some PHBtard?</p></htmltext>
<tokentext>The conventional wisdom is that open source is risky .
No .
The conventional wisdom is , that open source is much much safer !
Who wrote this ?
Some PHBtard ?</tokentext>
<sentencetext>The conventional wisdom is that open source is risky.
No.
The conventional wisdom is, that open source is much much safer!
Who wrote this?
Some PHBtard?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330788</id>
	<title>Bolting On</title>
	<author>Chris Lawrence</author>
	<datestamp>1267549560000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>As Bruce Schneier has said, trying to bolt on security to an existing product or application can be very difficult and time consuming.  Sometimes you even have to redesign things.  Designing for security and using secure coding practices from the beginning, however, makes it much, much easier.</p></htmltext>
<tokentext>As Bruce Schneier has said , trying to bolt on security to an existing product or application can be very difficult and time consuming .
Sometimes you even have to redesign things .
Designing for security and using secure coding practices from the beginning , however , makes it much , much easier .</tokentext>
<sentencetext>As Bruce Schneier has said, trying to bolt on security to an existing product or application can be very difficult and time consuming.
Sometimes you even have to redesign things.
Designing for security and using secure coding practices from the beginning, however, makes it much, much easier.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331282</id>
	<title>Re:Open source doesn't necessarily mean dangerous</title>
	<author>Anonymous</author>
	<datestamp>1267551900000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>That sort of thing really pisses me off.</p></div><p>Well then grow a pair and out them....  let us all get on the rage train!</p></htmltext>
<tokentext>That sort of thing really pisses me off .
Well then grow a pair and out them.... let us all get on the rage train !</tokentext>
<sentencetext>That sort of thing really pisses me off.
Well then grow a pair and out them....  let us all get on the rage train!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333928</id>
	<title>Re:Security is no selling point</title>
	<author>Lord Ender</author>
	<datestamp>1267561440000</datestamp>
	<modclass>Informative</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>Security is the antagonist to comfort. [etc. etc. etc.]</p></div></blockquote><p>Your entire rant is based on a false premise. In most cases, security actually increases "comfort" or "convenience." It's damn inconvenient to use a system which crashes, misbehaves, and needs to be frequently rebuilt due to security problems. Removing buffer overflow vulnerabilities from your software in no way inconveniences your users.</p><p>Authentication is perhaps the only piece that sometimes is inconvenient. Just typing your username to log in is more convenient than having to type a password. But that's the exception to the rule. And systems which time you out while you're using them, and don't integrate with SSO, are actually not "more secure," they're just badly-implemented. So that's not a trade-off either.</p></htmltext>
<tokentext>Security is the antagonist to comfort .
[ etc. etc. etc. ]
Your entire rant is based on a false premise .
In most cases , security actually increases " comfort " or " convenience . "
It 's damn inconvenient to use a system which crashes , misbehaves , and needs to be frequently rebuilt due to security problems .
Removing buffer overflow vulnerabilities from your software in no way inconveniences your users .
Authentication is perhaps the only piece that sometimes is inconvenient .
Just typing your username to log in is more convenient than having to type a password .
But that 's the exception to the rule .
And systems which time you out while you 're using them , and do n't integrate with SSO , are actually not " more secure , " they 're just badly-implemented .
So that 's not a trade-off either .</tokentext>
<sentencetext>Security is the antagonist to comfort.
[etc. etc. etc.]
Your entire rant is based on a false premise.
In most cases, security actually increases "comfort" or "convenience."
It's damn inconvenient to use a system which crashes, misbehaves, and needs to be frequently rebuilt due to security problems.
Removing buffer overflow vulnerabilities from your software in no way inconveniences your users.
Authentication is perhaps the only piece that sometimes is inconvenient.
Just typing your username to log in is more convenient than having to type a password.
But that's the exception to the rule.
And systems which time you out while you're using them, and don't integrate with SSO, are actually not "more secure," they're just badly-implemented.
So that's not a trade-off either.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802</id>
	<title>Open source doesn't necessarily mean dangerous</title>
	<author>Pojut</author>
	<datestamp>1267549680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>I know of at least one rather large and well-known company that doesn't use OSS because of "security", yet voluntarily continues to use IE6.</p><p>That sort of thing really pisses me off.</p></htmltext>
<tokentext>I know of at least one rather large and well-known company that does n't use OSS because of " security " , yet voluntarily continues to use IE6 .
That sort of thing really pisses me off .</tokentext>
<sentencetext>I know of at least one rather large and well-known company that doesn't use OSS because of "security", yet voluntarily continues to use IE6.
That sort of thing really pisses me off.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331504</id>
	<title>As misleading as 'Show all warnings'</title>
	<author>yalap</author>
	<datestamp>1267552740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>A customer just ran their $10k scanner on our software and only found 3 problems. But it turned out the vendor had grabbed every 'security vulnerability' ever reported on any discussion board/mailing list and listed it as a problem, e.g. 'I tried this URL and my computer slowed down a bit. I think it is a denial of service attack.' It took a few days to research and disprove their claims.

Meanwhile, how many other such claims is it making? To me, it is analogous to switching on 'Show all warnings' - I've worked with managers and developers that want to eliminate all the warnings in the source. Apart from just rock polishing, I think it distracts them from focusing on the real issues like security and performance.

Like any job, you need to have the right tools and know how to use them. We do use Java FindBugs and network scanners. But poor use of any tools only leads to cuts, bruises and visits to the emergency room.</htmltext>
<tokentext>A customer just run their $ 10k scanner on our software and only found 3 problems .
But it turned out the vendor had grabbed every 'security vulnerability ' ever reported on any discussion board/mailing list and listed it as a problem .
e.g. 'I tried this URL and my computer slowed down a bit .
I think it is a denial of service attack . '
Took a few days to research and disprove their claims .
Meanwhile , how many other such claims is it making ?
To me , it is analogous to switching on 'Show all warnings ' - I 've worked with managers and developers that want to eliminate all the warnings in the source .
Apart from just rock polishing , I think it distracts them from focusing on the real issues like security and performance .
Like any job , you need to have the right tools and know how to use them .
We do use Java Findbugs and network scanners .
But poor use of any tools only leads to cuts , bruises and visits to the emergency room .</tokentext>
<sentencetext>A customer just run their $10k scanner on our software and only found 3 problems.
But it turned out the vendor had grabbed every 'security vulnerability' ever reported on any discussion board/mailing list and listed it as a problem.
e.g. 'I tried this URL and my computer slowed down a bit.
I think it is a denial of service attack.'
Took a few days to research and disprove their claims.
Meanwhile, how many other such claims is it making?
To me, it is analogous to switching on 'Show all warnings' - I've worked with managers and developers that want to eliminate all the warnings in the source.
Apart from just rock polishing, I think it distracts them from focusing on the real issues like security and performance.
Like any job, you need to have the right tools and know how to use them.
We do use Java FindBugs and network scanners.
But poor use of any tools only leads to cuts, bruises and visits to the emergency room.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333644</id>
	<title>Re:Undefined requirements</title>
	<author>tjarrett</author>
	<datestamp>1267560540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>There is an industry effort to define a "watch list" for common mistakes that lead to security flaws. Co-led by the folks behind the <a href="http://cwe.mitre.org/" title="mitre.org" rel="nofollow">Common Weakness Enumeration</a> [mitre.org] at MITRE and the SANS Institute, the <a href="http://developers.slashdot.org/story/10/02/17/2327253/The-25-Most-Dangerous-Programming-Errors" title="slashdot.org" rel="nofollow">SANS Top 25</a> [slashdot.org] (full listing <a href="http://cwe.mitre.org/top25/" title="mitre.org" rel="nofollow">here</a> [mitre.org]) is being used as a requirements document for the security of purchased applications by the <a href="http://www.sans.org/appseccontract/" title="sans.org" rel="nofollow">State of New York</a> [sans.org], among others.</p><p>It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.</p><p>Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.</p></htmltext>
<tokentext>There is an industry effort to define a " watch list " for common mistakes that lead to security flaws .
Co-led by the folks behind the Common Weakness Enumeration [ mitre.org ] at MITRE and the SANS Institute , the SANS Top 25 [ slashdot.org ] ( full listing here [ mitre.org ] ) is being used as a requirements document for the security of purchased applications by the State of New York [ sans.org ] , among others .
It 's not perfect--it omits backdoors and other intentional security flaws , among other categories--but it 's better than nothing , by a long shot .
Disclaimer : I work at Veracode and was a co-author of the report that the original article was about .</tokentext>
<sentencetext>There is an industry effort to define a "watch list" for common mistakes that lead to security flaws.
Co-led by the folks behind the Common Weakness Enumeration [mitre.org] at MITRE and the SANS Institute, the SANS Top 25 [slashdot.org] (full listing here [mitre.org]) is being used as a requirements document for the security of purchased applications by the State of New York [sans.org], among others.
It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.
Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330804</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330868</id>
	<title>Slashvertisement</title>
	<author>wintercolby</author>
	<datestamp>1267550040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Veracode offers the service of finding security flaws in your source.  By definition organizations and developers that submit their source to them are going to have more secure software (according to Veracode) when it's released, after it's been certified.
<br> <br>
All this shows is that there are developers using a company that specializes in finding security bugs to . . . find security bugs.  It's just like using any other debugging tool, you rarely get a clean compile with no bugs on the first try.</htmltext>
<tokentext>Veracode offers the service of finding security flaws in your source .
By definition organizations and developers that submit their source to them are going to have more secure software ( according to Veracode ) when it 's released , after it 's been certified .
All this shows is that there are developers using a company that specializes in finding security bugs to . . . find security bugs .
It 's just like using any other debugging tool , you rarely get a clean compile with no bugs on the first try .</tokentext>
<sentencetext>Veracode offers the service of finding security flaws in your source.
By definition organizations and developers that submit their source to them are going to have more secure software (according to Veracode) when it's released, after it's been certified.
All this shows is that there are developers using a company that specializes in finding security bugs to . . . find security bugs.
It's just like using any other debugging tool, you rarely get a clean compile with no bugs on the first try.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331148</id>
	<title>Re:That's great.</title>
	<author>Anonymous</author>
	<datestamp>1267551240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Testing the users might make sense if the Operating System had a reasonable security model. If you can't easily restrict a program to a small subset of your machine, you're forced to trust code you didn't write to get anything done.</p><p>Nobody should blame the users, if the OS sucks.</p></htmltext>
<tokentext>Testing the users might make sense if the Operating System had a reasonable security model .
If you ca n't easily restrict a program to a small subset of your machine , you 're forced to trust code you did n't write to get anything done .
Nobody should blame the users , if the OS sucks .</tokentext>
<sentencetext>Testing the users might make sense if the Operating System had a reasonable security model.
If you can't easily restrict a program to a small subset of your machine, you're forced to trust code you didn't write to get anything done.
Nobody should blame the users, if the OS sucks.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31336032</id>
	<title>Re:Not a shocker</title>
	<author>ducomputergeek</author>
	<datestamp>1267525980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Mod parent up.  I come from the same SI background and am now running a programming shop.  What dumbfounded me were the folks with CS degrees who really had no idea how the networking/systems side worked.  I can remember a few times they'd call me over after working half a day or more trying to figure out why something in their code wasn't working, only to have me take a look and in less than 30 seconds figure out that something on the server wasn't running or there was a network configuration problem.</p></htmltext>
<tokentext>Mod parent up .
I come from the same SI background and now running a programming shop .
What dumbfounded me were the folks with CS degrees that really had no idea how the networking/systems side worked .
I can remember a few times they 'd call me over after working half a day or more trying to figure out why something in their code was n't working only to have me take a look and in less than 30 seconds figure out it something on the server was n't running or there was a network configuration problem .</tokentext>
<sentencetext>Mod parent up.
I come from the same SI background and now running a programming shop.
What dumbfounded me were the folks with CS degrees that really had no idea how the networking/systems side worked.
I can remember a few times they'd call me over after working half a day or more trying to figure out why something in their code wasn't working only to have me take a look and in less than 30 seconds figure out it something on the server wasn't running or there was a network configuration problem.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331424</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335554</id>
	<title>Re:That's great.</title>
	<author>Anonymous</author>
	<datestamp>1267524180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>No wonder given all the frameworks and assorted languages that make application development so easy a caveman can do it. And the influx of cheap and/or inept software developers from the Third World only adds to the problem.</p></htmltext>
<tokentext>No wonder given all the frameworks and assorted languages that make application development so easy a caveman can do it .
And the influx of cheap and/or inept software developers from the Third World only adds to the problem .</tokentext>
<sentencetext>No wonder given all the frameworks and assorted languages that make application development so easy a caveman can do it.
And the influx of cheap and/or inept software developers from the Third World only adds to the problem.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31340286</id>
	<title>Re:That's great.</title>
	<author>Anonymous</author>
	<datestamp>1267549440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'd like to stress test some user skulls with a hydraulic press . . .</p></htmltext>
<tokentext>I 'd like to stress test some user skulls with a hydraulic press . . .</tokentext>
<sentencetext>I'd like to stress test some user skulls with a hydraulic press . . .</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330820</id>
	<title>The other half</title>
	<author>maxume</author>
	<datestamp>1267549740000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>And the other half isn't even tested.</p></htmltext>
<tokentext>And the other half is n't even tested .</tokentext>
<sentencetext>And the other half isn't even tested.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330956</id>
	<title>80-20</title>
	<author>gmuslera</author>
	<datestamp>1267550400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>That 50-50 is good news if the sample was broad enough. It could be interesting to match those numbers with the number of users... a lot of those programs could have a user base that coincides with (or is even lower than) the number of developers, and to see how insecure programs with more than 100, 1000 or even more users are (i.e. whether the top 20% of safe applications have 80% or more of the users, or the distribution is better than that).</htmltext>
<tokenext>That is 50-50 is good news if the sample was broad enough .
Could be interesting to match that numbers with amount of users... could be a lot of those programs that their userbase coincide ( or is even lower ) with the amount of developers , and see how insecure are programs with more than 100,1000 or even more users ( i.e .
if the top 20 \ % of top safe applications have the 80 \ % or more of users,or the distribution is better than that ) .</tokentext>
<sentencetext>That 50-50 is good news if the sample was broad enough.
It could be interesting to match those numbers with the number of users... there could be a lot of programs whose userbase coincides with (or is even lower than) the number of developers, and to see how insecure programs with more than 100, 1000 or even more users are (i.e.
if the top 20% of the safest applications have 80% or more of the users, or the distribution is better than that).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332642</id>
	<title>I am a professional software developer myself.....</title>
	<author>Tanuki64</author>
	<datestamp>1267556640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>...and I don't give a **** for security. I am working as a freelancer. As such there are two possibilities: I calculate correctly, including all costs for proper design and tests, or I get the contract. Customers pay ****, customers want ****, customers get ****.</htmltext>
<tokenext>...and I do n't give a * * * * for security .
I am working as freelancer .
As such there a two possibilities : I calculate correctly including all costs for proper design and tests , or I get the contract .
Customers pay * * * * , customers want * * * * , customers get * * * * .</tokentext>
<sentencetext>...and I don't give a **** for security.
I am working as a freelancer.
As such there are two possibilities: I calculate correctly, including all costs for proper design and tests, or I get the contract.
Customers pay ****, customers want ****, customers get ****.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332082</id>
	<title>Re:Security is no selling point</title>
	<author>clone53421</author>
	<datestamp>1267554900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The better your security, the more your potential customer will be put off by it.</p></div><p>If, by &ldquo;better&rdquo;, you mean more intrusive, controlling, cumbersome, slow, and restrictive... then yes. Of course they will be.</p><p>But if, by &ldquo;better&rdquo;, you mean <em>less</em> intrusive, controlling, cumbersome, slow and restrictive...</p></htmltext>
<tokenext>The better your security , the more your potential customer will be put off by it.If , by    better    , you mean more intrusive , controlling , cumbersome , slow , and restrictive... then yes .
Of course they will be.But if , by    better    , you mean less intrusive , controlling , cumbersome , slow and restrictive.. .</tokentext>
<sentencetext>The better your security, the more your potential customer will be put off by it. If, by “better”, you mean more intrusive, controlling, cumbersome, slow, and restrictive... then yes.
Of course they will be. But if, by “better”, you mean less intrusive, controlling, cumbersome, slow and restrictive...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333386</id>
	<title>Sample sizes, testing</title>
	<author>tjarrett</author>
	<datestamp>1267559580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>You can check out the full report online from the <a href="http://www.veracode.com/reports/index.html" title="veracode.com" rel="nofollow">Veracode.com website</a> [veracode.com] (requires registration).</p><p>We disclose the sample size in the appendix (1591 applications).</p><p>You can test the quality of code you are developing yourself with a simple source code scanner, but testing third party code is a little more challenging. I don't know too many significant applications that are entirely created in house, with no dependency on third party libraries.</p><p>Disclaimer: I work for Veracode and was a coauthor of the study.</p></htmltext>
<tokenext>You can check out the full report online from the Veracode.com website [ veracode.com ] ( requires registration ) .We disclose the sample size in the appendix ( 1591 applications ) .You can test the quality of code you are developing yourself with a simple source code scanner , but testing third party code is a little more challenging .
I do n't know too many significant applications that are entirely created in house , with no dependency on third party libraries.Disclaimer : I work for Veracode and was a coauthor of the study .</tokentext>
<sentencetext>You can check out the full report online from the Veracode.com website [veracode.com] (requires registration). We disclose the sample size in the appendix (1591 applications). You can test the quality of code you are developing yourself with a simple source code scanner, but testing third party code is a little more challenging.
I don't know too many significant applications that are entirely created in house, with no dependency on third party libraries. Disclaimer: I work for Veracode and was a coauthor of the study.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331340</id>
	<title>In other news...</title>
	<author>GuruBuckaroo</author>
	<datestamp>1267552140000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>More than 90% of all software tested fails to compile the first time.

Seriously, that's what security testing is for - finding holes so they can be filled.</htmltext>
<tokenext>More than 90 \ % of all software tested fails to compile the first time .
Seriously , that 's what security testing is for - finding holes so they can be filled .</tokentext>
<sentencetext>More than 90% of all software tested fails to compile the first time.
Seriously, that's what security testing is for - finding holes so they can be filled.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333352</id>
	<title>Re:What emphasis on security?</title>
	<author>Anonymous</author>
	<datestamp>1267559400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>I thought the only measure of a project was whether it makes the deadline.</p></div><p>No, it's whether you pay Always the Lowest Price. Always.</p></htmltext>
<tokenext>I thought the only measure of a project was whether it makes the deadline.No , it 's whether you pay Always the Lowest Price .
Always .</tokentext>
<sentencetext>I thought the only measure of a project was whether it makes the deadline. No, it's whether you pay Always the Lowest Price.
Always.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330778</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332706</id>
	<title>Security</title>
	<author>QuoteMstr</author>
	<datestamp>1267556820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Back when I was in charge of hiring new programmers for a web development shop, the very first thing I'd do when I got a resume would be to load up the applicant's personal website, if he had one.</p><p>No, I didn't look at the aesthetics of the site. I didn't care about the cleanliness of the HTML. The implementation language and web framework didn't matter. I had more important things on my mind: I would find a form, and type <tt>hello world' -- ; SHOW TABLES</tt>. If the site misbehaved, I'd toss the resume in the trash and adamantly refuse to reconsider it.</p><p>Management thought I was nuts --- these were guys with degrees! They came with great recommendations! And they're cheap! What does one bug matter? But with SQL injection being the now <a href="http://www.sans.org/top25-programming-errors/" title="sans.org">#2 security vulnerability</a> [sans.org], who's whining now?</p><p>Attention to correctness is <i>the</i> bedrock trait of a good developer. Everything else comes second; security is just one property of correct code.</p></htmltext>
<tokenext>Back when I was in charge of hiring new programmers for a web development shop , the very first thing I 'd do when I got a resume would be to load up the applicant 's personal website , if he had one.No , I did n't look at the aesthetics of the site .
I did n't care about the cleanliness of the HTML .
The implementation language and web framework did n't matter .
I had more important things on my mind : I would find a form , and type hello world ' -- ; SHOW TABLES .
If the site misbehaved , I 'd toss the resume in the trash and adamantly refuse to reconsider it.Management thought I was nuts --- these were guys with degrees !
They came with great recommendations !
And they 're cheap !
What does one bug matter ?
But with SQL injection being the now # 2 security vulnerability [ sans.org ] , who 's whining now ? Attention to correctness is the bedrock trait of a good developer .
Everything else comes second ; security is just one property of correct code .</tokentext>
<sentencetext>Back when I was in charge of hiring new programmers for a web development shop, the very first thing I'd do when I got a resume would be to load up the applicant's personal website, if he had one. No, I didn't look at the aesthetics of the site.
I didn't care about the cleanliness of the HTML.
The implementation language and web framework didn't matter.
I had more important things on my mind: I would find a form, and type hello world' -- ; SHOW TABLES.
If the site misbehaved, I'd toss the resume in the trash and adamantly refuse to reconsider it. Management thought I was nuts --- these were guys with degrees!
They came with great recommendations!
And they're cheap!
What does one bug matter?
But with SQL injection being the now #2 security vulnerability [sans.org], who's whining now? Attention to correctness is the bedrock trait of a good developer.
Everything else comes second; security is just one property of correct code.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842</id>
	<title>Well now</title>
	<author>Monkeedude1212</author>
	<datestamp>1267549920000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>That's extrapolating a bit much, isn't it? And scanning through the article, they don't even name the sample size, just percentages.</p><p>And yes, they mention that it's only the stuff that they test, "so imagine what the rest is like". Well - that's it though, if someone is professionally developing with security in mind, they probably know how to test it in office or know somebody who can. Thus - no need to pay this corporation to test something you can do yourself.<br>If you are developing with security in mind - but aren't sure exactly what you're looking to protect against - THAT'S when you go to companies like these.</p><p>This is pretty much a skewed data source (probably a slashvertisement for them, too), and is the only study of its type. Take it with a week's worth of salt.</p></htmltext>
<tokenext>That 's extrapolating a bit much , is n't it ?
And scanning through the article , they do n't even name the sample size , just percentages.And yes , they mention that its only the stuff that they test , " so imagine what the rest is like " .
Well - thats it though , if someone is professionally developing with security in mind , they probably know how to test it in office or know somebody who can .
Thus - no need to pay this corporation to test something you can do yourself.If you are developing with security in mind - but are n't sure exactly what you 're looking to protect against - THATS when you go to companies like these.This is a pretty much skewed data source ( probably a slashvertisement for them , too ) , and is the only study of its type .
Take it with a weeks worth of salt .</tokentext>
<sentencetext>That's extrapolating a bit much, isn't it?
And scanning through the article, they don't even name the sample size, just percentages. And yes, they mention that it's only the stuff that they test, "so imagine what the rest is like".
Well - that's it though, if someone is professionally developing with security in mind, they probably know how to test it in office or know somebody who can.
Thus - no need to pay this corporation to test something you can do yourself. If you are developing with security in mind - but aren't sure exactly what you're looking to protect against - THAT'S when you go to companies like these. This is pretty much a skewed data source (probably a slashvertisement for them, too), and is the only study of its type.
Take it with a week's worth of salt.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335088</id>
	<title>Re:Code has bugs... so don't trust it.</title>
	<author>Xtifr</author>
	<datestamp>1267522560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Code has bugs, it always will.</p></div><p>Really? I defy you to find a bug in my implementation of /bin/false. :)</p><p>What is true is that the chance of a bug appearing grows exponentially as the code increases in complexity, so that for any program of moderate or greater complexity, the chance that one or more bugs exist is near certainty, but I wouldn't be posting on slashdot if I didn't enjoy the occasional moment of nitpicking pedantry... :)</p></htmltext>
<tokenext>Code has bugs , it always will.Really ?
I defy you to find a bug in my implementation of /bin/false .
: ) What is true is that the chance of a bug appearing grows exponentially as the code increases in complexity , so that for any program of moderate or greater complexity , the chance that one or more bugs exist is near certainty , but I would n't be posting on slashdot if I did n't enjoy the occasional moment of nitpicking pedantry... : )</tokentext>
<sentencetext>Code has bugs, it always will. Really?
I defy you to find a bug in my implementation of /bin/false. :)
What is true is that the chance of a bug appearing grows exponentially as the code increases in complexity, so that for any program of moderate or greater complexity, the chance that one or more bugs exist is near certainty, but I wouldn't be posting on slashdot if I didn't enjoy the occasional moment of nitpicking pedantry... :)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331230</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758</id>
	<title>That's great.</title>
	<author>Anonymous</author>
	<datestamp>1267549500000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>Now they need to test the users.....</p></htmltext>
<tokenext>Now they need to test the users.... .</tokentext>
<sentencetext>Now they need to test the users.....</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330880</id>
	<title>Security firm says security is an issue</title>
	<author>Anonymous</author>
	<datestamp>1267550040000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Hmmm . . . there's a word for that . . . XKCD, can you help me?</p><p> <a href="http://www.xkcd.com/703/" title="xkcd.com">http://www.xkcd.com/703/</a> [xkcd.com] </p></htmltext>
<tokenext>Hmmm .
. .
there 's a word for that .
. .
XKCD , can you help me ?
http : //www.xkcd.com/703/ [ xkcd.com ]</tokentext>
<sentencetext>Hmmm . . . there's a word for that . . . XKCD, can you help me?
http://www.xkcd.com/703/ [xkcd.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331362</id>
	<title>Re:Security is no selling point</title>
	<author>Anonymous</author>
	<datestamp>1267552200000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Why is there no discussion of the fundamental trade-offs inherent in all forms of engineering, not only software? That is, security is only another facet of software performance, which includes features, reliability, cost, flexibility, ease of use etc. All software, in fact all human defenses, are insecure in the sense that a determined attacker can overcome them. There is a wide spectrum of users who can trade off perceived security risks versus benefits. No one choice is better than another. I leave my '89 Plymouth unlocked, so what.</p></htmltext>
<tokenext>Why is there no discussion of the fundamental trade offs inherent in all forms of engineering not only software .
That is security is only another facet of software performance that includes features , reliability , cost , flexibility , ease of use etc .
All software in fact all human defenses are insecure in the sense that a determined attacker can overcome them .
There is a wide spectrum of users who can trade off perceived security risks versus benefits .
No one choice is better than another .
I leave my 89 Plymouth unlocked so what .</tokentext>
<sentencetext>Why is there no discussion of the fundamental trade-offs inherent in all forms of engineering, not only software?
That is, security is only another facet of software performance, which includes features, reliability, cost, flexibility, ease of use etc.
All software, in fact all human defenses, are insecure in the sense that a determined attacker can overcome them.
There is a wide spectrum of users who can trade off perceived security risks versus benefits.
No one choice is better than another.
I leave my '89 Plymouth unlocked, so what.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31337272</id>
	<title>Re:What about commercial open source software</title>
	<author>Tanuki64</author>
	<datestamp>1267530600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat, IBM, Intel and others.</p></div><p>And what does this mean? Paid = better programmers? Funny, very funny. I experienced many more bad programmers who were paid than bad programmers who do their stuff because they like what they do. Paid programmers who initially were hardware developers, physicists, even biologists; then the business changed and they were told they are now software developers. Here is a C++ book, start reading. Some of the computer science guys were not much better. Never coded more than 100 lines of code, but they are the experts with a degree.</p><p>So I don't care how many developers in an open source project are actually paid to contribute. This is not necessarily a sign of expertise or quality.</p></htmltext>
<tokenext>In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat , IBM , Intel and others.And what does this mean ?
Paid = better programmers ?
Funny , very funny .
I experienced much more bad programmers who were paid that bad programmers who do their stuff because they like what they do .
Paid programmers , who initially were hardware developers , physicist , even biologists , then the business changed and they were told they are now softwaredevelopers .
Here is a C + + book , start reading .
Some of the computer science guys were not much better .
Never coded more than 100 lines of code , but they are the experts with a degree .
So I do n't care how many developers in an open source projects are actually paid to contribute .
This is not necessarily a sign of expertise or quality .</tokentext>
<sentencetext>In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat, IBM, Intel and others. And what does this mean?
Paid = better programmers?
Funny, very funny.
I experienced many more bad programmers who were paid than bad programmers who do their stuff because they like what they do.
Paid programmers who initially were hardware developers, physicists, even biologists; then the business changed and they were told they are now software developers.
Here is a C++ book, start reading.
Some of the computer science guys were not much better.
Never coded more than 100 lines of code, but they are the experts with a degree.
So I don't care how many developers in an open source project are actually paid to contribute.
This is not necessarily a sign of expertise or quality.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330914</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330914</id>
	<title>What about commercial open source software</title>
	<author>weeble</author>
	<datestamp>1267550160000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>So lots of comparisons between open source and commercial software; however, there is a lot of open source software that is sold, i.e. commercial. In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat, IBM, Intel and others. Does that mean that the Linux Kernel is commercial software?</p><p>Maybe the article should refer to closed source proprietary and open source software.</p><p>The article reads as if the author does not fully understand how Open Source software is developed and is just a large advert (a.k.a. press release) for the auditing software.</p></htmltext>
<tokenext>So lots of comparisons between open source and commercial software ; however there is a lot of open source software that is sold , i.e .
commercial. In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat , IBM , Intel and others .
Does that mean that the Linux Kernel is commercial software.May be the article should refer to closed source proprietary and open source software.The article reads as if the author does not fully understand the how Open Source software is developed and is just a large advert ( a.k.a .
press release ) for the auditing software .</tokentext>
<sentencetext>So lots of comparisons between open source and commercial software; however, there is a lot of open source software that is sold, i.e.
commercial. In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat, IBM, Intel and others.
Does that mean that the Linux Kernel is commercial software? Maybe the article should refer to closed source proprietary and open source software. The article reads as if the author does not fully understand how Open Source software is developed and is just a large advert (a.k.a.
press release) for the auditing software.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</id>
	<title>Security is no selling point</title>
	<author>Opportunist</author>
	<datestamp>1267549980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><p>It just is not. Actually, quite the opposite: The better your security, the more your potential customer will be put off by it.</p><p>Users do not care about security until it is too late (i.e. until after they got infected), and only then will they bitch and rant and complain how insecure your piece of junk is. If you, otoh, take security seriously and implement it sensibly, they will bitch and rant already at install because they hate the hoops to jump through and the obstacles to dodge to make your software "just work".</p><p>Security is the antagonist to comfort. By its very definition. No matter where you look, security always means "additional work". Either to the user, which means overhead to his work, or to the program, which means it will invariably be slower than its competing products.</p><p>Thus security is not only an "unnecessary evil" when selling your product. It is actually hurting you when you try to convince someone to buy your stuff. Your software will be slower due to its security "burden", and it will be less comfortable to the user. The user does not see the glaring security holes when he buys the product. Only after, when the product bites him in the ass because it opened him up to an attack. But by then, he will already have paid for your product. And he will have bought your product instead of the more secure product your competitor offered, because yours was faster and easier to use.</p></htmltext>
<tokenext>It just is not .
Actually , quite the opposite : The better your security , the more your potential customer will be put off by it.Users do not care about security until it is too late ( i.e .
until after they got infected ) , and only then they will bitch and rant and complain how insecure your piece of junk is .
If you , otoh , take security serious and implement it sensibly , they will bitch and rant already at install because they hate the hoops to jump through and the obstacles to dodge to make your software " just work " .Security is the antagonist to comfort .
By its very definition .
No matter where you look , security always means " additional work " .
Either to the user , which means overhead to his work , or to the program , which means it will invariably be slower than its competing products.Thus security is not only an " unnecessary evil " when selling your product .
It is actually hurting you when you try to convince someone to buy your stuff .
Your software will be slower due to its security " burden " , and it will be less comfortable to the user .
The user does not see the glaring security holes when he buys the product .
Only after , when the product bites him in the ass because it opened him up to an attack .
But by then , he will already have paid for your product .
And he will have bought your product instead of the more secure product your competitor offered , because yours was faster and easier to use .</tokentext>
<sentencetext>It just is not.
Actually, quite the opposite: The better your security, the more your potential customer will be put off by it. Users do not care about security until it is too late (i.e.
until after they got infected), and only then will they bitch and rant and complain how insecure your piece of junk is.
If you, otoh, take security seriously and implement it sensibly, they will bitch and rant already at install because they hate the hoops to jump through and the obstacles to dodge to make your software "just work". Security is the antagonist to comfort.
By its very definition.
No matter where you look, security always means "additional work".
Either to the user, which means overhead to his work, or to the program, which means it will invariably be slower than its competing products. Thus security is not only an "unnecessary evil" when selling your product.
It is actually hurting you when you try to convince someone to buy your stuff.
Your software will be slower due to its security "burden", and it will be less comfortable to the user.
The user does not see the glaring security holes when he buys the product.
Only after, when the product bites him in the ass because it opened him up to an attack.
But by then, he will already have paid for your product.
And he will have bought your product instead of the more secure product your competitor offered, because yours was faster and easier to use.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331378</id>
	<title>Re:Security is no selling point</title>
	<author>digitalhermit</author>
	<datestamp>1267552260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's not an either/or thing.  Secure software is often the *easiest* to configure. It's when configuration is difficult and prone to error that people make mistakes or start using default configurations.</p><p>For example, when a service is installed on a system many installers do not have procedures for configuring the firewall.  It may be a range of ports that's needed, or some access to a particular IP address. So people install the software and it doesn't work. They read something on the Internet that it's a firewall issue. So what do most people do?  They turn off the firewall.  I know at least three people who did this because they couldn't get NTP updates to work on their systems.</p></htmltext>
<tokenext>It 's not an either/or thing .
Secure software is often the * easiest * to configure .
It 's when configuration is difficult and prone to error that people make mistakes or start using default configurations.For example , when a service is installed on a system many installers do not have procedures for configuring the firewall .
It may be a range of ports that 's needed , or some access to a particular IP address .
So people install the software and it does n't work .
They read something on the Internet that it 's a firewall issue .
So what do most people do ?
They turn off the firewall .
I know at least three people who did this because they could n't get NTP updates to work on their systems .</tokentext>
<sentencetext>It's not an either/or thing.
Secure software is often the *easiest* to configure.
It's when configuration is difficult and prone to error that people make mistakes or start using default configurations. For example, when a service is installed on a system many installers do not have procedures for configuring the firewall.
It may be a range of ports that's needed, or some access to a particular IP address.
So people install the software and it doesn't work.
They read something on the Internet that it's a firewall issue.
So what do most people do?
They turn off the firewall.
I know at least three people who did this because they couldn't get NTP updates to work on their systems.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331230</id>
	<title>Code has bugs... so don't trust it.</title>
	<author>ka9dgx</author>
	<datestamp>1267551660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Code has bugs, it always will. You need to reduce the attack surface, so why not reduce it all the way down to the kernel of the OS? If you don't need to trust any of the users' programs with the security of the whole system, you've solved a lot of problems.</p><p>Don't trust the users? Not a good idea. The users are the administrators these days.</p><p>Don't trust the internet? Well... it's a communications medium, just a set of tubes.</p><p>Don't trust the programs? Great idea!</p></htmltext>
<tokenext>Code has bugs , it always will .
You need to reduce the attack surface , why not reduce it all the way down to the kernel of the OS ?
If you do n't need to trust any of the users programs with the security of the whole system , you 've solved a lot of problems.Do n't trust the users ?
Not a good idea .
The users are the administrators these days.Do n't trust the internet ?
Well... it 's a communications medium , just a set of tubes.Do n't trust the programs ?
Great idea !</tokentext>
<sentencetext>Code has bugs, it always will.
You need to reduce the attack surface, why not reduce it all the way down to the kernel of the OS?
If you don't need to trust any of the users programs with the security of the whole system, you've solved a lot of problems.Don't trust the users?
Not a good idea.
The users are the administrators these days.Don't trust the internet?
Well... it's a communications medium, just a set of tubes.Don't trust the programs?
Great idea!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332020</id>
	<title>Re:Open source doesn't necessarily mean dangerous</title>
	<author>clone53421</author>
	<datestamp>1267554720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And let me guess... their IT department would claim that open-source software is too difficult to test and administer patches remotely and <em>keep updated?</em></p></htmltext>
<tokenext>And let me guess... their IT department would claim that open-source software is too difficult to test and administer patches remotely and keep updated ?</tokentext>
<sentencetext>And let me guess... their IT department would claim that open-source software is too difficult to test and administer patches remotely and keep updated?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335436</id>
	<title>So Veracode is missing about 40%</title>
	<author>the eric conspiracy</author>
	<datestamp>1267523700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It seems to me that a thorough test would initially flunk pretty close to 100% of all software. So this means Veracode is too lenient by about 40%.</p></htmltext>
<tokenext>It seems to me that a thorough test would initially flunk pretty close to 100 % of all software .
So this means Veracode is too lenient by about 40 % .</tokentext>
<sentencetext>It seems to me that a thorough test would initially flunk pretty close to 100% of all software.
So this means Veracode is too lenient by about 40%.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333506</id>
	<title>Over Half of Software Fails First Security Tests</title>
	<author>f0rk</author>
	<datestamp>1267560000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Over Half of Software Fails First Security Tests. Well that's good, now I want the second half to be tested too.</p></htmltext>
<tokenext>Over Half of Software Fails First Security Tests .
Well that 's good , now I want the second half to be tested too .</tokentext>
<sentencetext>Over Half of Software Fails First Security Tests.
Well that's good, now I want the second half to be tested too.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331986</id>
	<title>Encouraging?</title>
	<author>clone53421</author>
	<datestamp>1267554600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That's encouraging</p></div><p>...um, I&rsquo;d have started with the opposite premise, that open-source is <em>safer</em>. In light of that premise, I think their findings are somewhat <em>discouraging</em>... except,</p><div class="quote"><p>It took about 30 days to remediate open-source software, and much longer for commercial and internal projects</p></div><p>Now <em>that&rsquo;s</em> encouraging.</p></htmltext>
<tokenext>The conventional wisdom is that open source is risky .
But open source was no worse than commercial software upon first submission .
That 's encouraging...um , I 'd have started with the opposite premise , that open-source is safer .
In light of that premise , I think their findings are somewhat discouraging... except , It took about 30 days to remediate open-source software , and much longer for commercial and internal projects Now that 's encouraging .</tokentext>
<sentencetext>The conventional wisdom is that open source is risky.
But open source was no worse than commercial software upon first submission.
That's encouraging...um, I’d have started with the opposite premise, that open-source is safer.
In light of that premise, I think their findings are somewhat discouraging... except,It took about 30 days to remediate open-source software, and much longer for commercial and internal projectsNow that’s encouraging.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332932</id>
	<title>Re:Well now</title>
	<author>julesh</author>
	<datestamp>1267557840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>That's extrapolating a bit much, isn't it? And scanning through the article, they don't even name the sample size, just percentages.</i></p><p>I was wondering about selection bias, and, yes, investigating the company that did the research, they appear to specialise in analysing native code (e.g. C or C++ applications) running under Windows.  My guess is that a lot of the more security-conscious developers have moved to other environments (interpreted or JIT-compiled code and/or Linux), so they're left analysing the dregs...</p></htmltext>
<tokenext>That 's extrapolating a bit much , is n't it ?
And scanning through the article , they do n't even name the sample size , just percentages.I was wondering about selection bias , and , yes , investigating the company that did the research they appear to specialise in analysing native code ( e.g .
C or C + + applications ) running under Windows .
My guess is that a lot of the more security-conscious developers have moved to other environments ( interpreted or JIT-compiled code and/or Linux ) , so they 're left analysing the dregs.. .</tokentext>
<sentencetext>That's extrapolating a bit much, isn't it?
And scanning through the article, they don't even name the sample size, just percentages.I was wondering about selection bias, and, yes, investigating the company that did the research they appear to specialise in analysing native code (e.g.
C or C++ applications) running under Windows.
My guess is that a lot of the more security-conscious developers have moved to other environments (interpreted or JIT-compiled code and/or Linux), so they're left analysing the dregs...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331450</id>
	<title>"remediate"?</title>
	<author>Voline</author>
	<datestamp>1267552560000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Try "remedy", or does that not sound pseudo-technical enough?</htmltext>
<tokenext>Try " remedy " , or does that not sound pseudo-technical enough ?</tokentext>
<sentencetext>Try "remedy", or does that not sound pseudo-technical enough?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332946</id>
	<title>uhhh</title>
	<author>buddyglass</author>
	<datestamp>1267557840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>"Conventional wisdom" depends on who you ask.  The conventional wisdom I've heard is that OSS is actually <b>more</b> secure.  More eyes, etc.  The flip side of his analysis is that while OSS was no <i>more</i> vulnerable than closed source it was also no <i>less</i> vulnerable, which would suggest the closed source model is equally capable of producing secure code.</htmltext>
<tokenext>" Conventional wisdom " depends on who you ask .
The conventional wisdom I 've heard is that OSS is actually more secure .
More eyes , etc .
The flip side of his analysis is that while OSS was no more vulnerable than closed source it was also no less vulnerable , which would suggest the closed source model is equally capable of producing secure code .</tokentext>
<sentencetext>"Conventional wisdom" depends on who you ask.
The conventional wisdom I've heard is that OSS is actually more secure.
More eyes, etc.
The flip side of his analysis is that while OSS was no more vulnerable than closed source it was also no less vulnerable, which would suggest the closed source model is equally capable of producing secure code.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330778</id>
	<title>What emphasis on security?</title>
	<author>Jurily</author>
	<datestamp>1267549500000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>I thought the only measure of a project was whether it makes the deadline.</p></htmltext>
<tokenext>I thought the only measure of a project was whether it makes the deadline .</tokentext>
<sentencetext>I thought the only measure of a project was whether it makes the deadline.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331228</id>
	<title>Re:Bolting On</title>
	<author>Anonymous</author>
	<datestamp>1267551660000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p><i>Designing for security and using secure coding practices from the beginning, however, makes it much, much easier.</i></p><p>Sure it does... but that sort of design takes money and expertise.  More often software is dreamed up and planned in ad hoc meetings. For example, a person in marketing decides it would be a great idea if their customers can get updates on their phones and Nitwitter accounts. In a 4PM meeting the marketer proposes it to his boss as a necessary value-add function without which the competition would eat us alive (1).</p><p>The next day, a "planning" meeting is called. The marketing manager tells (note, I say "tells" not "asks for input") the programming manager that the company needs mobile updates. The company needs (note, it's changed from the "Marketer wants" to "company needs") it before the next peak retail opportunity. This opportunity is either Valentine's Day or Easter or Summer Break or Thanksgiving or some other arbitrary retail holiday.</p><p>The programming manager tells his programmer, "We need it by end of week."</p><p>The programmer begins to think about the problem. He raises objections to the timeline and lack of design. The marketing manager cries to the CEO. The CEO screams at the CTO. The CTO screams at the programming manager. The manager tells the programmer that he's wasted a day and we still need it by end of week.</p><p>The programmer thinks about coding and how to grab the data he needs. He browses a database and finds a table that he needs. To make it accessible to the web frontend, he opens up some permissions. Maybe he creates a new view that combines multiple tables to make his code easier or faster. This new view now violates PCI and SOX regulations, but he doesn't care... this is just for testing until he can figure out how to do it properly.  He stays up all night and gets a proof of concept working. The next day he shows it to his manager.</p><p>His manager says, "OK, tell them it's done."</p><p>The test software becomes production.</p></htmltext>
<tokenext>Designing for security and using secure coding practices from the beginning , however , makes it much , much easier.Sure it does... but that sort of design takes money and expertise .
More often software is dreamed up and planned in ad hoc meetings .
For example , a person in marketing decides it would be a great idea if their customers can get updates on their phones and Nitwitter accounts .
In a 4PM meeting the marketer proposes it to his boss as a necessary value-add function without which the competition would eat us alive ( 1 ) .The next day , a " planning " meeting is called .
The marketing manager tells ( note , I say " tells " not " asks for input " ) the programming manager that the company needs mobile updates .
The company needs ( note , it 's changed from the " Marketer wants " to " company needs " ) it before the next peak retail opportunity .
This opportunity is either Valentine 's Day or Easter or Summer Break or Thanksgiving or some other arbitrary retail holiday.The programming manager tells his programmer , " We need it by end of week .
" The programmer begins to think about the problem .
He raises objections to the timeline and lack of design .
The marketing manager cries to the CEO .
The CEO screams at the CTO .
The CTO screams at the programming manager .
The manager tells the programmer that he 's wasted a day and we still need it by end of week.The programmer thinks about coding and how to grab the data he needs .
He browses a database and finds a table that he needs .
To make it accessible to the web frontend , he opens up some permissions .
Maybe he creates a new view that combines multiple tables to make his code easier or faster .
This new view now violates PCI and SOX regulations , but he does n't care.. this is just for testing until he can figure out how to do it properly .
He stays up all night and gets a proof of concept working .
The next day he shows it to his manager.His manager says , " OK , tell them it 's done .
" The test software becomes production .</tokentext>
<sentencetext>Designing for security and using secure coding practices from the beginning, however, makes it much, much easier.Sure it does... but that sort of design takes money and expertise.
More often software is dreamed up and planned in ad hoc meetings.
For example, a person in marketing decides it would be a great idea if their customers can get updates on their phones and Nitwitter accounts.
In a 4PM meeting the marketer proposes it to his boss as a necessary value-add function without which the competition would eat us alive (1).The next day, a "planning" meeting is called.
The marketing manager tells (note, I say "tells" not "asks for input") the programming manager that the company needs mobile updates.
The company needs (note, it's changed from the "Marketer wants" to "company needs") it before the next peak retail opportunity.
This opportunity is either Valentine's Day or Easter or Summer Break or Thanksgiving or some other arbitrary retail holiday.The programming manager tells his programmer, "We need it by end of week.
"The programmer begins to think about the problem.
He raises objections to the timeline and lack of design.
The marketing manager cries to the CEO.
The CEO screams at the CTO.
The CTO screams at the programming manager.
The manager tells the programmer that he's wasted a day and we still need it by end of week.The programmer thinks about coding and how to grab the data he needs.
He browses a database and finds a table that he needs.
To make it accessible to the web frontend, he opens up some permissions.
Maybe he creates a new view that combines multiple tables to make his code easier or faster.
This new view now violates PCI and SOX regulations, but he doesn't care.. this is just for testing until he can figure out how to do it properly.
He stays up all night and gets a proof of concept working.
The next day he shows it to his manager.His manager says, "OK, tell them it's done.
"The test software becomes production.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330788</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331472</id>
	<title>Obsolete?</title>
	<author>vlm</author>
	<datestamp>1267552620000</datestamp>
	<modclass>Informative</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>The conventional wisdom is that open source is risky.</p></div><p>Does anyone believe that anymore, other than journalists quoting other journalists and PR people?</p><p>I did some Google searching, trying to find when that old FUD campaign started.  It seems to not show up much until 1998.</p><p>The 12-year-old advertising/FUD campaign is getting kind of tired.</p></htmltext>
<tokenext>The conventional wisdom is that open source is risky.Does anyone believe that anymore , other than journalists quoting other journalists and PR people ? I did some google searching , trying to find when that old FUD campaign started .
It seems to not show up much until 1998.The 12 year old advertising/FUD campaign is getting kind of tired .</tokentext>
<sentencetext>The conventional wisdom is that open source is risky.Does anyone believe that anymore, other than journalists quoting other journalists and PR people?I did some google searching, trying to find when that old FUD campaign started.
It seems to not show up much until 1998.The 12 year old advertising/FUD campaign is getting kind of tired.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31334192</id>
	<title>Interesting.</title>
	<author>E. Edward Grey</author>
	<datestamp>1267562280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Even though the "conventional wisdom" is that the science of programming has entirely changed to consider security issues from end to end, in reality this does not appear to be the case at all.</p><p>I think this is a very interesting and valuable insight.  The people doing the talking have completely sold everyone on a vision in which the coder keeps security in mind from the get-go, but the people doing the, uh... doing... are doing things the way they have always done them, and tacking on the security piece after the fact.</p><p>Is it that programmers in general simply believe that buyers are unreasonably paranoid?  Or is it that planning for security throughout the process is too costly and time-consuming?</p></htmltext>
<tokenext>Even though the " conventional wisdom " is that the science of programming has entirely changed to consider security issues from end to end , in reality this does not appear to be the case at all.I think this is a very interesting and valuable insight .
The people doing the talking have completely sold everyone on a vision in which the coder keeps security in mind from the get-go , but the people doing the , uh ... doing ... are doing things the way they have always done them , and tacking on the security piece after the fact.Is it that programmers in general simply believe that buyers are unreasonably paranoid ?
Or is it that planning for security throughout the process is too costly and time-consuming ?</tokentext>
<sentencetext>Even though the "conventional wisdom" is that the science of programming has entirely changed to consider security issues from end to end, in reality this does not appear to be the case at all.I think this is a very interesting and valuable insight.
The people doing the talking have completely sold everyone on a vision in which the coder keeps security in mind from the get-go, but the people doing the, uh ... doing ... are doing things the way they have always done them, and tacking on the security piece after the fact.Is it that programmers in general simply believe that buyers are unreasonably paranoid?
Or is it that planning for security throughout the process is too costly and time-consuming?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332712</id>
	<title>Re:That's great.</title>
	<author>TheLink</author>
	<datestamp>1267556880000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>2</modscore>
	<htmltext>&gt; If you can't easily restrict a program to a small subset of your machine, you're forced to trust code you didn't write to get anything done.<br>&gt; Nobody should blame the users, if the OS sucks.<br><br>Agreed. And most OSes out there suck in this respect (OSX, Linux, Windows).<br><br>FWIW Windows Vista and Windows 7 kinda suck less - since they actually have some sandboxing with IE8.<br><br>Ubuntu has apparmor sandboxing of firefox as an option that's turned off by default, and even if you turn it on it's not sandboxed enough IMO (firefox can read and write almost anything in the user's home directory with the exclusion of just a few directories).<br><br>As it is, most users are either forced to:<br><br>1) Solve a version of the Halting Problem where they don't and can't know all the inputs and are unable to read the source code (or even know if that's really the source code of the executable they are about to run ;) ).<br><br>2) Use only software from a Trusted Vendor's repository. Not a good strategy for Microsoft given their Monopoly Status, and this approach/philosophy doesn't actually help the OSS cause that much either.<br><br>You can say "download the source and compile it yourself", but when even experts have difficulty finding flaws in the software, how would users find them (see also 1) ).<br><br>Users will just skip the pointless steps and go to "make install" (which often requires root permissions).<br><br>As it is I have proposed that applications request the sandbox they want to be run in. Then the O/S enforces the sandbox.<br><br>It's easier to figure out the danger the application poses if you require applications to state up front the limits of what they want. If they say "No Limits" you can assume you don't want to run it.<br><br>The sandboxes can be from a shortlist of template sandboxes, or custom sandboxes which are signed by trusted parties.<br><br>Organizations could have Trusted 3rd Parties audit the application's proposed sandbox and sign it if they believe it's OK.<br><br>It is much easier to audit a sandbox than audit thousands of lines of code.<br><br>Furthermore, the code audit results will be invalidated if the program can update itself online, or can possibly fetch new instructions from the Internet. Whereas the sandbox audit would still be valid.<br><br>For example, without sandboxing, a code audited program might fetch new instructions and decide to turn on your webcam without your permission. In contrast if the sandbox doesn't allow the program to access the webcam, the program isn't going to be able to access the webcam even if it fetched new instructions.<br><br>Unless of course there's a bug in the sandboxing. But at least this means you can concentrate more resources on getting the sandbox and O/S bugs fixed, rather than try to get the dozens or hundreds of programs security audited and re-audited every time there's a new update.</htmltext>
<tokenext>&gt; If you ca n't easily restrict a program to a small subset of your machine , you 're forced to trust code you did n't write to get anything done. &gt; Nobody should blame the users , if the OS sucks.Agreed .
And most OSes out there suck in this respect ( OSX , Linux , Windows ) .FWIW Windows Vista and Windows 7 kinda suck less - since they actually have some sandboxing with IE8.Ubuntu has apparmor sandboxing of firefox as an option that 's turned off by default , and even if you turn it on it 's not sandboxed enough IMO ( firefox can read and write almost anything in the user 's home directory with the exclusion of just a few directories ) .As it is , most users are either forced to : 1 ) Solve a version of the Halting Problem where they do n't and ca n't know all the inputs and are unable to read the source code ( or even know if that 's really the source code of the executable they are about to run ; ) ) .2 ) Use only software from a Trusted Vendor 's repository .
Not a good strategy for Microsoft given their Monopoly Status , and this approach/philosophy does n't actually help the OSS cause that much either.You can say " download the source and compile it yourself " , when even experts have difficulty finding flaws in the software , how would users find them ( see also 1 ) ) .Users will just skip the pointless steps and go to " make install " ( which often requires root permissions ) .As it is I have proposed that applications request for the sandbox they want to be run in .
Then the O/S enforces the sandbox.It 's easier to figure out the danger the application poses , if you require applications to state up front the limits of what they want .
If they say " No Limits " you can assume you do n't want to run it.The sandboxes can be from a shortlist of template sandboxes , or custom sandboxes which are signed by trusted parties.Organizations could have Trusted 3rd Parties audit the application 's proposed sandbox and sign it if they believe it 's OK.It is much easier to audit a sandbox than audit thousands of lines of code.Furthermore the code audit results will be invalidated if the program can update itself online , or can possibly fetch new instructions from the Internet .
Whereas the sandbox audit would still be valid.For example , without sandboxing , a code audited program might fetch new instructions and decide to turn on your webcam without your permission .
In contrast if the sandbox does n't allow the program to access the webcam , the program is n't going to be able to access the webcam even if it fetched new instructions.Unless of course there 's a bug in the sandboxing .
But at least this means you can concentrate more resources on getting the sandbox and O/S bugs fixed , rather than try to get the dozens or hundreds of programs security audited and reaudited everytime there 's a new update .</tokentext>
<sentencetext>&gt; If you can't easily restrict a program to a small subset of your machine, you're forced to trust code you didn't write to get anything done.&gt; Nobody should blame the users, if the OS sucks.Agreed.
And most OSes out there suck in this respect (OSX, Linux, Windows).FWIW Windows Vista and Windows 7 kinda suck less - since they actually have some sandboxing with IE8.Ubuntu has apparmor sandboxing of firefox as an option that's turned off by default, and even if you turn it on it's not sandboxed enough IMO (firefox can read and write almost anything in the user's home directory with the exclusion of just a few directories).As it is, most users are either forced to:1) Solve a version of the Halting Problem where they don't and can't know all the inputs and are unable to read the source code (or even know if that's really the source code of the executable they are about to run ;) ).2) Use only software from a Trusted Vendor's repository.
Not a good strategy for Microsoft given their Monopoly Status, and this approach/philosophy doesn't actually help the OSS cause that much either.You can say "download the source and compile it yourself", when even experts have difficulty finding flaws in the software, how would users find them (see also 1) ).Users will just skip the pointless steps and go to "make install" (which often requires root permissions).As it is I have proposed that applications request for the sandbox they want to be run in.
Then the O/S enforces the sandbox.It's easier to figure out the danger the application poses, if you require applications to state up front the limits of what they want.
If they say "No Limits" you can assume you don't want to run it.The sandboxes can be from a shortlist of template sandboxes, or custom sandboxes which are signed by trusted parties.Organizations could have Trusted 3rd Parties audit the application's proposed sandbox and sign it if they believe it's OK.It is much easier to audit a sandbox than audit thousands of lines of code.Furthermore the code audit results will be invalidated if the program can update itself online, or can possibly fetch new instructions from the Internet.
Whereas the sandbox audit would still be valid.For example, without sandboxing, a code audited program might fetch new instructions and decide to turn on your webcam without your permission.
In contrast if the sandbox doesn't allow the program to access the webcam, the program isn't going to be able to access the webcam even if it fetched new instructions.Unless of course there's a bug in the sandboxing.
But at least this means you can concentrate more resources on getting the sandbox and O/S bugs fixed, rather than try to get the dozens or hundreds of programs security audited and reaudited everytime there's a new update.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331106</id>
	<title>Re:The other half</title>
	<author>Opportunist</author>
	<datestamp>1267551060000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><p>Nah, the other half crashed when pitted against the security test suite.</p></htmltext>
<tokenext>Nah , the other half crashed when pitted against the security test suite .</tokentext>
<sentencetext>Nah, the other half crashed when pitted against the security test suite.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330820</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331252</id>
	<title>sometimes security doesn't matter</title>
	<author>i.r.id10t</author>
	<datestamp>1267551780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Sometimes security doesn't matter, esp. with regard to the "internal project" stuff mentioned.</p><p>Of course, this is the area that basic utility scripting is used, you and perhaps one or two others are the only ones using it, you already have access to any other system you could get via a cross scripting technique, access to any DBs you'd get with a SQL injection, etc.</p></htmltext>
<tokenext>Sometimes security does n't matter , esp .
with regard to the " internal project " stuff mentioned.Of course , this is the area that basic utility scripting is used , you and perhaps one or two others are the only ones using it , you already have access to any other system you could get via a cross scripting technique , access to any DBs you 'd get with a SQL injection , etc .</tokentext>
<sentencetext>Sometimes security doesn't matter, esp.
with regard to the "internal project" stuff mentioned.Of course, this is the area that basic utility scripting is used, you and perhaps one or two others are the only ones using it, you already have access to any other system you could get via a cross scripting technique, access to any DBs you'd get with a SQL injection, etc.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331424</id>
	<title>Not a shocker</title>
	<author>Anonymous</author>
	<datestamp>1267552440000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>2</modscore>
	<htmltext><p>Coming from the systems integration side of things, I don't view this as a surprise. Developers are great at writing software, but in my experience they have no idea about how the platform they're deploying it on actually works beyond the API function calls they make. This leads to internal applications that I have to throw back because part of the requirements are, "User must be a member of the Administrators or Power Users group." Most dev guys just don't get that it's very dangerous to give the end user full rights to an Internet-connected Windows box. There are just too many holes in Windows to safely allow it.</p><p>To be fair, there are a lot of reasons for stuff like this...not the least of which is deadlines for deploying "something that works." I've been there on the systems side too...scrambling at the last second to get hardware and operating systems deployed because of a deployment date. There are also a lot of apps coded in C++ and other unmanaged languages that open the system up for all sorts of buffer overrun attacks. Not much you can do there except vigilant code checking.</p><p>I think a little education on both sides of the fence would be useful. Developers should get some kind of training in "systems administration and internals for developers" and systems guys should definitely be educated in what holes are safe to open up on their systems. (That's a big cause of this too -- there's a lot of low-skilled systems admins out there who take the developer's instructions at face value without checking to see if full access is really needed.)</p></htmltext>
<tokenext>Coming from the systems integration side of things , I do n't view this as a surprise .
Developers are great at writing software , but in my experience they have no idea about how the platform they 're deploying it on actually works beyond the API function calls they make .
This leads to internal applications that I have to throw back because part of the requirements are , " User must be a member of the Administrators or Power Users group .
" Most dev guys just do n't get that it 's very dangerous to give the end user full rights to an Internet-connected Windows box .
There 's just too many holes in Windows to safely allow it.To be fair , there are a lot of reasons for stuff like this...not the least of which is deadlines for deploying " something that works .
" I 've been there on the systems side too...scrambling at the last second to get hardware and operating systems deployed because of a deployment date .
There are also a lot of apps coded in C + + and other unmanaged languages that open the system up for all sorts of buffer overrun attacks .
Not much you can do there except vigilant code checking.I think a little education on both sides of the fence would be useful .
Developers should get some kind of training in " systems administration and internals for developers " and systems guys should definitely be educated in what holes are safe to open up on their systems .
( That 's a big cause of this too -- there 's a lot of low-skilled systems admins out there who take the developer 's instructions at face value without checking to see if full access is really needed .
)</tokentext>
<sentencetext>Coming from the systems integration side of things, I don't view this as a surprise.
Developers are great at writing software, but in my experience they have no idea about how the platform they're deploying it on actually works beyond the API function calls they make.
This leads to internal applications that I have to throw back because part of the requirements are, "User must be a member of the Administrators or Power Users group.
" Most dev guys just don't get that it's very dangerous to give the end user full rights to an Internet-connected Windows box.
There are just too many holes in Windows to safely allow it. To be fair, there are a lot of reasons for stuff like this...not the least of which is deadlines for deploying "something that works.
" I've been there on the systems side too...scrambling at the last second to get hardware and operating systems deployed because of a deployment date.
There are also a lot of apps coded in C++ and other unmanaged languages that open the system up for all sorts of buffer overrun attacks.
Not much you can do there except vigilant code checking.I think a little education on both sides of the fence would be useful.
Developers should get some kind of training in "systems administration and internals for developers" and systems guys should definitely be educated in what holes are safe to open up on their systems.
(That's a big cause of this too -- there are a lot of low-skilled systems admins out there who take the developer's instructions at face value without checking to see if full access is really needed.
)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332172</id>
	<title>security is important</title>
	<author>Anonymous</author>
	<datestamp>1267555200000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>mostly to security consultants. nobody else really cares because it just doesn't matter that much.</p></htmltext>
<tokenext>mostly to security consultants .
nobody else really cares because it just does n't matter that much .</tokentext>
<sentencetext>mostly to security consultants.
nobody else really cares because it just doesn't matter that much.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31342286</id>
	<title>Re:That's great.</title>
	<author>Random Walk</author>
	<datestamp>1267610640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
<i>Ubuntu has apparmor sandboxing of firefox as an option that's turned off by default, and even if you turn it on it's not sandboxed enough IMO (firefox can read and write almost anything in the user's home directory with the exclusion of just a few directories).</i>
</p><p>
It's trivial to simply run Firefox under a different user id. I use about three applications that need to access the net (web, mail, chat), and each of them gets started (via a simple wrapper script) under a different, dedicated UID.
</p></htmltext>
<tokenext>Ubuntu has apparmor sandboxing of firefox as an option that 's turned off by default , and even if you turn it on it 's not sandboxed enough IMO ( firefox can read and write almost anything in the user 's home directory with the exclusion of just a few directories ) .
It 's trivial to simply run Firefox under a different user id .
I use about three applications that need to access the net ( web , mail , chat ) , and each of them gets started ( via a simple wrapper script ) under a different , dedicated UID .</tokentext>
<sentencetext>
Ubuntu has apparmor sandboxing of firefox as an option that's turned off by default, and even if you turn it on it's not sandboxed enough IMO (firefox can read and write almost anything in the user's home directory with the exclusion of just a few directories).
It's trivial to simply run Firefox under a different user id.
I use about three applications that need to access the net (web, mail, chat), and each of them gets started (via a simple wrapper script) under a different, dedicated UID.
</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332712</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331326</id>
	<title>Re:Security is no selling point</title>
	<author>ka9dgx</author>
	<datestamp>1267552080000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>Actually, good security would be a GREAT selling point, if someone actually implemented it.</p><p>Security is the ability to run code without unwanted side effects.  Windows, Mac, and Linux do not offer a simple way to do this. The closest you can get is either Sandboxie on Windows, AppArmor on Linux, or setting up a VM per program.</p><p>If you offered a way to specify the limits of side effects on an application before and while it runs, you could make a ton of people very happy. I suspect there is some money to be made there as well.</p></htmltext>
<tokenext>Actually , good security would be a GREAT selling point , if someone actually implemented it.Security is the ability to run code without unwanted side effects .
Windows , Mac , Linux do not offer a simple way to do this .
The closest you can get is either Sandboxie on Windows , AppArmor on Linux , or setting up a VM per program.If you offered a way to specify the limits of side effects on an application before and while it runs , you could make a ton of people very happy .
I suspect there is some money to be made there as well .</tokentext>
<sentencetext>Actually, good security would be a GREAT selling point, if someone actually implemented it.Security is the ability to run code without unwanted side effects.
Windows, Mac, and Linux do not offer a simple way to do this.
The closest you can get is either Sandboxie on Windows, AppArmor on Linux, or setting up a VM per program.If you offered a way to specify the limits of side effects on an application before and while it runs, you could make a ton of people very happy.
I suspect there is some money to be made there as well.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331494</id>
	<title>Re:Security is no selling point</title>
	<author>jsebrech</author>
	<datestamp>1267552740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It depends on the product, but there are indeed corporate customers who have policies disallowing them from purchasing / deploying software that does not pass independent security audit.</p><p>It's a mixed bag, and it depends on the market you're in. For some types of software, security is a non-issue. Security is like usability. You can always improve things, but at some point you have to say "up to here, and no further".</p></htmltext>
<tokenext>It depends on the product , but there are indeed corporate customers who have policies disallowing them from purchasing / deploying software that does not pass independent security audit.It 's a mixed bag , and it depends on the market you 're in .
For some types of software , security is a non-issue .
Security is like usability .
You can always improve things , but at some point you have to say " up to here , and no further " .</tokentext>
<sentencetext>It depends on the product, but there are indeed corporate customers who have policies disallowing them from purchasing / deploying software that does not pass independent security audit.It's a mixed bag, and it depends on the market you're in.
For some types of software, security is a non-issue.
Security is like usability.
You can always improve things, but at some point you have to say "up to here, and no further".</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331084</id>
	<title>They get paid to find security holes</title>
	<author>dcraid</author>
	<datestamp>1267550880000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Will a security firm ever certify that a solution is perfect on the first pass?  Not if they want to be invited back for a second.</htmltext>
<tokenext>Will a security firm ever certify that a solution is perfect on the first pass ?
Not if they want to be invited back for a second .</tokentext>
<sentencetext>Will a security firm ever certify that a solution is perfect on the first pass?
Not if they want to be invited back for a second.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333860</id>
	<title>Re:Well now</title>
	<author>sgtrock</author>
	<datestamp>1267561260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I made my submission after first seeing a story in El Reg.  While I saw it in several other places, I thought the Dark Reading story was a bit better in highlighting the findings than most.  You're right, though.  It's very light on the methodology.  The <a href="http://www.veracode.com/content/view/1015/38" title="veracode.com">press release</a> [veracode.com] on VeraCode's site has a bit more information:</p><blockquote><div><p>...<b>1,600</b> Internally Developed, Open Source, Outsourced, and Commercial applications analyzed <b>when first submitted to Veracode</b>...

</p><p>...the first report of its kind to provide security intelligence derived from <b>multiple testing methodologies</b> (static, dynamic and manual) on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++ and .NET) <b>from every part of the software supply chain</b> on which organizations depend.

</p><p>...analyzing <b>billions of lines of code</b> submitted to Veracode for independent verification of software security from <b>more than 15 industries</b>.</p></div></blockquote><p>
<i>(emphasis added)</i>

</p><p>So.  The sample consists of approximately 1,600 applications consisting of billions of lines of code from self-selecting organizations; organizations who have an interest in writing the most secure code possible or they wouldn't be subjecting themselves to this process or paying for the service.  And still, <i>60% of all these apps fail the first time through</i>!

</p><p>I've been following testing results for FOSS for years.  I've waded through thesis papers, press releases, magazine articles, Coverity's Scan site, you name it and I've dug into it.  Virtually everything else that I've come across covered just a single means; static or dynamic code analysis, pen testing, fuzz testing, bug report analysis, mathematical breakdowns that attempt to address the "why" FOSS works so well, etc.  The press release defines a sample size that is at least within shouting distance as the largest two that I know of; a <a href="http://ec.europa.eu/enterprise/sectors/ict/files/2006-11-20-flossimpact_en.pdf" title="europa.eu">study commissioned by the European Commission</a> [europa.eu] to analyze the economic impact of FLOSS which briefly discusses bug fixing, <a href="http://news.cnet.com/Security-research-suggests-Linux-has-fewer-flaws/2100-1002_3-5489804.html" title="cnet.com">Coverity</a> [cnet.com], and <a href="http://scan.coverity.com/" title="coverity.com">Coverity again</a> [coverity.com].

</p><p>At most, they might have tackled two methodologies in a single article.  This is the first such announcement that I've been able to find that covers multiple methodologies.  IMNSHO, that's what makes this an important story.  Slashvertisement or not.



</p><p>(BTW, note that the original announcement was at RSA Conference 2010.  I suppose that makes it a RSAvertisement first?  Nahhh.  Doesn't trip off the tongue. ;)  )</p>
	</htmltext>
<tokenext>I made my submission after first seeing a story in El Reg .
While I saw it in several other places , I thought the Dark Reading story was a bit better in highlighting the findings than most .
You 're right , though .
It 's very light on the methodology .
The press release [ veracode.com ] on VeraCode 's site has a bit more information : ...1,600 Internally Developed , Open Source , Outsourced , and Commercial applications analyzed when first submitted to Veracode.. . ...the first report of its kind to provide security intelligence derived from multiple testing methodologies ( static , dynamic and manual ) on the full spectrum of application types ( components , shared libraries , web and non-web applications ) and programming languages ( including Java , C/C + + and .NET ) from every part of the software supply chain on which organizations depend .
...analyzing billions of lines of code submitted to Veracode for independent verification of software security from more than 15 industries .
( emphasis added ) So .
The sample consists of approximately 1,600 applications consisting of billions of lines of code from self selecting organizations ; organizations who have an interest in writing the most secure code possible or they would n't be subjecting themselves to this process or paying for the service .
And still , 60 % of all these apps fail the first time through !
I 've been following testing results for FOSS for years .
I 've waded through thesis papers , press releases , magazine articles , Coverity 's Scan site , you name it and I 've dug into it .
Virtually everything else that I 've come across covered just a single means ; static or dynamic code analysis , pen testing , fuzz testing , bug report analysis , mathematical breakdowns that attempt to address the " why " FOSS works so well , etc .
The press release defines a sample size that is at least within shouting distance as the largest two that I know of ; a study commissioned by the European Commission [ europa.eu ] to analyze the economic impact of FLOSS which briefly discusses bug fixing , Coverity [ cnet.com ] , and Coverity again [ coverity.com ] .
At most , they might have tackled two methodologies in a single article .
This is the first such announcement that I 've been able to find that covers multiple methodologies .
IMNSHO , that 's what makes this an important story .
Slashvertisement or not .
( BTW , note that the original announcement was at RSA Conference 2010 .
I suppose that makes it a RSAvertisement first ?
Nahhh. Does n't trip off the tongue .
; ) )</tokentext>
<sentencetext>I made my submission after first seeing a story in El Reg.
While I saw it in several other places, I thought the Dark Reading story was a bit better in highlighting the findings than most.
You're right, though.
It's very light on the methodology.
The press release [veracode.com] on VeraCode's site has a bit more information:...1,600 Internally Developed, Open Source, Outsourced, and Commercial applications analyzed when first submitted to Veracode...

...the first report of its kind to provide security intelligence derived from multiple testing methodologies (static, dynamic and manual) on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++ and .NET) from every part of the software supply chain on which  organizations depend.
...analyzing billions of lines of code submitted to Veracode for independent verification of software security from more than 15 industries.
(emphasis added)

So.
The sample consists of approximately 1,600 applications consisting of billions of lines of code from self-selecting organizations; organizations who have an interest in writing the most secure code possible or they wouldn't be subjecting themselves to this process or paying for the service.
And still, 60% of all these apps fail the first time through!
I've been following testing results for FOSS for years.
I've waded through thesis papers, press releases, magazine articles, Coverity's Scan site, you name it and I've dug into it.
Virtually everything else that I've come across covered just a single means; static or dynamic code analysis, pen testing, fuzz testing, bug report analysis, mathematical breakdowns that attempt to address the "why" FOSS works so well, etc.
The press release defines a sample size that is at least within shouting distance as the largest two that I know of; a study commissioned by the European Commission [europa.eu] to analyze the economic impact of FLOSS which briefly discusses bug fixing, Coverity [cnet.com], and Coverity again [coverity.com].
At most, they might have tackled two methodologies in a single article.
This is the first such announcement that I've been able to find that covers multiple methodologies.
IMNSHO, that's what makes this an important story.
Slashvertisement or not.
(BTW, note that the original announcement was at RSA Conference 2010.
I suppose that makes it a RSAvertisement first?
Nahhh.  Doesn't trip off the tongue.
;)  )
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332274</id>
	<title>Firefox has too many developers</title>
	<author>Anonymous</author>
	<datestamp>1267555560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>This obviously causes security holes.</p><p>In its last several releases, everyone's favorite Open Source browser has become an unstable mess of add-ons, plugins, and other hacks that chew up memory like a fat kid with a chocolate-dipped corn dog. In fact, just last week, SecurityFocus released news of a devastating exploit in Firefox 3.5.5 that they blame squarely on its unstable architecture.</p><p>From its infancy Firefox has been the product of collaborative effort, unifying code from hackers worldwide. But thanks to the Hayes Law, we see that there is a "sweet spot" to such a development style, and that Firefox has long since left it behind. In the chart below, we can see that the number of Firefox developers has increased exponentially since 2002, and that number will more than double in 2010.</p><p>But it's time to be honest: either Firefox, as a modern web browser, will have killer performance on 64-bit, multicore Intel chips or it's not worth downloading and installing. And since, as we have seen in the recent past, that Firefox is actually getting slower with each release, Firefox is certainly a waste of time for anyone who takes their web browsing seriously.</p><p>The Hayes Law states that, given a specific type of software project, there is a certain complexity associated with it, and with that complexity an optimal number of developers. It's actually a little more complicated than that, taking into account development model, coding platform, programming language, and code repository platform, but in the end it's easy to plug in the numbers and see where a project's headed.</p><p>Against the Hayes Law, Firefox appears to have jumped the shark sometime after the Firefox 2.0 in 2006. The next major release, Firefox 3.0 in 2008, introduced many issues users today complain about: bloat, sloth, instability, and insatiable hunger for memory. Firefox user complaints increased in tandem, all syncing up with the jump in developers. 
Ergo Firefox's problem: too many cocks in the kitchen.</p><p>To further underline this growing problem, Firefox completely falls down in Acid3: Firefox 3.5 scores 93/100, and Firefox 3.6 scores only 87/100. Needless to say, Firefox 4.0 mockups score 0/100. Sadly, this is a continuation of a trend: Firefox took the longest of all browsers to beat Acid2. And don't even think about Acid4. Firefox is collapsing under its own weight.</p><p>The core of this problem looms: the number of developers, as seen in the chart above, will only continue to skyrocket for Firefox 3.6 and beyond. By the time Firefox 4.0 is released, sometime in December 2010, the number of developers will be nearly 4,000, almost a full magnitude greater than the optimal 445 or so in 2006. Clearly, Firefox is about to capsize.</p><p>So what is to be done? Users can petition the Mozilla Corporation and the Mozilla Foundation to rethink their development model, focus on optimization instead of new features, and perhaps backpedaling on some of the less sensible projects like Mozilla Mobile and the non-standard XUL interface. Concerned individuals should log into Mozilla's Bugzilla and let loose with their bug and crash reports like never before.</p><p>Unless Brendan Eich and Mitchell Baker take their heads out of their asses, however, the best course of action is to escape Firefox like rats from a sinking ship. There are other options out there: Apple's small, fast, and efficient Safari, coded by several dozen professional programmers, is currently the best browser for Mac and Windows. The time-honored Internet Explorer continues to embrace and extend Web standards. Other browsers like Chrome, Opera, and Lynx are out there too but aren't for everyone.</p><p>In the end, Mozilla Firefox as it stands is a sick browser that is in need of emergency surgery and is not ready to take on the challenges of Web 2.0 and things like CSS 3, HTML5, and JavaScript 1.9. 
Unless something happens soon, Firefox will take the entire World Wide Web&mdash;and everyone who depends on it&mdash;back to the Stone Age of the Internet.</p></htmltext>
<tokenext>This obviously causes security holes.In its last several releases , everyone 's favorite Open Source browser has become an unstable mess of add-ons , plugins , and other hacks that chew up memory like a fat kid with a chocolate-dipped corn dog .
In fact , just last week , SecurityFocus released news of a devastating exploit in Firefox 3.5.5 that they blame squarely on its unstable architecture.From its infancy Firefox has been the product of collaborative effort , unifying code from hackers worldwide .
But thanks to the Hayes Law , we see that there is a " sweet spot " to such a development style , and that Firefox has long since left it behind .
In the chart below , we can see that the number of Firefox developers has increased exponentially since 2002 , and that number will more than double in 2010.But it 's time to be honest : either Firefox , as a modern web browser , will have killer performance on 64-bit , multicore Intel chips or it 's not worth downloading and installing .
And since , as we have seen in the recent past , that Firefox is actually getting slower with each release , Firefox is certainly a waste of time for anyone who takes their web browsing seriously.The Hayes Law states that , given a specific type of software project , there is a certain complexity associated with it , and with that complexity an optimal number of developers .
It 's actually a little more complicated than that , taking into account development model , coding platform , programming language , and code repository platform , but in the end it 's easy to plug in the numbers and see where a project 's headed.Against the Hayes Law , Firefox appears to have jumped the shark sometime after the Firefox 2.0 in 2006 .
The next major release , Firefox 3.0 in 2008 , introduced many issues users today complain about : bloat , sloth , instability , and insatiable hunger for memory .
Firefox user complaints increased in tandem , all syncing up with the jump in developers .
Ergo Firefox 's problem : too many cocks in the kitchen.To further underline this growing problem , Firefox completely falls down in Acid3 : Firefox 3.5 scores 93/100 , and Firefox 3.6 scores only 87/100 .
Needless to say , Firefox 4.0 mockups score 0/100 .
Sadly , this is a continuation of a trend : Firefox took the longest of all browsers to beat Acid2 .
And do n't even think about Acid4 .
Firefox is collapsing under its own weight.The core of this problem looms : the number of developers , as seen in the chart above , will only continue to skyrocket for Firefox 3.6 and beyond .
By the time Firefox 4.0 is released , sometime in December 2010 , the number of developers will be nearly 4,000 , almost a full magnitude greater than the optimal 445 or so in 2006 .
Clearly , Firefox is about to capsize.So what is to be done ?
Users can petition the Mozilla Corporation and the Mozilla Foundation to rethink their development model , focus on optimization instead of new features , and perhaps backpedaling on some of the less sensible projects like Mozilla Mobile and the non-standard XUL interface .
Concerned individuals should log into Mozilla 's Bugzilla and let loose with their bug and crash reports like never before.Unless Brendan Eich and Mitchell Baker take their heads out of their asses , however , the best course of action is to escape Firefox like rats from a sinking ship .
There are other options out there : Apple 's small , fast , and efficient Safari , coded by several dozen professional programmers , is currently the best browser for Mac and Windows .
The time-honored Internet Explorer continues to embrace and extend Web standards .
Other browsers like Chrome , Opera , and Lynx are out there too but are n't for everyone.In the end , Mozilla Firefox as it stands is a sick browser that is in need of emergency surgery not ready to take on the challenges of Web 2.0 and things like CSS 3 , HTML5 , and JavaScript 1.9 .
Unless something happens soon , Firefox will take the entire World Wide Web    and everyone who depends on it    back to the Stone Age of the Internet .</tokentext>
<sentencetext>This obviously causes security holes.In its last several releases, everyone's favorite Open Source browser has become an unstable mess of add-ons, plugins, and other hacks that chew up memory like a fat kid with a chocolate-dipped corn dog.
In fact, just last week, SecurityFocus released news of a devastating exploit in Firefox 3.5.5 that they blame squarely on its unstable architecture.From its infancy Firefox has been the product of collaborative effort, unifying code from hackers worldwide.
But thanks to the Hayes Law, we see that there is a "sweet spot" to such a development style, and that Firefox has long since left it behind.
In the chart below, we can see that the number of Firefox developers has increased exponentially since 2002, and that number will more than double in 2010.But it's time to be honest: either Firefox, as a modern web browser, will have killer performance on 64-bit, multicore Intel chips or it's not worth downloading and installing.
And since, as we have seen in the recent past, that Firefox is actually getting slower with each release, Firefox is certainly a waste of time for anyone who takes their web browsing seriously.The Hayes Law states that, given a specific type of software project, there is a certain complexity associated with it, and with that complexity an optimal number of developers.
It's actually a little more complicated than that, taking into account development model, coding platform, programming language, and code repository platform, but in the end it's easy to plug in the numbers and see where a project's headed.Against the Hayes Law, Firefox appears to have jumped the shark sometime after the Firefox 2.0 in 2006.
The next major release, Firefox 3.0 in 2008, introduced many issues users today complain about: bloat, sloth, instability, and insatiable hunger for memory.
Firefox user complaints increased in tandem, all syncing up with the jump in developers.
Ergo Firefox's problem: too many cocks in the kitchen.To further underline this growing problem, Firefox completely falls down in Acid3: Firefox 3.5 scores 93/100, and Firefox 3.6 scores only 87/100.
Needless to say, Firefox 4.0 mockups score 0/100.
Sadly, this is a continuation of a trend: Firefox took the longest of all browsers to beat Acid2.
And don't even think about Acid4.
Firefox is collapsing under its own weight.The core of this problem looms: the number of developers, as seen in the chart above, will only continue to skyrocket for Firefox 3.6 and beyond.
By the time Firefox 4.0 is released, sometime in December 2010, the number of developers will be nearly 4,000, almost a full magnitude greater than the optimal 445 or so in 2006.
Clearly, Firefox is about to capsize.So what is to be done?
Users can petition the Mozilla Corporation and the Mozilla Foundation to rethink their development model, focus on optimization instead of new features, and perhaps backpedaling on some of the less sensible projects like Mozilla Mobile and the non-standard XUL interface.
Concerned individuals should log into Mozilla's Bugzilla and let loose with their bug and crash reports like never before.Unless Brendan Eich and Mitchell Baker take their heads out of their asses, however, the best course of action is to escape Firefox like rats from a sinking ship.
There are other options out there: Apple's small, fast, and efficient Safari, coded by several dozen professional programmers, is currently the best browser for Mac and Windows.
The time-honored Internet Explorer continues to embrace and extend Web standards.
Other browsers like Chrome, Opera, and Lynx are out there too but aren't for everyone.In the end, Mozilla Firefox as it stands is a sick browser that is in need of emergency surgery and is not ready to take on the challenges of Web 2.0 and things like CSS 3, HTML5, and JavaScript 1.9.
Unless something happens soon, Firefox will take the entire World Wide Web—and everyone who depends on it—back to the Stone Age of the Internet.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333860
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332932
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31342286
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332712
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333928
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331106
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330820
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331326
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331378
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331282
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335088
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331230
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31336032
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331424
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333644
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330804
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331558
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332020
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333386
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331494
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335554
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31337272
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330914
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331362
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330874
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330788
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31340286
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331228
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330788
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332082
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331390
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332580
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332274
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_02_1443210_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333352
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330778
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332274
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332580
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330778
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333352
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331802
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331504
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330914
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31337272
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330820
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331106
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330802
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331282
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331390
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332020
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332706
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330788
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331228
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330874
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330842
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331558
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333860
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333386
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332932
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331424
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31336032
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331450
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331084
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331230
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335088
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330804
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333644
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330864
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331494
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31333928
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331326
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331378
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332082
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331362
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331252
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330758
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31331148
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31332712
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31342286
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31340286
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31335554
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_02_1443210.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_02_1443210.31330880
</commentlist>
</conversation>
