Office 2003 Bug Locks Owners Out 247
I Don't Believe in Imaginary Property writes "A Microsoft Office 2003 bug is locking people out of their own files, specifically those protected with Microsoft's Rights Management Service. Microsoft has a TechNet bulletin on the issue with a fix. It looks like they screwed up and let a certificate expire. There's no information on when the replacement certificate will expire, though, or what will happen when it does."
Tag: Not a bug, defective by design. (Score:5, Insightful)
amazing... (Score:5, Insightful)
Putting that amount of trust in a third party that has the power to lock you out of your own files... It boggles the mind as to why that is acceptable in anything of importance.
Re:Screw Up Or Forced Upgrade? (Score:5, Insightful)
I know a LOT of people still using MS Office 2003. Some people dislike the Ribbon System with '07's version. Some people are too cheap to upgrade when the old copy still "works".
That's why there's OpenOffice. An experience that brings you back to the good 'ol days of Office 2003 for free. Actually, it may even bring you back to the days of Office '97.
At least until the next version comes out. Then you have the ribbon too. God, I hope it can be disabled.
Re:Screw Up Or Forced Upgrade? (Score:5, Insightful)
Why did you put "works" in quotes? Office 2003 still does, in fact, work. It works just fine.
A lot of people are still using Office 2003 because the number of new features that impact daily usage seems to shrink with every new release. Why upgrade when the version you have does everything you need it to, and the new version doesn't do anything you wish it did?
There's always someone who will benefit from [insert new feature here]. But for the rest of us, Office has suffered from a paucity of innovation since 1995. If anything, things have gotten worse -- e.g. they keep trying to make Microsoft Word "smart," but the result is a program that's too smart to be obedient and too stupid to do what you actually want it to do.
The writing's on the wall for Office. If the folks in Redmond don't figure out something reeeal soon, Office is toast.
Re:Locks OUT!? (Score:4, Insightful)
What's worse is when Microsoft does not exist anymore at some point in the future. Eventually, the certificates will expire again; then -- without Microsoft to renew them anymore -- you're screwed.
Want to access your important, digitally protected documents? Sorry.
Re:Screw Up Or Forced Upgrade? (Score:4, Insightful)
I get your point but this is a little different.
Not having perfect page layout might take you 30 minutes to fix. Worst case, the text is in a zip file and can be pulled out.
Not being able to read encrypted data would be a little bit more serious.
Re:Screw Up Or Forced Upgrade? (Score:3, Insightful)
Sure it does, so long as you didn't lock up your own files with Microsoft's rights management services.
Considering that this is used mostly, if not entirely, by corporate clients implementing access control, the idea that it's Microsoft doing evil in the background is foolhardy. Locking documents out because of the failure of a security certificate would hardly convince a corporate client to upgrade to a newer version of Office.
Re:amazing... (Score:3, Insightful)
Totally off the mark. (Score:5, Insightful)
Microsoft gets people to update by giving their product to the CEOs and "bigwigs". When everybody _else_ in the organization cannot read or use the new format for the documents, they have to keep bouncing transfered documents back to the aforementioned bigwigs. Eventually the bigwigs get tired of the fact that they cannot understand how to use save-as-older-format, and they dislike having their underlings telling them to do things, and they cannot bear to find all the files they saved and re-save them before they downgrade back to the old version... So the entire company naturally has to pay to upgrade everyone.
Repeat that at the border of the company. Every iteration of Little Company that works with and is dependent on Big Company, cannot allow themselves to be seen as unhelpful nor out of date, and they cannot bounce the documents they receive via email etc. without giving that exact impression...
Letting certificates expire is _not_ a Microsoft "strategy", it's an artifact of their adoption of "We don't care. We don't have to. We're The Phone Company" where there is no longer just one phone company, but Microsoft wants to be "The Software Company".
This _is_ egg on their face, but the only ones who will not yell "brilliant omelet" are the people who can connect the "Trusted Computing" dots. Letting the world _again_ see what it means to leave the keys to your property in the hands of any entity that doesn't _have_ to care is just another Microwhoops...
Re:amazing... (Score:3, Insightful)
That said, I'm not entirely sure using Office 2003 gives you such a competitive advantage over other products. But that is not my decision.
Re:Screw Up Or Forced Upgrade? (Score:5, Insightful)
At least until the next version comes out. Then you have the ribbon too. God, I hope it can be disabled.
Agree. The Ribbon was a tremendous step backwards in user friendliness, all in the name of eye candy. It sucks. Way too long a familiarisation curve. In contrast, I'm having zero trouble -- almost zero thought -- in using the plain vanilla Gnome / Open Office interface to do the stuff I need to do on the home laptop, i.e. load documents, edit them, and store them.
Re:amazing... (Score:1, Insightful)
Having the source out there before the fact didn't help in that case, so why would it help in this case?
So having a binary package uploaded by a third party, not compiled by trusted developers proves that source doesn't help? Perhaps if it was a compiled app, with source available, pushed by a trusted source rather then a website that allows anyone to upload anything you would have a point...
Re:amazing... (Score:3, Insightful)
And yet people use such things as gmail, hotmail, facebook, and etc.
Re:Tag: Not a bug, defective by design. (Score:5, Insightful)
Me too... (Score:3, Insightful)
There's been a boatload of warnings about depending on this kind of technology.
The problem is, there's been plenty of opportunities for "I told you so", and people still buy software with time bombs built into it.
Re:Screw Up Or Forced Upgrade? (Score:5, Insightful)
...to handle writing scientific reports on Linux, and AbiWord wasn't up to the job (Note to trolls: please don't bother with shill posts for TeX/LaTex. I'm sure it's very good, but I've got work to do.)
Excuse me but would you also consider someone who tells a carpenter that a hammer is a much better tool for driving nails than a stapler a troll because you can't be bothered taking three seconds to figure out what end of the hammer to hold?
/Mikael
Re:Unexpected error? (Score:5, Insightful)
Still, I suppose no MS coder had ever considered that a time limited certificate would ever expire.
Re:Locks OUT!? (Score:3, Insightful)
The government?
Re:Unexpected error? (Score:4, Insightful)
Every error message that Microsoft has ever written is like this.
Sometimes they think to include a way of getting the full error in proper technical language across - maybe by writing to the event log or having a "click for technical details" option but more often than not they don't. As a Unix admin, it's immensely frustrating dealing with software which goes so far out of its way to be opaque.
Re:Screw Up Or Forced Upgrade? (Score:3, Insightful)
Re:Tag: Not a bug, defective by design. (Score:3, Insightful)
Re:amazing... (Score:5, Insightful)
If I had my way, documents would be done using plain text and markup languages. Everything is simple and separate, so you don't have many security issues that way.
Re:Unexpected error? (Score:3, Insightful)
I love these kind of messages. Everybody keeps calling me, it says here you know what is going on. WTF? I don't have a clue what you've done, just because I am the system administrator I am not telepathic or having some kind of better error messages mailed to me...
Even better, you are installing something and the dialog pops up: "Contact your system administrator". I am the fucking administrator if I wasn't I wouldn't be logged in as 'administrator'...you haven't told me what the problem is...
Take off your tinfoil hat (Score:3, Insightful)
The reality of the situation is much simpler.
When you buy a new PC or laptop for your company - guess which version of office comes on it - the latest.
Guess if it is cheaper or more expensive to purchase one with the old version - more expensive. And whi is going to approve to pay more for something older?
So, as new machines come into *ANY* company, no matter *WHO gets them, they have the newest versions of Windows and Office, and this is what makes the problems. In many companies, I imagine it is the CEOs and marketing who get the newest machines first - which then leads to your flawed theory. (In the company I work for, engineering gets the newest machines first, as we actually need the horsepower).
Re:Screw Up Or Forced Upgrade? (Score:1, Insightful)
3 seconds for TeX/LaTeX? Really?
Re:Screw Up Or Forced Upgrade? (Score:3, Insightful)
I'm a carpenter. And the particular hammer that is LaTeX is a wonderful, powerful hammer, that is too heavy to lift for many home workmen. That's not a "3 second job", and the constant recompilation to get viewable or printable output is a serious burden.
Re:Screw Up Or Forced Upgrade? (Score:4, Insightful)
Actually, my experience with LaTeX is that if you look at it as HTML with different keywords and keep some decent documentation nearby (there are several good PDF books available for free online) it is easier to use LaTeX if you want sane printable results than it is to use MS Word or another word processor (hell, the reason I started using LaTeX to begin with was because I got fed up with trying to force word processors to give me decent output).
/Mikael
Re:Take off your tinfoil hat (Score:3, Insightful)
And who is going to approve to pay more for something older?
Total Cost of Ownership [wikipedia.org]
Those who don't want to pay for:
- Training for users to be able to use the new software interface
- Training for technical staff to be able to quickly troubleshoot common issues
- Cost in man-hours of re-writing that bodge macro which auto-fills / sorts details which is now broken in every document
- Accompanying hardware upgrades for any computers which don't run fast enough for the new software
IIRC, MS Office on new computers is a 60-Day trial, or you get MS Works instead. You'll be needing a different compatibility pack for Works documents.
Re:Screw Up Or Forced Upgrade? (Score:3, Insightful)
If YOU lose your own key, then that's your own fault. Forgetting to take your keys and closing the door behind you, that's simply your own silliness. And no news.
Here it is a third-party vendor (Microsoft in this case) that basically changes the locks to your files. As if the developer of the apartment building where you live suddenly changes the locks of all the flats. Locking out everyone who locked their doors. Even if they did not lose their own keys.
And that is bad. Very bad.
Re:Unexpected error? (Score:3, Insightful)
What you are describing isn't a problem with the exception system, as you are free to craft your exception-handling system so that it informs you exactly where the exception was thrown. If you want to blame someone then blame those who failed to learn how to use them.
Re:Unexpected error? (Score:5, Insightful)
Code reuse is the more likely problem. The biggest problem is that each component has to assume there is no UI. It could be in a GUI, or commandline, or silent mode, or a service, or whatever else, so it doesn't pop up an error message - it just returns a value.
You tell your handy security library to use the internet library to connect to the microsoft server thingie, and the internet library doesn't have any reason to know about certificates. The security library assumes the certificate will always be valid (or the network will take care of that), so it doesn't have a "bad certificate" return value. Then the app doesn't check the return values (only success/fail), or it's not in the list of things to check.
Detailing your actions makes it easier to disassemble and comprehend, so lots of proprietary coders don't do that. Bubbling up an exception could have a detailed description of why something failed, but proprietary coders don't want end users to see the gory details of what their code is doing. "Confusing error messages" is one of those things Windows users hate, so they generally either detail what you might do to fix it or, if it's too detailed or on a server instead, just skip that part.
It's nothing the user can do anything about, so why bother reporting it? Plus you need to make translations and test cases to ensure your message pops up in all languages when the cert is expired... more work when you could just ship it, and list a known risk that the server team has to keep the cert up to date.
I know, tldr. Black box programming combined with allowing ignorant users peace of mind will result in this type scenario every time. I always chuckle when I see "Table or view does not exist" errors in Oracle SQL when I can see the table in the list of ALL_USER_TABLES or similar. I don't have access to it, and revealing that it exists but I'm, not allowed to read from it might be a security violation the same way "bad username" vs "bad password" gives brute-force people more information to work with so you say "bad username/password combination" and now they don't know if the user exists. Maybe they thought of that, or maybe they tried to select, got 'denied' return code, and translated that into one they do have a text string for.
So many possibilities, of which yours is the least likely. Exceptions can be done well, there just aren't enough good examples out there so it takes a serious debugging headache before someone looks at a better way of doing it. Then Management says the errors are too wordy and you're back to "Unexpected error" meaning everything from "Network down" to "I crapped my pants".
Re:Screw Up Or Forced Upgrade? (Score:2, Insightful)
Some people are too cheap to upgrade when the old copy still "works"
There's some bias showing there, spendthrift. Why put quotes around "works"? If the copy you are using serves your needs, and there are no new features in the new version that would make things easier for you, why in the world would you spend the money and have to relearn the program you are used to and comfortable with with no added benefit?
IMO that would be worse than a waste of money, and wasting money alone is stupid.
Re:Screw Up Or Forced Upgrade? (Score:3, Insightful)
Unfortunately most people are just resistant to change.
Course maneuvers. I've survived as a programmer for forty years. If I were resistant to change I'd have quit thirty-nine years ago. I've also seen rather a lot of very good, and very bad UI design since the introduction of the command line and have adapted to all of it.
The Office Ribbon UI is a tremendously bad concept, because it intrudes on the process of using the application in a negative way. Every little smooth, automatic, dynamic expansion and compression of menu items contrasts with the items you have already scanned and mentally noted, and costs you a re-think as to the arrangement of items.
Familiarity is definitely the issue here, because you are forced to read and interpret transitions that previously were static enough to select by reflex. No amount of familiarisation can compensate for a UI designed (deliberately or otherwise) to avoid your becoming familiar with object placement.
The Windows XP interface and associated Office products had a decent UI design. The current Ribbon UI is simply crap by comparison.
Re:Compatability pack worse than OO.o (Score:3, Insightful)