Slashdot Mirror

Speaking of Microsoft,

Link from TFA regarding password strength. It's where they got that table in the article. At the Microsoft site, they have a link...

They have a Password Checker: is your password strong test?

That's just a mock phishing example waiting to happen.

I kludged up some code a while back to create a shim dll that can be used as the basis for selectively replacing functions in dlls...

A slightly more sophisticated solution would've been Detours.

Or, if you didn't feel like coding, WinAPIOverride32.

Not 100% accurate. Windows 7 includes direct-x 9 itself (there's not much to it), but not all the different d3dX9_??.dll extension files. Those are what you have to install.

The DX web setup will bring you up to date with all direct-x 9 onwards extension files, regardless of whether you're running XP or 7, x86 or x64, Home or Ultimate (just look at the comprehensive supported OSs list!).

Any older versions of DX are supported, you shouldn't need to install anything for them.

You're looking at this from a users perspective. I'm looking at it from a webmasters perspective.

Even webmasters can choose what they use. Not only that but they can even choose to use more than one search engine and provider of advertising. Actually if I were an employer and my webmaster wasn't using more than one provider then I wouldn't want to pay their salary. Sure right now Google has the major market position but that is likely to change. For instance Microsoft handles Facebook's ads as well as other high traffic websites. Until the end of August Google handled News Corp's MySpace ads however in July News Corp was in discussion with Google, Microsoft, and Yahoo for ad placement. Marketing is growing on other social networking websites as well, and Google doesn't do ads on all of them.

How many people install their own OS?

Well, I do. My daughters use Linux.

Did you install Linux for your daughters, or did they install it themselves?

How many buy Macs?

Well, I do. My wife uses a Mac.

So do I, I'm typing this on my MacBook Pro. I also have 2 Linux PCs, both of the tower PCs under my desk have Linux installed. One is a really old one I ordered from Microway with two HDDs, one with NT4 and the other with Redhat Linux, so I can dualboot. The other I bought with Linspire preinstalled. I also plan to install Ubuntu on my Mac. But most people buy and use Windows PCs.

How many buy PCs with Linux preinstalled?

I would say, enough to make it a venture that's profitable enough that manufacturers keep doing it.

But how many people can easily switch to Linux? Without a Linux guru it is difficult for most people to switch. Distros like Linspire attempted but Ubuntu is doing successfully is making it easier but there's still a long way to go before Linux is as easy to use for normal people as Windows, heck even Macs, is to use.

Falcon

Yes there is sites out there where the company behind them send out software that infect your computer and causes it to become open for anyone to take over.

Some of them even pretend to do useful things for you like pretending to be a way to secure your computer from nasty attacks.

For one nasty example check out this site:

http://www.microsoft.com/

I heard Windows has its own P2P framework to build applications and MS could use it for Windows Update anytime they wanted but they didn't enable it yet.

http://technet.microsoft.com/en-us/network/bb545868.aspx

They also bought a relatively little known P2P company recently. I am almost sure they could be using same bandwidth as youtube for windows updates. Of course, youtube has ads, windows update hasn't.

If something like you suggest implemented on *NIX, OS level, recently tested rtorrent myself, on a 1.25 Ghz G4 Mac mini. It is absolutely the choice without question. I mean "libtorrent". 1% of CPU on full bandwidth, speechless.

I don't understand; how does theming your window manager help against this? I'm assuming the malware bit is *inside* the Google Chrome window, so even if you themed your windows with say a Pikachu theme, the *insides* of the Chrome window would still contain the rogue site, imitating Chrome's red and white-colored malware block UI.

The only way out of this is if crucial error pages are protected with some sort of "sign-in seal", like Yahoo uses for its login screens.

Lol at the firefox warning button here

"Get me our of here and upgrade"

So what, you're getting me one more 'our of browsing on this site before I have to upgrade? Allright, I'll upgrade in an hour.

To some degree yes.

http://research.microsoft.com/en-us/um/people/simonpj/papers/list-comp/index.htm

and still has a paltry 512 mb of memory, which, when they eventually get around to implementing multitasking, means that what you're actually going to get is something on the order of windows 3.1 multitasking with a few services, not actual task switching, etc.

The system requirements for Windows 3.1 was 2MB (4MB recommended). I'm not a big fan of the iPad myself for various reasons but you sound like you're on an anti-Apple rant. Computers have been fast "enough" for most people for a long time, and I can't really see why you'd try abusing an iPad into running anything like a workstation load. Or at least if you do, that you got any reason to complain about it not being the right tool for the job.

Welcome to 2003, kids. Microsoft has been doing this for a long time.

See: http://technet.microsoft.com/en-us/library/cc781109(WS.10).aspx

Or go look up "Windows Hotpatching".

Their ``Royal'' font format.

http://www.microsoft.com/typography/truetypehistory.mspx

Microsoft got access to it by trading to Apple their ``TrueImage'' PostScript clone (seen that used anywhere lately?)

William

"*symbolic links to files, incorrect NTFS has supported reparse points since Windows 2000"

Incorrect. Reparse points apply only to directories, not files.

Yes and no; there's some mixed up terminology there. You're thinking of junctions, which are used to implement a sort of symbolic link for directories in Windows 2000 and later. Windows Vista and Server 2008 introduced support for symbolic links to both directories and files. (The directory version has different semantics from junctions in certain situations.)

All of these link types are implemented using reparse points, a generic mechanism of redirecting filesystem object operations that has been present in the NTFS spec since Windows 2000.

...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

A user without administrative access cannot install a rootkit.

Incorrect (at least as I was discussing). The *user* doesnt have to install it, the escalated malware (via .NET or other methods) does. There are a bunch of escalation exploits available via .NET and especially it's ClickOnce crapnology. But they've been fixed!!! For almost TEN years, that promise has been made repeatedly. The June announcement went way too far in claiming that all such issues were permanently and properly fixed - as opposed to the more truthful statement that the should have used indicating that a patch for the specific exploit was released (and leaving it at that).

Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still dont need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly.

No... those are sometimes patched quickly, sometimes not (like the .NET exploit noted in June that took months to improperly patch.

If you are referring to the hotfixes they release that hope to mitigate the circumstance until a real (though usually not fully fixed - at least in the case of .NET) patch is released, well, I dont count those, since, as I noted, they generally dont really fix the hole.

Do you have any examples or sources to back up that claim?

Yeah, as I indicated, it's called "Windows Updates" - check it out sometime! You can go right into your (XP) "Add/Remove Programs" or (Vista upwards) "Programs and Features" and enable viewing of all updates, and check the last few weeks - then check the associated Microsoft pages which will tell you exactly what I posted in Microsoft's own words.

Use Google if you really want to learn more. In the meantime, with your lack of knowledge, and lack of interest/willingness to do the very simple check on a Windows machine that's up to date to verify my claims, don't assume/claim they are wrong.

But to give you a head start, here's ONE of the various CRITICAL updates (this one from this month):
We Never Really Fixed the .NET issue

This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.

This security update is rated Critical for all affected releases of Microsoft .NET Framework for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; Microsoft Silverlight 2; and Microsoft Silverlight 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Even users with "fe

I know that RTA is not commonplace, so I guess I don't expect many to go even further and go to the MS SDL page, and then go even further to the "What is the Microsoft Security Development Lifecycle (SDL)?" page, but I was bored, so I did.

What is the Microsoft Security Development Lifecycle (SDL)?

The Microsoft SDL is a security assurance process that is focused on software development. It is a collection of mandatory security activities, grouped by the phases of the traditional software development life cycle (SDLC). Many of these security activities would provide some degree of security benefit if implemented on a standalone basis.

Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

Inotherwords, (at least from their "What is") this isnt about code. This isn't about APIs. This is about methodology to write secure software.

Think about this... isn't this:
(1) The type of stuff programmers should be taught in college, or self learn from reputable places?
(2) Something Microsoft's track record proves they have limited or no knowledge about?
(3) Something somewhat irrelevant to the Linux and Open Source world?
(4) Something that is more likely simply a publicity stunt? (look how many people think this has to do with actual APIs and such)

So, whoop-de-do!!!! One could already learn this stuff from better sources, implement it in better ways, and gain more knowledge from other companies who are quicker with security updates and better at designing programs with security in mind.

Perhaps developers that use Microsoft's development tools, and Microsoft's frameworks MAY gain some advantage from this, but even that advantage is limited by what security holes there are in those frameworks (.NET and so on) and Windows as a whole.

http://www.microsoft.com/security_essentials/

(when promoting being up to date, linking to an out of date version was a pretty ironic screw-up.. :)

I seem to be missing something here. Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.

The biggest problem is people not using them - not using automatic windows update (or very frequently manual) and not having up-to date malware and antivirus (it's free and some, like this one, are not the resource hogs fx old Norton was infamous for.)

Nothing is 100% secure, but boy to this take care of most of it, as you correctly are saying (when I turn my sarcasm detector off :)

fx Windows had actually Conficker patched quite early, in Windows Update, it became the big ongoing epidemic because of unpatched machines (people not doing auto- or frequent updates, for some reason or other).

And some people are probably going to suggest Mac or Linux at this point, fair enough, but for people that wants or needs to use Windows, it isn't that hard to have a quite secure and trouble free Windows 7 setup (decade old XP is starting to be another story).

I'm just reading this doc and the whole thing seems to be an exercise in fail on the part of Windows and antivirus programs:

* Detection of this is as easy as looking for a file "Rs32net.exe" in the Windows system folder.

* Subverting Windows' "safe mode" is as simple as writing registry values to "HKLM\SYSTEM\CurrentControlSet\Safeboot\Minimal\[EXEFILENAME]"

* Making sure you load into memory *before* the antivirus is as simple as this (yet somehow the antivirus programs can't use this technique??)

etc.

DO NOT use Microsoft Craporation software.

Yours In Moscow,
K. Trout

*blink*

I spent the past five years working in a small (~25 developer) Windows XP Pro based software development house. Our file server was running Win2K3 Enterprise and was using a large (1TB, later upgraded to 10TB) hardware RAID 5 disk array. All of this equipment was sourced from Dell.

Once a month, we needed to call in an admin to bring down the server (and once every other month for someone's desktop machine) to delete files that were "screwed up". "Screwed up" means:
* Cannot delete, rename, read, or modify the file.
* The only tab available on the "File->Properties" dialog for the file in question is the "General" tab. (This means that the Sharing, Security, and Customize tabs shown here are not present.)

Note that *every* developer performed work as an unprivileged user. Noone on staff possessed an Administrator account, with the exception of the admins.

I've never *ever* seen this behaviour with *any* filesystem on Linux. I've abruptly pulled the plug on my home machines hundreds of times and never had *any* filesystem issues. (Not even with reiserfs V3. :D)

I/O is only frozen for 10 seconds. I'm sure Microsoft has an article about this

Yes, one method shadow copy uses is COW. Shadow copy is not NTFS.

It is a volume-level mechanism that lies under the NTFS file system. There is an area for files, and there is a volume shadow copy region on each volume.

There are two methods shadow copy can be implemented, one involves re-directing writes to the reserved region. Copy on write is the other option.

Those agreements were made after the design of .NET:

http://www.microsoft.com/presspass/press/2004/apr04/04-02sunagreementpr.mspx

It's also not clear that they would even cover the CLR.

http://www.microsoft.com/casestudies/default.aspx

http://www.microsoft.com/casestudies/Microsoft-Exchange-Server-2010/NASDAQ-OMX/Electronic-Stock-Market-Firm-Improves-Business-Critical-Communication-Solution/4000005727

http://www.microsoft.com/casestudies/default.aspx

http://www.microsoft.com/casestudies/Microsoft-Exchange-Server-2010/NASDAQ-OMX/Electronic-Stock-Market-Firm-Improves-Business-Critical-Communication-Solution/4000005727

Sure looks to me like lots of companies you .net and other Microsoft products for a lot of varied purposes, including mission critical work.

http://www.microsoft.com/casestudies/default.aspx

http://www.microsoft.com/casestudies/Microsoft-Exchange-Server-2010/NASDAQ-OMX/Electronic-Stock-Market-Firm-Improves-Business-Critical-Communication-Solution/4000005727

Sure looks to me like lots of companies you .net and other Microsoft products for a lot of varied purposes, including mission critical work.

http://www.microsoft.com/casestudies/default.aspx

http://www.microsoft.com/casestudies/Microsoft-Exchange-Server-2010/NASDAQ-OMX/Electronic-Stock-Market-Firm-Improves-Business-Critical-Communication-Solution/4000005727

Link swallowed in another post, sorry. Here:

http://www.microsoft.com/whdc/winlogo/maintain/StartWER.mspx

Developers can also sign up to receive the WER reports for their "in the wild" applications: http://msdn.microsoft.com/en-us/library/bb513641(VS.85).aspx

It doesn't matter how much they assure that they won't go after free implementations. Without it written in legalese, irrevocable, it's a worthless statement.

It is written in legalese. And it is actually quite a bit stronger than a license as it does not require the beneficiary (you) to accept any license agreement. The legal term is estoppel. Here, look it up: http://en.wikipedia.org/wiki/Estoppel.

From Microsofts community promise (emphasis mine):

Microsoft irrevocably promises not to assert any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation, to the extent it conforms to one of the Covered Specifications, and is compliant with all of the required parts of the mandatory provisions of that specification ("Covered Implementation"), subject to the following: [...]

Read the full text here: http://www.microsoft.com/interop/cp/default.mspx

Now, could that term "Necessary Claims" leave Microsoft with a legal loophole they could wiggle through and sue anyway? IANAL, but it certainly doesn't appear so, as the only way Microsoft could claim that your infringement on one of their patent wasn't "necessary" would be for them to demonstrate what you could have done. Remember, this is a one-sided promise, the burden would be on Microsoft to demonstrate how you would fall outside of the patent coverage.

Now, this promise covers C#, the common language runtime, common type system and core libraries such as collections, P/Invoke etc. It does not cover some of the framework parts higher-up in the stack, such as WPF, WCF, ASP.NET.

It is still unclear to me how implementation of such APIs would be more prone to infringing MS patents than implementing the same functionality on other platforms with other languages. Remember, you cannot patent an API, you can only patent an actual "machine" implementation. Surely if some critical part is covered by a software patent, said patent is language/platform agnostic.

It appears that the problem Google has with Dalvik/Oracle is precisely covered by Microsofts legally binding community promise. See, Google has no interest in implementing a full Java SE. And they had no interest in paying license fees to Sun(now Oracle) for an official JavaME. So they wiggled around and made their own platform in a way which has opened them up to litigation from Oracle.

Had they gone with Mono instead of Dalvik (remember, Dalvik was merely a way to wiggle around Java licenses) there would have been no license fees, and no patent infringement.

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Let me try to explain how this works.

WER (Windows Error Reporting) applies to any application you run on Windows. If something crashes, you'll be offered to send a report. In fact, third-party application developers can register to directly receive reports for their apps through the same system. For MS apps - including Visual Studio - the data ends up at MS.

The "phone home" process, as of Win7, works that way with the default settings: the initial "phone" on crash is automatic (you will see the "Windows checking for a solution to a problem" dialog), but includes the absolute minimum of information - name of binary that crashed and its embedded version number, that kind of thing. This is used to determine if the problem is known, and to direct the user to a web page describing how to solve it (e.g. update an application). You can change these defaults - including switching the thing off altogether - at "Control Panel\System and Security\Action Center\Problem Reporting Settings".

If the issue is not known, the user is explicitly requested to send additional information to MS to help debug it. If you don't click "Send", then nothing else goes. Now that stuff actually includes a process dump of the offending process, which can, obviously, include some private information. That is covered by this privacy statement. It will also tell you what data, exactly, it is going to send, so that you may look at it and decide if you want to proceed or not.

Now, the only way your source code can end up in that report is if you get Visual Studio (or whatever application you're using to edit the code) to crash, and then send the report via WER. Even then it's not a given, because, by default, reports do not include process heap data, only the stack, so that the report is small and is uploaded quickly without annoying the user. Gathering of heap data (and then still only of the offending processs) is enabled on a case-by-case basis when it's deemed necessary for identifying the source of the problem. And, of course, practically all text editors (including VS) keep edited code on the heap.

In case of TFA, they're rather talking about people writing exploits, which, by definition, do something that is normally caught by WER. A successful exploit won't be, of course, but before you get to that point you'd likely spend a lot of time testing & debugging it, and then you'd get a few WER-reported crashes. If you send in those, loaded parts of the binary may end up in the report. It's not the source code, of course, but then exploits are typically very small and low-level, so there isn't a huge difference between source and assembly in understanding how they work.

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Let me try to explain how this works.

WER (Windows Error Reporting) applies to any application you run on Windows. If something crashes, you'll be offered to send a report. In fact, third-party application developers can register to directly receive reports for their apps through the same system. For MS apps - including Visual Studio - the data ends up at MS.

The "phone home" process, as of Win7, works that way with the default settings: the initial "phone" on crash is automatic (you will see the "Windows checking for a solution to a problem" dialog), but includes the absolute minimum of information - name of binary that crashed and its embedded version number, that kind of thing. This is used to determine if the problem is known, and to direct the user to a web page describing how to solve it (e.g. update an application). You can change these defaults - including switching the thing off altogether - at "Control Panel\System and Security\Action Center\Problem Reporting Settings".

If the issue is not known, the user is explicitly requested to send additional information to MS to help debug it. If you don't click "Send", then nothing else goes. Now that stuff actually includes a process dump of the offending process, which can, obviously, include some private information. That is covered by this privacy statement. It will also tell you what data, exactly, it is going to send, so that you may look at it and decide if you want to proceed or not.

Now, the only way your source code can end up in that report is if you get Visual Studio (or whatever application you're using to edit the code) to crash, and then send the report via WER. Even then it's not a given, because, by default, reports do not include process heap data, only the stack, so that the report is small and is uploaded quickly without annoying the user. Gathering of heap data (and then still only of the offending processs) is enabled on a case-by-case basis when it's deemed necessary for identifying the source of the problem. And, of course, practically all text editors (including VS) keep edited code on the heap.

In case of TFA, they're rather talking about people writing exploits, which, by definition, do something that is normally caught by WER. A successful exploit won't be, of course, but before you get to that point you'd likely spend a lot of time testing & debugging it, and then you'd get a few WER-reported crashes. If you send in those, loaded parts of the binary may end up in the report. It's not the source code, of course, but then exploits are typically very small and low-level, so there isn't a huge difference between source and assembly in understanding how they work.

there should be a way to restrict execution to only code signed by the owning organization's IT security.

There is such a way: it's called "Software Restriction Policies". It's been around since Windows 2000 and it can be deployed by GPO... You can restrict by signature, by file name, by path, etc. It's part of Windows, it's "free", you just need to configure it.

http://technet.microsoft.com/en-us/library/bb457006.aspx

Oh, and you can block access to floppy, CD/DVD and USB drives as well. All with GPOs.

I'm no addressing specifically to you, but it gets on my nerves that people keep bashing MS, and they simply don't know squat about their products.

And it seems that the FBI, that would greatly benefit from this sort of security features, quite likely didn't have it implemented... "Incompetence" springs to my mind... If this incident involved linux in some way, everyone would say "it was shoddy configured, shoddy admins!", etc, etc... Since it involves MS products, the first reaction is "MS sucks". Well, I bet that, in this case, it was "soddy sysadmin" indeed.

Just my 2 cents...

5 Cameras actually. http://technet.microsoft.com/en-us/library/ee692114(Surface.10).aspx

Microsoft's virtual desktop manager:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

I've tried all 4 ways - to me, single desktop on Windows is the easiest to use. Other combinations work for other people. I'm just sick of being told that virtual desktops are automatically superior and a reason to switch to Linux.

In front of me, I have two bowls. One bowl with soup, and one bowl with screws. Of course, I could just have one bowl with both the soup AND the screws in it.

Thing is, sometimes their is a logical division between apps. On one virtual desktop I might have firefox and some notetaking ap running, while on another I have an IDE running. It's really convenient.

And how can you hate virtual desktops? Even if you have them, you aren't forced to use them.

You can try them out today, even if you're running windows:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx (used to be really painfully slow, perhaps it's gotten better?)
or
http://www.goscreen.info/ (haven't tried this one)

There is already a monoculture, it's just centered around Microsoft. Microsoft has posted a nice whitepaper (.doc) about the Air Force Standard Desktop, which includes such juicy tidbits as: "As of May 2006, it was installed on over 435,000 PCs. This represents more than 92% of the unclassified computers on the AF network. As application compatibility issues are resolved, the AF expects to have 100% deployment of the SDC.

The SDC is currently being implemented on the major classified network (SIPRNET) and will eventually be fully deployed there as well."

I would prefer the variety of operating systems. Unfortunately this also increases support difficulty.

There is. It's called Software Restriction Policies.

Like "Software Restriction Policies" in windows XP and AppLocker in Windows 7?

Like "Software Restriction Policies" in windows XP and AppLocker in Windows 7?

Wow. The instructions for disabling Autorun are hideous: http://support.microsoft.com/kb/967715. Is this really how one disables it?

This one looks slightly less hideous: http://www.us-cert.gov/cas/techalerts/TA09-020A.html.

I apologize in advance for the noob question.

TweakUI (an XP powertoy) has nice little checkboxes that allow you to change autorun by drive, by device type, and also add or remove autorun actions.

This is a Windows-only problem. Solution here.

Import the following to registry:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:blahenterrandomlettershere"

It will cause windows to ignore anything inside autorun.inf by replacing the content with non-existing entry ie. null.

Delete this branch from registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

It will wipe away any cached mountpoints and their autorun information.

Disclaimer: This will disable the USB autorun related vector for malicious code as well as any other mounted media or network resource. 'Autoplay' and all its features will still function the way you set them. This fix will break anything that depends on code inside autorun.inf ie. say goodbye to nice 'automatic installation', drive media renaming or placing nice icons to itself etc. Mostly useless stuff. Some special usb-sticks with software features built on autorun might not work anymore. Sad.

Maybe it is said by other companies, but they don't make such a big deal of it.

I disagree. I actually think it's standard practice for companies, especially the big ones, to make a big deal of their values.

Microsoft, for example, makes a big deal enough to have a verbose code of values documented online. http://www.microsoft.com/about/legal/en/us/Compliance/Buscond/Default.aspx#values

Other companies do the same, but only internally. Google just condenses it to "Don't be evil", but if you look at their code of conduct http://investor.google.com/corporate/code-of-conduct.html, the format is very similar to Microsoft's. They do have differences, but they have striking similarities:

Microsoft: Integrity and Honesty
Google: Integrity, Responsiveness (see how they define it)

Microsoft: Open and respectful with others
Google: Respect Each Other

Microsoft: Accountable for commitments, results, and quality
Google: Ensure financial integrity and responsibility

Those are pretty close to what we define as "good" ethically, in terms of a company's relationship with its customers.

Also, to be quite pedantic, "Don't Be Evil" is Google's INFORMAL company motto, and the place it appears in their website is in the same place Microsoft puts theirs in their website: in their investors relations pages. That's pretty standard.

So, back to you. Can you substantiate your claim that Google makes a big deal of their motto any more than other companies? Editorials from the free press not included.

It's naive to think that people have a moral/ethical framework?

No, but you are attacking a straw man. Remember when you contradicted this statement?

They may not always reach that standard... but heck, most actual people don't even try.

That seems very doubtful. Most people have some kind of moral/ethical framework.

You were using, as an argument, that "most actual people don't even try [to do good]" is very doubtful because people have a moral/ethical framework. You could only be right IF people are always consistent with their moral/ethical framework -- that MOST people ALWAYS do the right thing BECAUSE they have morals/ethics. That's what makes your argument naive.

Furthermore...

If this is true, then your other claim is bogus:

How so? Google might be particularly prone to evil, hence the need to proclaim "do no evil."

... you AGAIN show your confusion. If people HAVE a moral/ethical framework and they always follow through with it (the hidden assumption that you've always been making) then your statement that "Google MUST be evil because they proclaim this as their moral/ethical framework" is contradictory with your own beliefs, because under your own assumption, since Google has a moral/ethical framework, Google must be good.

I'm not saying that Google might NOT be particularly prone to evil.

I'm saying that your belief:

"most people have a moral/ethical framework, therefore people MUST be good at some level"

contradicts with your other belief:

"Google has a moral/ethical framework, therefore Google MUST be bad at some level"

That shows that either you have a double standard with particular malice against Google (at worst), or simply confused (at best). I chose to give you the benefit of the doubt.

Autorun is one of Microsoft's more frustrating contributions to the world.

But what is still more idiotic, is how user-unfriendly the path is to shutting it off. Microsoft's very own page on the issue...

http://support.microsoft.com/kb/967715

-FL

First of all, using environmental variables alone won't work in a programming IDE such as Visual Studio or others like it. Not without parsing the environment first via API calls (GetEnvironmentStrings or better still, GetEnvironmentVariable for a specific one, etc./et al)...

Yes, that’s how you “use environment variables”, dipshit. Thanks for saying I’m wrong then explaining that what I said to do was correct.

Either you're just another dumbass network techie type that is limited to writing batch files, and now you're trying to play programmer around here because of the stupidity due to incompleteness of your post.

Hey, retard! It’s “Either ... Or”. You just gave “Either”. Or what? Where’s the other possibility that you gave in your post? ... and then you said that my post was incomplete. Hilarious.

you only posted a minor part/partial part of what actually needs to be done, in full, in order to be able to use such environmental "%vars%" from inside a 'real programming language'

Find the place where I said that my post was a “full” explanation of what “actually needs to be done” in order to do what any “real” programmer already knows needs to be done in any “real programming language” in order to do what I said needed to be done. Hint: I didn’t.

I state that, mainly because you only post partial information, instead of complete accurate info.

I posted enough that any non-technical user would adequately understand what should have been done, and enough that any technical user would adequately understand how to do it (because, hell, any “real” programmer should already know how to use an environment variable).

But your own post is incomplete! You forgot to tell how to write the IDE and the compiler, you forgot to tell how to build the computer it runs on, you forgot to tell how to design and etch the PCBs, microcontrollers and other integrated circuits in the system and wire and solder the connections, you forgot to describe how to engineer a power plant and run electric lines to your equipment, and you forgot to describe how to create a river to cool the generators that produced the electricity that you needed.

Of course you ASSUMED that all of that would be unnecessary information, but in fact your post was just incomplete by your own standard (i.e. needs to include reams of redundant, unnecessary information that its audience either doesn’t need or already has).

Delphi, VB

You just disqualified yourself from “real” programming.

P.S.=> The rest of your post's "ok" but you ought to have posted a referential link to Microsoft in order to show the user the search rules for libraries, like this one -> http://msdn.microsoft.com/en-us/library/ms682586(VS.85).aspx

Somebody else already posted it, moron. And only an idiot (which you are) would post a link and then quote NEARLY THE ENTIRE PAGE that was linked to.

GTFO, troll.

paying them chicken feed until they've proved themselves by getting their name on a published title

A lot of that is the fault of the console makers, who won't deal with an indie developer who starts his own studio until the developer has "relevant video game industry experience". Nintendo spells it out.

Not surprisingly, the most indie-friendly console is Microsoft's Xbox 360.

Why not surprisingly? Because of their roots in the PC world, where anyone can write anything and release it.

Anyway, MS has (among other things) the XNA Creators Club. XNA itself requires a version of Visual Studio to use it, but it can be one of the free Express Editions.

"Um, that's why they have the %programfiles% environment variable, and it's why you install applications there, and it's why the current directory when you launch a file (%userprofile%\Default\Documents\) should never be where you're getting executable content (such as a .dll file)." - by clone53421 (1310749) on Tuesday August 24, @09:34AM (#33354120)

See subject, because your WEAK 'explanation' is rather incomplete:

First of all, using environmental variables alone won't work in a programming IDE such as Visual Studio or others like it. Not without parsing the environment first via API calls (GetEnvironmentStrings or better still, GetEnvironmentVariable for a specific one, etc./et al)...

Now, also as to libraries to BOTH yourself and the person you replied: Did he even mention current directory vs. the %program files% or %path% location? I don't even SEE it in the quote of his words you utilized, so that also makes you non-sequitur here

Clone53421, seriously here:

I mean, hey - Based on your reply above? Either you're just another dumbass network techie type that is limited to writing batch files, and now you're trying to play programmer around here because of the stupidity due to incompleteness of your post. IF that's the case, and I tend to think it is due to the incompleteness of your post and its seeming non-sequitur statements vs. that which you quoted from the person you replied to??

Don't try to play "expert" in areas you have NO REAL CLUE in, ok? Your lack of complete information shows us all this in fact, quite easily. Your type online???

Your type's the MOST dangerous type!

I state that, mainly because you only post partial information, instead of complete accurate info.

The type of reply you made tells me you are just a noob due to your incomplete data. It also shows your inexperience hands on in coding in languages that can utilize the Win16/32/64 API calls like C/C++, Delphi, VB, and many others.

(Again - I say this because you only posted a minor part/partial part of what actually needs to be done, in full, in order to be able to use such environmental "%vars%" from inside a 'real programming language' (& not just a .bat 16 bit or .cmd 32/64 bit files and their commandline interpreter like DOS tty terminals/consoles/command prompts use and what you do in batch files)).

APK

P.S.=> The rest of your post's "ok" but you ought to have posted a referential link to Microsoft in order to show the user the search rules for libraries, like this one -> http://msdn.microsoft.com/en-us/library/ms682586(VS.85).aspx

PERTINENT EXCERPT/QUOTE MATERIAL ON DLL SEARCH ORDER CONVENTIONS, and CAVEATS/EXCEPTIONS DUE TO SETUP TYPES:

---

If SafeDllSearchMode is enabled, the search order is as follows:
The directory from which the application loaded.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The current directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:
The directory from which the application loaded.
The current directory.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The

Even Microsoft has thrown in the towel with IA-64 given the scalability of AMD64 (err, x86-64) in Xeon & Opteron processors. Windows Server 2008 R2 is the last version to support IA-64...

http://www.microsoft.com/windowsserver2008/en/us/2008-IA.aspx

Has anybody written a test to verify that Microsoft's fix has been properly applied? It would be a simple DLL with that pops up a message, and simple EXE that loads the DLL (which has new unique name). Or even two versions of the DLL, one with a good message and one with a bad message. One goes in the system path, one goes in the same path as the EXE, a temp folder.

The MS kb patch has one typo, you add a new DWORD value to the registry, not a new key.
http://support.microsoft.com/kb/2264107

MS fixed the other typo mentioned here:
http://isc.sans.edu/diary.html?storyid=9445

Sorry, I call bullshit. A known issue, fixed only in 1999, would prevent Windows 95 and 98 from going over 49.7 days of uptime (2^32 milliseconds). Much hilarity ensued back in the day since "how could anyone have noticed / run into this" :-)

Thing is, I know of at least one other installation that was reputed to have stayed up for a long time - much like the GP asserts.

My guess is the machine(s) in question were somehow or other rebooting themselves in the middle of the night long before 49.7 days was up.