Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Comments · 34,132
-
Re:Inaccurate summaryAll it would take is for Microsoft to release a fully compatible viewer/converter so that everybody can open the oldest of documents, and companies would likely cease to care.
But they have done this for years, and yet everybody still complains.
-
Re:Hardware DRM....Microsoft running cars electronics, already happening... (I shudder at the thought)...
http://www.autosport.com/news/report.php/id/55980
or for more PR
http://www.microsoft.com/presspass/press/2006/dec06/12-11FIAPR.mspx "[ ... ] Microsoft's innovative technologies to deliver the best electronic system possible." And I was wondering why those formula one engines kept blewing up during races. I hope this doesn't make it to the general public (although my bicycle should be safe for now) -
Re:Hardware DRM....
Microsoft running cars electronics, already happening... (I shudder at the thought)...
http://www.autosport.com/news/report.php/id/55980
or for more PR
http://www.microsoft.com/presspass/press/2006/dec06/12-11FIAPR.mspx -
Re:enough?More importantly, say MS is forced to remove IE from Windows in the EU - how the heck does the average user then go and download Firefox or Opera? Use an FTP client? Well, MS will get forced to unbundle that too...
After seeing the effects of the forced Windows XP-N (without WMP included) racking up a massive 1,800 worldwide sales, well, I think there are some basic misconceptions in the "MS is teh sux0r" crowd. Apparently for most people, IE and WMP are acceptable, and when given a choice - as demanded by that roiling crowd - most people will choose to use IE and WMP. XP-N sales kind of prove the point...
Complain about standards compliance, sure. But the way to push for standards compliance isn't to remove the very item that the public wants, and make it nearly impossible for them to access (no browser, no FTP client, how do you get Firefox or Opera?). MS allows manufacturers to preload other applications now, nothing that I know of is stopping Dell, HP, Compaq or others from preloading Firefox or Opera.
Perhaps - just perhaps - HP, Dell, Compaq, and the other manufacturers have found their customers prefer IE or WMP?
-
Re:Lets try the other way around, eh
See slide 3 of former Microsoft Research Jim Gray's (RIP) presentation on flash drives for the diagram referred to in the parent. This is a great summary of what one of the most informed individuals believed about the future of SSD. I'm waiting!
:)
http://research.microsoft.com/~Gray/talks/Flash_Is_Good.ppt
SixD -
Re:Apple's next
I would bet money that WMP doesn't [work with Macs].
You lose: Windows media components for Mac -
Re:Registries and stupid ideasWindows XP seems to have lost that ability It absolutely has not: http://support.microsoft.com/kb/307545
Vista is the same.
captcha: sighed... I sure did. -
Re:Lead by Example
Also, development in Firefox with these two extensions has made my life immeasurably easier: Web Developer Toolbar by Chris Pedrick, and Firebug (in which I am always managing to discover new features that have been there all along). I shudder and groan when it's time to make it work in IE, because I know that javascript debugging, or CSS debugging, or just "Operation Aborted" errors are going to keep me unproductively busy for hours.
Just FYI, there is a Developer Toolbar for IE, but I agree it's not as good as the version for Firefox: http://www.microsoft.com/downloads/details.aspx?familyid=e59c3964-672d-4511-bb3e-2d5e1db91038&displaylang=en -
Re:3cm?!
Seems perfect for M$ Surface actually.
-
Re:Autorun is evil
The closest thing I know of to an official way of disabling autorun is to install Microsoft's powertoy TweakUI. As you might guess from the name, it gives you a GUI to tweak various aspects of the Windows user interface, including letting you turn off autorun. I've never had a problem with it.
-
The problems you faceMS Office 2007 has been a runaway bestseller at retail. The Year of Office 2007
The zealot never considers the possibility the proprietary alternative may simply be best-of-breed. He inflates the cost by quoting retail list for the most expensive version on the market.
If your employer has a volume licensing agreement with Microsoft, you may be able to get a full version of Office for the price of S&H. Home Use Program
MS Office Home 2007, with a three seat license, sells retail boxed for around $125.
The price of five replacement inkjet cartridges.
The software is essentially a one-time purchase, it's the price of consumables and services that will eat you alive. It is calculations like these that help programs like Paint Shop Pro and Photoshop Elements to compete against the GIMP.
Microsoft Office Home is a handsome and accessible site that consolidates resources for both amateur and professional users. OpenOffice.org plain text, pure Geek, circa 1992.
This is inexcusable for a marquee open source project backed by powerhouses like IBM and Sun.
It does not invite users to dig any deeper into FOSS. Rather it will have them running - not walking - in the opposite direction.
____ God help you if a problem with a FOSS app leads your potential convert to Slashdot and an encounter with the GNAA.
-
Branding is extremely important
and what would have happened if Dell went all out putting Linux on the front page, only selling Linux machines no MS Windows and it was a failure? There's another ten years of "Linux Sucks" right there.
No. Dell did the right thing by slowly growing their Linux desktop market and now everyone is copying them.
Branding matters a lot.
It's the reason Microsoft runs it's Get the facts campaign against Linux. Having Linux associated with big brands that people have heard of increases your chance of people picking your product. It doesn't matter that Linux runs on the top 8 super computers of the world because people will make judgements based of how familiar they are with a product.
This is why Ubuntu is more popular then other distributions, because Mark S. has associated Ubuntu with larger brands. More people know about Ubuntu and are more likely to pick it compared to another distributions. A lot of people here on /. grumble about "Why Noobuntu, why not try X". Well now you know, if distribution X had better branding it would probably be more popular then Ubuntu.
Another branding example..
Have you noticed recently how "Windows Server" adverts keep popping up on websites such as top500.org, sourceforge, etc? Places that decision makers might see them, but also developers. Sourceforge in particular seems to have tons of Microsoft adverts that it is starting to put me off visiting that website at all. -
Re:The real story
BTW, is this the Digg effect? I notice more and more looney conspiracy stories over there all the time. Maybe it's spreading.
At least in the case of Digg it is very clear how they get their money. This quote is from the bottom of the main Digg site:Advertise
You can buy advertising on Digg through our advertising partner MICROSOFT. -
Re:Where is the reference image from?
I don't know if there is a plugin, but you can just right-click the page in Fx and select "View Page Info" and then it will either say "Render Mode: Standards compliance mode" or "Render Mode: Quirks mode".
Oddly enough, I had trouble finding a site that renders in quirks mode so I could get the exact message that the dialog displays. I tried about a half dozen sites in my bookmarks and they were all rendered in standards compliant mode. So then I tried microsoft.com and bang, I had a site that rendered in quirks mode. -
Re:I would blame this on...http://support.microsoft.com/oas/default.aspx?ln=en-ca&x=10&y=16&prid=10530&gprid=459224 http://support.microsoft.com/oas/default.aspx?ln=en-us&x=10&y=16&prid=10530&gprid=459224 It's also $59 USD. Looks like we here in the good ol' US are getting the short end, eh?
-
Re:I would blame this on...http://support.microsoft.com/oas/default.aspx?ln=en-ca&x=10&y=16&prid=10530&gprid=459224 http://support.microsoft.com/oas/default.aspx?ln=en-us&x=10&y=16&prid=10530&gprid=459224 It's also $59 USD. Looks like we here in the good ol' US are getting the short end, eh?
-
Re:It's doesn't fit 'the model'3. Do they have guaranteed response times on support calls? CROSS And does IE have such a guarantee? Or even anything vaguely resembling support (as in "fixing egregious defects", not in "telling an accountant that they need to click the 'X' in another program to get to the 'Internet' icon")?
You bet your ass: https://www.microsoft.com/services/microsoftservices/srv_enterprise.mspx
-
What do you think?
The FCC is not going to be a very good regulator while it's being punished for industry corruption. Do you think they will be able to stop China style internet filtering (2, 3, 4). A reasonable agency would have taken action against port blocks and fined the company responsible for network flooding and endagering insecurity and spam. The entire industry is conspiring to impede and censor communications and the Federal Communications Commission is supposed to prevent that. It's obvious that they are being slapped down because the new chairman is doing something industry does not want.
-
Re:Upgrades to MFC? what upgrades?
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2389517&SiteID=1
Office 2007 Ribbon Bar: Ribbon, Pearl, Quick Access Toolbar, Status Bar, etc.
Office 2003 and XP look: Office-style toolbars and menus, Outlook-style shortcut bar, print preview, live font picker, color picker, etc.
Internet Explorer look: Rebars and task panes.
Visual Studio look: sophisticated docking functionality, auto hide windows, property grids, MDI tabs, tab groups, etc.
Vista theme support: Dynamically switch between themes!
"On the fly" menus and toolbar customization: Users can customize the running application through live drag and drop of menu items and toolbar buttons.
Shell management classes: Use these classes to enumerate folders, drives and items, browse for folders and more.
+ many additional controls -
Re:Paid technical support?
Have to post this anonymously...
IE support comes with your Windows Volume License. And in certain situations, is worth every penny.
The whole ActiveX activation fiasco - Got a tool from MS to scan our (rather large) network for apps that were going to be affected.
Had an interesting Windows Authentication issue (Kerberos not playing nice with DNS CNames http://support.microsoft.com/kb/911149 nice to have your own MS KB :-) ) that IE support worked out. Don't have any clue who you would go to for a MOZ issue like this. Personally I'd post it in Bugzilla and pray...
So for big corporations, yes, the support *is* an issue when the product is used by 200,000+ plus people. -
Re:Paid technical support?
I'm curious. How much does paid technical support for Internet Explorer actually cost? And what do you get with that level of support?
That's a really tough question to answer... The support cost for most products varies from contract to contract, based on number of licensed products, level of support, duration of support, 24/7 vs 9-5, guarantee of response times, etc.
I don't think Microsoft has it's own support for just IE, but it all gets bundled under a Microsoft Product Support Services contract (which I believe most companies would purchase with their Windows license).
You're also not limited to just M$ support, there are third party "Geek Squad" support services available as well.
As far as a dollar value, I'm really only guessing, but I'd think for ~1000 enterprise licenses, you're talking about a $250,000-500,000 contract for EOL support.
-
Re:I would blame this on...
Yeah, Seriously. Do you really need paid support for a web browser? Corporations really need to get away from this attitude. Stop paying through the nose for every piece of software. How often do you really call up the company who made your software and ask for support. Sure sometimes, but I be that most of the time, your in house IT staff fixes the problem before calling up support. You want support with IE, here it is. $CAD 59 for each request during business hours. Over $500 for after hours support. This is why you have in-house IT support staff. To fix your problems. If you were going to call up Microsoft every time you had a problem, your company would go belly-up pretty fast. Also, it's not like you can make MS release bug fixes, or security patches, even when you know there are problems.
-
Re:I can't believe the new MS form factor isn't he
Actually the rearrangement of the home/end etc keys has been returned to it's true home in most of the newest Microsoft keyboards.
The F keys very based on the keyboard quite a bit. For example my MS keyboard has only one split: F5/F6.
I'm actually happier with this keyboard than any previous keyboard. One of the reasons for that is that the wrist support actually works for people with longer fingers (like me). Most keyboards (and mice) seem to be designed for people with hands like my wife: one full joint shorter than mine in all fingers. -
Re:I can't believe the new MS form factor isn't he
Actually the rearrangement of the home/end etc keys has been returned to it's true home in most of the newest Microsoft keyboards.
The F keys very based on the keyboard quite a bit. For example my MS keyboard has only one split: F5/F6.
I'm actually happier with this keyboard than any previous keyboard. One of the reasons for that is that the wrist support actually works for people with longer fingers (like me). Most keyboards (and mice) seem to be designed for people with hands like my wife: one full joint shorter than mine in all fingers. -
Re:no CD/DVD drive bay?
I keep hearing people buy Microsoft products for great software , maybe you could try them?
-
Re:Windows Home ServerRTFA. I've researched this issue a lot as an owner of a WHS box. From Microsoft's KB -
You can still use the Windows Home Server home computer backup to back up and restore files from and to your home computers.
It doesn't corrupt your backups. Those are fine. The issue only occurs when the machine is under a high load and you save a file to a shared folder on the WHS using one of a handful of applications. It's easy to avoid and they're working on a fix - http://support.microsoft.com/kb/946676/en-us?spid=12624.
But you know, feel free to ignore the facts and resume your mindless fear mongering. You should run for President! -
Windows Home Server
Say what you like about Microsoft, but they appear to have finally made a decent product here. You can buy an OEM copy through Newegg for $169. Then slap it on any machine you like. It's got built in support for automatically backing up all of your files. If you have multiple HDD's in your server you can specify at the folder level which folders should be copied onto multiple drives (for redundancy should one of your HD's fail). It's also got nifty support for managing it from outside your home and streaming music, videos and photos to other machines inside / outside of your home. Take a look at it - http://www.microsoft.com/windows/products/winfamily/windowshomeserver/default.mspx
-
Re:When did W get on the internet???
I think this is how the lobbyist got into his brain: http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx Firewall or not, they have smash his TCP stack and are exploiting his office.
-
Useful keys abound!Insert - I've never had a use for "write over mode." Has anyone? Windows - Almost useless, squeezed between useful keys. Fortunately my Linux systems ignore this key. That specific key is a very useful metakey, ignoring it completely seems to tell me you just don't know how to use it.
Specificially, I know I use Win+R (run prompt), Win+M (minimze active windows), and Win+L (lock system) all the time. Equally useful can be Win+E (bring up a file explorer) or Win+F (which brings up a search dialog). Only "issue" I see with the Win+ combinations is that they're only available to the OS (not as a general meta to applications). On my laptop (which conveniently omits this key), I map the off-hand Alt key (left-handed, so the right-side Alt) to Win. Menu - I'll just right-click, thanks. Some agreement here -- I don't usually use it (as most of the time, the context items are available via different shortcuts anyway), but I don't begrudge its presence. On my laptop (which conveniently omits this key), I don't map it to something else. Num lock - Why won't this go away? Why do I need a way for my numeric keypad stop to working? Are the arrow keys hard to find? I find use for NumLock generally when playing games with my keyboard (the orientation of the keys is a nice straight-arrow setup for that). That being said, NumLock usually stays on for me (except on laptops, as the laptop implementation of the keypad is atrocious).
I'm surprised you didn't mention anything about poor old ScrollLock. Then again, Scroll Lock doesn't do much of anything (mostly speaking from a windows PoV here, I don't usually go key-exploring when I'm on a 'nix platform), except in Excel. -
Re:Anyone who watches Apple's 15 minute iPhone mov
If other vendors cared as much about usability as Apple, they wouldn't be so embarrassed having (potentially) new customers watch 15 straight minutes of their product's operation.
-
WrongWindows will warn you if you yank the drive without telling it to disconnect the drive precisely for this reason. You have not messed with Windows in about 7 years, have you? Windows 2000 did indeed warn you if you yanked a USB drive without unmounting it first, XP and Vista do not.
On a side note, in a parent thread, someone stated that the slow read / write speeds were caused by Vista. It should be noted that Microsoft's technet states that the slow copy / move issue with tons of files in a folder is something that is fixed in SP1. -
Re:Windows is open-sores software
Here's a a EULA thread at Microsoft's forums.
Nothing new, but it's interesting to see the Microsoft employees and MVPs going from reciting elaborate justifications for EULAs to "It's not policy for MS employees to comment on legal matters" when their points were challenged.
Is it a crime to knowingly give false legal advice for your own direct profit? If you commit an illegal action unknowingly but then refuse to investigate the legality of that when challenged, is that seen as willful ignorance?
Microsoft employees were being shown the error of their ways, encouraged to investigate the related laws or consult with MS's legal staff and refute these claims, and they refused, continuing to push the EULA theory. Going so far as to directly tell a customer that running Vista in a VM is a violation. -
Point-in-case
Have a look at Clean (http://clean.cs.ru.nl/) for a use of pointers (internally) that makes for efficient execution. An interesting read concerning the subject is found here:
http://clean.cs.ru.nl/contents/Addison__Wesley_book/addison__wesley_book.html
Actual benchmarks to show the efficiency can be examined here (note the comparison is with C-versions of the same algorithms compiled on gcc):
http://shootout.alioth.debian.org/gp4/benchmark.php?test=all&lang=clean&lang2=gcc
Here's Java 6 (server version) for comparison:
http://shootout.alioth.debian.org/gp4/benchmark.php?test=all&lang=java&lang2=gcc
You'll notice that differences are mainly in the memory footprint, already known to be attributable to the large number of libraries (classes) loaded into the vm at start-up, something the Clean runtime isn't quite as encumbered with:
(Java) http://java.sun.com/docs/books/performance/1st_edition/html/JPRAMFootprint.fm.html
So, the difference in speed is often-times negligible, and it's been shown that the memory footprint can be reduced to a size where you can run an embedded jvm in a mobile phone (really!), and rumour has it that someone even wrote an operating system in Java, but the memory footprint still seems the biggest culprit:
http://www.jnode.org/node/573
In other words, it's not Java - the language, but Java - the massive OO-framework, and JVM - the specific implementation, that's the problem. Even C++ or C with an OO-framework can be made into a large memory footprint, if you can believe it:
http://www.microsoft.com/windows/products/windowsvista/editions/systemrequirements.mspx
Then, of course, memory is cheap:
http://www.simmtester.com/page/memory/memprice.asp
But, the over-use of which, sometimes stays with us as itching bugs for too long:
http://blog.wired.com/monkeybites/2007/11/firefox-3-add-o.html
If memory serves me right (http://www.google.com), there's something to be said of the virtues of garbage-collection applied to systems programming:
http://www.digitalmars.com/d/
and the actual (memory and) time efficiency of such an attempt:
http://shootout.alioth.debian.org/gp4/d.php
But I could be wrong. After all, no-one in their right mind would ever attempt to write an operating system in something like, say, Lisp:
http://cbbrowne.com/info/lisposes.html
- let alone design an actual computer around it:
http://en.wikipedia.org/wiki/Lisp_machine
It simply wouldn't run. No, the skills of an engineer depend solely on the language he/she speaks, not on the abstract concepts he/she masters, applied to whatever tool he/she chooses to use/create.
That is why I propose we all forget about abstraction all-together, and revert to coding like this:
010101100001111010110101101101111101111...
But wait, that is itself an abstraction - Turing must have suffered from premature abstraculation. No, let's hear it for using copperwires instead of silicon, so we can attach some large, hand- -
Re:Is it burst speed?
XP doesn't use write caching for removable drives but 2000 does and there's no way to turn it off. You can only flush the cache by using the "Safely Remove Hardware" applet. What were they thinking?
If any of you are stuck with flash drives on 2000, you really need to get Sync 2.0. -
Re:2 vs 3
I disagree.
You can disagree all you want. It doen't make that disagreement sound or valid.
Yes, of course. Unfortunately for you, that goes both ways.
Seems that everybody forgets that months ago Microsoft latest strategy against OSS was to cut "interoperability" and "patent protection" deals with every Linux distribution it could (a move that allowed them both to throw FUD and -potentially- profit on OSS at the same time).
Well, it isn't that everyone forgets, the fanaticism died down and they were able to look at the details of the deals to find that what was being said about them wasn't true. Only the truely foolish and the fanatics continue to spout ideas like you are.
Sorry, but bashing and name calling won't get you nowhere, and judging by the level of your "argumentation" I'm pretty sure you're the one acting as a fanatic. Perhaps it would be best if you just shed some light on the details you're talking about which supposedly disprove my view.
It was the release of the GPLv3 (which among other things, closed that possibility) what made them back out; something which was accomplished without needing any actual project to change their license (the mere threat that it could happen was enough).
Well, it was more or less Novell that backed them out. But something more interesting is that Linspire, xandros or whatever it is called now and a few other companies made a deal with Microsoft knowing full well about the GPLv3 and what it said. Or are your forgeting about those?
No, Microsoft was actually the only one to back out from the deal: http://www.microsoft.com/presspass/misc/07-05statement.mspx (Novell response: http://www.novell.com/prblogs/?p=365)
Microsoft-Xandros: june 4, 2007 http://www.xandros.com/news/press_releases/xandros_microsoft_collaborate.html
Microsoft-LGE: june 6, 2007 http://www.microsoft.com/Presspass/press/2007/jun07/06-06MSLGEPR.mspx
Microsoft-Linspire: june 13, 2007 http://www.desktoplinux.com/news/NS9642338710.html
GPLv3 release: june 29, 2007 http://www.fsf.org/news/gplv3_launched
But I'm sure they had studied the license extensively (even though the GPLv3 was released weeks after the last deal...)I'd say that alone justify it's existence and is prove enough that there is a point to GPLv3.
I would say your either ignorant of how it didn't accomplish that or you are attempting to pump up the GPLv3 hoping that people are dumb enough to believe you. Either way, what I wouldn't say is that you are correct in your interpretation.
Ooops, you caught me there. I guess there's no point in keeping it secret any longer: I'm a GPLv3 zealot payed by RMS himself to post on Slashdot as part of the worldwide FSF conspiracy to take over the world.... (you know, your username almost honours you...)
Back to reality, I stand by my original point: even is the GPLv3 were impractical in most cases, it has already had a significant positive impact on OSS by putting an end to that. I'm afraid that to prove your point you'll have to do a bit more than posing a false dichotomy where I must either be completely ignorant or have some obscure agenda.Just because it's not perfect it doesn't mean that it's not better than it's predecessor (and it certainly doesn't mean it's worst). That
-
Re:2 vs 3
I disagree.
You can disagree all you want. It doen't make that disagreement sound or valid.
Yes, of course. Unfortunately for you, that goes both ways.
Seems that everybody forgets that months ago Microsoft latest strategy against OSS was to cut "interoperability" and "patent protection" deals with every Linux distribution it could (a move that allowed them both to throw FUD and -potentially- profit on OSS at the same time).
Well, it isn't that everyone forgets, the fanaticism died down and they were able to look at the details of the deals to find that what was being said about them wasn't true. Only the truely foolish and the fanatics continue to spout ideas like you are.
Sorry, but bashing and name calling won't get you nowhere, and judging by the level of your "argumentation" I'm pretty sure you're the one acting as a fanatic. Perhaps it would be best if you just shed some light on the details you're talking about which supposedly disprove my view.
It was the release of the GPLv3 (which among other things, closed that possibility) what made them back out; something which was accomplished without needing any actual project to change their license (the mere threat that it could happen was enough).
Well, it was more or less Novell that backed them out. But something more interesting is that Linspire, xandros or whatever it is called now and a few other companies made a deal with Microsoft knowing full well about the GPLv3 and what it said. Or are your forgeting about those?
No, Microsoft was actually the only one to back out from the deal: http://www.microsoft.com/presspass/misc/07-05statement.mspx (Novell response: http://www.novell.com/prblogs/?p=365)
Microsoft-Xandros: june 4, 2007 http://www.xandros.com/news/press_releases/xandros_microsoft_collaborate.html
Microsoft-LGE: june 6, 2007 http://www.microsoft.com/Presspass/press/2007/jun07/06-06MSLGEPR.mspx
Microsoft-Linspire: june 13, 2007 http://www.desktoplinux.com/news/NS9642338710.html
GPLv3 release: june 29, 2007 http://www.fsf.org/news/gplv3_launched
But I'm sure they had studied the license extensively (even though the GPLv3 was released weeks after the last deal...)I'd say that alone justify it's existence and is prove enough that there is a point to GPLv3.
I would say your either ignorant of how it didn't accomplish that or you are attempting to pump up the GPLv3 hoping that people are dumb enough to believe you. Either way, what I wouldn't say is that you are correct in your interpretation.
Ooops, you caught me there. I guess there's no point in keeping it secret any longer: I'm a GPLv3 zealot payed by RMS himself to post on Slashdot as part of the worldwide FSF conspiracy to take over the world.... (you know, your username almost honours you...)
Back to reality, I stand by my original point: even is the GPLv3 were impractical in most cases, it has already had a significant positive impact on OSS by putting an end to that. I'm afraid that to prove your point you'll have to do a bit more than posing a false dichotomy where I must either be completely ignorant or have some obscure agenda.Just because it's not perfect it doesn't mean that it's not better than it's predecessor (and it certainly doesn't mean it's worst). That
-
Microsoft Shared Source Initiative
Also see their Shared Source Initiative.
-
Microsoft Government Security Program
Microsoft does open up its source code to the government for review. They refer to the program as the Government Security Program.
-
Re:SQL injectionFair enough, there still may be some sql 2000 servers out there, but there shouldnt be many left. SQL 2000 goes out of mainstream support from MS in 3 months.
In addition, many of the defaults and published guidelines on this stuff changed after slammer went around, in 2003. So thats been 5 years people have had to clean up their messes and adopt best practices.
In my world, we moved over to a 'best-practices' installations of IIS and SQL Server when we migrated to sql server 2000, which was the best part of 7 years ago. Yea, you can probably set enough permissions to not require local admin rights, but seriously, the places we're talking about already are too lazy to sanitize database inputs, do you really thing all of their practices are top-notch security wise? You dont have to do any work for this. Just tell the installer what service account you're using, and it grants all the privs and ntfs/registry acls you need. Years before, with SQL 2000 (And pretty much every bit of what I said applied to SQL 2000), Microsoft said you had to have setup the SQL service account as a local administrator on the machine. There are still some remnants of this policy: http://support.microsoft.com/kb/239885 Where it's explicitly said to make sure the user is a local administrator (NT4, SQL 2000 and SQL 7). Note that in that link, it says that the ms sql 2000 service account has to be a local admin ONLY on NT4.
Considering how long its been (years) since the current version of sql server released, and considering how much longer (even more years) the best practices were published for the previous version, I think its reasonable to focus on the current version.
If you look at 5 years old versions of products in any space right now, the products look alot crappier. Especially in the MS world, everything has changed since then. -
self-recursive acronym
Microsoft has been using one for quite some time now:
http://msdn2.microsoft.com/nl-nl/directx/aa937793(en-us).aspx
Q: What does XNA stand for?
A: XNA's Not Acronymed -
Re:SQL injection
Yes, xp_cmdshell is disabled by default in SQL 2005, but do you seriously think every site is running SQL 2005 on their servers?
Now, on the SQL being a local administrator. In researching this one to show you where it says it, Microsoft seems to have change their guidelines since I last looked them up (and good for them, I'm gonna start pushing the new guidelines at work to the DBA team)
Years before, with SQL 2000 (And pretty much every bit of what I said applied to SQL 2000), Microsoft said you had to have setup the SQL service account as a local administrator on the machine. There are still some remnants of this policy: http://support.microsoft.com/kb/239885 Where it's explicitly said to make sure the user is a local administrator (NT4, SQL 2000 and SQL 7).
Now, Microsoft says "If you don't want the SQL service account to be a member of the local administrators group" (and they do recommend against it as well, but how many lazy admins are gonna do that...) You merely have to grant the account the following rights:
Act as Part of the Operating System = SeTcbPrivilege
Bypass Traverse Checking = SeChangeNotify
Lock Pages In Memory = SeLockMemory
Log on as a Batch Job = SeBatchLogonRight
Log on as a Service = SeServiceLogonRight
Replace a Process Level Token = SeAssignPrimaryTokenPrivilege
And make sure the file system and registry permissions are granted to your service account user.
Yes, MSSQL installs by default with only windows security mode enabled. So you have a few options for connecting your application to the DB:
1. Add the user the web app runs under to the SQL server, and used integrated security.
2. Turn on SQL security, and create a user for the application to use.
3. (seriously, I've seen this in my travels) Setup a COM+ component that does database access, running under the same account as the SQL server, so they "don't have to worry about permission problems"
I've seen programmers do all three in my time, depending on what they are more comfortable with. Sometimes, I see them just use the magical SA account, to login to the database. Again, having a proper DBA would prevent stupid things like this, but not every place has a proper DBA (or a person that can truly act like one part time)
I've seen all sorts of stupid things, including most of the above, some by admins that should know better, some by admins that have very little clue what a database is, and just "need to get this app working" Some were recommendations by the vendor of a product at the time of install. Many of these practices have gotten better over the years, but some have not.
Now, if you have only ever dealt with SQL 2005 (which is MUCH more secure by default, but still prone to admins and programmers doing stupid things, and no one can prevent that) Then yea, most of the stuff I said does not
apply.
Yea, you can probably set enough permissions to not require local admin rights, but seriously, the places we're talking about already are too lazy to sanitize database inputs, do you really thing all of their practices are top-notch security wise?
And so concludes another episode of "Hey, with how lazy some people are, I could see if happen." -
Re:Sounds like HowStuffWorks material!
In case you dont know Halvar Flake, he is a master at reverse engeneering and recently gave a talk at bluehat
short audio clip with halvar explaining how he analyzes ms patches for differences
-- bookmark me -
Re:Cue first BSoD joke in... 3...2..1...
Oh, there's no need to worry about BSODs because Microsoft makes automotive software.
*shudder* -
Jumping to Conclusions
As usual, the Slashdot community will jump any distance to the conclusion that Microsoft sucks.
First, this 100 million number is ambiguous at best. One might assume that Gates included all sales in that figure, including volume licensing deals. This, however, seems to conflict with numbers that have already been published. For instance, as of October 2007, Microsoft said they sold 88 million copies of Vista, in *addition* to 42 million volume licensing purchases. See: http://www.infoworld.com/article/07/10/26/88-million-copies-of-Vista-shipped_1.html
The 89 million number cited for XP must have included volume licensing sales as well, because Microsoft's press release regarding the sales of XP during the first year of availability explicitly states that XP sold 67 million copies on new PCs *and* via retail upgrades.
In other words, XP was sold on, at absolute most, about 50% of new PCs in 2002. It was actually probably a bit less than this because the 67 million licenses *included* upgrades.
So, if we assume that Gates was talking about the sales of Vista on new PCs (not upgrades), and we factor in the 20% quarterly sales growth that Vista sales have seen since it was released, we get about 105 million units sold. This represents about 41% of all new PCs shipped, world wide. This number doesn't even account for the holiday season's affect on sales.
In order for sales to be identical to XP, we only need for 14% of people who bought XP during the first year to have bought it as a upgrade. I would say that's a pretty reasonable hypothesis. If you don't find that to be reasonable, PCs with Vista only need to sell at about double the rate during the holiday season as they sell during the rest of the year in order for Vista to hit that 50% mark. Either way, if you mix each of these factors, it becomes very easy for the Vista sales numbers to pan out in Vista's favor.
Furthermore, I was unable to find the data that shows where all those new PC purchases were coming from. The fastest growing PC market is Asia, especially China. Studies have shown that the piracy rate in China is over 90%. We have no idea how this information affected Vista sales overall. (Although, honestly, probably not much.)
It's certainly possible that Vista sales aren't as good as XP's, but we don't have that data yet, and it's definitely not the blowout that this article suggests. The data we do have suggests that Vista sales are about the same as XP as a percentage of total PC sales. -
Re:How many are actually running XP?
If you have an OEM Vista Business license, that license includes the rights (although not the media) to downgrade to XP, and later re-upgrade to Vista Business again.
It makes sense. Vista Business is put on SKUs targeted at IT shops; if an IT shop has not started to implement Vista yet, it means the vendors can't sell that SKU. It means that vendors don't have to stock separate units for Vista and XP, and it allows MS to inflate its Vista sales figures.
Microsoft and the vendors aren't exactly crowing this bit of information from the rooftops, but you find out about the program with a little Google Fu. You need to have some legitimate (although not necessarily for this purpose) XP disks, such as some old product recovery CDs lying about.
The sticky point is XP activation, since XP will know you are "cheating", you need a human being to bless what you are doing. To do that you have to prove you have a license for Vista Business or Ultimate. If you have your COA great; you should also boot vista to get the product key.
Once you have your proof of virtuousness in hand, simply install XP, and activate by phone, explaining you are doing the Vista Business to XP downgrade and providing proof your license. It would be advisable, I, think, to avoid blowing away any recovery partitions during the XP installation, just in case there is a hitch.
I should caution that I haven't done this procedure personally; I just researched it. My personal solution was to upgrade to Ubuntu bit and run a retail XP Pro in Vmware (I'm converting to qemu so I can try kvm). I find that XP Pro runs at what would have been native speed on XP vintage hardware, and I've got all my Windows related work in a set of os files, which is great. I just copy the files to an external drive, and I can move my computer to a different machine if I have any hardware glitches. Gutsy has all the eye candy of Vista but none of the quirkiness. -
Re:You should still be careful.
Of course it can be "tweaked" - if there is a vulnerability in a web application or an Internet-accessible service. Like the grandparent, for a moment I was worried there was a vulnerability in the LA[M|P]P stack or a particular CMS. Not so. In this case it was a vulnerability in Microsoft MDAC. It's pretty trivial to exploit old vulnerabilities, so the main newsworthy part here is that there are so many unpatched systems.
-
Re:Define "Open"
If every one of MS' customers went on a subscription program, the BSA would be nearly put out of business, at least for enforcement of MS software.
I think you mean, as long as MS' customers stay on the subscription program, they might not be threatened by the BSA.
Also, blaming small business IT for not having the resources to manage the completely unmanageable tangle of Microsoft licensing is unfair. The BSA built it's extortion racket based on Microsoft's history of changing licenses with updates and service packs, along with changing terms regarding the interactions of legacy Microsoft products with new Microsoft products -- can you tell me off the top of your head how many client access licenses (CALs) can be transferred from a Windows 2000 server to the new Windows Server 2008? Who do you ask? Did you know that Microsoft can't even keep it's server certificates up to date?
Read all the licenses, and get back to me about the CALs. Until then, STFU about ignorance. -
Re:Define "Open"
If every one of MS' customers went on a subscription program, the BSA would be nearly put out of business, at least for enforcement of MS software.
I think you mean, as long as MS' customers stay on the subscription program, they might not be threatened by the BSA.
Also, blaming small business IT for not having the resources to manage the completely unmanageable tangle of Microsoft licensing is unfair. The BSA built it's extortion racket based on Microsoft's history of changing licenses with updates and service packs, along with changing terms regarding the interactions of legacy Microsoft products with new Microsoft products -- can you tell me off the top of your head how many client access licenses (CALs) can be transferred from a Windows 2000 server to the new Windows Server 2008? Who do you ask? Did you know that Microsoft can't even keep it's server certificates up to date?
Read all the licenses, and get back to me about the CALs. Until then, STFU about ignorance. -
Okay, found some documentation on this
Here.
It actually looks reasonable - you can still perform raw disk writes from userland (with admin rights, of course) - you just can't write over a mounted volume. Disk imaging utilities will still work, provided they dismount any volumes before they overwrite them (which they ought to be doing anyway; I should know, I wrote a Windows disk imaging utility at my last job).
And of course, you can't dismount a disk with an active pagefile on it, so it solves that vulnerability. But it does so in a reasonable way--I can't really imagine why a well-behaved program would want to scribble over a mounted volume; you don't know whether the cache is just going to clobber what you wrote in a second anyway. So I apologize for my FUD in the parent message; this security feature actually seems to strike a good balance.
Now the FUD in TFA is another story... -
Re:A boot sector virus? In my PC?
All you need is a call to certain point of disk to run the code right?
Remember that almost all current Windows systems reserve 1-8Mb space for converting the drive to dynamic disk.
8Mb is likely enough to run almost fullblown virtual machine, atleast versatile enough to hide beneath the "primary" os and act as a spam/ddos drone/keylogging trojan unnoticed.
Sure, it'll eat some resources sitting there, but your average Joe/Jill won't really notice that. They just curse their damn slow computer.