Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Comments · 34,132
-
Re:Microsoft following a (de facto) standard?
XMLHTTPRequest was first implemented as an ActiveX component, making it hard to implement in other OS's.
No, it didn't make it difficult to implement in other operating systems, it just meant that instantiation should be different. Remember that other browsers don't have to copy Microsoft's implementation, merely the interface.
Besides, the whole behaviour is not documented properly
-
Re:What Internet Explorer 7 *REALLY* needs...
Fix this problem: [link] Documenting a design flaw does not make it any less of a design flaw.
-
What Internet Explorer 7 *REALLY* needs...
What IE really needs right now, if it wants to be taken seriously as a platform for AJAX web applications, is proper DOM/CSS support. The following would be a good start (my current peeve list with IE6):
- Implement document.importNode()
- Support setting of opposite side CSS positioning properties at the same time, i.e., setting "left" and "right or "top" and "bottom" properties on same element.
- Fix this problem: http://support.microsoft.com/default.aspx?scid=kb
; en-us;177378 Documenting a design flaw does not make it any less of a design flaw. - Fix other problems with SELECT element, e.g., the fact that it is not possible to add a ListBox-style select to a document using DOM manipulation.
- Fix bug where the presence of a vertical scrollbar adjacent to a 100% wide table inside of a CSS positioned element results in a horizontal scrollbar due to incorrect width calculations.
- Fix issue where 100% wide textareas expand to be a bit wider (creating a horizontal scrollbar) once text is entered. This also only occurs if the text area resides in a CSS positioned DIV.
- Correctly monitor the DOM for updates and repaint appropriately. Currently there are cases where IE will not repaint the screen even though the DOM has changed, requiring the developer to perform additional DOM manipulations just to trigger a repaint.
- Fix this completely insane bug (scroll down to a few paragraphs or search for the text "worst bug ever in Internet Explorer 6."
- And last but definitely not least, simply bring the performance up to a level relative to Firefox/Opera/Konqueror/Safari, especially when dealing with reasonably complex and interactive DOMs.
I've posted this on ieblog before. I sincerely hope that somehow someone on the IE team sees one my numerous implementations of the above list of rants and implements solutions for them. It'll make the professional lives of many AJAX developers quite a bit more pleasant.
-
Re:Uh, you can turn off USB drive access in Window
If you want to turn off USB drive access on XP, this command will do it:
sc config usbstor start= disabled
To turn them back on, use this:
sc config usbstor start= demand
Be sure to include the space after the equal sign. You can get sc.exe from the Windows 2000 Resource Kit as well.
http://support.microsoft.com/?kbid=166819 -
Re:Good.I had to click the linky to get this, but here's why what you're saying doesn't work:
Obtain a PIC and use it to create a signed
Interestingly, you need this PIC through Microsoft. That's not the end of what you need though. .cat file. PICs are issued by Microsoft and can be used to sign kernel-mode modules that are intended for Windows Vista. The PIC verifies the integrity and origin of a driver. To be signed with a PIC, drivers are not required to pass WHQL testing.To obtain a PIC, a publisher must first obtain a VeriSign Class 3 Commercial Software Publisher Certificate. Registration with Verisign results in establishing a credential that can be used to establish a Microsoft Windows Quality Online Services (Winqual) account. The publisher can then use that certificate to authenticate itself to Microsoft. If the certificate is valid, Microsoft issues a PIC.
How to obtain this commercial software license:
A publisher typically completes the authentication process once a year through the Winqual Web site. The process is completed over a channel that is protected by the secure sockets layer (SSL). Figure 1 illustrates the process of obtaining a PIC. For more information about Winqual, see "Resources" at the end of this paper.What are the criteria for obtaining a commercial software publisher certificate?
You can go to the website mentioned and find where I can sign up if I am someone writing open source drivers or I am not incorporated and wish to write drivers.
To issue a commercial software publisher certificate, VeriSign must be able to authenticate the identity of the person and organization applying for the certificate. The most convenient method for a software publisher to establish organizational identity is to submit a D-U-N-S number from Dun & Bradstreet during the enrollment process.
If a software publisher does not have a D-U-N-S number, they can obtain one from a local D&B service center quickly and at low cost. For more information about D&B and getting a D-U-N-S number, please see http://www.dnb.com.
To ensure the commercial viability of a software publisher, Microsoft has arranged for VeriSign to check a company's D&B Financial Stress Rating as part of its authentication process. If a company's financial stress rating is 1, 2, or 3 (on a 5-point scale with 1 representing the lowest level of risk), the VeriSign Commercial Software Publisher (Class 3) Digital ID will indicate that the company has met Microsoft's criteria for identification as a commercial software publisher. If the company's rating is 4 or 5, VeriSign will undertake additional checking to determine whether the company meets commercial software publisher criteria. If no financial stress rating exists for a company, the Commercial Software Publisher (Class 3) Digital ID will indicate that.
In the event that a softwarepublisher cannot get a D-U-N-S number, they can submit articles of incorporation to VeriSign (translated into English). -
Re:Incredible
Microsoft has something like 50,000 employees. That won't even fill many major sports arenas and concert venues.
However, probably for the sake of convenience, Microsoft does hold company meetings in major sports arenas from time to time. -
Re:Relax: Just get Sourceforge a cert!
However, it may be difficult to obtain the credentials verisign requires before issuing these certs. See http://msdn.microsoft.com/library/en-us/dnauth/ht
m l/signfaq.asp?frame=true#10b for a little more info. -
Push mail on Exchange 2003 requirements/info
First you need to be running Exchange 2003 Service Pack 2 on your Exchange 2003 servers. Luckily this has been out a few months. However....
Unfortunately it requires the Messaging and Security Feature Pack for Windows Mobile. I believe Microsoft only has just recently released (December timeframe) the feature pack code to the OEMs for testing. If the device is strictly a PDA then you will need a code update from the manufacturer of the device. If you're using a smartphone/cell-enabled PDA then it is sounding like you have to get the code update from your carrier. I only know of three or four Windows Mobile 5.0 devices that the US carriers currently offer.
More info on the feature pack is available here:
http://www.microsoft.com/windowsmobile/business/5/ default.mspx
Here is the ActiveSync Web Administration Tool to do remote wiping of the Windows Mobile devices:
http://www.microsoft.com/downloads/details.aspx?Fa milyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&Displa yLang=en -
Push mail on Exchange 2003 requirements/info
First you need to be running Exchange 2003 Service Pack 2 on your Exchange 2003 servers. Luckily this has been out a few months. However....
Unfortunately it requires the Messaging and Security Feature Pack for Windows Mobile. I believe Microsoft only has just recently released (December timeframe) the feature pack code to the OEMs for testing. If the device is strictly a PDA then you will need a code update from the manufacturer of the device. If you're using a smartphone/cell-enabled PDA then it is sounding like you have to get the code update from your carrier. I only know of three or four Windows Mobile 5.0 devices that the US carriers currently offer.
More info on the feature pack is available here:
http://www.microsoft.com/windowsmobile/business/5/ default.mspx
Here is the ActiveSync Web Administration Tool to do remote wiping of the Windows Mobile devices:
http://www.microsoft.com/downloads/details.aspx?Fa milyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&Displa yLang=en -
Re:And not always duped...
Well, if you want talking popups, try this. Of course, you need Windows, IE, permissions to run ActiveX, scripts, make sure you have enough MS Agent installed, have the Peedy character available... *phew*!
-
Re:Push mail on Exchange 2003?
Starting with Windows Mobile 2003 you can. Better still is Windows Mobile 5 (devices with that have started coming out recently, like the Treo 700 (for a Pocket PC form factor) and the HTC Faraday (for a Smartphone form factor), you can have push mail. You need Exchange Server 2003 SP2 (or higher of course) to support it.
The original version of the push technology used specially crafted SMS messages to trigger the phone in to doing a sync. (i.e. the SMS message never showed up in your inbox, it was eaten by the software, nor was the email message actually included in the SMS itself) This means that with a cellular company that charges you for incoming SMS messages you may end up having to pay for them. Some of the cell companies put filters in place so that you didn't get charged for these system type messages.
The newer version of direct push no longer relies on SMS messages, so you don't have to worry about paying text messaging fees.
Personally, I like to just set my device to a scheduled sync (every 5 to 10 minutes) which is just as effective really. -
Re:You will be able to disable verification
The Windows kernel debugger is a free download.
-
Re:Y?
But isn't Yahoo working on being able to talk to MSN? If so, does that make MSN compatibility moot?
Microsoft Live Communication Server and its Public IM Connectivity should do this. It links LCS with Yahoo, AOL and MSN Messenger. We're about to do a pilot so I'll have more details the next time the subject comes up, but as of now it sure looks like it unifies all the biggest players with your corporate IM and a single account.
Cost, $1-$2 per user, per month, plus servers, server licenses etc. Not free, and maybe not cheap, depending on your view of things, but definately something to consider if you want it all in one place.
TW
P.S. Not a shill or fan-boy, just a customer. -
Re:How can something publicly available be "leaked
Last I checked, MSIE 7 is available via MSDN subscriptions, Action Pack subscriptions, and even Microsoft's own web site.
I just wanted to point out that there is no download link on that page, so it's technically not "available". -
I'm not sure it'll even do that.
Some software of that variety takes the approach of acting as an iSCSI device. So long as the OS has native iSCSI support, the application need not install its driver.
I'm considerably more worried about the impact on projects like OpenVPN. -
How can something publicly available be "leaked"
Last I checked, MSIE 7 is available via MSDN subscriptions, Action Pack subscriptions, and even Microsoft's own web site . It's not like anyone outside of M$ has not seen MSIE 7.0 already. So a single build got leaked a little early -- this is a) nothing unusual and b) not anything significantly different from what was previously made available through legitimate. This strikes me as: "Oh boy, screenshots of a beta everyone has been able to download for months. Oh wait, this is DIFFERENT because the build number in help-> about is different."
Now if the SOURCE were leaked, that would actually be something newsworthy. -
A Plan for Spam
I scoff at Bill Gates' "efforts" to reduce spam. What has he done precisely?
Probably just deferred the responsibility to one of his underlings. Aside from that, he talks about crazy methods such as deciding how much money the sender has to pay you before you open the e-mail.
Gates has plenty of articles which detail how much he hates spam. Anyone can sit down and write this, but Gates gets the high exposure interviews with the Wall Street Journal and the AP.
Gates is all talk. If you want to read some articles from some very interesting people, check out A Plan for Spam by Paul Graham. It talks about simple ways to write Bayesian spam filters and does a very good job at describing how they work. Another valuable member of the anti-spam community is Jonathon Zdziarski who has written many books about how to actually get rid of spam. You can also read the Slashdot interview with him. -
A Plan for Spam
I scoff at Bill Gates' "efforts" to reduce spam. What has he done precisely?
Probably just deferred the responsibility to one of his underlings. Aside from that, he talks about crazy methods such as deciding how much money the sender has to pay you before you open the e-mail.
Gates has plenty of articles which detail how much he hates spam. Anyone can sit down and write this, but Gates gets the high exposure interviews with the Wall Street Journal and the AP.
Gates is all talk. If you want to read some articles from some very interesting people, check out A Plan for Spam by Paul Graham. It talks about simple ways to write Bayesian spam filters and does a very good job at describing how they work. Another valuable member of the anti-spam community is Jonathon Zdziarski who has written many books about how to actually get rid of spam. You can also read the Slashdot interview with him. -
Re:This is why I use Windows
Everybody here forgot that KDE is made with the help of mainly unpaid and anonymous contributors? Didn't anyone take account of the fact that KDE e.V. is more like a charity that like an enterprise? Did anyone know that the amount of money directly collected by either the kjs or the konqueror teams from selling their products amounts to zero?
I'm sick of this Windows/KDE comparations (not the mention the Windows/(GNU/Linux) ones). You Windows weenies will have a point against gratis and free software as soon as M$ stops charging for their products and support.
Besides, if you don't believe whether the patch solves or not the problem you can go and get a diff yourselves. Easy, huh? Try that somewhere else.
-
Re:ENOUGH. Gibson was right about raw sockets.
And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.
Wrong. Windows XP shipped with raw sockets enabled, and the functionality was not changed until SP2 shipped in August of 2004:
http://www.microsoft.com/technet/prodtechnol/winxp pro/maintain/sp2netwk.mspx
So, why wasn't there a raw sockets disaster during the first three years of Windows XP's use?
Face it; Gibson is a fear-mongering blowhard who does nothing but vie for attention, and can't stand being outshined by real experts like Mark Russinovich.
Microsoft should sue Gibson. -
Re: WHY THE GODDAMN HELL DOES EVERYBODY...
blame America's financial problems on "The war on terror", what the hell about the expensive food, cloths, cars, houses, and other crap your favorite liberal democrat enjoys paid for by his government check coming from tax dollars??? you cant blame everything on Bush and conservative republicans...
Um, maybe because the expensive food, cloths, cars, houses, and other crap provides something back to the national industry, which is hard to say about the war on terror. Besides those government contractors that like to go around overcharging for their services, of course. -
From experience
Spyware / Adware / Malware stuff is pretty easy to deal with. Check out some of this stuff: it's free, clean and won't trash your computer.
Spybot Search and Destroy.
AdAware
MS Anti-Spyware
Keeping your OS up to date definitely will help out, and being smart about what you download from who and where. Most people infect themselves, and don't know it because of all of the shady software downloads out there. A good hardware or software firewall solution is easy enough to come by for cheap or free depending on how much time and effort you want to put into it. It's up to you as a user to protect yourself so study up.
Now, who's going to be the first to crack the "But Windows is malware" joke? -
Re:Depends...
Sadly, no. If you write standards-based code (like my home page, for example), the 80+% of the market that's using Internet Explorer will not see the page as you designed it. The really frustrating thing is at least five years ago there was a beta of Internet Explorer 6 which got my home page right. Microsoft know how to do the standards thing, they choose not to.
So run IE in strict mode
-
Plugging the "arbitrary code" hole?
So many vulnerabilities seem to involve writing past the extents of a data structure (stack, heap, buffer, etc.). But how does this lead to the ability to execute arbitrary code? It would seem that the system must lack an ability to clearly segment memory in the distinct data spaces or to distinguish between data and code.
Perhaps machines need a more secure memory management scheme (such as an execute disable bit or Data Execution Prevention).
Yes, malware could still crash an application or machine (to the extent that the system has inadequate input checking and nongraceful failure modes) but arbitrary code execution wouldn't be possible.
Why don't people use these concepts to plug a vast range of vulnerabilities? -
We are not seeing sufficient care.
Here is more development of my ideas of what I consider to be enforced sloppiness by Microsoft management: Why no check of user code? Sociology.
Matt, I can tell you something felt strongly by those of us who work in the field: We're suffering badly. Windows Vista is just Windows XP renamed and extended, which is just Windows 2000 renamed and extended. When Windows XP was released, it was very buggy, and caused many time-consuming problems. Windows XP SP2 is much improved, but we are spending days with extremely serious problems. If you would like one example, see the Windows Update Newsgroup. People are being dragged over the coals by the incredible inability of Microsoft to provide a service that works reliably. We ourselves have spent at least 30 hours in the last 3 months wrestling with Windows Update errors.
If sufficient care is being taken, we are not seeing it. -
Re:can't wait...an NDC with license terms that prohibit their use in competing products like Microsoft's done
You mean like the Creative Commons license? And which free software license is Apple using?
-
Back door or poor design? You can't really tell
First of all, that was extremely wordy article to explain the WMF vulnerability, IMHO. But some important points were made:
if an attacker can get your computer to execute their WMF file through Internet Explorer or Outlook, for example, they can make your system execute arbitrary Windows commands, including downloading malicious applications and launching them.
My belief is that Microsoft developers decided to implement as much as the GDI function-set as possible.
In any case, its not clear that the developers envisioned applications creating on-disk metafiles with abort procedures.
...given a choice of believing there was malicious intent or poor design behind this implementation, I'll pick poor design.
Either way, it is still hard to tell why it was designed that way in the first place, maybe one of these links can tell us? -
It's quite funny, really
How "computer viruses" have broken countless systems, racked up unbelievable maintenance costs, and scared everybody into not trusting their machines, yet the easiest method of receiving one is praised and used by most end-users.
They are not "computer viruses", they are "windows diseases". -
My thoughts
From my perspective in the IT industry, no, there is not hardly any discrimination in hiring practices. I've worked in a few different jobs and all were fairly diverse (proportional probably to the actual racial/sex representations). What people look at is your accomplishments, research, etc.
However, I would be willing to say that there are discriminatory practices with regards to internships and scholarships. I come from a very poor family which currently has no income at all. My high school was horrible, e.g. only 20% of the students in 10th-12th grade could pass a basic algaebra 1 standardized test. I have a very respectable gpa, with a constant 3.5, in major and out. Yet I doubt many people would believe the lack of opportunities and/or assistance available to me. I would say somewhere around 50% of the internships, and around 80% of the scholarships for CS students focus heavily on race instead of economic/educational background.
Companies like Microsoft are notorious for being eager to deal out internships to people of any race which isn't white (and, recently, isn't Indian), as can be noted here. From the link:
While all candidates who meet the criteria for eligibility described below may apply, a large majority of our scholarships will be awarded to female students, underrepresented minority students, and students with disabilities. Minority applicants must be a member of one of the following groups underrepresented in the software field: African-American, Hispanic, or Native American.
But it isn't just private corporations trying to make themselves look culturally sensitive, many universities have similar practices. I was extremely excited last semester when I received an email telling me about a summer internship at UC Berkeley, which the email described as targeting "first generation, low income, students with little chance for research", I matched all 3 criteria and was very excited. However, when I went to look at the application I noticed something very peculiar--there was nothing about income, instead it requires your ethnicity.
Now I'm not saying that all schools do things like that, and yes it's possible that my advisor simply misunderstood the description she was given about the scholarship. I'm actually not even very upset about most of it all. My problem is that people seem to use the argument that because of past racism, other races need to be helped along wherever possible, so as to create a better and more equal society. The problem is, how is any of that equal? You're just saying that people need extra help soley because of their race. It seems like if you're concerned that there are so many people of race x in economic class y, then maybe you should be looking at people's economic status instead of their race. If this is the case, then scholarships will go out to the people of race x that really need them, instead of giving them to both the poor and the more fortunate simply because of their skin color. -
Re:What does this mean for Vista?
Duh! That was while it was still supported by MS:
2k pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =17&y=7&p1=3071
XP pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =21&y=10&p1=3223
http://support.microsoft.com/gp/lifepolicy
perdy pictures of new lifecycle:
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_2_8_19_05.gif
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_1_8_18_05.gif -
Re:What does this mean for Vista?
Duh! That was while it was still supported by MS:
2k pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =17&y=7&p1=3071
XP pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =21&y=10&p1=3223
http://support.microsoft.com/gp/lifepolicy
perdy pictures of new lifecycle:
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_2_8_19_05.gif
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_1_8_18_05.gif -
Re:What does this mean for Vista?
Duh! That was while it was still supported by MS:
2k pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =17&y=7&p1=3071
XP pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =21&y=10&p1=3223
http://support.microsoft.com/gp/lifepolicy
perdy pictures of new lifecycle:
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_2_8_19_05.gif
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_1_8_18_05.gif -
Re:What does this mean for Vista?
Duh! That was while it was still supported by MS:
2k pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =17&y=7&p1=3071
XP pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =21&y=10&p1=3223
http://support.microsoft.com/gp/lifepolicy
perdy pictures of new lifecycle:
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_2_8_19_05.gif
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_1_8_18_05.gif -
Re:What does this mean for Vista?
Duh! That was while it was still supported by MS:
2k pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =17&y=7&p1=3071
XP pro: http://support.microsoft.com/lifecycle/?LN=en-us&x =21&y=10&p1=3223
http://support.microsoft.com/gp/lifepolicy
perdy pictures of new lifecycle:
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_2_8_19_05.gif
http://support.microsoft.com/library/images/suppor t/en-US/gp_lifecycle_top_1_8_18_05.gif -
Re:XP SP-3 in 2007Also, it won't be available to anyone with a dialup modem (unless they've got a provider that doesn't cut them off every 2 hours like the ones I've used do).
Customers have the option of ordering a "free" CD (plus shipping and handling) from Microsoft. Here's the link for WinXP SP2:
Order Windows XP Service Pack 2 on CD
-
Re:What does this mean for Vista?Microsoft doesn't love releasing service packs for any OS that isn't the latest one.
They might not "love" it, but they released two service packs for Windows 2000 after Windows XP Professional was released:
- October 21, 2001 - Windows XP released
- August 1, 2002 - Windows 2000 Service Pack 3 released
- September 9, 2002 - Windows XP Service Pack 1 released
- June 26, 2003 - Windows 2000 Service Pack 4 released
Win2K SP4 was released 20 months after WinXP Pro was released.
-
Re:What does this mean for Vista?Microsoft doesn't love releasing service packs for any OS that isn't the latest one.
They might not "love" it, but they released two service packs for Windows 2000 after Windows XP Professional was released:
- October 21, 2001 - Windows XP released
- August 1, 2002 - Windows 2000 Service Pack 3 released
- September 9, 2002 - Windows XP Service Pack 1 released
- June 26, 2003 - Windows 2000 Service Pack 4 released
Win2K SP4 was released 20 months after WinXP Pro was released.
-
Re:What does this mean for Vista?Microsoft doesn't love releasing service packs for any OS that isn't the latest one.
They might not "love" it, but they released two service packs for Windows 2000 after Windows XP Professional was released:
- October 21, 2001 - Windows XP released
- August 1, 2002 - Windows 2000 Service Pack 3 released
- September 9, 2002 - Windows XP Service Pack 1 released
- June 26, 2003 - Windows 2000 Service Pack 4 released
Win2K SP4 was released 20 months after WinXP Pro was released.
-
Too expensive?
Depending on the features you need, you could probably get away with MS SQL Server 2005 Workgroup Edition, which is ~$800.
Recoding takes time and introduces risk. It's up to you to evaluate those against the $800.
Here's the edition matrix, in case you're interested.
http://www.microsoft.com/sql/prodinfo/features/com pare-features.mspx -
Re:What has changed?Dear Mr. Nash,
As someone who is a former Windows programmer, a Wine hacker and a security expert, I cannot escape the notion that many of Windows security weaknesses are a direct result of a deliberate design decisions made by Microsoft. This is not to say that Microsoft maliciously designed the entire system, starting with the API, going through the security and users system, and ending with the program features, based solely on "usability" and "convenience", with "security" either being discarded as unimportant or not being considered. Either way, it appears to me that many of the design decisions behind the way Windows were poorly made, security wise.
Vulnerabilities such as buffer overruns are implementation oversights. While the receive much hype for being easily exploitable, they are also a matter of issuing a fix and having it away with the problem. Vulnerabilities such as the latest WMF problems stem from lack of security consciousness when performing design, but low use of the relevant feature probably means that a fix is not very difficult to carry out. These are not the sort of problems I'm talking about.
To demonstrate what I am talking about, allow me to give a few isolated examples:- Sending a WM_TIMER message to a program that did not specifically catch it will cause it to run an arbitrary address.
- Using the CreateProcess API command using a NULL as the "lpApplicationName" parameter creates ambiguity regarding what is the program to execute when whitespaces exists. Often, the command that the program is trying to execute is not the highest priority in the search, resulting in a user able to inject their own code into the application's context
The problem with such design decisions is that the resulting vulnerabilities may not even be with Microsoft applications. I have seen vulnerabilities for both of the above problems with non-Microsoft anti-virus programs. Microsoft's response under such cases has always been "this is not a vulnerability in our code", despite not mentioning anywhere within its documentation that you are required to catch the "WM_TIMER" event, whether you need it or not, or your application will be vulnerable.
In short, it is my opinion that Microsoft's development environment is hostile to secure programming, simply because of the sheer enormity of the API, and because applications may be affected by areas of the API they did not use. This means that producing secure code for Windows requires a level of expertise far outside the level required for producing code.
One thing that is worse with this type of problems is that they receive little attention. While none of the problems I mentioned above is first published here, you will not find either of them mentioned on BugTraq or Full Disclosure anywhere within the past year. This, I believe, is a direct result of MS's "someone else's problem" approach. This means that Black Hats have an attack vector open that programmers are likely not aware of. I have talked to Black Hats that told me candidly that they get in anywhere they want by exploiting the fact that ActiveX's have no certificate revocation. Once an ActiveX was signed by Macromedia, Symantec or Microsoft, it remains signed, even if a security hole is discovered in it. They just push an old, insecure (but signed) ActiveX to the victim's machine, and then exploit the newly opened hole in order to get in.
Even worse, these problems are not implementation problems. People use both CreateProcess' NULL as application name AND WM_TIMER's callback option, which means that no simple implementation fix will close the hole without breaking applications. Microsoft provides no way to revoke a signature on an ActiveX.
My question, then, -
Re:What has changed?Dear Mr. Nash,
As someone who is a former Windows programmer, a Wine hacker and a security expert, I cannot escape the notion that many of Windows security weaknesses are a direct result of a deliberate design decisions made by Microsoft. This is not to say that Microsoft maliciously designed the entire system, starting with the API, going through the security and users system, and ending with the program features, based solely on "usability" and "convenience", with "security" either being discarded as unimportant or not being considered. Either way, it appears to me that many of the design decisions behind the way Windows were poorly made, security wise.
Vulnerabilities such as buffer overruns are implementation oversights. While the receive much hype for being easily exploitable, they are also a matter of issuing a fix and having it away with the problem. Vulnerabilities such as the latest WMF problems stem from lack of security consciousness when performing design, but low use of the relevant feature probably means that a fix is not very difficult to carry out. These are not the sort of problems I'm talking about.
To demonstrate what I am talking about, allow me to give a few isolated examples:- Sending a WM_TIMER message to a program that did not specifically catch it will cause it to run an arbitrary address.
- Using the CreateProcess API command using a NULL as the "lpApplicationName" parameter creates ambiguity regarding what is the program to execute when whitespaces exists. Often, the command that the program is trying to execute is not the highest priority in the search, resulting in a user able to inject their own code into the application's context
The problem with such design decisions is that the resulting vulnerabilities may not even be with Microsoft applications. I have seen vulnerabilities for both of the above problems with non-Microsoft anti-virus programs. Microsoft's response under such cases has always been "this is not a vulnerability in our code", despite not mentioning anywhere within its documentation that you are required to catch the "WM_TIMER" event, whether you need it or not, or your application will be vulnerable.
In short, it is my opinion that Microsoft's development environment is hostile to secure programming, simply because of the sheer enormity of the API, and because applications may be affected by areas of the API they did not use. This means that producing secure code for Windows requires a level of expertise far outside the level required for producing code.
One thing that is worse with this type of problems is that they receive little attention. While none of the problems I mentioned above is first published here, you will not find either of them mentioned on BugTraq or Full Disclosure anywhere within the past year. This, I believe, is a direct result of MS's "someone else's problem" approach. This means that Black Hats have an attack vector open that programmers are likely not aware of. I have talked to Black Hats that told me candidly that they get in anywhere they want by exploiting the fact that ActiveX's have no certificate revocation. Once an ActiveX was signed by Macromedia, Symantec or Microsoft, it remains signed, even if a security hole is discovered in it. They just push an old, insecure (but signed) ActiveX to the victim's machine, and then exploit the newly opened hole in order to get in.
Even worse, these problems are not implementation problems. People use both CreateProcess' NULL as application name AND WM_TIMER's callback option, which means that no simple implementation fix will close the hole without breaking applications. Microsoft provides no way to revoke a signature on an ActiveX.
My question, then, -
There is a SQL Server Solution
Depending on how big your database is, SQL Server 2005 Express Edition may be a 'free' alternative. While there is nothing wrong with switching to MySQL ( I mean hey, this is
/., if I didn't give OSS a plug, well... ), if you want to stay with MS technology, while not having to pay for the DBMS, then this might fit the bill. The only drawback with this solution is that you're basically limited to a 4GB database. Try it out, you might like it. -
dropmyrights
use DropMyRights to lower IE to a LIMITED account privlidges.
Get it from Microsoft Here -
Re:What has changed?
Vista has "User Account Control". Even though your user may be in the administrator group, it is not really running as administrator. In order to perform tasks such as install drivers, add services, etc, you need to run the app in elevated permission mode. This is either manually initiated by right clicking on the app in question and selection "run elevated as...", or automatically by the app which makes an API call that brings up a pop up asking the user if he is willing to grant the application elevated privileges. I actually had some problems with this...For instance, I was unable to relabel a partition in my standard user acct in the administrator group. I had to log in as the actual administrator account to do this (which strangely is still created with no password). Window's Defender add's another layer by catching events such as driver installation, service addition, homepage changes, etc, etc, and additionally prompts the user to allow or deny the action. In the current december CTP of Vista this creates quite a lot of popups, but I am sure in the future much of this will be hooked up to SpyNet and answered automatically if the user opts in. Additionally, IE7 runs as its own unprivleged user. Here is a somewhat outdated description of UAC: http://www.microsoft.com/technet/windowsvista/eva
l uate/feat/uaprot.mspx -
Changing with the times
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from. -
Changing with the times
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from. -
Re:Bug submission policy
This is very annoying. I found what I would consider to be a bug in IE, at the very least an inconsistency. I haven't checked lately to see if it is there, but it was about 6 months ago in the current version of IE6. The specific issue was the bookmarks in folders in the links bar were sorted differently to the bookmarks menu. Not a big issue, but certainly an inconsistency (although possibly by design).
There is no means of reporting this. I can pay for a phone call and hope that Microsoft considers it a bug, or I can send it is ms-wish@microsoft.com. I can't imagine that the latter would actually achieve anything.
Or more recently I believe I found a bug the way the .Net framework renders radio buttons, based on what I would consider to be a misreading of the standards. -
Management?
The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.
Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees. -
Re:On the Subject of Slashdot Article Purchasing
Sure Darwin is open source, but OS X is not just Darwin and is just as proprietary as Windows. Indeed with a Mac, Apple ultimately controls both the hardware and software. So this fits into the open source geek mentality exactly how?
Because....
1) Apple has cool ads and one of the best marketing teams in the world.
2) OSX runs UNIX apps natively, which geeks really like.
Oh wait, scratch #2, Windows also runs *nix natively with a complete *nix subsystem.
http://www.microsoft.com/windowsserversystem/sfu
I Guess just #1 then? -
Re:What-if Users
"I seem to have failed to fully convey my points. Being the patient type, I'll explain further.
...
Multiple Excel documents each have an entry in the Windows task bar much like every other window. Yet they do not behave like other windows."
I see that, and agree it's annoying. But if you read (your) post, you'll see that the side-by-side command gives what you asked for.
"Brackets have special meaning in the filename? That's news to me; please explain."
Being the patient type, I will. When Excel crashes, recovery files can be named such as filename[1].xls. My presumption was that MS wants to reserve the character for that purpose. In your defense, I see that MS has acknowledged this sort of thing as a bug, so I'll just concede.
"Yes, looking for more [than Copy Special]... like, maybe I add more data. It won't be duplicated in the transposed part."
You want Excel to spontaneously add data to distant parts of the spreadsheet? I certainly hope not.
" ... But even worse, the transposed part isn't linked to the original data."
Now I see what you want. Let's see, what function might TRANSPOSE a block of cells...? That's like asking the square root of a million - no one will ever know. :-)