Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Comments · 34,132
-
Re:And with Meego...
Someone appears to have obtained some more common sense over at MS and the basic dev tools including the IDE are free nowadays.
See? It even comes with Expression Blend. http://www.microsoft.com/visualstudio/en-us/products/2010-editions/windows-phone-developer-tools
-
Re:Long term, it is a good thing...
go read that : http://www.microsoft.com/investor/EarningsAndFinancials/Earnings/SegmentResults/EntertainmentAndDevicesDivision/FY09/Q4/performance.aspx
it made them a small profit....
-
Re:They do lots of research
You should peruse some of the research topics, projects, papers, and technology transfers from MSR if you are unfamiliar with them.
http://research.microsoft.com/en-us/about/techtransfer/default.aspx
http://research.microsoft.com/en-us/research/default.aspx
I am unable to find a similar body of material from Apple. When I type "Research" in the main search box on apple.com, I get many hits from iTunes about songs and television programs.
Searching for "Apple Research Labs" using a proper search engine, I find links to shuttered efforts. These are interesting reading in and of themselves. I've read previously that Apple had a rich legacy of HCI research, and clearly less successful products like the Newton had a fair bit of groundbreaking work that went into them.
http://mambo.ucsc.edu/psl/apple.html (no longer exists; link to apple.com dead)
http://en.wikipedia.org/wiki/Apple_Multimedia_Lab (no longer exists)
http://en.wikipedia.org/wiki/Advanced_Technology_Group (no longer exists)
I'd appreciate some assistance in reading more about the novel, non-product research going on at Apple. Perhaps you can help?
-
Re:The other option - IBM Lotus symphony
Sure, it's definitely not for everyone.
For those that care or need it (it's great for end users), there is a helpful website from Microsoft that lets you do something in Office 2003 and then shows you the steps in Office 2007/2010. It's super easy: http://office.microsoft.com/en-us/outlook-help/learn-where-menu-and-toolbar-commands-are-in-office-2010-and-related-products-HA101794130.aspx#_Toc268688374
In my experience just thinking about it like a menu does the trick. Just giving this to end users before an upgrade helps tremendously. People are smart and can pick things up quickly. Good luck!
-
Re:Learn your AVC's
For windows, here is a helpful list:
-
Re:The obvious first question...
You can mount a partition as a folder in a NTFS partition (like it is on Linux).
How?
Computer Management ->Disk Management -> Right click on the partition you want to mount ->Change drive letters and paths->Add->Mount in the following empty NTFS folder
When you install Windows you can specify that the user profiles be somewhere else other than "C:\Documents and Settings"
No you can't, or at least my install process didn't give that option.
No, but nLite lets you customize this, as well as other settings (for example my temp directory is C:\Temp and not c:\Documents and Settings\user name\Local Settings\Temp)
You can move the profile of a single user to another folder/drive
How?
http://support.microsoft.com/default.aspx?scid=kb;en-us;236621
-
Re:Some might argue
Uhhh...dude? 16 bit apps are more than A DECADE AND A HALF old okay? And you can STILL use them with DOSBox trivially. How well do 15 year old Linux apps run? Try not at all. BTW I just got done playing some No One Lives Forever, that is 1998 vintage gaming on windows 7 X64. That is 13 YEARS worth of playability.
One thing you can NOT complain about with MSFT is backwards compatibility, hell I'd say more than half of the patches released for Windows 7 so far have been more shims for compatibility to make even more old programs run.
BTW did you know that you too can write shims to improve compatibility? And unlike Linux there is ZERO CLI involved, nor need for scripting? All you need is the Application Compatibility Toolkit and MSFT is even nice enough to provide several Technet videos to walk you through making your own shims. this is how dedicated gamers have gotten games like the Star Wars VS TIE Fighter to run.
So I really don't see how you have ANY leg to stand on when it comes to BC. With Windows you have DOSBox and XP Mode for 16bit, you have incredible support for 32bit in 64bit Windows with NO recompiling bullshit, and they even give you tools that you can use to make your own shims if the ones included don't work for you, and it is all easy peasy beautiful.
Now compare that to Linux. Every 6 months? Driver borkage thanks to Linus going Goatse on the kernel, need to run old apps? Well you better have the correct kernel for those old apps or be ready for a recompile friend! And don't say LTS because currently the LTS has less time to EOL than XP does, and I DARE you to try to go from the previous LTS to the latest without having to start over thanks to borkage.
The simple fact is Linus don't give a shit about users, or consumers, the only person Linus gives a shit about is Linus. He still acts like it is 93 and the kernel is his personal science project, free for him to scratch itches wherever and whenever he wants, fuck everybody else. You mark my words less than 6 months after Linus retires Linux WILL have a stable ABI and the constant kernel Goatse bullshit will end. But as long as he is the head of the kernel team he is the worst enemy of his own creation.
-
Re:To the roots
This is why they should just let piracy go, especially for the OS and Visual Studio, that way when people enter the workforce, they already are accustomed to these things..
The OS should be cheaper... no way should the basic crippled version of the OS cost $100 for an upgrade and $200 for the full version. Mac OS X is $29.99 and has almost no OS Piracy.
Also, just FWIW, MS does have a free version of Visual Studio called Visual Studio Express that works quite well for students.
-
Re:"push OS code to systems at boot time"
With 7 and 2008 they are pushing about as hard in that direction as volume customers will put up with. You either do a one-time activation with microsoft, per computer(don't worry, if you have a high-security or airgapped network you can activate by phone!) or you set up a KMS host(modify our DNS server configuration to support your DRM? Sounds reasonable to me!) which activates with Microsoft, and then serves as a sort of activation proxy for KMS clients who phone home not less than every 180 days.
They didn't try to push a per-machine external dependency, much less a per-boot one; because that Just Wouldn't Be Happening; but your KMS host is going nowhere without external activation.
-
Re:Broken by Microsoft??
Dmitry Khovratovich is a Microsoft Researcher and the other two are from Dutch Katholieke Universiteit visiting MSR.
-
Broken by Microsoft??
If you choose to believe some of the articles, it was Microsoft who "broke" this encryption algorithm.
However, if you read the actual research paper the first page explicitly explains the relation between Microsoft and the researchers as "The authors were visiting Microsoft Research Redmond while working on these results."
-
Re:Doesn't have to be unsafe if native
So, the only way to guarantee a native code program on current machines is... equivalent to solving the halting problem.
Which isn't that hard for most useful programs. The Microsoft Static Driver Verifier, used on all signed Windows 7 drivers, can decide safety about 97% of the time within its standard time limit. If your driver's memory safety is undecidable, or even hard to decide, it's broken.
Since the x86 has deprecated segmentation (which could be used for this)...
That's how the Google Native Client works, and that's why it supports 32-bit x86 code only.
-
Re:Yikes
-
Re:Yikes
Want a file or a network connection closed? You have to wrap it in a try...finally block and close it manually. Every single time, no way to automate it.
Not anymore. It does require you to get the resource in a special block, just like C#.
Then there's Java's brain-dead inheritance model. Get ready to do multiple inheritance manually by copying/pasting code from all the base classes. Cross your fingers that the interface never changes and you have to go and hunt down every last copy of it.
That was an intentional language decision. From what I've heard it's because Sun thought the majority of programmers who tried to use multiple inheritance in C++ used it wrong. Instead, Java and C# only allow multiple inheritance of completely abstract classes (dubbed interfaces) plus one non-completely abstract class.
-
Re:Then learn the language better, stupid
To quote from here:
The primary use of this interface is to release unmanaged resources. The garbage collector automatically releases the memory allocated to a managed object when that object is no longer used. However, it is not possible to predict when garbage collection will occur. Furthermore, the garbage collector has no knowledge of unmanaged resources such as window handles, or open files and streams.
So basically you are still having to manage your resources manually anyway or you are going to cause leaks. So what exactly am I gaining?
-
Re:Yikes
Yes, because managed code has no memory leaks.
Yes, and managed code never has need for manual memory management. Oh wait...
-
Opera has a feature that makes it
IMPERVIOUS to scripted attacks (especially if foisted on the end-user via javascript, plugins, iframes, & even cookies): It's Opera's "Site Preferences" feature!
Here, I set all of those items globally, to DISABLED status... & I only turn them on for sites that absolutely NEED them (think ecommerce sites & ones that NEED database scripted access for example, or ones that need plugins, like YouTube - For a couple quick examples) enabled...
(Thus, lessening potential for attack surfaces available to scripted or malicious plugin style attacks, or those embedded in iframes etc./et al).
* Between THAT, & using HOSTS files to blockout 1,556,420++ KNOWN bad sites/servers/hosts-domains that either serve up malicious scripts or malwares, botnet C&C servers, bogus/rogue DNS servers + more, alongside firewalls (both in software &/or hardware routers here) to blockout attacks/malware-in-general via IP address (vs. host-domain names which HOSTS files handle in "layered-security"/"defense-in-depth" fashion supplementing firewalls doing both IP addresses + HOST/DOMAIN names as well), which operates FAR FASTER & MORE EFFICIENTLY THAN DO USERMODE/RING3/RPL 3 BROWSER ADDON SOLUTIONS (because HOSTS are a filter for the IP Stack, which operates in Ring 0/RPL 0/kernelmode (usually PnP design nowadays too on most all OS of modern design as well))?
Yes... I am TRULY very nearly "impervious" here!
(Simply because the only OTHER real way "into my system" for an attacker, & via a webbrowser? Would be a flaw in the browser's code being exploited, & keeping up on updates for security to them &/or my Operating System (Windows 7 64-bit) does the rest...).
By the way, some "FYI": IE9 has a nice new feature too called "TPL"'s you all may wish to look into also -> http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/
...Opera has an analog called urlfilter.ini/filter.ini that does the same as well (there are sources for those online also that populate them vs. attack, & iirc, SpyBot "Search & Destroy" fortifies this "automagically" for a user as well).
Firefox has a similar "internal to browser" blocklist feature as well!
FireFox also has "NoScript" which functions a BIT better than Opera's "By Site Preferences" (which globally disables scripting wholesale on a site's pages, whereas NoScript can do so "by source item" on each page IF needed - not really "superior", just more "granular" is all).
Chrome has a "sandbox" feature which is nice, because even IF you "suck in" a malware, it technically can only operate within said 'sandbox' & not hose your OS... but, sandbox features have been known to be broken (e.g. -> chroot jail breaks for 1 example thereof).
HOWEVER: Does my "browser 'weapon-of-choice'" have room for improvements? Sure, & some areas come from ideas from OTHER browsers (lord knows they've copied enough of Opera's featureset over time via addons or just blatantly ripping them off from Opera)
I'd like to see Opera have the following features added:
---
1.) Sandboxing like Chrome
2.) A native 64-bit build for Windows
3.) Something a bit more "granular" than bysite prefs for Javascript &/or iframes + plugins...
---
HOWEVER, & overall?
Well - Because Opera has "by site preferences" & HOW I use it (again - e.g.: All features are globally OFF, & only turned on where a site DEMANDS them)?
Well - thus, I am very, Very, VERY SAFE online (because what I cannot touch, cannot hurt me! Simplest principle of all really...).
APK
P.S.=>
"Opera 11 caught 6.1% of the live threats, providing considerably less protection against
socially-engineered malware than the other browsers tested." - SOURCE ARTICLE .PDF FILE, titled
-
Wait, what?
By " Windows Phone is now the only platform that does so with equal opportunity for all partners." he means "Well, except for Nokia, who is our pet OEM, with whom we have a cozy special alliance..."
Obviously, the biggest potential downside of the Google/Motorola acquisition is the effect on other current Android device producers, so MS can reasonably be expected to say something like that; but come on. It was not so very long ago that Microsoft and Nokia were shamelessly leveraging one another's dynamic synergies, right there in public, and now they want us to believe that Windows Phone is all equal opportunity for everyone and fuzzy kittens?
-
Re:Not all google searches are for websites
Bing also has a calculator and "define" as well as many other no-click "instant answers": http://onlinehelp.microsoft.com/en-us/bing/ff808522.aspx
-
When search works right, it doesn't make money
When the user gets useful organic search results leading directly to a useful site, the search engine makes nothing. When the search ads are more relevant than the top organic results, the user is likely to click on an ad, making the search engine some money. If some of the top-results are from ad-heavy content farms, leading the user on a detour through made-for-Adsense pages, the search engine profits. Some commentators have said that Google results are "just bad enough" to keep users coming back while driving traffic to the ads.
Then there are ads on third-party pages, what Google calls "AdSense". This is the business that used to be called "DoubleClick", which Google bought in 2007. Bing has a quality advantage here, because they have no incentive to send traffic to Adsense pages. (Microsoft is considering a "publisher" program of their own, but so far it's just in test. Adsense is 30% of Google's revenue.)
This is a fundamental conflict in the search engine business, creating tension between the "editorial" side of the company and the advertising side. Google is nowhere near as tough on spam as it could be. Google Adsense funds most of the dreck on the web. Google does not seem to favor AdSense heavy-sites (SEO metrics people watch this closely), but they don't disfavor them, either. Compare Blekko, which takes a hard line on spam, blocking all the major content farms.
That may be why Bing scores higher in Experian's metric.
-
Re:At least...
Can you give an example of how to circumvent UAC with slider on maximum and an "admin" account? (i.e. no password entered in UAC prompt, just OK/Cancel).
The reason why sudo asks for a password (even for user's password, like in Ubuntu by default) is to prevent input injection attacks. UAC doesn't do that because it relies on an OS mechanism to prevent input injection (isolated desktop). I'm not aware of any known ways to exploit this. Hence I'm claiming that UAC in this mode is exactly as secure as sudo is by default in Ubuntu - unless there's evidence to the contrary.
As for Mark's claim, it is misrepresented by the article you've linked to. Here is the primary source. He's not saying that it's not a security feature, but he's saying that it's not an impermeable security boundary. He then gives some examples of permeability, but note that none of them involve actually hijacking the elevated process. Instead, he points out the ability to spoof things - e.g. if you try to run an installer (some downloaded setup.exe in your ~/Downloads), and you have a malware running locally with normal user privileges, it could simply replace setup.exe with its own malicious version. When you try to run it, it asks for elevation, you give it (since you don't know it is replaced), and bingo - malware has root. But the exact same thing can be done with sudo!
Another example he gives is the ability for applications to draw directly on the desktop (which is only true when DWM - or rather compositing - is disabled). This way you can draw a different UI on top of an existing elevated application, e.g. replacing labels on its buttons so as to make the user to click where you want him to click. I don't know if this can be done with X (some kind of window that is visible but transparent for mouse clicks?).
At no point Mark says that it is possible for third-party app (potentially malware) to gain elevated privileges without going through an UAC prompt. He points out that it's possible to fake the prompt such that it pretends to be for a different app that has a legitimate need to elevate - a prompt like that would not pass close scrutiny, but not the cursory glance most users - even power users - give to the UAC dialog.
Again, this scheme also fully applies to sudo, in fact even more so - my hypothetical Linux malware, initially running under user account, would just hijack, say, Synaptic (by replacing the menu icon) to point to my patched version with the payload. When gksudo pops up, when it normally does with Synaptic - surely you would type your password and elevate - and then I fire off my payload.
-
Re:sounds like doublespeak
And, of course, they have a program you can add to Windows (but can't ship with Windows for antitrust reasons (thanks Symantec!)) called Microsoft Security Essentials to actually help protect against user stupidity,
-
Windows Embedded
Considering that Windows can't really be stripped down to bare essentials
It isn't quite the 200 MB you ask for, but Windows can be stripped down to 600 MB.
-
Re:POD has long since been patched.
From TFA:
Storms said it appeared that today's "Ping of Death" bug was a different vulnerability than Microsoft patched in its now-ancient OSes of the 1990s.
"it appeared"?
The bug affects the QoS service on Vista and newer OSes - a service which wasn't available in 1990 on windows.
XP and machines without URL-based QoS enabled are unaffected.
Also from TFAdvisory:
By default, the URL-based Quality of Service feature is not enabled on any Windows operating system.
In other words: no big deal.
And it's a "ping of death" only in that the QoS service listens to ICMP packets.
Misleading story is misleading.
-
EnableICMPRedirect in TCP Parameters
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect = 1
* This stops PING responses IF set to = 1 (0 of course, re-enables it)... I've been using this as a defense vs. ICMP "Ping-Of-Death" attacks since, oh, around 1996-1997, or thereabouts, iirc...
APK
P.S.=> Take a read here for more detailed information, "straight-from-the-horses'-mouth" @ Microsoft:
http://technet.microsoft.com/en-us/library/cc739622(WS.10).aspx
and, of course, a verification for you that PING does indeed rely on ICMP, here:
http://en.wikipedia.org/wiki/Ping
... apk
-
Will they run kid software?
Ignore Linux bias from slashdotters for a quick moment and think about what they are used for? If the kids are just browsing the web going to PBS kids or coolmath games then the OS should not matter. Ubuntu or whatever distro you want as long as the hardware works. If they want to run something like Mavis Beacon Teaches Typing, Oregon Trail, Math Blaster, MS Word/Works, and other kid software then you should choose Windows.
If you need or want the kid software for win32 then the donated computers must have the OEM license on them and you have to have the media restore cd's then you are good. You can order the restore CDs as well from the OEM. then I would keep Windows XP on them. If not and the computers have a volume licence from some organization then you legally can not donate them without wiping them.
If it is a non profit charity MS has an incentive program listed here with great discounts. I do not know how much ram these machines have but I think Windows 7 Starter Edition with the volume license might be very affordable as it works well with machines with just 1 gig of ram. I am thinking if you get donated old software then Windows XP might be better.
Mathblaster and Lexia Lab really do work and children love them and I think would give them more value than just a machine to browse the web.
-
Re:SMB2 and databases
KB link, with hotfix: http://support.microsoft.com/kb/2028965
-
Re:SMB2 and databases
Is it this one? Which has a hotfix.
-
Re:Dance monkeys, dance
It may also depend on the IDE version, perhaps. I've seen this in both the student version of the full VS2010 distributed through DreamSpark and the free Visual C++ 2010 Express; perhaps the MSDN-distributed version of VS2010 includes IntelliSense components these don't.
-
Re:Only SSD?
haha, Actually for stuff like this:
http://developer.android.com/sdk/requirements.html
http://msdn.microsoft.com/en-us/library/4c26cc39(v=vs.80).aspx
-
Re:In other news...
I do confess to never having encountered such a file myself, but I have heard from others who have claimed that the file infected them with some form of malware. A likely explanation would be that the website is the true location of the exploit - I imagine WMP would open IE to get the license, which means any scammer not only has a way to lure in visitors but also knows what browser they'll be using and thus what exploits to use.
MP3 files are not the problem ones. It's WMA/WMV/ASF (all the same internally). The extension is merely changed to make the file look more tempting, as most pirates are looking for mp3 files. WMP doesn't use extension to identify files, so it doesn't care.
As for the scripts, I think I can answer that. I actually wrote an ASF header study tool years ago, and I believe I recall it... I shall just find the specification from MS.
http://download.microsoft.com/download/7/9/0/790fecaa-f64a-4a5e-a430-0bccdab3f1b4/ASF_Specification.doc
That's completely useless, by the way. Microsoft has the format patented, and has threatened to sue at least one independent developer (of Virtualdub) for implementing it without agreeing to their very restrictive (You can read it, note that it specifically prohibits releasing the source of any implementation) license. If you go to section 3.6, script command object... there it is. Scripting support, of a very limited form. The actual script commands available are not defined by the ASF specification, but left to the specific implementation. WMP includes at least the 'open URL' and 'open a specified media file' commands, as those are given as examples, but I don't know just how powerful ASF scripting is.
Note that ASF, WMA and WMV are identical formats. The extension is merely a convenience to allow video files to be more easily told from purely audio.
-
Re:Email is public anyway.
Already here. I use this in postfix to opportunistically encrypt all SMTP sessions with SMTP servers that support TLS.
-
Re:Of course it was a mistake...
Why? Do you know of any source that indicates that later .NET Frameworks have changed in this respect? I did bother to do some further searches on NGen on MSDN and all I got were the various optimization improvements on NGen's code general or a general rehash of why NGen should be used by people. All of that to me would indicate that you have to go out of your way to select NGen and to have native code generated and cached on disk. That makes a lot of sense in some ways, since there's situations in which a JIT solution may actually be faster--for example, it sounds like there's a circumstance where JIT can be 6x faster than NGen for Static Field Fetch, whatever that is, although with ASP.NET possibly making NGen 2x faster than JIT. Of course, overall program performance is based on what are the bottlenecks, most commonly used code, etc, so it's a non-trivial point.
The real question to me is how much NGen is hamstrung into sub-optimal situations because it has to be flexible enough to deal with JIT code generation or the other quirks of .NET vs if the code was linked against Win32 dlls. I don't know enough about Win32 to really have a clue. But my guess would be that Win32 programs don't have the same level of instructions overhead for a lot of the shared library interactions. Having said that, I can see a lot of special situations where JITing would easily win out because it can detect ways to better optimize frequently run loops which would more than compensate for any other more general kludginess.
-
Re:How....
http://www.microsoft.com/mscorp/twc/endtoendtrust/
Microsoft has been pushing that idea for years.
-
Office 365
I find it far more likely that this has something to do with Office 365: http://www.microsoft.com/en-us/office365/online-software.aspx
-
Re:Can't you not
Microsoft has trademarked Windows on its own. http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
And their right to the term will only be in the areas they've trademarked it. So if they haven't trademarked it in everything then you could use Windows in the name of your toilet paper. In fact there are other trademarks for Windows as I recall and at the moment there are two trademarks for Scrolls and two for Scroll. This hasn't stopped the numerous other trademarks with those words within their trademark.
If you have a trademark you're expected to defend it or risk losing it so Bethesda have to put up some sort of fight over this even if Notch ends up with it.
-
Re:Can't you not
"Windows is a registered trademark of Microsoft Corporation in the United States and other countries."
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/Usage/Windows.aspx
-
Re:Here We Go Again ...
Uhhh...tell me how EXACTLY telling the equivalent of "water is wet" a MSFT propaganda piece? You sir might want to read this article on OSNews by the title of OS X - Safe, Yet Horribly Insecure or is OSNews MSFT propaganda? it points out the Apple implementations of several technologies, when it has them, simply aren't up to snuff. Technologies such as DEP and ASLR either are not implemented or are implemented poorly.
Now Apple was able to get away with that with relative impunity simply because they weren't worth the effort as malware writers like most criminals are a lazy sort of creature and will ALWAYS go for the biggest bang for the least work. It is like that old saying, you rob banks because that is where the money is. You attack Windows because it has been trivially easy to get little Suzy to run your "LOL_Kittehs.screensaver.exe" trojan nasty.
Is this REALLY so surprising? It isn't like any of the other OSes have held up very well when being targeted either. On OSX you had MacDefender followed by MacGuardian which caused Apple to give their infamous order to the Applecare guys "Do NOT say the word Malware and do NOT help those....people!" and on the Linux side we've seen Android pounded pretty regularly as well as the KDELook screensaver bug someone put out for shits and giggles awhile back, as well as this article that shows how trivial it is to infect Linux if you get the user to help you which is how nearly all modern nasties spread nowadays.
So why hasn't Linux and OSX been pounded before now? it ain't brain surgery folks it is because it just wasn't worth the effort for sub double digit userbases. And before some Linux fanboi trots out the old "but but but...Linux is used on servers!" I would point out you don't see Linux admins running "LOL_Kitteh.Screensaver.py" and if you do they should be given a nice white jacket and placed somewhere where they can't hurt anyone. We are talking DESKTOPS, not servers, routers, your toaster, or your remote controlled Linux thermostat. DESKTOPS are where the money is at for malware writers, because they have nice fat broadband connections they don't monitor for shit, they are MUCH more likely to be clueless about best security practices, much more likely to run funny software from the net if you wave a cookie in front of them, etc. it is simply easy money whereas grizzled non-sociable Linux admins don't play that.
So saying Windows is targeted because that is where the money is at is no different than saying the sky is blue and water is wet. If you want an easy target grandma on WinXP is about as easy as you can get. to their credit someone at MSFT FINALLY got hit with the clue stick and the whole "Hey lets all run as admins!" bullshit finally died with Vista, and now that I've switched the majority of my customers and family to Windows 7 I've seen infection rates go waaaaaay down. Did I magically give them a brain transplant? did my years of bashing my head against the wall trying to teach them best security practices FINALLY get through their heads? oh hell no! It is the fact MSFT makes the default a regular user now and has tech like ASLR, DEP, file and registry virtualization, and you can even do as I did and add SEHOP from Server 2K8 to Windows 7 to lock it down even tighter. this with a good sandboxing AV like Comodo or Avast free and we finally have a decent OS that is pretty locked down.
Now that Windows will be getting harder as XP is replaced by 7 it will be OSX's turn to start to worry. Apple being hip has gotten through to some who saw after MacDefender there is money there, and like blood in the water to sharks they WILL come.
-
Re:Germans and humour...
Call me crazy but a piece of non-executable code in a HTML file on a partition in the firmware does not sound a) exploitable, or b) critical.
Something has to process the HTML file. HTML is a complex standard -- far more so than plain text. An HTML rendering engine needs code to process every tag it supports.
I remember back in the day when the Goodtimes virus hoax was making the rounds. Software professionals were incredulous that people actually believed it was possible to catch a virus simply by reading email. Yet a few years later viruses started popping up that exploited security holes in email clients.
Back to the subject of HTML, here are a few security vulnerabilities in HTML rendering engines:
Siemens is taking the issue seriously.
While the Easter egg may have simply been a developer's idea of fun, Beresford says he's still examining it to see if it's possible to send commands through the html page back to the PLC.
-
Re:Stop trolling the end of .NET
.Net libraries are mere wrappers around COM and Win32 counterparts.
Not as much as you might think. Some examples are System.Xml which is not a wrapper of MSXML, the Managed portions of System.Security.Cryptography, and WPF, which is written in entirely managed code. Also note that GDI+ was written in C++ and cannot be called from C code.
-
Re:Of course it was a mistake...
If you want to cache the native .NET image, use ngen.exe.
-
Re:Of course it was a mistake...
Well, according to here, the JIT compiler is just a JIT compiler with the persistence at most to the life of a process. If you want something more persistent, you can use NGen which can store native code in the NGen cache. Having said that, NGen code seems to have some caveats that make it worse than native code (either less ability to share pages between processes or a potentially longer startup time). So, yes, there's an option for native code, but it doesn't sound like a default except for the .NET framework itself.
-
Re:Got it wrong
As proof that C is perfectly appropriate for OS kernels, one simply has to look at the most common kernels. Name one that is written in a language other than C. Linux, Windows, Mach, *BSD... All in C. Even OpenBSD is in C, which one would think an odd choice considering the stated goal of OpenBSD.
If anything, one might argue that an OS kernel is the only appropriate place for C.
Windows, huh? This might interest you.
Windows is written in C/C++ hybrid, part of the upper subsystems use classes from C++ (multimedia/sound at least). It also doesn't use C strings (see the link), instead using UNICODE_STRING structures, which are basically Pascal Strings, for all text processing [including, most importantly, file paths]. Oops.
-
Re:A mistake?
but the crap way references are handled and the lack of some things that are needed by professional programmers (eg no system wide 'include' path to pick up references, so you have great difficulty unless all your devs use the same relative path)
Don't blame the ergonomics of your hammer if you're using the handle to hit the nail.
The Visual Studio project system -- or any sane source control based development process for that matter -- uses relative paths. It's just how it's done in professional environments.
With more than a single developer, absolute paths can't be used any more. You sort-of realise this yourself, but you simply decided to force every developer to use the same absolute paths instead of fixing your project structure. That wallpapers over the issue for a while, but the problem with that is that even a single developer can't use absolute paths if they need to keep multiple complete copies of the source tree around, which is essential for most projects.
For us that know how to use our tools properly, Visual Studio has a brilliant dependency and reference resolution system. I can cross-reference projects trivially and have it automatically determine the build order, include library DLLs in output paths, and build manifests automatically. The binding system is flexible -- it can be used to select the version of a library based on a bunch of different rules.
-
Re:Ridiculous
control.Enabled = false;
control.Enabled = true;
That you couldn't find a simple property searching through msdn says a lot about you.
http://msdn.microsoft.com/en-us/library/system.windows.forms.control.enabled.aspx
Hell "disable control c#" gives you an answer in the first hit on google. The msdn page might be a little too technical for you so might I suggest starting with:
-
Re:Ridiculous
On a GUI App I was working on in a previous employer I asked the .NET C# guys how to disable/hide a UI element. I was met with incredulous stares and a 'you don't want to do that' response. As far as I could tell there was NO WAY to enable/disable/hide a UI element without writing my own from scratch.
Unless you were using some weird non-standard GUI layer, I'd fire those devs.
The standard WinForms controls all have .Visible and .Enabled properties. And always have, since .NET 1.0.
They're named .IsEnabled and .Visibility in the newer WPF graphics layer.
I COULD NOT FIGURE OUT HOW TO DO IT!
And they would have shown up in the Visual Studio property editor, so I'd have to fire you as well.