Slashdot Mirror
The Microsoft Protection Racket
bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warrantee, no guarantees, may have security issues.
Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.
The NSA: The only part of the US government that actually listens.
But that's just me.
And yes, I know he isn't the same as the keyboard guy.
I don't get it.
> I enjoy salt with my Dvorak, but that's just me.
Zonk eats people !!
Alert the authorities !
It is mind boggling. Dvorak is right.
In case you aren't ready when Dvorak makes Al Capone related references: http://en.wikipedia.org/wiki/Frank_Nitti
~jennifer.k~
from the article:
Where's the story here?
I like food with my salt.
Parent is a troll only, I suggest adding to foes and karma modifier -1 for all foes.
Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files? What do you suppose we do about the thousands of existing applications that use the registry? How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?
Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.
It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...
using namespace slashdot;
troll::post();
Dvorak - stop using the registry
Gnome Developers - start using GConf
maybe i'm missing something but why is one central preference/setting repository better then another? (note: i don't like the concept of either)
While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, and extra fee "security blanket" is acceptable.
In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administers outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.
Sig under construction since 1998.
This is just one more reason for people to switch to ___________ (insert favorite OS). My favorites are Linux and OS X.
Think Deeply.
He is somewhat correct, if security was a priority these problems wouldn't exist.
However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.
Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.
"Nice server room you got there.... It would be a shame if something happened to it."
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I think the idea is not so much about making money or fixing code, its about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior then pushing out one or two patches (or 9 this week) to fix a problem.
/quote ]
Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.
Also why is this retard writing about Security??
[ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [
Your f'ing joking right?.
Why doesn't the company just bite the bullet and bring out various exploitable versions? Here are some suggestions:
...
Vista - Won't Boot Edition... $29.95
Vista - Preloaded with Viruses and Spyware Edition... $39.95
Vista - Initially Clean but Use at Your Own Risk Edition... $49.95
Vista - Clean with Firewall and Weekly Protection Update Edition... $200
This sounds like a typical slashdot rant from a Slashdot Linux Zealot... how can he be able to write this crap, and be paid for that?
This man is a total Troll... of course this time because he is writing about Microsoft, on slashdot he will get a +10 Insightful moderation
Ubuntu is an African word meaning 'I can't configure Debian'
Vista - Won't Boot Edition... $29.95
Vista - Preloaded with Viruses and Spyware Edition... $39.95
Vista - Initially Clean but Use at Your Own Risk Edition... $49.95
Vista - Clean with Firewall and Weekly Protection Update Edition... $200
From TFA.
From TFA;Therein lies the rub. Microsoft cannot fix the code--that's the point. It apparently cannot be done. Get over it. And when the spyware epidemic appeared, the company had to throw in the towel. Spyware exploits the basic architecture of the operating system, and no amount of patches will change that.
Maybe foundationally the architecture is so poor that no amount of code writing could be done to fix it.
It may be the cost of paying for all those backward compatibility barnacles through the years.
Or maybe Microsoft just doesn't want to bothered with it. But don't you think that if windows code was open sourced that eventually all the leaks would be patched??
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Everybody keeps saying shit like Microsoft should just fix their OS instead of releasing protection software. Contrarily though even with a "perfect" OS you still can have use for anti-malware software. What fix should MS implement that will prevent a browser plugin installer from also putting in a spam relay?
Remember the good old days when applications stored all of their configuration data in a file like SETTINGS.CFG? You could zip the entire application directory up, unzip it on another machine, and it would run just fine. An uninstall was as simple as erase *.*, cd .., rmdir foocalc.
Use of the registry to store things that the application needs in order to work makes sense for a number of applications, especially enterprise stuff that needs remote installation and management and system software like firewalls and virus monitors, but there are quite a few user-application kinds of packages that use of the registry makes no sense for.
For me, an application that doesn't use the registry is a huge plus.
Seriously, folks, Microsoft is not running a charity here. What he suggests doing is dirty, scummy, and cheap because it will make them more money. I often agree with Dvorak, and this is definitely the case. Now, if Microsoft does this, it will inevitably hurt their profits in the long run, but for the short term, it'll boost them. The same thing happens with outsourcing. The same thing happens when customer service is moved to a call center in India where the workers don't speak passable English. The customers of these businesses decide that they want to work with the business that deal with issues themselves.
Do, do not, or delegate to someone else: there is no try.
I personally love the fact that Windows is so unsecure and so easy to hack/trojanize/etc. If they made a secure, bug-free operating system, there would be a ton of us support peeps out of a job. I support windows computers every day at work and use linux at home so i dont have to do the same thing when i get home. GAWD Life is good :)
Every product we buy needs long and short term maintenance. Cars need oil, tires, waxing and tinkering under the hood. Software, especially complex operating systems with a ton of third party programs, are no different. As Linux gains features and popularity, it also gains incompatibilities.
Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.
Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with hour Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?
You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.
I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.
I agree 100% with him, and that's 100% more than usual.
Thay porbablbly ues wind0xz 2!!!!!!!!
Actually I like the fact that he takes a stance against Microsoft. Criticism is always a good way to create change. The issue I have with him is that maybe he should actually learn something about it before writing about it. And make coherent arguments (jumping from charging for spyware utilities bad to registry bad).
I can nothing but agree with what Dvorak says, It is pretty disturbing that the company that lets the malware in also charges you money for fixing it. I do not think antivirus is any real solution either but one that comes from Microsofts unwillingness to fix the problem. Thus a void was created wich was filled by other companies. To see Microsoft trying to take over that market is obnoxious. They should have fixed the underlying design problems in Windows that lets all the malware in, not slap a new layer ontop of the old broken one.
Lets not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesnt fix the hole quickly its pretty useless and creates and endless battle.
The antivirus companies ofcourse like this, and endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why i agree with Dvorak. Now, im off to take a hot shower and cry trough the night.....
HTTP/1.1 400
I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries...how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.
Amazing how he jumps to the conclusion that because something told him he had spyware on his system, he assumes it's because he left an FTP client in memory overnight. Interesting theory.
Because FTP clients typically aren't exploitable "through an open port", you dingleberry, let me propose an alternate theory: You're a clueless moron that doesn't understand the most basic of security concepts.
I'm a big tall mofo.
You think so, eh? Just try to install the latest version of Postfix and see how the delightful packaging mechanisms go for a toilet float.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Argh. Stop posting Dvorak articles! The man is an idiot who doesn't check his facts. He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.
His ignorant rantings are not in the least insightful.
Oolite: Elite-like game. For Mac, Linux and Windows
If windows is so craptastic then why the hell is everyone using it? Because its the easiest and best OS out there, sure it has an assload of problems, but if your software was as complicated and widely run as windows it would as well.
On the notion of charging for patches, they must be joking, if they seriously think it will make them any money in the long run they are nuts. My guess is this is some new service which got totally blown out of proportion.
That's not to say that Windows quality isn't well below what it could be (eg. root privaledge separation could be relied upon much more), but even trustworthy OS's recognize that security isn't perfect, and provide extra software to try to accomodate that.
Or, stated another way: Security CAN'T be a single-layer thing. Try to break into a Area 51. If you get past the remote electronic sensors, the dogs, and the armed patrols, there's still locks, internal electronic sensors, doors that only open with specific badges, etc. Once you have multiple layers of security, you're no longer nearly as vulnerable to the "chain is only as strong as its weakest link" problem. Intrusion-detection software is just one more layer of security, and that's not a bad thing.
Kips wedding song is a strangely appropriate ode to Dvorak:
Sure the world wide web is great, but you, you make my salivate... I love technology, but not as much as you, you see... But I STILL love technology... Always and forever. Our love is like a flock of doves, flying up to heaven above... always and forever, always and forever... Why do you need me? Why do you love me? Always and forever...
whether microsoft can or can't fix the basic structure of windows, its pretty clear that doing so is not the most marketable option. a "secure OS" is always going to be less trustworthy than a separate, identifiable, specialized program designed to fix a problem that's been given a name. i think most people who don't know about the nuts'n'bolts of computing (and, more importantly, don't care) need a ritual, like washing your hands, when it comes to keeping computers clean; something reassuring and visible in the GUI. people need to know that their OS comes with a crusading anti-evil-things champion. it may not be the smartest way to do it, but it's what people want.
hell, it'd be a shrewd move on the part of MS if they were to build their own virus/spyware protection, but package it as a separate module--say, building MSAS into the core of Vista, but keeping the name and the interface. a shady move, but a shrew one.
/. is what happens when geeks talk. get used to it.
I once predicted that historiclly some year around 1997 to 1999 will be seen as the peak of MS influence in the tech world. Although it might take 20 years for the company to be weakened to a minor player, I think we are seeing MS in its declining years!
Think Deeply.
Just try to install newest version of Windows and see how well it goes.
UBUNTU IS HERE TO SOLVE IT ALL!
There's nothing wrong with the registry that a little knowledge wouldn't fix.
"I enjoy calling Dvorak a blohward with my Dvorak"
I think you need more practice.
Why yes, I AM a rocket scientist!
What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.
Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.
I dislike the puppet intellectual (Dvorak) as much as the next guy, but this time he has done an effective job at restating the obvious.
He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.
I live behind a firewall. It does a really good job and keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.
It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.
Perhaps it will become as irritating as norton, that revalidates itself every other day accross the internet telling me the key I bought last month expired... or having ccapp go crazy burning cpu even when I've disabled virus checking.
Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down you computer even when its off, or you are disconnected.
So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.
/\/\icro/\/\uncher
Why post the article at all? If you don't respect the author, why post his article.. Just to make fun of it?
It's what you get if you buy an economical PC. Honestly. It has NOTHING to do with it being all that good or easy. It's what was there, so that's what gets used because you have to go out of your way to use anything else.
It's so "craptastic" as you put it that most people spend as much as 20-40% dealing with Spyware, Worms, Trojans, and Virii on their boxes. This isn't because they're not security conscious, it's because the OS is actually THAT bad. "Easy to use" isn't when you're broken part of the time because of something that got inserted on your machine without your permission because of horrendous design flaws in the tool you're using.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
>> Anyone who suggests 'abandoning the use of the registry'
>> has obviously never written Windows software. What do
>> you suggest we replace it with, INI files?
> Or property lists, yes.
Well, INI files don't scale well; not because they are flat text files, but because the way a hierarchy is modelled in an INI file is inefficient and error prone. Something in the nature of a property list would be quite reasonable.
It is also worth noting that since DotNet, lots of data that used to be in the Registry is now in XML files in the application folder. That's a big part of the XCOPY install feature MS brags about for DotNet.
>> What do you suppose we do about the thousands of existing
>> applications that use the registry?
> Wrappers for the INI/PLIST files that behave like the old
> registry calls.
Perfectly doable.
>> How do you suggest we support access controls for individual
>> settings and keys - make a single INI file for each one?
> Why not?
Well, it isn't strictly necessary to use the Registry to support access controls on keys and settings. As long as the file itself only allows administrator access, the APIs that model the current Registry APIs can implement key and value level security within the file. This would make the files read-only in a text editor for common users; however a simple editor could be created that allows the appropriate access to the individual keys via the APIs.
But INI files aren't appropriately structured for that; XML files would be better, or any number of less-verbose-than-XML text formats.
> OS X does this like a dream, I can take my Library folder with me
> and wham, everything is the way I like it on a new machine. I'm
> sure it would be possible to do something similar on Windows,
> provided I paid $50 for some crappy shareware product.
Well, it wouldn't be a crappy $50 shareware product to virtualize the Registry. Since the APIs are inside ADVAPI32.DLL, and are used during the boot process, it would be a kernel hack; generally more expensive when done third-party. MS could do it safely; third parties would need to worry about MS breaking the hack with an OS update.
A stopped clock is accurate twice a day; one that is five minutes slow
is *always* wrong...
Dvorak and Hoagland (and others) have taken this to heart. If you are spinning
at exactly the right speed as the rest of the world, you will always be wrong.
So what if you start spinning wildly, at several revolutions per second?
Won't you be right dozens, or even hundreds of times in a day?
Never mind the fact that you'll be wrong thousands, or even tens of thousands
of times in that same period of time, and that's the problem with both men.
Both can point to a number of times when they were spot-on, either through plain old
dumb luck or because someone who really does know told them so (and they parrotted it)
Trouble is, the times they are correct are so outnumbered by the times they are
wrong that they just aren't worth following, regardless of the absolute number
of times they are correct. How do you know for sure when they are correct, unless
you do all the leg work yourself to verify?
"That's the joke." - McBain
I enjoy salt with my Dvorak, but that's just me.
Salt? I take Dvorak with Lot's Wife.
I've long since quit taking Dvorak seriously. He's repeatedly shown himself to be clueless when it comes to these things. But then, you don't need any usable current qualifications in the industry that you're being a pundit for- all you need is an opinion, it seems.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Wake me up when Ubuntu figures out what real system administrators need.
The world's burning. Moped Jesus spotted on I50. Details at 11.
The last time I took Dvorak seriously was in the late 80's. Once I got a clue, I realized he didn't have one and I started ignoring him. He isn't news, nor is he stuff that matters. He's just a lump of clay that one day will turn into worm food, like the rest of us, but unlike the rest of us, he can safely be ignored.
Word of the post: benign
He's using Windows, what does he expect?
I typically take Dvorak's stuff with half or more of one of the Utah Salt Domes...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I wonder whether Microsoft changing their policy to charge for security updates might be a sufficient impetus for their EULA's denial of liability to be thrown out through legislation.
Really. Who cares? The people buying their software don't appear to. If people start demanding more then they will get it. This probably won't last but I hope it does. I want Microsoft to charge as much as possible for this service. I want their products to require more spending from their customers. Why? Because I want those customers to discover they have options.
"Does Microsoft think it is going to get away with charging real money for any sort of add-on service, or new product that protects clients against flaws in its own operating system?"
I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.
"Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me.."
This is one of those "features" brought about by the "tight integration" that Microsoft oh-so likes to spout off, the same goes for their "feature rich", "Tightly Integrated" Office Suite!
[regarding the Registry]"Why does Microsoft insist on continuing its use? There has to be a better way."
Another "tightly integrated" feature of the Windows OS, Surely there is a way, maybe when they receive the money for the patch management services, they will fix the problems with the registry.
I really don't know why Microsoft is even worried about it, Isn't it the Coders Fault anyway?
"Why doesn't the company just bite the bullet and bring out various exploitable versions?"
Vista - Wont't Install (BSOD) Edition
Vista - Phisermans Dream Editition (Code Named CHUM)
Vista - Cleaned and Optimized (Linux , Gnome w/Vista Skin)
My FTP program (WS_FTP) has the annoying property of not working if left alone for a few minutes. I always figured this was a bug. But maybe it's a feature! It certainly makes sense to kill a process that can be used to modify the registry, if it's just sitting there doing nothing. Does anybody know if this is intentional? Could it be that someone actually had some foresight for a change?
"Is this Winkhorst a nova criminal?" "No just a technical sergeant wanted for interrogation."
Some federal case against Microsoft? It is wrong to bundle and it is wrong to not bundle? Peoples are just plain silly.
1. Break up the company.
2. One division for OS (MicroSoft), one division for "security" (MicroHardened)
3. ????
4. PROFIT!
"A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files?...
I have developed large windows apps and I don't touch registry or any windows folders. Our our app configuration data sits in our own file, in the folder based on the location of executable (we don't use absolute paths for our data & other folers). If user loses OS and has to instal new one from scratch, our software runs exactly as before. If user needs to put our programs to a laptop or another machine, they just copy from our base folder down and it all works in the new place, no reinstal or configure anything. In contrast, most other apps require locating old CDs to be reinstalled, finding unlock codes on some stickers or packaging long gone, registration keys and confirmation emails, full GUI configuration (which may have taken months or years to tune up)... a nightmare.
If app needs a tree-like database to store its configuration, one could have had all the registry API's, except that it stores all the data in a local file within the app folder. If user copies app folder & subfolders, it should all just work. If app needs to look some global configuration (set via windows), it should be via read-only Windows own config database. Similarly, nothing should be allowed to write into windows or system32 folders (such as dll's or other app specific files), unless explicitly allowed by admin user.
In other words, the apps, their data & dll's should be self-contained, isolated from the rest, prohibited from touching or modifying other app folders, data & configurations (unless explicitly allowed by admin). If you don't like some app you just installed, you simply delete its folder and it is gone without trace.
The only item which does need to sit in a common registry is the list of app root folders, to help for example with installing a new version of the app (which would require a proper signature to access the old version data). The applications would not normally care about this common list for routine operation. If the app starts and it has no entry in the app master list (e.g. when system was rebuilt or when you copy app to another machine), the startup could append the entry for the app, so a new version could find it.
Apps which need access to config or data of other apps would need approval by admin user to read, and especially to write into other app folders.
The present Windows scheme is terrible for users and developers, both with registry, DLLs and windows & system32 folder cesspool. It is a completely wrong-headed, oppressive scheme, with no concern for user time and convenience, as if devised by some stalinist era buraucrats.
Can I pick "E.) All of the above"?
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
Once Microsoft starts giving away their suite of security products, taken 90% market share (and "cut off Symantec's air supply"), what will be their incentive to deliver updates, patches, or virus libraries on a timely basis? What will be *ANYBODY'S* incentive, once Microsoft has seen to it that you can't make money in the security business. They will provide virus updates about as often as they provide browser updates.
Research shows that 67% of those who use the term "research shows", are just making shit up.
Microsoft offering anti-virus or anti-malware for Windows does not mean that they will stop fixing bugs in Windows.
No more than the fact that McAfee or Symantec offers antivirus software means they active release viruses to spurn the adoption of their software.
Microsoft is being pro-active about security by trying to get software into Windows that will stop undiscovered bugs from making systems expoitable. This will make users safer in the long run, and eventually (probably) will be included in every copy of Windows.
You know, whenever there is a story with Microsoft stating something about Linux or a writer compares the two and says something more favorable about Microsoft the half-penguin/half-sheep here start crying conspiracy. Countless times an author of a story has been trampled on this site due to past affiliations or past viewpoints. It is fairly obvious that Dvorak is not objective and his points are nothing more than attacks fired at MS and praises aimed at Linux. Show me something completely non-biased.
Then there's *nix for those that just can't handle Windows. Idiot users clearly shouldn't be using Windows.
Blame the user, not the software.
This is just Microsoft trying to jump on the trend of having a services pricing model. For the past few years this has been a really popular way to abuse customers in all industries (Not that Microsoft hasn't already abused customers by selling them defective software).
If you are vigilant about protecting and updating Windows, you MAY not experience any major problems.
However, if you don't, it will become infected - which in turn provides jobs to those who can clean, fix and update these PCs. If Windows wanted to get serious about fixing their problems, it would be sad news for support people who charge by the hour to fix Windows' flaws.
Yeah it kind of sucks and I am not making an excuse for it by any means, but it does provide work for techies who may not find work otherwise.
The perfect or ideal computer will have the ability to protect and fix itself.
He who knows best knows how little he knows. - Thomas Jefferson
In a voice of Shear PANIC If they abandoned the Registry!?!?!? What would I do with Regedit!? Even More, How would I know that a program had been installed properly if I didn't need to Reboot after the install?!?!?
Generation Trance: What generation are you?
Me?
Get rid of the notion of "installers" altogether.
i t-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).
A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.
Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.
I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.
Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.
Then and only then can we expect users to be able to avoid social engineering.
You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-sh
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
This sounds like racketerring to me. Any lawyers out there know when exactly RICO laws come info effect here
The war with islam is a war on the beast
The war on terror is a war for peace
Or is it with Explorer.exe?
Basically, If I boot up a fresh Winxp w/no SP, kill explorer.exe, then plug it into the intarweb... will shit go wrong?
[Fuck Beta]
o0t!
Maybe Racketeer Influenced and Corrupt Organizations Act (RICO) laws are more appropriate than anti-trust avenues.
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
3) Typical Windows running as Administrator.
4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
5) "How a burgler climbs in through an open window and steals my money is beyond me, but it happens all the time."
His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!
How about, "it's from Dvorak, so take it with a grain of salt, you stupid fuck!"
Yes, it may well be unintentional, but MS is certainly running a protection racket. If your local mob extorts money from businesses lest they get an unwelcome visit by enforcers, that is a protection raacket. Pay money or your business will suffer losses.
If you bought a car and then had to pay extra to keep it from falling apart, you might have some real problems with that.
No, I am not a real MS basher.
Subject should read UBUNTO=Debian Desktop Done Right
If you want good/secure servers, stick with Debian. If you want awesome desktops, use its variants.
Half the time I'm right, the other half you're wrong.
Reading the other comments, I get the impression this guy is not necessarily a trustworthy source. So does anyone know for sure? If so, please let us know.
Thanks.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
OK, obviously your story is true. However you're in the minority. Ubuntu just works for the majority of the people and believe it or not, some day it will work for you too.
BSD& Friends vs Windows
People even complain about the OpenBSD security obsession making this hard to use.
I know this post will get modded down because it doesn't suggest immediate formatting and installing of *nix on every hard drive in existence, but here's something I don't understand about the folks who complain about Microsoft's approach toward security: Why didn't they also complain about, say, the designers of the Alfred P. Murrah Federal Building?
Microsoft makes this giant software behemoth called Windows that's comprised of hundreds of thousands of lines of code. Somebody finds a flaw in the way that it's put together, and Microsoft's the bad guy because they let it happen. Worse yet, they're taking another PR beating by selling an ongoing security service for their behemoth. (Whether this service is provided in a complete or timely manner is both highly unlikely and outside the scope of the point I'm making).
In the physical world, people built a giant behemoth of a building comprised of hundreds of thousands of pounds of concrete and steel in Oklahoma City. Somebody finds a flaw ("Hey! I can park this rental truck full of explosives only a few feet away on the street!"), and to my knowledge, no one thought to blame the building's architects and construction workers for not thinking to encase the whole building in a blast-proof dome. Now, let's say that when Freedom Tower is finished in New York, they hire a full-time security force to patrol the grounds and monitor the skies so we don't have a repeat of the WTC bombings. Would they be bad guys and extortionists too?
I support the separation of oil and state.
...protection is needed. Lets take unix and assume that there are no elevation of priv attacks or any other vulnerability. We can aggree that the user at some point has to be able to (a)run an application, and (b)modify their personal information (read, not system config info, just theirs). So, the issue still exist of a dumb user running a bad executable, unless you limit a user to only installed executabled which IMHO would limit the appeal of the OS to the general user market. This is where anti-spyware/anti-virus software is still needed, and will always be needed.
I agree that Windows has a long way to go from being this perfect OS, and this is why they offer anti-spyware for free.
The same arguments of a "protection racket" can easily be applied towards software vendors that also charge for services/consulting. Everyone knows that those companies are making huge bucks on their consulting fees. Much more than on their software sales. (Thus, the push for many software vendors to start providing consulting services.) If the software was easy, bug-free, and provided features and interoperability, then there wouldn't be any consultants required for installation and integration.
A classic example of poor design.
By having many different INI files, the loss of one file isn't going take the whole frigging system out.
I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Add to that the following:
On the other hand, "Consolidating all settings into one proprietary data store" is not entirely true. The registry is stored into (at least?) two different files.
Computer security experts say that they've already felt plenty of sting, thank you very much. Thanks to the openings in their already paid for OS, they'd really like a chance to not be stung anymore.
I'm not tense. I'm just terribly, terribly, alert.
All NT-based operating systems halt the CPU in the System Idle thread. It just halts and waits for an interrupt to occur. It has the lowest possible thread priority and only runs when NOTHING ELSE IN THE SYSTEM NEEDS TO RUN.
What exactly does he think "System Idle" means, anyway?!
"Microsoft made Windows insecure! Ready pitchforks!"
"Microsoft is making anti-virus software! Ready the tar and feathers!"
"Derp de derp."
If you don't like Microsoft go ahead and run Linux, OSX, or whatever other op sys does it for you. There is no freaking law that says you must run freaking Windows! (and then complain about it constantly) Isn't it better to light a candle that curse the darkness? Besides, it's not like complaining is going to make MS change at all, so why bother.
By the perception of illusion, we experience reality
with that approach.
but something entirely new. The pharmaceutical industry realizes that with about 90'ish percent of the prescription drug market at their doorstep, treatment is much more lucrative than a cure. After all, what have they got to lose? A market they will always own as far as their concerned.
The higher the technology, the sharper that two-edged sword.
To be fair, he was complaining about an explorer hang (he only bitched that the system was pretending to be idling).
i ntermittent-and-annoying.html
That's quite common in some situations, and Russinovitch dissecates one quite nicely in his blog:
http://www.sysinternals.com/blog/2005/08/case-of-
How about someone translates that for those of us who don't tend to mess around with DVORAK layouts? Including me, that is.
There is no incentive to fix the code base if it can make additional money selling "protection."
That's not true at all. Microsoft has all types of incentives, namely competition from alternatives like Linux and Mac OS. But even from a programming standpoint, it makes sense. Virtually all software companies update their software; it makes sense that MS will too. It's foolish and cynical to think they "just don't care", even though I know a lot of people do.
Not to change the subject, but isn't it about time we junked the entire concept of a "registry?" This concept has been the bane of Windows since its invention. It prevents easy program migration. It creates conflicts. It invites tampering. It's exploited by viruses and spyware. Why does Microsoft insist on continuing its use? There has to be a better way.
Two points about this:
1. There is a lot of functionality added by the registry. Yes, it has a curse along with the blessing, but does Dorvack actually think Windows ran better without a registry like it did in 3.1? I think he's just a little behind the times.
2. How about he actually suggest an alternative? Bashing MS is one thing. How about Dorvack suggest a better way? It's easy to say "Microsoft sucks". How about he come up with a plan on his own?
This from the man who said "No CD software should cost $50 when it only costs .50 to make a CD"
Real profound.
Therein lies the rub. Microsoft cannot fix the code--that's the point. It apparently cannot be done. Get over it. And when the spyware epidemic appeared, the company had to throw in the towel. Spyware exploits the basic architecture of the operating system, and no amount of patches will change that. A barrier has to be erected that changes the way the computer works, by monitoring things more aggressively.
... instead of having individual applications that build extensions of appropriate security around a set of resources (HTML rendering, HTTP access, CIFS access, scripting, the registry, and so on) they have committed to applications (Windows Update, Windows Explorer to an ever-increasing degree, Outlook, ...) built out of components running under the web browser.
Microsoft CAN fix the code, but there is no way they can get the political will to do it. They have too much time, face, and capital tied up in their internet-oriented OS to ever back away from it. Internet Explorer, Outlook, Windows Update,
The security problems inherent in such a design were obvious to me in 1997, and when I banned the use of the "outside-facing" members of this family of tools at the local office we were able to easily ride out every one of the worm/virus outbreaks that slammed the rest of the company on a regular basis. I don't claim any great insight in this... virtually everyone else I knew in the security business came to more or less the same conclusion... but unfortunately few of them had the luxury of working for a company willing to give them the support for such an obvious step, and equally unfortunately I wasn't able to expand the policy beyond our building
Microsoft could redesign their system to once again be application-centered, with the HTML control a display-only module that requires the application to install internet access, trusted scripting, and other potentially dangerous components only when needed. But they're moving the other direction, and so while they COULD fix their basic problems it's ever less likely that they WILL.
HKEY_CURRENT_USER is a hive loaded from the NTUSER.DAT file in the user's profile directory. Copy that and you can copy all the settings, probably more settings than you want though. It works for the most part, but it's not a good solution.
... we're stuck with it. It's too hard to change the design and too easy not to. Very rational.
Did anyone else's sphincter clench at the thought of body shots with Dvorak?
Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's a old list of programs known to contain Aureate.
Aureate changed its name to Radiate. In 2001, they settled a class action over privacy issues.
Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."
Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."
Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.
AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.
For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf).
It's interesting that in my experience gained by cleaning up people's machines, the paid-for anti-spyware stuff misses a ton of stuff, while the freeware finds everything the paid for stuff does and a lot more. Paying for anti-spyware has to date been a counterproductive move.
I just finished reading John C. Dvorak's excellent article about forthcoming Microsoft security softwares. I've always been against paying M$ to fix their own problems, especially since they seem to do such a poor job of it. Think about the irony of Microsoft selling an operating system that is hugely susceptible to viruses, spyware, and other malware, then offering to sell you "security softwares" that will help against these very things. Wouldn't it just make more sense to fix the operating system itself? Suffice it to say that hell will need to freeze over before I buy any anti-virus, anti-spyware, or any other anti-resolve-the-holes-in-Windows add-ons from M$ themselves. I'll stick to other, 3rd party companies for now. And here's the real kicker... what's Dell or HP's answer if you call their technical support department and they determine you have a virus or spyware? They ask you to restore to factory contents (which involves reformatting your hard drive). Now, considering that there is no perfect anti-spyware software on the market yet, what is M$'s response going to be when their own softwares can't rid your PC of viruses or spyware? They're going to ask you to re-install and format the drive in the process (note: not that this will resolve a boot record [MBR] virus). So let's make sure the full picture is laid out for us: first you pay around $300 for Windows. After installation, you spend 4 hours of your time getting all the latest updates from Windows Update (let's be conservative and say you're worth $25/hour... so that's another $100.00). Then you pay another say $100 for Microsoft security software. Then you get a virus or spyware. After 2 hours of trying to fix it yourself (another $50.00), you call Microsoft technical support at $75.00 per hour. After two hours (another $150), you're still infected. So they ask you to re-install (and format the drive which wipes out all your personal data). So $700.00 later you're right back where you started. I'll bet this isn't factored into the "true cost of Windows" or their "Get the FUD" campaign. And all this time M$ wonders why people are shifting to Linux in droves. Linux is free. With Linux you could (though aren't as likely to) arrive at the exact same place... re-installing and losing all your data, but at least you didn't flush $700.00 down the toilet on the way. Riddle me this, though... how is it that an operating system who's source code is closed off to the world remains so easily afflicted (through viruses, spyware, etc) while Linux, whose source code is publicly available to all, remains largely affliction free?
i don't trust pay-for antispyware software as it's really easy for a spyware firm to shove an envelope of large bills under the table to a big company and say "ignore our stuff".
upon the advice of my lawyer, i have no sig at this time
This will probably get modded down as flamebait, but I really wish Dvorak (the man) did not exist. Or rather was not so, um... popular does not seem to fit. He really gives the work "Dvorak" bad connotations. I use the Dvorak keyboard layout, and I wonder if people ever get confused and think that Dvorak (the man) was responsible for it. At least google is not confused.
Even Microsoft is recommending the use of XML configuration files in .NET and not the registry. So is Microsoft wrong? Or have they seen the error of their ways?
Somehow, OS X development is so much nicer without the use of a registry. I like being able to back up all my settings, make multiple copies, easily edit them myself, etc. A registry just seems so ancient.
"Sufferin' succotash."
Ahh yes ..
The last time I took a Dvorak, I needed a whole roll to clean up after myself.
Not only that, there was a nasty greasy smear in the bowl and my roommate threatened to evict me for the stench.
Dvorak is some pretty awful stuff in my book.
Dvorak blames Microsoft for CUTEftp client security holes ?!!!? And somehow concludes that also registry concept is to blame here ???!!!
What an idiot !
If windows is so craptastic then why the hell is everyone using it?
Answer: The abusive monopoly Microsoft imposed when cheap commodity PCs exploded in the 90s.
Because its the easiest and best OS out there
Ha...hahaha. Easiest? Have you ever done tech support for Windows? God, Personalized Menus confuses non-geeks so often, as does the idea that deleting an item from the Start menu doesn't uninstall the program, right-clicking in general, and the whole way Microsoft uses a bunch of wizards as a layer between the user and the difficult interface, which just increases the amount of clicking and hunting around. Microsoft's solution is to pack more and more hyperlinks into their webpage-resembling Explorer.exe window, which confuses users even more.
The best OS? This is purely subjective, but my nomination goes to OS X, which manages to be more functional yet more simple.
if your software was as complicated and widely run as windows it would as well.
That's bogus. First, my software wouldn't be as complicated, and second, it would be widely run because of it.
People didn't choose Windows and make it the monopoly. They chose cheap PCs, and Windows just came on them. Microsoft still makes the vast majority of its Windows sales through OEM installs. It's why Longhorn's requirements are so bloated, to get people to buy new PCs to run it.
"Sufferin' succotash."
It might make sense to use to buy such a "use at your own risk" version if you've already got the software to back it up. Norton systemworks and internet security (Or zone alarm for you freebies) these days is a steal with their upgrade deals would make that version quite useable. True this would be even better than XP since XP comes preloaded with some spyware for some reason.
And with the boot disk that symantec provides with systemworks, you'd be able to knock out a lot of the viruses and spyware on the pre-loaded with virus and spyware version. Then when you initially start vista, one might be able to bite the bullet, deal with the popups for the short time for installation of good anti-virus, firewall, and spyware software. Then when everything has been cleaned from the system, the HD is imaged so the user never has to go through it again. This could potentially even make the non-booting version work.
Simply put, microsoft has shown that they are incompetent at making their own stuff work. So why should we trust in their anti-virus and anti-spyware?
The registry exists to obscure information?
That comes as quite a shock to me. And here I was believing it was some sort of centralized configuration system, designed for the storage and retrieval of arbitary persistent data using a single set of APIs.
They really threw me for a loop with that one.
If the registry was only a location to store/fetch various program settings then that is pretty unremarkable and of value. However as it is implemented, Windows makes use of the registry to not only store settings but to modify and run programs. Heck you can store a binary *inside* a registry key. It is not a place for settings any more.
One of the reasons why Windows is weakened in security is because of the registry. It is used as a pointer for ActiveX and COM components. It is used for locating various components. If you want to easily infiltrate system components the first place too look is in the registry.
In short, the registry as conceived is a mechanism for programmers to allow hooks into the operating system. Unfortunately without thinking about higher security issues, this just means that people who code malicious stuff have the same easy access too.
Really sorry to interrupt everyone's groove... But parent's post title. Where is that from? I've heard that a bajillion times and I don't know what the canonical version is.
A classic example of poor design.
By having many different INI files, the loss of one file isn't going take the whole frigging system out.
I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...
I am no fan of Microsoft but I have to defend them on this count. If I remember correctly IBM's AIX (a Unix variant) also stores most of its system configuration in a Object Database and does not appear to suffer for it. Of course IBM, unlike Microsoft, was very selective about who and what gets to run as Root. So I don't think the problem with Windows is so much the fact that Microsoft decided to use a database instead of text files. The problem lies in the fact that this registry database was badly structured and the fact that that since most people using Windows boxen are running everything from Minesweeper through IE 6.0 to Doom3 as Administrator it is very easy for malicious software that slips in to manipulate the Windows Registry. That still does not mean that using databases to store the system configuration informanton of an operating system is the root of all evil.
Only to idiots, are orders laws.
-- Henning von Tresckow
It annoys me too.
Just go to your control panel, load "security center", and then select the "change the way security center alerts me" option in the left column. Deselect all the alert options and you'll never be bothered by this FUD again.
Altough I'm a sort of "windows hore", I learned one thing from the Linux / Open source comunity: sometimes, the best choice is not the commercial one. There a lot of talented and good intentioned people out there, and there is good free software for Windows, as with any OS.
You just have to search for it and read what others have to say. In this time and age, were everything is just a googling away, I don't understand why people won't search for free alternatives to commercial (and sometimes pretty expensive) software products. If a product is a fraud, it will be denounced somewere, the "word" will get out. Some examples of good, free software (in this area of security): Spybot Search and Destroy Lavasoft Ad-aware Kerio Personal Firewall Spyblaster Hijack This!
"A sysadmin is a cross between a detective, a police officer, a gardener, a doctor and a fireman"
Which is more sane, deleting .ini files from "Program Files"\AppName and from "Documents and Settings"\UserName\AppName or searching through the registry to find all references to AppName and hoping that the app didn't create any keys without it's own name in the name of the key?
If the Windows registry kept all the settings for a given app in comparable places, you might have a point. But as it is, many (perhaps most) programs change keys all over the place, leading to a snipe hunt if the app explodes beyond repair and has to be removed manually.
There is NO way to make the Windows OS better. It is basically a bad design not to mention all the dead code strewn throughout its entrails. Kind of like a dead cow rotting in a field with flies and other insects laying eggs in the open ulcers. Its own little self contained environment with scavangers and insects completing full life cycles again and again and again. Let's call it a self purpetuating gut pile of an operating system. Nice.
If it sucks then it sucks...RE-DO IT!!! This goes for apps and the O.S. The registry really is a huge stinky turd. Nobody want to touch it, let alone get near it. I'd be willing to bet, if you look hard enough, you could even see corn between the registry keys. Yes, it's that bad.
I can't believe the absurdly high level of incompetence and complacency in the Micro$shaft world.
If anyone contributes to this absurdly high level of incompetence and complacency then they need TO BE HONEST, FESS UP TO IT AND ADMIT THEY WRITE CRAP FOR A CRAPPY OPERATING SYSTEM.
That's all there is to it.
{casually waves an electromagnet around} "You know, that's a nice harddrive you have there... would be a pity if anything were to happen to it like an electromagnet wiping the data. But me and the boys, we can protect you from all that."
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
How about someone translates that for those of us who don't tend to mess around with DVORAK layouts? Including me, that is.
Translation:
"How about someone translates that for those of us who don't tend to mess around with Google? Including me, that is."
Lazy ass.
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software.
.NET Windows software.
.config file for each application? That is what Microsoft advocates. And to all those Registry bigots out there:
.config files are not centralised and a bad setting won't corrupt a whole system .config files without the aid of a specialised tool like regedit .ini files, there is a standard XML specification established so all .config files are structured the same--also they are always located in the same directory as the application so it is easy to find. .NET libraries are provided for the creation and modification of .config files, so there is no need to manually parse the file and no excuse not to comply with the standard specification
.config files are "better design".
Anyone who suggests that there is no valid alternative to the registry has obviously not (properly) written
Some people at Microsoft themselves suggest avoiding the registry--as of Windows Vista THE REGISTRY IS ESSENTIALLY DEPRECATED. So what is the alternative? How 'bout a standardised XML
*
* you can edit
* Unlike
*
Of course, we are talking about Windows here, so the legacy registry will be around for another decade I'm sure...and I'm sure as in the past short-sighted developers (both within Microsoft and outside) will ignore this excellent recommendation and continue to use the brain-damaged registry.
It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing
Well, *I* find it pretty annoying when solutions are dismissed as "stupid" because they are different and people can't take the time to understand them. BTW, eliminating dependency on the registry *is* a "real fix"---the registry is a design flaw and
blohward, n: 1; An archaic term used to describe one who frequenly wonders how a hole in the ground ended up in the middle of his ass. 2; The lead ship in John Austin's legendary journey around Hudson Bay, wherin a realiable process for the vulcanization of rubber was discovered.
He was probably using definition 1.
"realiable"
You've got the same kind of keyboard, huh?
Why yes, I AM a rocket scientist!
What is GConf? Well, it's a nice implmentation of a registry. :)
.ini file concept (ie. standardising the format and location of these files). Since MS now advocates XML-based .config files over using the registry it seems they've fired the crackhead or he successfully completed rehab.
Well it is *conceptually* nice anyways (some find the implementation could be improved), because it isn't really a registry in the same sense as the one Windows has. GConf makes use of a collection of non-binary files and it just happens to be an application where they can be centrally managed. On Windows, some crackhead thought it would be a great idea to invent a central, hidden, binary file to store all the config settings for the OS and all applications rather than fix the flaws in the
Why the registry is Good:
n (where a lot of spyware hooks itself) shouldn't even exist because it refers to machine-specific files (not user specific)
1. As of W2K, you can assign permissions (granted, useless if everybody runs as admin)
2. Program settings under HKCU follow users around (when implemented properly, this works very well)
3. Easy to read/write from
The pains of the registry often have not much to do with the registry itself:
1. Silly things like HKCU\Software\Microsoft\Windows\CurrentVersion\Ru
2. IE's poorly-implemented ActiveX plug-in architecture is not a registry problem, it is an application design problem (if IE used a flat config file to store the ActiveX info, it would still be just as bad)
3. Microsoft Office stores its configuration data as binary blobs instead of typed data - laziness that causes unnecessary cross-version compatibility issues
If Microsoft would simply disable the Run key in HKCU, set up an Execute flag (like *nix) and make it default to run as non-admin (which it does in Vista, AFAIK), it would be quite a bit more secure than it is. At any rate, though, none of these things has much to do with the registry. If startup programs were stored in a file somewhere, it would be well-known quickly enough, and we would have just as many problems. Security through obfuscation doesn't work, we all know that.
Well, it was Goodyear who alied it the first time, so clearly this other fellow would have no choice but to re-ali it. Geez, do I have to explain everything? :)
It is *NOT* just him that enjoy salt with his Dvorak.
(8-DCS)
Dvorak is a troll, and this so-called article is a perfect example of his trolling. We shouldn't feed trolls, and neither should the /. editors, because it just wastes everyone's time.
I am shocked that a near monopoly would act in such a way shocked I tell you.
Please please somebody defend MS on this point, I'd love to hear it.
As proof of this look at Steven A Jackson on ESPN...or Rush Limbaugh.
It seems than in todays media landscape all you need is an opinion and a very loud voice. Content or insight is optional and not encouraged
GConf is so much cooler than you give it credit for. They've actually managed to get the best of both worlds by using small, human-readable XML files, laid out across a directory tree. If you're hot about allowing different people to have access to different settings, just set group ownership and change your FS permissions appropriately.
Like INI files? These are pretty simple XML files. Edit it by hand, man!
Like the registry? GConf has a regedit-like feel to it, while being infinitely faster. I've never used the API, but I'd have to imagine that it's roughly analogous to the Windows registry API (which I've also never used).
The great thing about GConf is that it uses an actual filesystem tree to lay out the hierarchy you see in the GConf GUI. That means if something gets messed up due to filesystem corruption, random powerdown, etc, it'll probably only be a small, repairable part of an XML file, not some huge, monolithic binary you have no hope of grokking, let alone repairing. It's kinda like MailDir for Registries.
http://64.233.167.104/search?q=cache:oIR1Ra5Rqv8J: www.pcmag.com/article2/0,1759,1304348,00.asp+dvora k+%22system+idle+process%22&hl=en
John Susek
Instead of creating a security service, do a better job of creating the software in the first place, and fix the existing software that's out there.
If they really want to do it right, they shouldn't release any new products until the ones that already exist are fixed. Then, start new projects with security as the main focus. I'm sure they'd lose some business in the short term, but with billions of dollars in cash, they can afford it. In the long run, if they earn peoples respect for strong security, their business will keep growing.
Two Minus Three Equals Negative Fun -Troy McClure
Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.
That will provide MS with yet another scheme to get consumers' cash:
Microsoft Security^2 (a.k.a. Microsoft Security Security) - Subscription security service. Provides security monitoring of insecure malware protection of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.
Followed with:
Microsoft Ultimate Absolute Security (a.k.a. Microsoft Security^2 Security a.k.a. A 10-lb Hammer) - Subscription security service. Provides security monitoring of software to secure insecure malware protection of underlying insecure operating system. Note: Full warrantee, Full guarantees, no security issues. For $100 a month, a service technician comes to your office weekly and smacks your Windows PCs. For $50 more, you can have the satisfaction of applying the security tool yourself.
We should all go over to some pro MS board one day, and have a massive discussion with them. It'd cause their heads to explode.
Get your own free personal location tracker
I agree with you that the other problems (particularly ActiveX, and the plethora of IPC mechanisms, and the lack of control over application bindings, ...) are a much bigger part of the problem, but the Registry DOES make things worse.
The pains of the registry often have not much to do with the registry itself
The biggest pain of the registry here, as opposed to the "INI" files (which actually do allow hierarchical organization within the file system and protections on the files themselves), is that while there are an incredible number of tools (even some decent ones that come with the system) that people can use to examine, search, analyse, and otherwise keep track of things in text files... working with the registry is like building a ship in a bottle. Worse, it's like building it with two pairs of tweezers, one (regedit) that lets you search the bottle for bits of the ship but doesn't give you a good look at the bits themselves, and the other (regedt32) that lets you look at the bits in detail... but only one at a time.
If startup programs were stored in a file somewhere, it would be well-known quickly enough, and we would have just as many problems.
Startup programs are stored in the file system as well, under the Start Menu/Programs/Startup folder in your Profile. They're not as big a problem there, because they're easier to see and remove.
I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
I couldn't resist.
Under XP, and I'm assuming Vista, they've finally merged the regedit/regedt32 functionality - so you can actually search and look at permissions from the same program (about time).
Personally, I think whether a program is hooking itself in through Programs\Startup, registry run keys, win.ini or as a service, the operating system should warn you about it -- and not allow it unless you are running as admin (assuming someday Microsoft will implement a decent non-admin default in it OS products)
Cisco forces you to pay for support contracts, so you can get updates to the equipment they sold you, and later found out it has problems.
This is not a new practice, lots of software forces you to purchase support for years, or you can't get the upgrades.
Upgrades, I can understand paying for new features, but I don't agree with paying for patches, which Cisco charges for, except in the rare extremely critical cases.
Dvorak is an idiot, it's sad to see slashdot propagating his nonsense ideas.
I don't think selling 7 versions of Vista is going to help Microsoft's communication or licensing issues.
Intelligence is a matter of opinion.
Gconf is arguably a registry: that's not something I care to debate. However Gconf stores information in the way grandparent describes in that each application gets its own "INI file". For example:
Gconf offers a common API for storing and retrieving configuration data, callback events for when data changes, and the opportunity for different backends (eg, LDAP instead of files). However it achieves all that without sacrificing the benefits of human-readable (and text-editable) files and each application still gets its own configuration file.
The Gconf model works well in practise. Recently I had an application that I needed to move to another system. Rather than diving into "registry tools" and using "registry backups" - which is what I would have had to do with a traditional registry - I just copied the relevant %gconf.xml file out of my home directory and onto the new machine. Similarly I had an application that I wanted to reset to factory defaults, so I simply renamed the %gconf.xml file and restarted the application. This works exactly like the traditional UNIX way of dealing with configuration data.
they've finally merged the regedit/regedt32 functionality
Cool. It's a bit like giving a guy with a broken arm an aspirin, but it does reduce the pain a little. Codeine would be better, but he'd still have a broken arm no matter what you did with the registry.
I think whether a program is hooking itself in through Programs\Startup, registry run keys, win.ini or as a service, the operating system should warn you about it -- and not allow it unless you are running as admin
Ah. "Here's some codeine, but you gotta sit on this whoopie cushion before I'll give it to you".
Look, the real problem isn't that the registry makes it so hard to find stuff like this... though that's a problem. Once I've got my code running on your box, I won you. I'll find some way of coming back after you reboot no matter how hard you make it. Maybe I'll take one of the aliases on your desktop and redirect it to my code, or look for an application program that runs scripts, or change your home page in Internet Explorer to one that starts me up and then redirects back to whetever you had it set to. There's always another place to hide once you're in, and any OS will have the same capabilities.
I don't call them "problems", any more than the fact that I could steal some water from your outside tap a "problem" with your house... you'd have to so cripple your computer to prevent it from happening that it's clearly not where you want to start working on the problem.
The broken arm, the fundamentally screwed up design of IE and the desktop, will still be there. Deal with *that*, and then we can worry about Administrator and the Registry. That's why I started off with the comment that I largely agree with the original poster... the Registry is a problem, but it's not the whole problem, or even that big a part of the problem.
Not that I don't wish it and its designers sucked screaming down to the lake of boiling blood on a regular basis, mind you, but you have to keep a sense of perspective...
Do you know what accounts are set up when you do an XP install? An 'Administrator' account and then another administrator-level account except with a user specified name (and this is the username that the system logs into by default).
You're blaming him for running as the default user that Windows sets you up with right from the install?
If Microsoft expected people to run as power-user by default, they should have made the default user a power-user account from the install.
"I filter at +6, and have yet to miss out on an important comment." (#822545)
...this was supposed to be Funny, not Insightful. But I'm really not sure.
---
The only thing I hate more than a hypocrite is a person who hates hypocrites.
Generated by SlashdotRndSig via GreaseMonkey
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname?
I agree with you that the registry is not inherently a security hole (while there *are* security issues associated with the registry, they are not inherent to the fact that a registry is used instead of config files), I'm a little dubious that config files are "unorganized and inconsistent". The formats do differ to some extent, but the formats are pretty straightforward when you see them for almost all files (though there are a couple of infamous exceptions, like sendmail). I'd say that it's a *lot* easier to read and edit Unix config files (which were designed to actually, y'know, be edited by the end user) than it is to figure out how (and where) a bunch of settings are stored in the Windows registry.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
I'm pretty sure, having read the occasional Dvorak article for over a decade, that Dvorak knows what he's talking about, but makes deliberately insulting/stupid/controversial statements, just to foster discussion about his work.
You just have to realize that Dvorak is just doing the same thing that Slashdot trolls do -- but because he sells magazines by generating controversy, he gets *paid* for trolling.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Dvorak is an entertainer who makes a good living out of writing controversial articles. His predictions haven't had a good chance of coming out right, but that's totally besides the point. He ensures that he pisses off enough people or intrigues enough people to generate conversation about him and his work.
Dvorak is what you'd get if you took a Slashdot troll and paid him to go pro and slapped his work in the back of various magazines and on websites.
Listening to people argue about whether or not Dvorak is a visionary or an idiot is like listening to people argue about whether or not their favorite pro wrestler is better or worse than some other pro wrestler. It's *all entertainment*. Dvorak doesn't need to have accurate predictions -- if he's got you arguing, he's already got publicity...and he's won.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Do linux distro websites scan for security intrusions on their website computers, or not?
Yes.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
While there are some anti-Microsoft/pro-Linux "sheep" on slashdot, most real Linux users don't really care that much about Microsoft either way. Why? We don't have to deal with Microsoft bugs, security flaws, or prices and haven't for several years.
The only time I respond to an anti-Linux comment is when I know from years of personal counterexamples that the comment is just plain factually incorrect. Don't automatically discount every comment or story defending Linux or complaining about Microsoft as pure zealotry.
This space intentionally left blank.
If Gconf was implemented better Sabayon would not have been needed and would be functional by now since it has some of the best gnome developers working on it. Currently if a user likes what another user has done with twenty-four launchers for different hosts in the gnome panel the only way to implement it is to use the GUI to create twenty-four launchers - you cannot copy the configuration even with the command line gconf tools (someone prove me wrong - please). Now consider the exercise of setting this up on ten PCs configured for four different users. Consider what happens to gnome settings if the users home directory is renamed, or if you upgrade gnome and have to set up all of the panel launchers again because of the lack of backwards compatibility.
Gconf is not an example of a good implementation of a configuration system.
Dude, you earned youself some foe-points. I hate nothing more than a superficial, "conciliatory" post backed by nothing. If you actually used one of the *NIX systems, you would KNOW the difference. I guess your " Both systems blow, and just as equally" post is for the rest of the Windows crowd. Something like 'Nothing to see here, move along'.
/etc, modified setting for property foo in ~/. User settings override default settings.
Or maybe your post is skewed from a windows developer's point of view. Let's take the "disadvantages" one by one:
no standard exists
There are clean standards of configuration files in linux:
DSV Style
RFC 822 Format
RFC 822 metaformat for records
Cookie-Jar Format
More information can be found here: http://www.faqs.org/docs/artu/ch05s02.html
better security (advanced ACL support, not every app has it own parser)
Theoretically. But in practice, who needs advanced ACL support when your users login as root? About parsers, see above, all of the standard formats are trivial.
weaker security (it is either put in user or etc, you do not have an option of put in etc but allow just this setting for users)
I really do not follow this. How is this weaker security? But after all it can be done. Default settings in
Please mod parent down (-1,misinformed,troll)
Ain't that the case! Think of all the "Free Trials" you can get on Windows. Remove them and reinstall them, and they just "know" you're not eligible for another "trial." Crap hidden somewhere in the Registry. On my Mac, I just delete the program's Preferences file every 30 days and the trial starts over!
You're talking about Microsoft and Apple, and then about Gates giving away "free money" etc. I don't see any of Founding Steves (Jobs and Wozniak) here. Didn't they get any "free stock" to blow away on charity? Would you donate your "free money" or lock it down as Apple guys or maybe spend it to please your precious ego? Is nearly $28 billion (58% of net worth) donated by Gates to date (2004) a "petty cash"? Killjoe, you're full of shit, pardon the language I never used online before.
My other Beowulf cluster is... er...
For the last time, people..
Warranty ends in Y and is pronounced (in America) "WARR-Un-tee."
Guarantee ends in EE and is pronounced (in America) "Gare-un-TEE."
Anything else is never correct (in America).
http://undecidedgames.blogspot.com
Speaking of the V2, I remember hearing on a PBS documentary that in late WW2, Germans had developed a superior submarine, but it ran on the fuel used in the rockets (Hydrogen peroxide?) and Hitler didn't want to allocate enough for the sub, so said sub went unused.
Of course, Britain was just about to evacuate London, not that that change would have meant German advantage.
Authoriarianism leads to leaders massaging personal prizes (a smouldering London, say), as opposed to real improvements (NOT THAT IN ANY WAY NAZI ADVANTAGE IS AN ABSOLUTE IMPROVEMENT), such as naval control.