For me, a low power, quiet, 486DX266 running OpenBSD has worked well for the past 5 years as a firewall.
Without sounding snarky or sarcastic, why do you do this? I bought a $40 wireless router a couple years ago and use its built-in firewall with great success. The thing is about the size of 2 packs of cards, has no moving parts, and the 4 LAN ports are perfectly suited to connect my home server, desktop, media PC, and printer. Granted, I only use about half a dozen firewall rules (in addition to a few individually forwarded ports for remote access to various services), but do you really do anything on that box that couldn't be accomplished with a cheap broadband router, or is it just the geek factor kicking in?
If one was so inclined, could a fictitious person download and grab the code from a validated machine and paste it in from an unvalidated machine?
Yes. The point of WGA is not to prohibit determined users from accessing downloads; it's to educate customers of the value of a genuinely licensed copy of Windows over a pirated copy. If the value of both is perceived to be the same, not only does Microsoft lose sales, but legitimate resellers are unable to sustain a business. A secondary goal is to encourage those swindled customers to nark on the reseller who is knowingly hawking unlicensed copies of Windows. Microsoft knows it's not going to extract more revenue from users who have unknowingly purchased counterfeit copies of Windows - the target is underhanded resellers (who, I honestly believe, rightly should be punished).
To that end, the validation scheme relies on a time-based hash which is non-computer specific and valid for up to 12 hours. That means that, yes, you can copy the genuine hash from a licensed machine to use on an unlicensed machine, but you can't post the hash on a webpage for everyone to use (unless you're going to update it every 12 hours, which no one really has the incentive to do). But if you're going to copy the hash, why not just copy the URL of the item you're trying to download? The files themselves are not restricted in any way; the WGA pages serve as a gate only.
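A constructed model of the scheme as this comment describes it (a value derived from the server's secret and the current 12-hour period only, with nothing about the requesting computer mixed in), added here as an illustration and not Microsoft's actual WGA code; the secret, the `subject` parameter and the "machine-A"/"machine-B" identifiers are placeholders. Passing a machine identifier as `subject` shows the contrasting bound design.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"time"
)

// slot is the validity window described in the post: a value is good for the
// rest of the 12-hour period in which it was issued, hence "up to 12 hours".
const slot = 12 * time.Hour

// slotIndex numbers the 12-hour period a timestamp falls in.
func slotIndex(t time.Time) int64 { return t.Unix() / int64(slot/time.Second) }

// tokenFor derives the validation value from a server secret, the slot number
// and an optional subject. With subject == "" nothing about the requesting
// computer enters the MAC, which is the machine-independent design the post
// describes; passing a machine identifier instead gives the bound variant.
func tokenFor(secret []byte, subject string, t time.Time) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%s|%d", subject, slotIndex(t))
	return hex.EncodeToString(mac.Sum(nil))
}

// valid reports whether token is the correct value for subject in the slot
// containing now; a value issued in an earlier slot is rejected.
func valid(secret []byte, subject, token string, now time.Time) bool {
	want := tokenFor(secret, subject, now)
	return subtle.ConstantTimeCompare([]byte(token), []byte(want)) == 1
}

func main() {
	secret := []byte("constructed server secret") // placeholder, not a real key
	issued := time.Date(2006, 1, 1, 0, 30, 0, 0, time.UTC) // 00:30 UTC, slot runs until 12:00
	tok := tokenFor(secret, "", issued)
	fmt.Println("copied to another PC an hour later:", valid(secret, "", tok, issued.Add(time.Hour)))
	fmt.Println("same value 13 hours later:", valid(secret, "", tok, issued.Add(13*time.Hour)))
	bound := tokenFor(secret, "machine-A", issued)
	fmt.Println("bound value presented by machine-B:", valid(secret, "machine-B", bound, issued))
}
```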
If you're doing windows cloning, you may want to look into this free NewSid Utility from sysinternals.
Except for the fact that doing so puts you squarely in unsupported territory. The only supported way to duplicate Windows boxes is by using Sysprep (also free and already included on your Windows CD).
I just paste into Windows' Notepad, Linux's Nano, etc. and recopy to paste. An extra step, but works well for me.
If you're a Windows user, you may find PureText useful. It accomplishes the same thing but in 1 step (Win+V) instead of several (Win+R, notepad, Ctrl+V, Ctrl+A, Ctrl+C, Alt+F4, N, Ctrl+V). Since it's a Windows program instead of a browser add-in, it works from any program and it's lightweight enough that I'm comfortable leaving it running in the background. Configurable for those with compulsive keyboard habits.
Did you notice they didn't actually say that in that second question? They said the "term of that license", which could be perpetual, or it could be 30 days, or anything in between. Very peculiar wording there, although it's probably just lawyer-talk to cover their ass.
The "term of that license" is "without limitation," meaning there is no limitation specified. Download the .iso and have a look at the license if you like; the English EULA (eula.1033.txt) has no provision for a limitation of rights to a specific time. All Microsoft products that do ship with license term limitations make it very very clear ("THIS SOFTWARE WILL EXPIRE 180 DAYS FROM FIRST USE"). Given that this one does not, we can conclude that the license is perpetual.
Why stop downloading? It means they're going to offer it free for at least a year. From the site:
You said "free for one year" -- what does that mean, exactly? Will you be charging for this later? We originally announced pricing of Visual Studio Express at US$49. We are now offering Visual Studio Express for free, as a limited-in-time promotional offer, until November 6, 2006. Note that we are also offering SQL Server 2005 Express Edition as a free download, and that this offer is not limited to the same promotional pricing period as Visual Studio Express.
and
Do customers who acquire the Visual Studio Express products during the free promotional pricing period have to pay after the first year if they want to continue to use them? If you acquire Visual Studio Express products within the one-year promotional period, you will enjoy the rights granted in the applicable license at no cost for the term of that license.
The license is perpetual, so you don't have to pay for it later, regardless of how long you use it.
static ads don't bother me so much, but blinking, flashing, moving junk drives me nuts.
I actually have a visual impairment that makes it nigh-impossible to focus on the actual content of the page if there's something blinking, flashing, moving, or otherwise changing in the vicinity. I used to just block flash completely, as well as turn off animation (you really don't miss that much), but even that's not enough as sites will use DHTML or Javascript or anything to get dynamic content to display. The only way I could browse the net without going completely bonkers was by using ad-blocking software.
True, and thank you for the clarification - But you've overlooked one particular group of users that might earn the sympathy of a Slashdotter or two - Developers.
In a mid-to-large business environment, you might well break a 16-way system up into four 4-way virtual machines. In a dev environment, however, we frequently do the exact opposite - try to simulate conditions of 16 systems on a single physical RAM-heavy 4-way machine.
So what effect does this have, on the development side? Exactly one - Small-time developers (meaning any person/group/company with a single-digit number of physical (not virtual) human members) will now have a much harder time (legally) developing software that scales up well. Not that most dev teams bother with licensing, but still, most people prefer running legal...
Congratulations, Microsoft - With a single cryptic (and spinnable) change in server licensing, you have destroyed any legal "enterprise" level development by individuals, small teams, or anyone with a budget where "Taco Bell" counts as a significant budgetary line item.
If Microsoft really wanted to give up profit, they could have, with a single license clause, capped the cost at the physical CPU equivalent. But, oddly enough, they didn't. Hmm...
These licensing changes are for companies who are using virtualization in production environments. If you are even a small-time developer, it makes sense for you to purchase an MSDN subscription (prices range from about $500 to $2500 for a year, depending on the products you need). MSDN recently included Virtual Server amongst its offerings. A few points about MSDN subscriptions:
- You subscribe for one year, which gives you a starter set of all software on CD/DVD, plus 12 months of updates mailed to you and access to the download site.
- MSDN licenses are *perpetual*. Even after your subscription lapses, all the software you have is still fully licensed and legal. It can even be resold (must go as an entire unit though).
- Retail subscriptions come with retail keys, which generally means 10 activations. If you ever run out, though, I've found you can just give them a ring and they'll give you another key to use. Subscriptions purchased under volume licenses come with volume license keys and no activation.
- The license is a free-for-all for development and test purposes. From the EULA: "For purposes of designing, developing, testing, and demonstrating your software product(s)... Microsoft grants you a limited, nonexclusive, royalty-free license to make, use, and install the Server Software for any individual Server Software on any number of Servers."
None of these licensing changes affect developers who are running software for development and testing purposes. Accuse Microsoft of gouging real customers if you must, but developers get a pretty sweet deal with MSDN.
30 gigs? suso.org has been offering no quota email since 1997.
I respect what you're doing, I really do. I think it's great that you run a business with such a personal touch. But there really is no such thing as unlimited hosting services. Every single provider has an "uncle" clause in the TOS that basically says, "if we think you're using too much, we cut you off." It's usually expressed in nicer terms, like "undue strain on the system" or "unfair share of the resources" but it all means the same thing. As soon as usage hits some magical number, you're out of a provider. And since I'd like to be able to steer clear of my cap, I'd much rather find a provider that's upfront about what that ceiling is. It means that they've at least done some rudimentary math with regards to server capacity, and I know exactly how close I am to needing a better plan or different provider.
Personally, I use 1and1.com. I originally signed up under their 3 years free hosting plan, and I moved all my domains to them after about 14 months of solid service. $10 a month gets me 2 GB space and 50 GB transfer, 500 1GB email accounts, 5000 email aliases, and 3 free domain names. It's well more than 10 times what I need, so I have the comfort of an "unlimited" plan with guaranteed service.
Well, if you're copying whole directories, may I recommend ROBOCOPY.
While I do love the Resource Kit Tools, I hadn't used robocopy extensively before. I read through the robocopy documentation, and it appears that robocopy is designed almost solely for copying directories rather than files. There is, for example, no way to copy a file to the same directory with a different name (eg copy importantfile.ext importantfile.bak). It looks like robocopy gets me much closer to what I'm looking for (thanks!) but it's not yet the One True Tool.
Seriously, if you do much file copying at all (especially as an automated/scheduled task), check this tool out.
Make that "...if you do much directory copying..."
I have been searching for something like this (progress bar, eta, etc. for copy operations) for native Win32 for over 2 years. I've seen the unxutils page, but the cp.exe included in that package doesn't support the -g parameter. I pride myself in being able to accomplish more via the command line in both Windows and *nix environments, but lack of progress information makes me resort to the GUI for large file transfers (> 2 GB). Moving platforms and using Cygwin are not viable alternatives, but if anyone has any other suggestions, I welcome them. (I can't even find someone to take my money; $40 for XXCopy gets you every feature under the sun and only a pop-up GUI progress bar! wtf?!?)
It's time firefox is also bundled in the new PC's/laptops which are sold out there into the market.
Start catering to the scenarios that are important then... provide deployment tools and reference guides for unattended installation. Last time I was tasked with a (Windows) Firefox deployment, I found out that settings are stored in a random directory per-user. All pre-installation configuration had to be done by manually changing default values in the compressed original package. Settings and policies were just not available to be set via the registry (easy to script) or Group Policy (easy to manage).
Despite what you may think about Microsoft's business practices, they have got the scenarios down. Both Windows and Office have OEM Pre-installation Kits, and products are designed with corporate and OEM deployment scenarios in mind, not just as an afterthought. At the very least, they don't *actively resist* large-scale deployments by so rudely thumbing their noses at admins with settings stored in text files in randomly-named directories. Ugh.
It's not a built-in calendar. It is merely a graphical device to let you change the current system date. A lot of administrators don't want their users changing the system date willy-nilly. Thus it is locked down for standard users.
then why can't it give the permission denied error when the user clicks ok/apply!?! or have some kind of error in there. or something!!!
Most of all I'd really like to see Microsoft cough up the ability to configure absolutely every aspect of IIS (and Windows it self for that matter) from the commandline.
What is your primary concern? Is it that tools are simply not available at all to do the work you'd like, or is it that the command-line tools are distributed separately from the OS?
What tasks (in IIS and Windows) can you absolutely not accomplish via the command line today? (Please give as many examples as you can, I'm very interested in others' experiences.) Is this due to lack of awareness of the tools, or lack of availability of tools?
Wrong. PayPal errs on the side of profit. Some bean counter ran the numbers and discovered that accounts that increase by x-hundred percent in y hours are more often fraudulent than not. It costs PayPal more money to deal with 1 fraudulent account than to collect their cut on that same account, so they've determined their financial risk threshold and freeze accounts accordingly.
Make no mistake about it, PayPal has no reason to be cautious with your money. In fact, part of their business model is based on the fact that it's easier (and more profitable) to screw over the "good guy" in a dishonest transaction than to devote resources to tracking down the "bad guy". It's this sort of behavior that makes people hate them, and it's why I refuse to pay for anything with PayPal.
Please don't purport that PayPal is just an innocent party trying to do the right thing. They're not. They're attempting to maximize profit even if it's at the expense of honest customers (or, in this case, needy victims of a natural disaster).
Apologies for the late response, I didn't have time to set up a proper test environment until this evening.
I used Virtual Server for this experiment. I started with one clean Windows XP SP2 image, with the Microsoft VM Additions (for improved performance in Virtual Server) and all current patches. To represent a true, imaged environment, I sysprep'd this machine and then created 2 child virtual machines from this common base. The sysprep process ensures that the machine's name and all security identifiers are unique, and is the only Microsoft-supported method for deploying imaged computers.
I created a small .vhd to share between the 2 virtual machines, which will contain the encrypted test data.
I started machine 1 and named it EncTest1. On this machine I created 2 new users, test1 and test2. As user test1, I created a folder d:\testdir. Note that this folder is on the secondary hard drive (not the operating system drive). I created a text file in this directory, and then used Windows Explorer to encrypt the entire folder (including this folder, subfolders, and files). I verified that user test1 was able to access this file, and user test2 was not able to access this file.
I then used the certificate manager to export the certificate and private key belonging to user test1. It is VERY important during this process to check the box to export the user's private key as well. The private key is required to be able to decrypt files. However, the default choice when exporting a certificate is to NOT include the private key along with it. Select the option "Yes, export the private key" during this process. The certificate will be stored in a .pfx file. I stored the .pfx file on the D: (shared) drive.
We now have all the files and information required to simulate a crash or other unexpected loss of the original operating system and user's profile. I shut down EncTest1 and started our second machine, EncTest2. I attached the shared hard drive used in EncTest1 to our new recovery machine, EncTest2. Note that I did not xcopy the files to or from any system. You cannot copy an encrypted file to another machine on which the user does not have a certificate. If you are able to copy encrypted files to another system, you need to verify exactly which users/certificates still have access to those files (by using the Details button in file properties, advanced).
At this point, to decrypt the files, only two things are required: the user test1's user certificate and private key. Both are contained in the .pfx file we exported earlier. No other similarities to the original environment are required (i.e., usernames, passwords, and machine names are not required to match). I created two new users test3 and test4 on EncTest2, and verified that as user test3, I was not able to access the encrypted test file in d:\testdir. Then, using certificate manager, I imported the .pfx containing user test1's user certificate and private key. Instantly, without even logging off, I was able to access the encrypted file in d:\testdir, as expected.
To verify this was the result solely of the certificate I imported, I then logged in as user test4 and confirmed that I was unable to access the content in d:\testdir.
If you'd like to verify my results, I can make available to you the .vhd representing the shared drive between these two virtual machines. It contains the user test1's user certificate (including private key), and an encrypted directory. You'll be able to do exactly as I did: import the certificate and gain access to the encrypted content.
With that, I'd like to cover a few other points:
- Yes, it's very easy to lose access to your encrypted files if the proper precautionary measures are not taken. This could possibly be remedied by a more proactive backup process or more documentation, but is not a limitation of the EFS design.
- Getti
[A]ll of Microsoft's technical documentation leaves out an important point. The documents about backup methods don't mention that they don't work with stand-alone computers.... it is not possible to back up all the passwords.
I submit that not only are you incorrect, the Microsoft technical support agent you spoke to was either misinformed, or you misunderstood him.
Your statement:
"If a computer is stand-alone, not part of a domain, then backing up everything, reformatting your hard drive, and reloading Windows XP will result in not having access to any of your EFS encrypted files."
Let's not forget that you are talking about people who have backed up their certificates:
"I was talking about people who did not lose their password or encryption certificates, obviously."
Here's what I know and can be verified. The published documentation regarding EFS provides two ways for a user to recover their encrypted data: with the user's certificate, or with a Designated Recovery Agent (DRA). This principle holds true regardless of whether the computer is in a domain or stand-alone environment. Let's discuss each:
1) Restore the user's previously-backed up user certificate (and private key) to the machine. There is no hidden or extra password required. Just the user's certificate and accompanying private key. This applies EVEN in a stand-alone environment. The documentation supports this and this can be independently verified on any standalone Windows XP machine.
(Note that when exporting a user's certificate and choosing to include the private key, the user will be prompted for a password. This is used to secure the private key and the user must remember this password to restore the private key. However, this password is in no way hidden or undocumented.)
Therefore, if a user does not back up his user certificate (including private key) on a standalone Windows XP box before formatting the drive, AND there was no previously-specified DRA, he will subsequently not be able to access his encrypted data. This is by design, however, and fully documented. There is no hidden password you can use to ever recover the data.
Please, if you still disagree with me, I urge you to 1) Read the documentation (all the links in the grandparent post are links to individual topics in the single chapter on EFS in the Windows XP Resource Kit). You can find similar information in the OS help by searching for "efs" or "encryption". 2) Try it yourself. You don't have to take my word, or the word of a technical support agent. Use a virtual machine (in Virtual PC or VMWare) for a convenient fully-reproducible scenario on demand. 3) If you're still in doubt, let me know how I can contact you directly. I hate to see falsehoods perpetuated as truth, and I'm willing to work with you until we both agree what that truth is.
The problem is that Windows XP makes an additional password, one that is not backed up using any of the tools or documents provided. That automatically generated password is necessary, as well as the user account password, to decrypt the files.
Rather than making vague claims about what hidden, undocumented passwords are preventing you from using EFS (or recovering your data), why not start reading?
I really have very little sympathy for those who whine about how much EFS sucks. First of all, one must make an explicit decision to use EFS. If you are going out of your way to protect your files, it's in your best interests to research how you can back up whatever passwords, certificates, or keys necessary to maintain access to your files.
Some particular sections that may be of interest to you and help dispel the FUD:
- The Decryption Process
- How EFS Uses Certificates
- Exporting and Importing EFS and DRA Certificates and Private Keys: "You can use the Certificate Export wizard to export a certificate and private key to a removable medium."
- Backing Up and Restoring Encrypted Files or Folders: "Opening restored, encrypted files is no different from decrypting and opening any encrypted files. However, if files are restored from backup onto a new computer, in a new forest, or at any location at which the user's profile (and thus the private key needed to decrypt the files) is not available, the user can import an EFS certificate and private key. After importing the certificate and private key, the user can decrypt the files."
- Data Recovery and Data Recovery Agents: "The default design for the EFS recovery policy is different in Windows XP Professional than it was in Windows 2000 Professional. Stand-alone computers do not have a default DRA, but Microsoft strongly recommends that all environments have at least one designated DRA."
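The design that the EncTest1/EncTest2 experiment and the two recovery paths above both rest on, as an added Go model that is not Windows code: the file is sealed under a random File Encryption Key, and that FEK is wrapped once under the owner's public key and once under the recovery agent's, so the only thing a recovery machine needs is the matching private key. The key names (`test1`, `test2`, `dra`) mirror the experiment; AES-GCM and RSA-OAEP are stand-ins for the EFS algorithms, and PKCS#1 DER stands in for the .pfx file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// EncryptedFile models what EFS keeps with a file: the contents sealed under a
// random File Encryption Key (FEK) plus the FEK wrapped under each key holder's
// public key (the owner's DDF entry and, if configured, the DRA's DRF entry).
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedFEK [][]byte // one entry per certificate allowed to open the file
}

// newRSAKey stands in for the key pair behind a user's or DRA's EFS certificate.
func newRSAKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile seals plaintext under a fresh FEK and wraps the FEK for every holder.
func encryptFile(plaintext []byte, holders ...*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK = append(ef.WrappedFEK, w)
	}
	return ef, nil
}

// decryptFile tries each wrapped FEK with the given private key. Only a key that
// matches a wrapping certificate recovers the FEK; account names, passwords and
// machine names play no part, so any other user gets the same access-denied error.
func decryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range ef.WrappedFEK {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
		if err != nil {
			continue // not wrapped for this key
		}
		gcm, err := newGCM(fek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("access denied: no FEK entry opens under this private key")
}

// exportKey and importKey play the part of the .pfx export and import. Plain PKCS#1
// DER is used (the standard library has no PKCS#12 writer); a real .pfx is password-protected.
func exportKey(priv *rsa.PrivateKey) []byte { return x509.MarshalPKCS1PrivateKey(priv) }

func importKey(der []byte) (*rsa.PrivateKey, error) { return x509.ParsePKCS1PrivateKey(der) }

func main() {
	test1, dra, test2 := newRSAKey(), newRSAKey(), newRSAKey()
	ef, _ := encryptFile([]byte("contents of d:\\testdir"), &test1.PublicKey, &dra.PublicKey)
	_, err := decryptFile(ef, test2) // a different user on the same machine
	fmt.Println("test2:", err)
	restored, _ := importKey(exportKey(test1)) // "EncTest2" after importing the .pfx
	pt, _ := decryptFile(ef, restored)
	fmt.Println("imported test1 key:", string(pt))
	pt, _ = decryptFile(ef, dra) // the designated recovery agent
	fmt.Println("DRA:", string(pt))
}
```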
It will probably fail because MS has been telling all their sysadmins that command lines are worthless and that the only people who use command lines are communist dirty hippies. After decades of telling their users that they don't need a command line, that the GUI is better than the command line, that command lines are dangerous, I don't see how they will change all those minds. What are they going to say? "Sorry we have been lying to you for a decade"?
Maybe it's because I come from a more Microsoft- than *nix- centric background, but since where and when have Microsoft ever made any sort of statement even resembling anything close to what you've said above? Sysadmins have plenty of tools at their disposal. See %windir%\help\ntcmds.chm for tons more info than I can provide here.
I use Windows at home and at work and find the command line environment very powerful and usable. I admin my machines (3 at home, 3 at work, 1 laptop, and several remote family member's pc's) almost exclusively via the command line. The set of default tools has increased dramatically in the last 10 years, and any Microsoft OS released in the last 5 years includes all of the following:
- sc - service controller for starting/stopping/managing services on local or remote machines
- diskpart - create/modify/delete local disk partitions (including advanced configurations like RAID arrays)
- bootcfg - modify boot entries
- fsutil - file system tools (reparse points, sparse files, hardlinks)
- netsh* - network configuration tool to manage interfaces, protocols, routes, firewall, etc.
- wmic - complete WMI (Windows Management Instrumentation) control
- cacls* - modify NTFS permissions
- systeminfo - query basic configuration information for local or remote machine
- findstr - text searching, and yes, it handles regular expressions
- msiexec* - not strictly a command line tool, but supports installation/configuration/uninstall of any .MSI package.
- reg - modify the registry (including online and offline hives, and other users' hives)
I do find a couple of things lacking, so I customize all my Windows installs to include the following (all free except for the last, which requires that you own WinZip):
- File Hashing: By the time Microsoft came out with fciv, I was already sold on fsum.
- HTTP Downloads: I use wget for Windows.
- Patch Scanning: I use MBSA for an instant report of missing patches so I can avoid Windows Update.
- cab Compression Tools: Uncompression is supported natively via "expand"; need cabarc from the support tools to compress.
- zip Compression Tools: Free add-on to Winzip works here.
Most people I know (Windows and *nix users alike) are very uninformed about Windows command line capabilities. However, this does not in any way mean that the command line is crippled, or unable to perform the same admin tasks that are possible via the GUI.
The blue is actually a reference to the color of the square around your photograph on the Microsoft corporate cardkey. Only full-time employees of Microsoft have blue borders. Contractors and vendors have an orange border. Events for Microsoft employees only are typically referred to as "blue-badge only."
It was my understand (sic) that these areas were accessible by some DVD+RW drives.
Do you have any documentation of this? Any links or accounts of anyone ever actually having successfully done this? Can you provide a first-hand account?
The Optical Storage Technology Association has a great writeup on this (summary: the lead-in area isn't even writeable on consumer DVD media). I'd love to hear what information or any products you have that contradict what they've written.
DeCSS could have worked years ago, when writable DVDs were expensive. But now that I can get a dual layer writable DVD for 3 or 4 bucks, it's too easy to just bit copy the whole damn thing.
I'm not sure you understand how DeCSS (or, more appropriately, CSS) works. The contents of the DVD are encrypted, so "just bit copy[ing] the whole damn thing" doesn't help you at all. You still need to be able to decrypt the content to view it. The decryption key for pressed DVD's is stored in the innermost track of the disc. This area is readable by DVD players and DVD-ROM drives, but DVD-RW drives cannot write to this track. Thus, if you copied the "entire" disc, you would have only actually copied the encrypted video but not decryption key, making the disc rather useless to you. This is the reason programs like DVDDecrypter are so popular.
In Massachusetts, if I remember correctly, the employer may not withhold a paycheck for more than a week after the paycheck for the pay period would normally be issued, and in the case of a termination or layoff, they're required to issue a paycheck, expenses, and pay for accrued vacation all on the day of the termination or layoff.
I've lived in at least 2 other states that have "same day paycheck" rules for involuntary termination. It sounds great in theory. One sleazy company got around this law by never firing anyone on the spot. They would only 'suspend' the employee until the end of the pay period. Once payday rolled around and the check was ready, you would be officially fired. It prevented them from ever having to write on-demand checks while still complying with the letter of the law.
For me, a low power, quiet, 486DX266 running OpenBSD has worked well for the past 5 years as a firewall.
Without sounding snarky or sarcastic, why do you do this? I bought a $40 wireless router a couple years ago and use its built-in firewall with great success. The thing is about the size of 2 packs of cards, has no moving parts, and the 4 LAN ports are perfectly suited to connect my home server, desktop, media PC, and printer. Granted, I only use about half a dozen firewall rules (in addition to a few individually forwarded ports for remote access to various services), but do you really do anything on that box that couldn't be accomplished with a cheap broadband router, or is it just the geek factor kicking in?
If one was so inclined, could a ficticious person download and grab the code from a validated machine and paste it in from an unvalidated machine?
Yes. The point of WGA is not to prohibit determined users from accessing downloads; it's to educate customers of the value of a genuinely licensed copy of Windows over a pirated copy. If the value of both is perceived to be the same, not only does Microsoft lose sales, but legitimate resellers are unable to sustain a business. A secondary goal is to encourage those swindled customers to nark on the reseller who is knowingly hawking unlicensed copies of Windows. Microsoft knows it's not going to extract more revenue from users who have unknowingly purchased counterfeit copies of Windows - the target is underhanded resellers (who, I honestly believe, rightly should be punished).
To that end, the validation scheme relies on a time-based hash which is non-computer specific and valid for up to 12 hours. That means that, yes, you can copy the genuine hash from a licensed machine to use on an unlicensed machine, but you can't post the hash on a webpage for everyone to use (unless you're going to update it every 12 hours, which no one really has the incentive to do). But if you're going to copy the hash, why not just copy the URL of the item you're trying to download? The files themselves are not restricted in any way; the WGA pages serve as a gate only.
If you're doing windows cloning, you may want to look into this free NewSid Utility from sysinternals.
Except for the fact that doing so puts you squarely in unsupported territory. The only supported way to duplicate Windows boxes is by using Sysprep (also free and already included on your Windows CD).
I just paste into Windows' Notepad, Linux's Nano, etc. and recopy to paste. An extra step, but works well for me.
+ V). Since it's a Windows program instead of a browser add-in, it works from any program and it's lightweight enough that I'm comfortable leaving it running in the background. Configurable for those with compulsive keyboard habits.
If you're a Windows user, you may find PureText useful. It accomplishes the same thing but in 1 step (Win+V) instead of several (Win+R,notepad,Ctrl+V,Ctrl+A,Ctrl+C,Alt+F4,N,Ctrl
Did you notice they didn't actually say that in that second question. They said the "term of that license", which could be perpetual, or it could be 30 days, or anything in between. Very peculiar wording there, although it's probably just a lawyer-talk to cover their ass.
.iso have a look at the license if you like; the English eula (eula.1033.txt) has no provision for a limitation of rights to a specific time. All Microsoft products that do ship with license term limitations make it very very clear ("THIS SOFTWARE WILL EXPIRE 180 DAYS FROM FIRST USE"). Given that this one does not, we can conclude that the license is perpetual.
The "term of that license" is "without limitation," meaning there is no limitation specified. Download the
static ads don't bother me so much, but blinking, flashing, moving junk drives me nuts.
I actually have a visual impairment that makes it nigh-impossible to focus on the actual content of the page if there's something blinking, flashing, moving, or otherwise changing in the vicinity. I used to just block flash completely, as well as turn off animation (you really don't miss that much), but even that's not enough as sites will use DHTML or Javascript or anything to get dynamic content to display. The only way I could browse the net without going completely bonkers was by using ad-blocking software.
True, and thank you for the clarification - But you've overlooked one particular group of users that might earn the sympathy of a Slashdotter or two - Developers.
... Microsoft grants you a limited, nonexclusive, royalty-free license to make, use, and install the Server Software for any individual Server Software on any number of Servers."
In a mid-to-large business environment, you might well break a 16-way system up into four 4-way virtual machines. In a dev environment, however, we frequently do the exact opposite - try to simulate conditions of 16 systems on a single physical RAM-heavy 4-way machine.
So what effect does this have, on the development side? Exactly one - Small-time developers (meaning any person/group/company with a single-digit number of physical (not virtual) human members) will now have a much harder time (legally) developing software that scales up well. Not that most dev teams bother with licensing, but still, most people prefer running legal...
Congratulations, Microsoft - With a single cryptic (and spinnable) change in server licensing, you have destroyed any legal "enterprise" level development by individuals, small teams, or anyone with a budget where "Taco Bell" counts as a significant budgetary line item.
If Microsoft really wanted to give up profit, they could have, with a single license clause, capped the cost at the physical CPU equivalent. But, oddly enough, they didn't. Hmm...
These licensing changes are for companies who are using virtualization in production environments. If you are even a small-time developer, it makes sense for you to purchase an MSDN subscription (prices range from about $500 to $2500 for a year, depending on the products you need). MSDN recently included Virtual Server amongst its offerings. A few points about MSDN subscriptions:
- You subscribe for one year, which gives you a starter set of all software on CD/DVD, plus 12 months of updates mailed to you and access to the download site.
- MSDN licenses are *perpetual*. Even after your subscription lapses, all the software you have is still fully licensed and legal. It can even be resold (must go as an entire unit though).
- Retail subscriptions come with retail keys, which generally means 10 activations. If you ever run out, though, I've found you can just give them a ring and they'll give you another key to use. Subscriptions purchased under volume licenses come with volume license keys and no activation.
- The license is a free-for-all for development and test purposes. From the EULA: "For purposes of designing, developing, testing, and demonstrating your software product(s)
None of these licensing changes affect developers who are running software for development and testing purposes. Accuse Microsoft of gouging real customers if you must, but developers get a pretty sweet deal with MSDN.
30 gigs? suso.org has been offering no quota email since 1997.
I respect what you're doing, I really do. I think it's great that you run a business with such a personal touch. But there really is no such thing as unlimited hosting services. Every single provider has an "uncle" clause in the TOS that basically says, "if we think you're using too much, we cut you off." It's usually expressed in nicer terms, like "undue strain on the system" or "unfair share of the resources" but it all means the same thing. As soon as usage hits some magical number, you're out of a provider. And since I'd like to be able to steer clear of my cap, I'd much rather find a provider that's upfront about what that ceiling is. It means that they've at least done some rudimentary math with regards to server capacity, and I know exactly how close I am to needing a better plan or different provider.
Personally, I use 1and1.com. I originally signed up under their 3 years free hosting plan, and I moved all my domains to them after about 14 months of solid service. $10 a month gets me 2 GB space and 50 GB transfer, 500 1GB email accounts, 5000 email aliases, and 3 free domain names. It's well more than 10 times what I need, so I have the comfort of an "unlimited" plan with guaranteed service.
Well, if you're copying whole directories, may I recommend ROBOCOPY.
While I do love the Resource Kit Tools, I hadn't used robocopy extensively before. I read through the robocopy documentation, and it appears that robocopy is designed almost solely for copying directories rather than files. There is, for example, no way to copy a file to the same directory with a different name (eg copy importantfile.ext importantfile.bak). It looks like robocopy gets me much closer to what I'm looking for (thanks!) but it's not yet the One True Tool.
Seriously, if you do much file copying at all (especially as an automated/scheduled task), check this tool out.
Make that "...if you do much directory copying..."
I have been searching for something like this (progress bar, eta, etc. for copy operations) for native Win32 for over 2 years. I've seen the unxutils page, but the cp.exe included in that package doesn't support the -g parameter. I pride myself in being able to accomplish more via the command line in both Windows and *nix environments, but lack of progress information makes me resort to the GUI for large file transfers (> 2 GB). Moving platforms and using Cygwin are not viable alternatives, but if anyone has any other suggestions, I welcome them. (I can't even find someone to take my money; $40 for XXCopy gets you every feature under the sun and only a pop-up GUI progress bar! wtf?!?)
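The post above asks for a native command-line copy with progress and an ETA for multi-gigabyte files. The following is an added example in PowerShell (assumed PowerShell 4 or later for Get-FileHash), not code from the original thread or from any of the tools it names: it copies a file in chunks, reports throughput and ETA as it goes, and verifies the destination against a SHA-256 computed during the copy so a truncated or corrupted transfer is caught rather than silently accepted. The function name and buffer size are the example's own choices.

```powershell
# Added example: chunked copy with progress/ETA and integrity verification.
function Copy-FileWithProgress {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [int]$BufferSize = 4MB            # assumed default; tune for your disks
    )
    $src = [System.IO.File]::OpenRead($Source)
    $dst = [System.IO.File]::Create($Destination)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $buffer = New-Object byte[] $BufferSize
    $total = $src.Length
    $done  = 0L
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        while (($read = $src.Read($buffer, 0, $buffer.Length)) -gt 0) {
            $dst.Write($buffer, 0, $read)
            # Hash the bytes as they stream through, so no second read of the source is needed.
            [void]$sha.TransformBlock($buffer, 0, $read, $null, 0)
            $done += $read
            $rate = $done / [Math]::Max($sw.Elapsed.TotalSeconds, 0.001)
            $eta  = [TimeSpan]::FromSeconds(($total - $done) / [Math]::Max($rate, 1))
            Write-Progress -Activity "Copying $Source" `
                -Status ("{0:N1} MB/s, ETA {1}" -f ($rate / 1MB), $eta.ToString('hh\:mm\:ss')) `
                -PercentComplete ([int](100 * $done / [Math]::Max($total, 1)))
        }
        [void]$sha.TransformFinalBlock($buffer, 0, 0)
    }
    finally {
        $src.Dispose()
        $dst.Dispose()
        Write-Progress -Activity "Copying $Source" -Completed
    }
    # Re-hash the written file independently; a mismatch means the copy is not trustworthy.
    $expected = [BitConverter]::ToString($sha.Hash) -replace '-', ''
    $actual   = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    [pscustomobject]@{
        Bytes    = $done
        SHA256   = $expected
        Verified = ($expected -eq $actual)
    }
}

# Usage (same directory, different name, which the robocopy discussion above says robocopy cannot do):
# Copy-FileWithProgress -Source C:\data\importantfile.ext -Destination C:\data\importantfile.bak
```

Because the source is hashed while it is read and the destination is hashed after it is written, the Verified field is $false whenever the destination is short or differs from what was read; that is the check a scheduled copy job should fail on.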
It's time firefox is also bundled in the new PC's /laptops which are sold out there into the market.
Start catering to the scenarios that are important then... provide deployment tools and reference guides for unattended installation. Last time I was tasked with a (Windows) Firefox deployment, I found out that settings are stored in a random directory per-user. All pre-installation configuration had to be done by manually changing default values in the compressed original package. Settings and policies were just not available to be set via the registry (easy to script) or Group Policy (easy to manage).
Despite what you may think about Microsoft's business practices, they have got the scenarios down. Both Windows and Office have OEM Pre-installation Kits, and products are designed with corporate and OEM deployment scenarios in mind, not just as an afterthought. At the very least, they don't *actively resist* large-scale deployments by so rudely thumbing their noses at admins with settings stored in text files in randomly-named directories. Ugh.
For a command-line solution that works even when you're not an administrator, try:Works on XP and above.
It's not a built-in calendar. It is merely a graphical device to let you change the current system date. A lot of administrators don't want their users changing the system date willy nilly. Thus it is locked down for standard users
then why can't it give the permission denied error when the user clicks ok/apply!?! or have some kind of error in there. or something!!!
sheesh. horrible UI design.
You may be interested in this post.
Most of all I'd really like to see Microsoft cough up the ability to configure absolutely every aspect of IIS (and Windows it self for that matter) from the commandline.
What is your primary concern? Is it that tools are simply not available at all to do the work you'd like, or is it that the command-line tools are distributed separately from the OS?
What tasks (in IIS and Windows) can you absolutely not accomplish via the command line today? (Please give as many examples as you can, I'm very interested in others' experiences.) Is this due to lack of awareness of the tools, or lack of availability of tools?
Wrong. PayPal errs on the side of profit. Some bean counter ran the numbers and discovered that accounts that increase by x-hundred percent in y hours are more often fraudulent than not. It costs PayPal more money to deal with 1 fraudulent account than to collect their cut on that same account, so they've determined their financial risk threshold and freeze accounts accordingly.
Make no mistake about it, PayPal has no reason to be cautious with your money. In fact, part of their business model is based on the fact that it's easier (and more profitable) to screw over the "good guy" in a dishonest transaction than to devote resources to tracking down the "bad guy". It's this sort of behavior that makes people hate them, and it's why I refuse to pay for anything with PayPal.
Please don't purport that PayPal is just an innocent party trying to do the right thing. They're not. They're attempting to maximize profit even if it's at the expense of honest customers (or, in this case, needy victims of a natural disaster).
Apologies for the late response, I didn't have time to set up a proper test environment until this evening.
I used Virtual Server for this experiment. I started with one clean Windows XP SP2 image, with the Microsoft VM Additions (for improved performance in Virtual Server) and all current patches. To represent a true, imaged environment, I sysprep'd this machine and then created 2 child virtual machines from this common base. The sysprep process ensures that the machine's name and all security identifiers are unique, and is the only Microsoft-supported method for deploying imaged computers.
I created a small .vhd to share between the 2 virtual machines, which will contain the encrypted test data.
I started machine 1 and named it EncTest1. On this machine I created 2 new users, test1 and test2. As user test1, I created a folder d:\testdir. Note that this folder is on the secondary hard drive (not the operating system drive). I created a text file in this directory, and then used Windows Explorer to encrypt the entire folder (including this folder, subfolders, and files). I verified that user test1 was able to access this file, and user test2 was not able to access this file.
I then used the certificate manager to export the certificate and private key belonging to user test1. It is VERY important during this process to check the box to export the user's private key as well. The private key is required to be able to decrypt files. However, the default choice when exporting a certificate is to NOT include the private key along with it. Select the option "Yes, export the private key" during this process. The certificate will be stored in a .pfx file. I stored the .pfx file on the D: (shared) drive.
We now have all the files and information required to simulate a crash or other unexpected loss of the original operating system and user's profile. I shut down EncTest1 and started our second machine, EncTest2. I attached the shared hard drive used in EncTest1 to our new recovery machine, EncTest2. Note that I did not xcopy the files to or from any system. You cannot copy an encrypted file to another machine on which the user does not have a certificate. If you are able to copy encrypted files to another system, you need to verify exactly which users/certificates still have access to those files (by using the Details button in file properties, advanced).
At this point, to decrypt the files, only two things are required: the user test1's user certificate and private key. Both are contained in the .pfx file we exported earlier. No other similarities to the original environment are required (ie, usernames, passwords, and machine names are not required to match.) I created two new users test3 and test4 on EncTest2, and verified that as user test3, I was not able to access the encrypted test file in d:\testdir. Then, using certificate manager, I imported the .pfx containing user test1's user certificate and private key. Instantly, without even logging off, I was able to access the encrypted file in d:\testdir, as expected.
To verify this was the result solely of the certificate I imported, I then logged in as user test4 and confirmed that I was unable to access the content in d:\testdir.
If you'd like to verify my results, I can make available to you the .vhd representing the shared drive between these two virtual machines. It contains the user test1's user certificate (including private key), and an encrypted directory. You'll be able to do exactly as I did: import the certificate and gain access to the encrypted content.
With that, I'd like to cover a few other points:
- Yes, it's very easy to lose access to your encrypted files if the proper precautionary measures are not taken. This could possibly be remedied by a more proactive backup process or more documentation, but is not a limitation of the EFS design.
- Getti
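The experiment above is done by hand in Certificate Manager. As an added example (not the poster's procedure, and not Microsoft's documentation), here is the same backup-and-restore cycle scripted in PowerShell, assuming Windows 8 / Server 2012 or later so that Export-PfxCertificate and Import-PfxCertificate are available. The EFS certificate is selected by its Enhanced Key Usage OID rather than by name, the export is password-protected and includes the private key (the step the write-up stresses), and a small check reports whether the current account can actually decrypt a given file. The function names and the D:\ paths in the usage comments are the example's own; the file name secret.txt is a placeholder.

```powershell
# Added example: script the EFS user-certificate backup and restore described above.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # The user's EFS certificate lives in CurrentUser\My; pick it by EKU, not by friendly name,
    # and only keep ones whose private key is actually present (exporting without it is useless).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $EfsEku)
    }
}

function Backup-EfsKey {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-EfsCertificate | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key found in CurrentUser\My' }
    # Export-PfxCertificate writes certificate AND private key, protected by the password;
    # this password is all that is needed later, no hidden per-machine secret is involved.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cert.Thumbprint
}

function Restore-EfsKey {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Import into the current user's store on the recovery machine. The account name,
    # machine name and SID do not have to match the original; only the key matters.
    (Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password).Thumbprint
}

function Test-EfsAccess {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    $encrypted = [bool]($attrs -band [IO.FileAttributes]::Encrypted)
    # Reading an EFS file without a matching key fails with access denied even for the owner.
    try   { [void][IO.File]::ReadAllBytes($Path); $readable = $true }
    catch { $readable = $false }
    [pscustomobject]@{ Path = $Path; Encrypted = $encrypted; CanDecrypt = $readable }
}

# Usage on the original machine (EncTest1 in the write-up):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Backup-EfsKey -PfxPath D:\test1-efs.pfx -Password $pw
# Usage on the recovery machine (EncTest2), logged on as any account:
#   Test-EfsAccess D:\testdir\secret.txt      # CanDecrypt is False before the import
#   Restore-EfsKey -PfxPath D:\test1-efs.pfx -Password $pw
#   Test-EfsAccess D:\testdir\secret.txt      # CanDecrypt is True immediately, no logoff needed
#   cipher.exe /c D:\testdir\secret.txt       # lists the user and recovery-agent certificates that can decrypt it
```

Two operational notes follow from the script. First, keep the exported .pfx and its password somewhere other than the encrypted volume itself, since the whole point is to survive loss of the original profile. Second, cipher.exe /c shows every certificate (user or DRA) that can open a file, which is the scripted way to do the "Details button" check the write-up recommends before moving encrypted files between systems.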
[A]ll of Microsoft's technical documentation leaves out an important point. The documents about backup methods don't mention that they don't work with stand-alone computers. ... it is not possible to back up all the passwords.
I submit that not only are you incorrect, the Microsoft technical support agent you spoke to was either misinformed, or you misunderstood him.
Your statement:
"If a computer is stand-alone, not part of a domain, then backing up everything, reformatting your hard drive, and reloading Windows XP will result in not having access to any of your EFS encrypted files."
Let's not forget that you are talking about people who have backed up their certificates:
"I was talking about people who did not lose their password or encryption certificates, obviously."
Here's what I know and can be verified. The published documentation regarding EFS provides two ways for a user to recover their encrypted data: with the user's certificate, or with a Designated Recovery Agent (DRA). This principle holds true regardless of whether the computer is in a domain or stand-alone environment. Let's discuss each:
1) Restore the users's previously-backed up user certificate (and private key) to the machine. There is no hidden or extra password required. Just the user's certificate and accompanying private key. This applies EVEN in a stand-alone environment. The documentation supports this and this can be independently verified on any standalone Windows XP machine.
(Note that when exporting a user's certificate and choosing to include the private key, the user will be prompted for a password. This is used to secure the private key and the user must remember this password to restore the private key. However, this password is in no way hidden or undocumented.)
2) Use a Designated Recovery Agent's certificate and key to decrypt the files. This is the part around which I believe there may be some confusion, because behavior around automatically created DRA's varies between stand-alone and domain-joined computers. As I pointed out in the grandparent post, "Stand-alone computers do not have a default DRA, but Microsoft strongly recommends that all environments have at least one designated DRA."
Therefore, if a user does not back up his user certificate (including private key) on a standalone Windows XP box before formatting the drive, AND there was no previously-specified DRA, he will subsequently not be able to access his encrypted data. This is by design, however, and fully documented. There is no hidden password you can use to ever recover the data.
Please, if you still disagree with me, I urge you to
1) Read the documentation (all the links in the grandparent post are links to individual topics in the single chapter on EFS in the Windows XP Resource Kit). You can find similar information in the OS help by searching for "efs" or "encryption".
2) Try it yourself. You don't have to take my word, or the word of a technical support agent. Use a virtual machine (in Virtual PC or VMWare) for a convenient fully-reproducible scenario on demand.
3) If you're still in doubt, let me know how I can contact you directly. I hate to see falsehoods perpetuated as truth, and I'm willing to work with you until we both agree what that truth is.
The problem is that Windows XP makes an additional password, one that is not backed up using any of the tools or documents provided. That automatically generated password is necessary, as well as the user account password, to decrypt the files.
Rather than making vague claims about what hidden, undocumented passwords are preventing you from using EFS (or recovering your data), why not start reading?
I really have very little sympathy for those who whine about how much EFS sucks. First of all, one must make an explicit decision to use EFS. If you are going out of your way to protect your files, it's in your best interests to research how you can back up whatever passwords, certificates, or keys necessary to maintain access to your files.
Some particular sections that may be of interest to you and help dispel the FUD:
The Decryption Process
How EFS Uses Certificates
Exporting and Importing EFS and DRA Certificates and Private Keys: "You can use the Certificate Export wizard to export a certificate and private key to a removable medium."
Backing Up and Restoring Encrypted Files or Folders: "Opening restored, encrypted files is no different from decrypting and opening any encrypted files. However, if files are restored from backup onto a new computer, in a new forest, or at any location at which the user's profile (and thus the private key needed to decrypt the files) is not available, the user can import an EFS certificate and private key. After importing the certificate and private key, the user can decrypt the files."
Data Recovery and Data Recovery Agents: "The default design for the EFS recovery policy is different in Windows XP Professional than it was in Windows 2000 Professional. Stand-alone computers do not have a default DRA, but Microsoft strongly recommends that all environments have at least one designated DRA."
Maybe it's because I come from a more Microsoft- than *nix- centric background, but since where and when have Microsoft ever made any sort of statement even resembling anything close to what you've said above? Sysadmins have plenty of tools at their disposal. See %windir%\help\ntcmds.chm for tons more info than I can provide here.
I use Windows at home and at work and find the command line environment very powerful and usable. I admin my machines (3 at home, 3 at work, 1 laptop, and several remote family member's pc's) almost exclusively via the command line. The set of default tools has increased dramatically in the last 10 years, and any Microsoft OS released in the last 5 years includes all of the following:
sc - service controller for starting/stopping/managing services on local or remote machines
diskpart - create/modify/delete local disk partitions (including advanced configurations like RAID arrays)
bootcfg - modify boot entries
fsutil - file system tools (reparse points, sparse files, hardlinks)
netsh* - network configuration tool to manage interfaces, protocols, routes, firewall, etc.
wmic - complete WMI (Windows Management Instrumentation) control
cacls* - modify NTFS permissions
systeminfo - query basic configuration information for local or remote machine
findstr - text searching, and yes, it handles regular expressions
msiexec* - not strictly a command line tool, but supports installation/configuration/uninstall of any
reg - modify the registry (including online and offline hives, and other users' hives)
I do find a couple of things lacking, so I customize all my Windows installs to include the following (all free except for the last, which requires that you own WinZip):
File Hashing: By the time Microsoft came out with fciv, I was already sold on fsum.
HTTP Downloads: I use wget for Windows.
Patch Scanning: I use MBSA for an instant report of missing patches so I can avoid Windows Update.
cab Compression Tools: Uncompression is supported natively via "expand"; need cabarc from the support tools to compress.
zip Compression Tools: Free add-on to Winzip works here.
Most people I know (Windows and *nix users alike) are very uninformed about Windows command line capabilities. However, this does not in any way mean that the command line is crippled, or unable to perform the same admin tasks that are possible via the GUI.
*also existed in Win2000 or earlier
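To show what the built-in tooling listed above can do for an administrator who never opens a GUI, here is an added PowerShell example (the editor's, not the poster's) that pulls the same data wmic exposes for services over WMI/CIM and reads the NTFS ACLs that cacls edits, to flag service binaries that low-privileged groups can write to or whose path is unquoted and contains spaces. It assumes PowerShell 3 or later for Get-CimInstance; the group list and regular expressions are the example's own choices.

```powershell
# Added example: audit service binaries for weak permissions using WMI and NTFS ACLs.
$weakRights = [System.Security.AccessControl.FileSystemRights]::Write -bor `
              [System.Security.AccessControl.FileSystemRights]::Modify -bor `
              [System.Security.AccessControl.FileSystemRights]::FullControl
# Principals that should never be able to replace a service executable (assumed list).
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip service arguments: either a quoted path, or everything up to the first .exe.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-WeakServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $bin = Get-ServiceBinaryPath $svc.PathName
        # An unquoted path with spaces lets an attacker plant C:\Program.exe etc.
        $unquoted = ($svc.PathName -notmatch '^"') -and ($bin -match ' ')
        $writable = @()
        if (Test-Path -LiteralPath $bin) {
            foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
                # Generic rights show up as raw integers and are not decoded here.
                if ($ace.AccessControlType -eq 'Allow' -and
                    $lowPriv -contains $ace.IdentityReference.Value -and
                    ($ace.FileSystemRights -band $weakRights)) {
                    $writable += $ace.IdentityReference.Value
                }
            }
        }
        if ($unquoted -or $writable.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                Binary     = $bin
                Unquoted   = $unquoted
                WritableBy = ($writable -join ', ')
            }
        }
    }
}

Get-WeakServiceBinaries | Format-Table -AutoSize
```

Anything this reports for a service running as LocalSystem is a local privilege escalation path: replace the binary or drop a file earlier in the unquoted path, then wait for the service to restart. The fix is a quoted ImagePath (reg add on the service key) and a cacls/icacls call that removes the write grant.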
The blue is actually a reference to the color of the square around your photograph on the Microsoft corporate cardkey. Only full-time employees of Microsoft have blue borders. Contractors and vendors have an orange border. Events for Microsoft employees only are typically referred to as "blue-badge only."
Dammit, I want a box of Sugar Frosted Chocolate Bombs without the free toy! And I want it at the same price!
Did you mean Chocolate Frosted (Crunchy) Sugar Bombs?
It was my understand (sic) that these areas were accessible by some DVD+RW drives.
Do you have any documentation of this? Any links or accounts of anyone ever actually having successfully done this? Can you provide a first-hand account?
The Optical Storage Technology Association has a great writeup on this (summary: the lead-in area isn't even writeable on consumer DVD media). I'd love to hear what information or any products you have that contradict what they've written.
DeCSS could have worked years ago, when writable DVDs were expensive. But now that I can get a dual layer writable DVD for 3 or 4 bucks, it's too easy to just bit copy the whole damn thing.
I'm not sure you understand how DeCSS (or, more appropriately, CSS) works. The contents of the DVD are encrypted, so "just bit copy[ing] the whole damn thing" doesn't help you at all. You still need to be able to decrypt the content to view it. The decryption key for pressed DVD's is stored in the innermost track of the disc. This area is readable by DVD players and DVD-ROM drives, but DVD-RW drives cannot write to this track. Thus, if you copied the "entire" disc, you would have only actually copied the encrypted video but not decryption key, making the disc rather useless to you. This is the reason programs like DVDDecrypter are so popular.
In Massachusetts, if I remember correctly the employer may not withhold a paycheck for more than a week after the paycheck for the pay period would normally be issued, and in the case of a termination or layoff, they're required to issue a paycheck, expenses, and pay for accrued vacation all on the day of the termination or layoff.
I've lived in at least 2 other states that have "same day paycheck" rules for involuntary termination. It sounds great in theory. One sleazy company got around this law by never firing anyone on the spot. They would only 'suspend' the employee until the end of the pay period. Once payday rolled around and the check was ready, you would be officially fired. It prevented them from ever having to write on-demand checks while still complying with the letter of the law.