I stopped using Quicken in late '99, when the copy of quicken I'd been using turned out not to be y2k compliant, and intuit would do nothing about it but offer an upgrade. I cross upgraded instead. But the MS alternative is flawed in different ways.
Activation sucks badly. Actually, I just installed groove this week, and I forgive their activation as (a) you can install groove on up to 5 of your own machines; just export your account and import it on the others (b) on their web site you can manage activations for everyone on the team you bought copies for -deactivate existing installations, see all your keys listed and so stay in control.
Finally, because groove works by logging in to their servers (and consuming lots of their bandwidth), the logon and authentication process is legit.
Don't worry about WINE. This isn't about DLLs. This is about the .NET runtime and its 'strong binding' to checksummed (and potentially signed) "assemblies". Mono will have to deal with it, but not Wine.
That's a good question. The commit messages usually get sent to the mail list, and do get reviewed -but very large commits (100+KB) don't get such rigorous reviews. So I bet I could sneak a back door into an apache project inside a very, very large commit. I wouldn't, but I think I could.
Question is: if I did put a back door in: how long would it last before someone noticed? That I don't know. Do you check your XML parser for special handling of a processing instruction?
Re:Lets make Google a pejorative instead. on Verbing Weirds Google · Score: 4, Funny
or use the law to water down other trademarks.
microsoft. v.
1. To write bad quality code. "I was too hungover to write quality code, so I microsofted all day instead"
2. To crash without warning. "My car was playing up; it microsofted twice on the way in"
Re:Compact Discs Obsolete & Universally Standa on The Future of the CD · Score: 1
> I wish manufacturers could just agree on another new standard, such as some sort of Flash based storage. With the quality of Mp4 video and audio you could have relatively small capacity "compact flash cards"
Flash is too expensive; always will be at the capacity you want, though maybe some burn-once equiv could be done for less. But the problem is that any new universal music format would meet tooth and nail resistance from Hilary and friends, who would want their business model protected at all costs.
Maybe once they are gone we can get back to new business models like MP3.com's 'all your albums online', again, and just sync up all my devices with my online music collection in the big server cloud out there
I still have 'legacy' cassettes in my recent car (2000 VW passat) -it's just another MP3 destination, one that you have to burn in real time.
The nice thing about this legacy format is you know nobody will break into the car to steal it. The bad thing is that the cost of a cassette is about $2.50-$3.00, or approximately 10x a CDR blank. Wow. I guess that is why Hilary doesn't complain about cassette tapes killing music any more. (Though I think the UK and some other EU countries like Germany still have a cassette tax)
I agree with almost everything you say. The point I differ is that MS have only now cared about compatibility. The success of win3.x, win9x and later NT is that they jump through hoops to keep old code running.
Which is why apps can do portIO on Win9x, and why the windows security model is wide open by default.
Where the MS culture has created risk is the obsessiveness with adding programmability to everything -the hacker urge combined with marketing's vision of 'enterprise solutions'. Example: Windows scripting host; why do I need .js and .vbs support? I don't, but I get it with every IE upgrade.
Example 2: why do word docs have the right to be able to open any library and run any app. It used to be spreadsheet macros were little functions you wrote to simplify the spreadsheet. Now anyone receiving a spreadsheet with a macro in it assumes you've an email virus and panic.
I don't think OSS is any different here in terms of adding programmer-centric flexibility (emacs, for example), we just started with a more secure foundation (unix) and tried not to make it worse.
The other diff is deadline driven coding: commercial apps have a ship date, and MS would neglect non-critical bugs to meet that date. They need to recognise that all security holes are showstoppers.
well I think the intro claims are basic distributed computing, and all the claims 1-42 are covered by prior art called 'Java'. That leaves claim 43, a type system including 'delegate' and 'enumeration'; I think C owns those two :)
The details are fascinating, a patent which includes the entire .NET framework help manual and just says 'everything in here is patented'. That's wild. Even the idea of patenting an API is wild, but this, this is wilder.
That is a valid point -to get full zero config you want to spend zero time dealing with security issues.
I guess the clients need to take all responses as potentially malicious, and probe the destinations carefully to see if they are trustable.
I've been adding web service discovery to Apache Axis, with a servlet implementing an XML equivalent of SLPv2 broadcast/response, and so far punted on security. My rationale was that you need to authenticate the endpoints themselves, but I see now I should think about authenticating the responses, though that'll be hard in the payload of a single datagram.
so you believe in security through obscurity of discovery, then?
all service location does is make weak points easier to find. But you'd be mad to export such discovery protocols beyond the firewall. Madder things have happened...what is the RV request for 'all machines with SQL server on port 1434?'
You'd be surprised how chatty badly done multicast protocols can be...UPNP is an example of something that really, really, shouldn't be allowed near a corporate network. RV just leverages DNS, so is less of a load.
But, the IETF work on Service Location Protocol does scale beyond a subnet, and once you add an (optional) SLP directory service, clients stop multicasting, only the dir service multicasts to advertise its existence; everything just talks straight to the service.
Where all these device discovery protocols fail on the office LAN is there is no point knowing there are 15 printers within two datagram hops, you want to print to the closest machine, and you don't want to have to install another print driver to do so...
They really do give you the raw film info content for download, though the licensing rules for the data say that you can't use them on your own web site; people provide implementations of standalone clients from the mainstream -unix & windows to the obscure: OS/2 and Amiga; so if you want to integrate your linux PVR with a standalone IMDB dataset, go right ahead...
Enjoy the data; it's a good example of how a bunch of perl and mysql hackers remain true to their roots, and the origin of the data as some Usenet affiliated files.
IMDB's robots.txt file has a no robots most places policy to keep server load down, but the file also talks about how to get the raw data if you really want to, which is a good compromise.
The file also appends the User-Agent field of the browser at the bottom, which shows that even that .txt file is probably served by a few lines of Perl...
Actually, the experiment is being put together with the assistance of the local council, HP labs and Bristol University to provide an enhanced tourism experience, presumably similar to that provided by a Lancaster University prototype back in '99.
So it's location specific data related to the 'tour' you are on, though you could also leave geographic post-it notes for your friends
A nice side effect of the project is that it should give the town centre good, free, 802.11 access points. I say should as I was there in September and the APs were there but not active.
should have smoothed your finger down with a bit of sandpaper first. Fingerprint biometrics have a low success rate with rock climbers, especially those who climb granite for this reason: not enough consistent fingerprint for matching.
yeah, I couldn't fix my sql server install, which I don't run by default (it's a dev box). The service pack upgrade wanted to shutdown the service first, but I didn't want to do that unless it got slammed, so I'd have had to pull it off the network, etc, etc. I just uninstalled sql server instead.
As an aside, this dev version of the server came from the MS Vs.net 2003 beta; from a CD that MS shipped to me at the end of September. So even next gen products being tested after the slammer hole got found were still shipping with bugs.
If there is another point of failure of MS it is that: their product cycles are such that they are still shipping insecure apps, which you need to patch manically before you can put on the net. Get a new server with Win2K + IIS5 + SQL server? Spend a week sanitising it before attaching it to a LAN. So you have this buy+download patches+install patches +run process, whereas OSS apps are download up to date apps+install+run; probably the same amount of D/L and install time, but you are more sure of a secured system by the end.
What you need to note is that it is the keyboard controller (KBC) bios, not the main CPU bios. There are different KBCs, but they are really little 16 bit RISC cores from different vendors. But as all PC laptops come from about 3 ODMs in Taiwan, I bet they are all pretty much identical.
but the KBC runs straight off the EPROM; no ram shadowing. when you are doing laptop bios dev you make a custom rom by unsoldering the rom and putting a socket in, cutting out a hole in the base for access. To make a virus/rom that blew up laptops you'd need to include the code to write to the EPROM as part of the payload...easy to do under win9x, but harder under a real OS. With admin privileges on NT you can reenable port IO from a win32 app, so it is possible for a worm to do the work.
overall though, it's a serious undertaking: the kind of things governments can do especially if they get the C source from a PC vendor. But the idea of a dedicated virus that could destroy a laptop spectacularly, potentially injuring the user, is the kind of thing they might like.
sounds painful? Would be. Try setting fire to one of those disposable lithium cell batteries. Then imagine what a laptop battery on fire would be like.
FYI, the chip in the battery sends I2C messages to the keyboard controller, telling it to stop charging the battery. If you ever get in to laptop BIOS hacking, the 'stop charging me now' message is the one thing you never, ever, mess with.
Well, maybe we do try and dictate a bit. We often get bugreps by people complaining ant is rebuilding stuff all the time, which we explain is because you need to put files in a directory structure that matches the package tree, which makes them complain we are control freaks or something. Which forces us to point out the bits in the java spec that say you must lay out your files in this order for javac to import stuff automatically. Similarly, we get sporadic complaints about how we do JAR manifest line wrapping, which are in fact exactly how the language specs demand it, even if one or two duff apps out there can't handle it.
But if we weren't strict control freaks, who would be?
As for redisting source in your OSS project, yes, that is trivial; everything does it, just multiple s.
You say the benefit of giving everyone the source is that they can modify it. I agree, but also, what if you want the recipients to build it? That is where ant is great; anyone on PC, Mac, Linux, AS/400, Netware,... can take your build file and build a big complex app then run the unit tests against it. And that no-brain-rebuild is a good reason to provide an ant build file, even if you stick to make or worse, an IDE.
-steve
(ant developer, co-author of Java Development with Ant,...)
Actually Ant does C++ code quite nicely via the task from ant-contrib.sf.net. This task is biased towards the gcc chain, but works with many others
One nice thing does is dependency check based on header file inclusion info, and your compiler settings. So you don't need to state dependencies, the task works it out for you. slick.
yeah, I don't understand what it is with people in the Willamette Valley (writing from Corvallis BTW), and studded tires. Yes, it rains all winter, but it rarely snows in the valley, and if you want to get over the mountains in bad weather then studs aren't enough anyway -you are going to have to carry a set of chains and may end up using them. So why do so many people who don't look like skiers cruise around with studs in the part of the state where it rains all winter?
Now in the eastern side of the state, it's a different story, and all attempts to limit stud use become a west vs east issue. IMO they should just allow studded tires but ban them from the freeways, or limit vehicles with studs to 30mph; that would split the people who need them from those who only think they do.
Actually I try very hard to maintain a disney free household...only aa milne original winnie the pooh books, no mickey mouse family. There are enough other distractions 'bob the builder', 'teletubbies', and so on for this to work. The big problem is actually people that send disney products as gifts. What do you do with a tigger t-shirt? let sprog wear it, or return it to a store?
IMO disney make a big fat juicy target for a boycott. Not only are they MPAA members, they are behind the copyright extensions. And they are the cutting edge of globalization, working with McDonalds to reduce individual culture myths to the saccharin-sweet blandness of Pocahontas, the movie. If you can get the anti-globalization folk on the same side as the ./ massif, then maybe we can get critical mass.
Boycott Disney! Bring back fairy tales with unhappy endings! You have nothing to lose but DisneyLand!
> Say, don't you think that Green Camouflage is a bit ineffective in an urban combat environment, like an Airport?)
Yeah, I keep expecting to see soldiers in special airport-fatigues -all beige or light blue, perhaps with a vegetation cover of potted plants.
They won't tell you and me, but they will tell the powers that be, who might take actions that would otherwise seem odd:-
-Go into permanent hiding in an underground bunker somewhere on the grounds of 'security'.
-Come up with an economic and taxation policy that is clearly hopeless long term.
-Settle old grudges with countries they don't like.
So, keep your eye out for things like this.
FYI, Sun does have patents around bytecode verification, but they never tried anything as mad as this.
Actually I suspect MS won't stamp on the mono project till it starts to succeed; before then it's a good anti-java project.
yes, it would be kind of messy wouldn't it.