All I knew was that MSDN Universal sent me a note telling me I had one to choose between the three, my time had expired the previous week with no warning and that I was going to get professional by default.
if architect is the superset, then I dont see why I shouldnt have been given that.
Regarding your tester comment, yes, they are undervalued. And making them run tests and record results is part of the reason, that is grunt work for which machines can do themselves. Everyone should be writing tests, and having the machines run them, the architects by writing XML documents that represent SOAP messages on the wire, the developers writing unit tests for their classes as they write their code, and the testers by architecting the high level test suite for the system.
And yes, a complex test system is an architecture all of its own. I'm collaborating with PhD students at CERN, and a brazilian university to get our distributed testing framework right, because it is the kind of thing that PhDs are still being granted for. This is not grunt work, this is research
I think you do need full time testers, but they should be good programmers who are writing tests to bring the app to its knees. You dont treat them as second class citizens.
Architects need to write tests because otherwise they write specifications that are untestable. and the tester gets the blame. Also, the test suite forms part of the formal definition of system behaviour.
I have problems @work with various W3C and OASIS Web Services specs that were written by committees of architects (WS-Addressing, WS-RF, etc). None of these specs have tests. Instead it is left to implementations to sort it out, which of course they dont as they each have to write tests and everyone argues about whose test suite is the correct interpretation of the spec.
So there now three editions: Architect, that makes code from powerpoint-like sketches, Developer that has the PPT-tool without the code generation, and Tester. Which means that testers arent allowed to design things, architects cant test and developers get to do a bit of neither, but not very well.
What kind of organisation does this represent? I guess it reflect's microsoft world view. But it doesnt match that of OSS applications.
This gives me an idea: a "free your windows" installer that automatically installs the useful stuff on a PC to set it free
-firefox, thunderbird
-VLC
-ShrinkTo5 DVD backup utility
-open office
-(maybe java, perl, python runtimes)
-purge all the stuff you dont want users at
-ad-aware
-lock down IE settings so that AX is turned off except for trusted sites; trusted sites are set to "medium" and http://.microsoft.com/ added so that windows update works.
If the google toolbar gets included, we'd make a $1 an install, which could be enough to cover costs...
Remember, you cannot actually drive a car alone until you pass the test, so there is no justification for having your own car unti you pass. You just have a provisional license that says 'learning'
You either need somone else with a car, or you pay for driving lessons.
These are people that teach you to drive in dual-control cars (foot pedals, esp brakes on the passenger side), so you can learn more safely. Suddenly transiting to driving without a passenger was very odd, especially because the werent there to straighten up the car when you got too close to parked vehicles. I got through two wing mirrors before learning the width of my vehicle,
UK tests are harder than US ones BTW. I have an OR drivers license that I got from driving round the block. I thought I'd failed by driving through an orange light during a lane change, but the tester on criticised my premature switching off of the indicator. I think.de tests are even harder as you have to spend time on the autobahn as part of the qualification process.
Ok didnt know that. I know that currently out-UK cars are fairly exempt from everything but wheel clamping, primarily because the UK cant be bothered to track down the cars (unlike switzerland which will pursue you to the grave)
Foreign car plates probably cant be handled. they also cant handle the old plates you could get in custom fonts.
it used to be you could go anywhere and get some new plates made up; no ID, nothing. now you have to have the vehicle ownership certificate and the drivers license (of the owner) to get a plate, and it comes in an extra-machine-readable font. Primarily to stop people avoiding speed cameras and then london congestion charges.
I didnt know about remotely visible shares finding rootkits. I would be surprised if that was the case, but I will take your word for it.
One way i do know that people are looking at is just doing an enum of the HDD+registry on the box, then booting it off a trusted CD and repeating the process. then you diff the files. anything that isnt found on the local enum that crops up on the trusted CD enum is hiding from you: voila, one rootkit.
yeah, sony and colleagues have just destroyed the remaining value of a CD: a high quality source of MP3 files with no DRM.
By adding DRM to the CD, they have lowered the value of the CD to that of iTunes tracks. By adding a rootkit to the drive, they have even made it less useful.
I am the author of a computer book
Java development with Ant. A self-publishing house is doing a competing book
Java Ant notes and filling it with fake 5* reviews, which is obvious because they always get the case of Ant wrong ("ANT"), and they like the book. All the real reviewers give it 1* for being awful.
Amazon are refusing to take down the fake ones because they dont explicitly break their rules, and instead pull the ones complaining about the fake reviews.
To make matters worse, when someone adds a 1* review to the self-published book, they copy that negative review to either my book or the o'reilly alternative. So we are getting our ranking pulled down by real reviews written about a different book.
This has been ongoing for months and amazon are doing nothing about it, even though it shows that you can't trust amazon reviews at all. What interested parties can do is go to this page and leave 1* comments to balance off the fake ones.
There already a fair few bits of advertising hook ins.
-the sign up to MSN/AOL stuff on an XP home system -default search through MSN; pre XP SP2 that would even bring in popups -the 'buy more music like this' hint when you browse a folder full of MP3s. -the 'print your photos right now' option when you upload photos -the 'get a digital ID' button on the Outlook security panel
So its there, its there, just no blatantly in your face.
If you are going to say skype is a security risk then yes, it could be. But the risk of buffer overflow attacks will be higher on windows because its the juicy targets.
Run skype on something less mainstream, like freebsd or unix, and the chance of a worm exploiting your box is significantly smaller.
same for the email client, the word processor, flash (an attack for flash's latest patch is out in the field now), etc. etc. Any program that processes data from untrusted sources is a security risk, but windows turns it into a security reality.
Maybe MS should make an add of that
"you see a buffer overflow, we see a network of zombie systems"
As someone who works at a research lab (HP's) I dont want to pick on MS. Technology transfer is a problem for all R&D labs. The bits of the company that build things are in short-term firefighting mode and with senior management changing direction, it is hard to guess what the long term areas to research are.
Some of the stuff that MSR have done have been kind of interesting, in a CS-hard way. But that doesnt mean relevant. The other thing is that they've hired some great names, but that doesnt map into great stuff. It works in universities, because those names supervise the PhD students that do the real work...
Returning to tech transfer, the problem that MSR has is that their main pipeline for apps has been MS products, which are invariably behind schedule. And when things are behind schedule what happens to the leading edge stuff? Yes, it gets dropped. Whereas if the people in google-labs are doing research, they can try it out on a server or two in another 'beta program': the pipeline from research to product is shorter.
For me, OSS has transformed our pipeline. We can improve products without having to go through the normal inertia of the product process because if the patch is good, it goes in. Indeed, the core runtime of the I work on -deployment- is actually up online Smartfrog. This means that we can get stuff out there being used within days of being coded, and evolve it in the field. OSS and corporate R&D labs go hand in hand. This is somewhere where MSR are at a disadvantage.
Having worked in a laptop vendor, its a different problem. What laptop vendors want is the best laptop for a price point (like $799) in the shortest time. So someone out in Taipei (the ODM) gets to do the mainboard, selecting parts from the list of things that work on windows. And that is because "works on Linux" is not something that the customers push back on.
The best way to get Linux support on drivers is for the vendors to demand it, which means that the customers want it. This is why it is good that (a) HP ships linux laptops, (b) Ubuntu are being really good at laptop-ready linux. I worry about the effects of IBM's exit from the laptop biz tho', and I don't see dell caring enough about Linux. Plus ACPI2.0 is coming out of MS and Intel, which leads to an even tighter OS/bios integration.
This really matters. Out there in the office and the home, the desktop is over, the future is the laptop. And Linux lags in hardware support. But it is a lot more mobile that it was before, and with a faster dev cycle than windows, things can only get better.
In the heady days of '98 and '99, MSN and AOL would pay the PC vendor a nice big bounty fo $10-20 if you signed up with them. But since them microsoft took over the ISP signup process and tried to take the money for themselves, which caused no end of controversy.
I dont know what the current status is, but I know this: the bounty is back. Not from sites like webvan, boo and whoever else used to pay kickbacks to the OEM for signing up to their web site, but just the search engine.
As an aside, if Sun wanted Java preinstalled on all machines, they only had to offer a bounty too. Now that google are prepared to pay, Maybe boxes with firefox+toolbar+java will become standard.
The problem is, the whole point of a rootkit is kernel-mode code that subverts OS API calls and lies about the results. Even booting to safe mode wont find the sony rootkit (Very naughty that, as it really screws up recovery).
The current best way to find a rootkit is to boot from a CD and scan for them, or just compare disk and registry enumerations made on the 0wned box with the listings that the CD (could be linux) makes. If there is any difference, you have just found a new rootkit.
Maybe the next version of PC games will be bootable CDs with their own linux distros. Of course, then the GPL will require them to release their OS image to make it more hackable.
yeah, lets make it Multics derivative instead. oh, wait a minute, it probably is already.
Actually, having used OS/360 in the distant past, I am grateful that IBM didnt port all ther mainframe world into Linux. A world where you wouldnt use a pipe to feed stuff to programs, but instead use virtual card punches and virtual card readers is not one I want to be part of.
Some early versions of Ant did Bad Things to people's filesys as you could send a pattern to delete stuff with a nested fileset dir="build" includes="**/*" that actually forced a recursive enum of everything (and an exclusion of the default excluded files, things like CVS and SVN metadata). When that runs through a symlink, and would happily follow it and delete stuff in other places.
now some magic manages to detect a symlink even though there is no official API Call for it, and you can ask whether or not to follow symlinks.
If their routers deliver a consistently bad QoS to all packets sent over the wire: a bit of jitter, nothing to affect bulk throughput, just the whole VoIP experience, then you can get a bad skype/google talk experience without ever having your packets sniffed.
then you sign up with the cable telco's "high quality VoIP solution", which pretends to mean better pipes upstream but really means TCP without the jitter, they get their tax.
Any program that deletes files ought to be vaguely symlink aware, as you need to know whether you are following and deleting stuff under symlinks or not.
Case in point, Apache Ant has symlink awareness for its delete and copy operations (and others) which is a real dog to implement in Java, sun having chosen to hide symlinks and file permissions from the unworthy java developers.
I think it may also be related to network performance.
recall that on NFS, symlinks are interpreted client side. so a server side link like//machine1/home/steve/files ->//machine2/files would be handed to the client that would then go to machine2 to get the files.
when you hit linux with samba, symlinks are handled securely, but the//machine2/files link is (I believe) resolved with the rights of the samba share running. So the link is resolved, the file is opened as the same user who mounted the share, But the data goes from machine2 to machine1 and then back to the client, which is very inefficient.
-It was a sandstone quarry, not a mine. The sandstone that was used to build my house (and many others in bath and bristol) came from it. The way the sandstone deposits were the quarry was at the same height as the London-Bristol railway tunnel, so they built a special stop off the tunnel to get the rock and transport it to bristol, bath and london, which, back in 1850, pwas the main long haul transport.
-It just so happened that before WWII the air force grabbed it to be an arms store from conventional air attacks; it was used as that and later there were underground airplane factories nearby.
-when the cold war came along, it became the secret seat of government, though not that secret after a while, which, with better precision weapon delivery, meant it was not that useful.
Post cold war, a lot of the quarry has been abandoned. the local cavers know this and pop down the old shafts sometimes. Security used to rely on above-ground troops with guns, but as that has been rolled back, things are more accessible. Even then, the main burlington "citadel" is something they have always been scared of going to.
I think it survived till now as an underground seat-of-government is often useful, even outside a full-blown east-west nuclear exchange, where the place would last only a few minutes into the conflice. For example, after 9/11 dick cheney went off to the US equivalent to run the country (!), but I guess eventually the operational costs are too steep.
interestingly, the area has very good transport (railway, nearby motorway) and communications infrastructure. A lot of the main telecoms lines go through those railway tunnels, probably because the govt. told them to.
Slashdot Mirror
OK, I didnt know that.
d f
All I knew was that MSDN Universal sent me a note telling me I had one to choose between the three, my time had expired the previous week with no warning and that I was going to get professional by default.
if architect is the superset, then I dont see why I shouldnt have been given that.
Regarding your tester comment, yes, they are undervalued. And making them run tests and record results is part of the reason, that is grunt work for which machines can do themselves. Everyone should be writing tests, and having the machines run them, the architects by writing XML documents that represent SOAP messages on the wire, the developers writing unit tests for their classes as they write their code, and the testers by architecting the high level test suite for the system.
And yes, a complex test system is an architecture all of its own. I'm collaborating with PhD students at CERN, and a brazilian university to get our distributed testing framework right, because it is the kind of thing that PhDs are still being granted for. This is not grunt work, this is research
see: http://people.apache.org/~stevel/slides/testing.p
I think you do need full time testers, but they should be good programmers who are writing tests to bring the app to its knees. You dont treat them as second class citizens.
Architects need to write tests because otherwise they write specifications that are untestable. and the tester gets the blame. Also, the test suite forms part of the formal definition of system behaviour.
I have problems @work with various W3C and OASIS Web Services specs that were written by committees of architects (WS-Addressing, WS-RF, etc). None of these specs have tests. Instead it is left to implementations to sort it out, which of course they dont as they each have to write tests and everyone argues about whose test suite is the correct interpretation of the spec.
So there now three editions: Architect, that makes code from powerpoint-like sketches, Developer that has the PPT-tool without the code generation, and Tester. Which means that testers arent allowed to design things, architects cant test and developers get to do a bit of neither, but not very well.
What kind of organisation does this represent? I guess it reflect's microsoft world view. But it doesnt match that of OSS applications.
I have to do the same thing.
This gives me an idea: a "free your windows" installer that automatically installs the useful stuff on a PC to set it free
-firefox, thunderbird
-VLC
-ShrinkTo5 DVD backup utility
-open office
-(maybe java, perl, python runtimes)
-purge all the stuff you dont want users at
-ad-aware
-lock down IE settings so that AX is turned off except for trusted sites; trusted sites are set to "medium" and http://.microsoft.com/ added so that windows update works.
If the google toolbar gets included, we'd make a $1 an install, which could be enough to cover costs...
Remember, you cannot actually drive a car alone until you pass the test, so there is no justification for having your own car unti you pass. You just have a provisional license that says 'learning'
.de tests are even harder as you have to spend time on the autobahn as part of the qualification process.
You either need somone else with a car, or you pay for driving lessons.
These are people that teach you to drive in dual-control cars (foot pedals, esp brakes on the passenger side), so you can learn more safely. Suddenly transiting to driving without a passenger was very odd, especially because the werent there to straighten up the car when you got too close to parked vehicles. I got through two wing mirrors before learning the width of my vehicle,
UK tests are harder than US ones BTW. I have an OR drivers license that I got from driving round the block. I thought I'd failed by driving through an orange light during a lane change, but the tester on criticised my premature switching off of the indicator. I think
I think that's fair, I'm just not sure the book is in the shops to be reviewed without purchasing,
Ok didnt know that. I know that currently out-UK cars are fairly exempt from everything but wheel clamping, primarily because the UK cant be bothered to track down the cars (unlike switzerland which will pursue you to the grave)
Russian cars have Cyrillic Plates...
Foreign car plates probably cant be handled. they also cant handle the old plates you could get in custom fonts.
it used to be you could go anywhere and get some new plates made up; no ID, nothing. now you have to have the vehicle ownership certificate and the drivers license (of the owner) to get a plate, and it comes in an extra-machine-readable font. Primarily to stop people avoiding speed cameras and then london congestion charges.
I didnt know about remotely visible shares finding rootkits. I would be surprised if that was the case, but I will take your word for it.
One way i do know that people are looking at is just doing an enum of the HDD+registry on the box, then booting it off a trusted CD and repeating the process. then you diff the files. anything that isnt found on the local enum that crops up on the trusted CD enum is hiding from you: voila, one rootkit.
If you have a decent proxy you can block the site there and redir people to a page that says "call IT. we know who you are"
yeah, sony and colleagues have just destroyed the remaining value of a CD: a high quality source of MP3 files with no DRM.
By adding DRM to the CD, they have lowered the value of the CD to that of iTunes tracks. By adding a rootkit to the drive, they have even made it less useful.
-steve
Amazon are refusing to take down the fake ones because they dont explicitly break their rules, and instead pull the ones complaining about the fake reviews.
To make matters worse, when someone adds a 1* review to the self-published book, they copy that negative review to either my book or the o'reilly alternative. So we are getting our ranking pulled down by real reviews written about a different book.
This has been ongoing for months and amazon are doing nothing about it, even though it shows that you can't trust amazon reviews at all. What interested parties can do is go to this page and leave 1* comments to balance off the fake ones.
There already a fair few bits of advertising hook ins.
-the sign up to MSN/AOL stuff on an XP home system
-default search through MSN; pre XP SP2 that would even bring in popups
-the 'buy more music like this' hint when you browse a folder full of MP3s.
-the 'print your photos right now' option when you upload photos
-the 'get a digital ID' button on the Outlook security panel
So its there, its there, just no blatantly in your face.
If you are going to say skype is a security risk then yes, it could be. But the risk of buffer overflow attacks will be higher on windows because its the juicy targets.
Run skype on something less mainstream, like freebsd or unix, and the chance of a worm exploiting your box is significantly smaller.
same for the email client, the word processor, flash (an attack for flash's latest patch is out in the field now), etc. etc. Any program that processes data from untrusted sources is a security risk, but windows turns it into a security reality.
Maybe MS should make an add of that
"you see a buffer overflow, we see a network of zombie systems"
As someone who works at a research lab (HP's) I dont want to pick on MS. Technology transfer is a problem for all R&D labs. The bits of the company that build things are in short-term firefighting mode and with senior management changing direction, it is hard to guess what the long term areas to research are.
Some of the stuff that MSR have done have been kind of interesting, in a CS-hard way. But that doesnt mean relevant. The other thing is that they've hired some great names, but that doesnt map into great stuff. It works in universities, because those names supervise the PhD students that do the real work...
Returning to tech transfer, the problem that MSR has is that their main pipeline for apps has been MS products, which are invariably behind schedule. And when things are behind schedule what happens to the leading edge stuff? Yes, it gets dropped. Whereas if the people in google-labs are doing research, they can try it out on a server or two in another 'beta program': the pipeline from research to product is shorter.
For me, OSS has transformed our pipeline. We can improve products without having to go through the normal inertia of the product process because if the patch is good, it goes in. Indeed, the core runtime of the I work on -deployment- is actually up online Smartfrog. This means that we can get stuff out there being used within days of being coded, and evolve it in the field. OSS and corporate R&D labs go hand in hand. This is somewhere where MSR are at a disadvantage.
Having worked in a laptop vendor, its a different problem. What laptop vendors want is the best laptop for a price point (like $799) in the shortest time. So someone out in Taipei (the ODM) gets to do the mainboard, selecting parts from the list of things that work on windows. And that is because "works on Linux" is not something that the customers push back on.
The best way to get Linux support on drivers is for the vendors to demand it, which means that the customers want it. This is why it is good that (a) HP ships linux laptops, (b) Ubuntu are being really good at laptop-ready linux. I worry about the effects of IBM's exit from the laptop biz tho', and I don't see dell caring enough about Linux. Plus ACPI2.0 is coming out of MS and Intel, which leads to an even tighter OS/bios integration.
This really matters. Out there in the office and the home, the desktop is over, the future is the laptop. And Linux lags in hardware support. But it is a lot more mobile that it was before, and with a faster dev cycle than windows, things can only get better.
-steve
ok, UDP has no guarantee of reliability, but you can make it worse.
In the heady days of '98 and '99, MSN and AOL would pay the PC vendor a nice big bounty fo $10-20 if you signed up with them. But since them microsoft took over the ISP signup process and tried to take the money for themselves, which caused no end of controversy.
I dont know what the current status is, but I know this: the bounty is back. Not from sites like webvan, boo and whoever else used to pay kickbacks to the OEM for signing up to their web site, but just the search engine.
As an aside, if Sun wanted Java preinstalled on all machines, they only had to offer a bounty too. Now that google are prepared to pay, Maybe boxes with firefox+toolbar+java will become standard.
The problem is, the whole point of a rootkit is kernel-mode code that subverts OS API calls and lies about the results. Even booting to safe mode wont find the sony rootkit (Very naughty that, as it really screws up recovery).
The current best way to find a rootkit is to boot from a CD and scan for them, or just compare disk and registry enumerations made on the 0wned box with the listings that the CD (could be linux) makes. If there is any difference, you have just found a new rootkit.
Maybe the next version of PC games will be bootable CDs with their own linux distros. Of course, then the GPL will require them to release their OS image to make it more hackable.
yeah, lets make it Multics derivative instead. oh, wait a minute, it probably is already.
Actually, having used OS/360 in the distant past, I am grateful that IBM didnt port all ther mainframe world into Linux. A world where you wouldnt use a pipe to feed stuff to programs, but instead use virtual card punches and virtual card readers is not one I want to be part of.
I guess you are right.
Some early versions of Ant did Bad Things to people's filesys as you could send a pattern to delete stuff with a nested fileset dir="build" includes="**/*" that actually forced a recursive enum of everything (and an exclusion of the default excluded files, things like CVS and SVN metadata). When that runs through a symlink, and would happily follow it and delete stuff in other places.
now some magic manages to detect a symlink even though there is no official API Call for it, and you can ask whether or not to follow symlinks.
If their routers deliver a consistently bad QoS to all packets sent over the wire: a bit of jitter, nothing to affect bulk throughput, just the whole VoIP experience, then you can get a bad skype/google talk experience without ever having your packets sniffed.
then you sign up with the cable telco's "high quality VoIP solution", which pretends to mean better pipes upstream but really means TCP without the jitter, they get their tax.
-steve
Any program that deletes files ought to be vaguely symlink aware, as you need to know whether you are following and deleting stuff under symlinks or not.
Case in point, Apache Ant has symlink awareness for its delete and copy operations (and others) which is a real dog to implement in Java, sun having chosen to hide symlinks and file permissions from the unworthy java developers.
-steve
I think it may also be related to network performance.
//machine1/home/steve/files -> //machine2/files
//machine2/files link is (I believe) resolved with the rights of the samba share running. So the link is resolved, the file is opened as the same user who mounted the share, But the data goes from machine2 to machine1 and then back to the client, which is very inefficient.
recall that on NFS, symlinks are interpreted client side. so a server side link like
would be handed to the client that would then go to machine2 to get the files.
when you hit linux with samba, symlinks are handled securely, but the
I know the place they are talking about; I live about 30 miles away. The whole area is near the village of Box: http://maps.google.co.uk/maps?q=Box,+Wiltshire,+SN 13&spn=0.062548,0.158512&hl=en
-It was a sandstone quarry, not a mine. The sandstone that was used to build my house (and many others in bath and bristol) came from it. The way the sandstone deposits were the quarry was at the same height as the London-Bristol railway tunnel, so they built a special stop off the tunnel to get the rock and transport it to bristol, bath and london, which, back in 1850, pwas the main long haul transport.
-It just so happened that before WWII the air force grabbed it to be an arms store from conventional air attacks; it was used as that and later there were underground airplane factories nearby.
-when the cold war came along, it became the secret seat of government, though not that secret after a while, which, with better precision weapon delivery, meant it was not that useful.
Post cold war, a lot of the quarry has been abandoned. the local cavers know this and pop down the old shafts sometimes. Security used to rely on above-ground troops with guns, but as that has been rolled back, things are more accessible. Even then, the main burlington "citadel" is something they have always been scared of going to.
I think it survived till now as an underground seat-of-government is often useful, even outside a full-blown east-west nuclear exchange, where the place would last only a few minutes into the conflice. For example, after 9/11 dick cheney went off to the US equivalent to run the country (!), but I guess eventually the operational costs are too steep.
interestingly, the area has very good transport (railway, nearby motorway) and communications infrastructure. A lot of the main telecoms lines go through those railway tunnels, probably because the govt. told them to.