NO -- disabling the Scripting Host is an idiotic response dreamed up by dunderheaded MCSEs. It's like disabling Bash or Perl on a Linux box -- it prevents one or two specific things from going wrong, but it also axes a big bunch of functionality.
The ILOVEYOU worm just happened to be a VB Script. It could have also been recompiled into an EXE with trivial changes. It could have been coded in Perl, Delphi, C++, and so on. There's nothing special about things running in the scripting host.
The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).
What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to xxx@yz.com! Proceed? Yes/[No]/See Message". This would stop mail worms pretty quickly. Better yet, give the Exchange admins control over whether things like this are even possible on their systems.
Forcing users to change how they handle executables is a start, but doesn't solve the real problem -- a poorly implemented COM API. --
Apparently when Steve Jobs got the job, he rounded up all the top marketing people and started asking questions -- "I'm a student - which Mac should I buy, the 4400 or the 5300 or the 6500? Should a business user buy the 7300 or the 8600? How about any of these 39 clones? Which is faster - a 300MHz 603 or a 200MHz 604?" and so on.
The marketing guys all scratched their heads, and Apple has been down to a handful of models ever since. --
I think Junks Jerzey's point was that a good GUI is made up of thousands of little, correct decisions. Things like shut down policy or mouse acceleration or video card settings.
Microsoft got a whole lot of those decisions wrong. So did Apple (as the snide trolls about the one-button mouse go to show). But at the very least, Apple put the GUI issues into the spotlight by not including a CLI/config file interface. For example, MS can get away with CHKDSK /F, but Apple had to design a friendly 'Disk First Aid' program.
The problem with Linux OSes is that nobody has gotten around to solving most of these problems. Maybe the question is whether a bad administration GUI is worse than no administration GUI.
So, you are right -- We need a system that's truly easy to use -- but getting there is not some transcendent new invention, but instead the painstaking process of doing all of the small things absolutely right. --
The Open Group, having been forced by the Open Source community to relinquish totalitarian power TWICE, may decide it's politically wiser to live up to its name.
Well, from their standpoint, they missed a huge opportunity to be relevant.
Think about it -- if Motif and CDE were under the X11 licence from the beginning, all of you Linux users would be running Motif and CDE right now, and not Gtk/Qt and Gnome/KDE.
There would be no incentive to re-engineer the GUI the way the free software community has been for the last couple years. Instead, folks would be hacking CDE to accept themes, something like Gtk would be a small, interesting side project, and TrollTech wouldn't have had a business model and would have never developed Qt.
Meanwhile, Motif is still used heavily in commercial UNIX applications, but at the same time commercial UNIX is dying quickly on the desktop. Replaced with NT, replaced with Linux, the vendors are too busy selling servers. The TOG isn't really trying to help the free software community -- they are trying to salvage UNIX commercial software developers as the market shifts from real Unix (where Motif is a 'standard') to Linux (where Motif is disliked and disused). --
Somehow we've gotten the idea in our heads that computers are such great tools that they automatically translate into improved efficiency without any human effort involved.
an IT department is non-existent
You'd like to think so, but usually there is some third party consultant or integrator lurking around these situations. Odds are these guys own a local clone shop and aren't the brightest bulbs themselves. Either way, their interest is selling hardware, not selling ongoing support and services. (I've seen these guys juggle their price lists because nobody will buy "Microsoft Small Business Server" as a separate line item -- they will only buy the magic box.)
If anything, there's something to be said about IBM's old business model where you wrote them a check every year, and they made sure that you were set up. Certainly in the low-end small business and school markets there are people who definitely should be paying for it because they will never accumulate the knowledge themselves.
So, there's a market here for service-oriented providers that maintain systems for their customer base. Linux is a perfect fit here, at least on the server. But I don't see these services advertised -- instead it's all "P550/64M/12G/AGPX4" commodity hardware stuff. --
Huh? Nothing's been censored until there is a court order. Besides, posting (c)Microsoft documentation on a web discussion board would also be a no-no under conventional pre-DMCA copyright law. --
You don't think that Windows 98 pretty much meets the criteria? It always has the latest and greatest Microsoft gaming API and best driver support, and is backwards compatible with 20 years of DOS games.
On the other hand it's too unstable for even 8 hrs/day of regular work, has no security or other wasteful 'overhead' features, and so on. It's even explicitly marketed as a low-end home OS versus Windows NT. --
EPIC seems to be desperate enough to bank on their relationship with Microsoft, and they do all that in a very foggy situation when Microsoft can be split up and God knows what else can happen to them.
I don't think that the anti-trust case really makes that much of a difference. When you consider the development time + shelf life of a game versus the years and years the case will bounce around the courts, it's not that relevant.
Even if Microsoft is broken up, DirectX is not going away -- it's too popular, and would probably be maintained independently outside of Microsoft if necessary. --
Nice conspiracy theory, but referencing the "Samba" comment (#86), was just a screw-up on the MS Lawyer's part. Comment #87 had the full text of the MS document.
Standard disclaimer, but I don't think a judge would throw out the case because of a minor error like that. --
He's referring to OS/2 LAN Manager, a product dating back to 1987. LanMan sorta is notable because it had hashed credentials to discourage sniffing. This is with NetBEUI only - so small flat 'trusted' LANs were the norm.
This was great compared to the contemporary clear text logons of NetWare and Unix protocols. However, 13 years later, your Internet-connected Windows 2000 server still accepts the old style NTLM logons.
To address your point about age and the previous guy's point about popularity -- Kerberos was never really languishing in obscurity, but it also hasn't been deployed to the same extent as NTLM, NetWare NDS, or, in a year or two, Win2000's MS-Kerberos. This is partially because regular Kerberos was designed (as Jeremy Allison puts it) as an "authentication", but what Microsoft and other directory users really want is an "authorization" protocol to provide a central point of management. So to some extent, the extension makes sense (and Unix vendors have used the disputed fields the same way). Not openly publishing the information is the problem. --
Apple and others have done studies showing that on average, mouse users are no less efficient than pure keyboard users, despite the hand moving. The reason is that the user spends more time finding the correct command than actually executing the command. (Note that this is a generalization -- if you know the emacs or MS Word keyboard commands by heart, you are going to be faster than a mouse user. However, if you don't, you will probably be slower.) The general rule is that your brain is slower than your hands.
Anyway, I've been using a mouse for about 14 years, and have never had any carpal tunnel problems, from the mouse. A typical crapo PC keyboard will have my fingers knotted in 5 minutes, however. So, I normally run with an IBM Trackpoint II keyboard plus a MS optical mouse just because the trackpoint 'seems' quicker (not necessarily easier), and typing is definitely quicker on the clickity-clack. I do wish there was a scroll wheel on this old IBM keyboard, though. --
The only purpose of the proprietary extension to Kerberos is to hide important authentication functionality,
You mean to say the only purpose of not fully disclosing the functionality is to keep 3rd parties (Free Software and authentic SMB providers like IBM and AT+T) from interoperating, and to keep the SMB domain controllers on Windows.
See the comments by Jeremy Allison. Using the field for Windows-specific authorization is apparently legitimate according to the spec. Other Unix-based systems such as DCE have done the same thing, if I understand correctly. --
One thing I've heard about Evolution is that the eventual goal is a 'groupware' application like Lotus Notes or (theoretically) Outlook.
One thing that people like about Notes is that it's easy to build workflow routing and approval applications. One of the main points of these types of apps is that your address book gets scanned and mail gets sent programmatically.
(Notes has a security infrastructure in place that allows an administrator to prevent the use of this feature by unauthorized users. However, most shops are configured loosely enough to allow an internal version of ILOVEYOU to happen.)
So, the Outlook feature was there for a good reason, although the implementation was totally retarded in that there was no security sandboxing at all. With Evolution, I hope you've considered balancing the valid need to do these sorts of things (e.g. routing apps) with the invalid needs (viruses). I'd be real curious to hear your thoughts on how this would be implemented, because nobody, including Lotus, has really gotten it right.
BTW, the programming model of Outlook is completely halfwitted, IMO, and not widely used. I'd hate to think that you'd put a lot of effort into cloning it. --
VBScripting is another thing. Why, oh why does MS even include this mess?
The VBS virus could be trivially modified and compiled into an EXE with VisualBasic. Getting rid of the Windows Scripting Host would do nothing to solve the problem except raise the entry bar by about 2 inches. Besides, I thought it was the "UNIX Philosophy" that scripting was a good thing...
The real problems here are
(1) As you say, hidden file types on a platform where the file type determines the OS's handling of the file. This, however, can easily be fixed via policy by an MCSE with half-a-clue (rare, I know...) in about 15 minutes.
(2) The fact that Outlook's exposed object model allows mailsending without security checks or user interaction. Compare this to Eudora, which warns you before any mail is sent programmatically; or Lotus Notes which requires a security check before performing such actions.
#2 can only be fixed by Microsoft. It's not the infrastructure (Windows, ScriptingHost, the 'Object Model' itself) -- it's just a stupid implementation detail.
And finally (3) IT departments really need to educate users about what an 'executable' is, and the fact that VBS, JS, CMD, BAT, and so on are examples of one.
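The first comment on this page and point (2) above both come down to the same fix: a send requested by automation should pass through a checkpoint that the user or the administrator controls, and a burst of sends to the whole address book should never look like normal use. The Python below is an added model of such a gate. It is not code from any of the posts and not how Outlook, Eudora or Notes actually implement their checks; the `GatedMailer` class, the three policy names, the burst threshold and the address book it sweeps are all assumptions made up for the example. It replays an ILOVEYOU-style loop under each policy and also runs a legitimate three-approver routing message to show the gate does not break the workflow case the Notes comment defends.

```python
import time
from collections import deque

# Policy an administrator pushes to every client.  Names are invented for this
# example and mirror the thread's suggestions, not any vendor's actual setting.
POLICY_ALLOW = "allow"    # legacy behaviour: automation sends silently
POLICY_PROMPT = "prompt"  # Eudora-style: ask the user before each automated send
POLICY_DENY = "deny"      # admin kill switch: automation cannot send at all


class SendBlocked(Exception):
    """A programmatic send was refused by policy, by the user, or as a burst."""


class GatedMailer:
    """Wraps a raw mail transport and gates sends that come from automation.

    transport(recipients, subject, body) performs delivery.
    confirm(recipients, subject) is the user-facing dialog; True means proceed.
    More than burst_limit distinct automation recipients inside burst_window
    seconds is refused even under the 'allow' policy: a routing app mailing a
    few approvers never looks like an address-book sweep.
    """

    def __init__(self, transport, policy, confirm, burst_limit=20,
                 burst_window=60.0, clock=time.monotonic):
        self.transport = transport
        self.policy = policy
        self.confirm = confirm
        self.burst_limit = burst_limit
        self.burst_window = burst_window
        self.clock = clock
        self._recent = deque()   # (timestamp, recipient) for automation sends
        self.audit = []          # (outcome, reason, recipients) for the admin

    def _distinct_recent(self, now):
        while self._recent and now - self._recent[0][0] > self.burst_window:
            self._recent.popleft()
        return len({r for _, r in self._recent})

    def send(self, recipients, subject, body, *, interactive):
        recipients = tuple(recipients)
        if interactive:
            # The user pressed Send themselves: no gate, but still audited.
            self.transport(recipients, subject, body)
            self.audit.append(("sent", "user", recipients))
            return True
        if self.policy == POLICY_DENY:
            self.audit.append(("blocked", "policy", recipients))
            raise SendBlocked("programmatic send disabled by administrator")
        now = self.clock()
        self._recent.extend((now, r) for r in recipients)
        seen = self._distinct_recent(now)
        if seen > self.burst_limit:
            self.audit.append(("blocked", "burst", recipients))
            raise SendBlocked("%d distinct recipients within %.0fs" % (seen, self.burst_window))
        if self.policy == POLICY_PROMPT and not self.confirm(recipients, subject):
            self.audit.append(("blocked", "user", recipients))
            raise SendBlocked("user declined")
        self.transport(recipients, subject, body)
        self.audit.append(("sent", "automation", recipients))
        return True


def simulate_worm(policy, user_says_yes=True):
    """Replay an ILOVEYOU-style loop: one message per address-book entry, all
    inside a second.  The address book is constructed.  Returns (delivered, blocked)."""
    address_book = ["user%02d@example.test" % i for i in range(50)]
    delivered, fake_clock = [], [0.0]
    mailer = GatedMailer(transport=lambda to, s, b: delivered.append(to),
                         policy=policy, confirm=lambda to, s: user_says_yes,
                         clock=lambda: fake_clock[0])
    blocked = 0
    for addr in address_book:
        fake_clock[0] += 0.01
        try:
            mailer.send([addr], "ILOVEYOU", "kindly check the attached LOVELETTER",
                        interactive=False)
        except SendBlocked:
            blocked += 1
    return len(delivered), blocked


def simulate_workflow(policy):
    """A routing app mails three approvers once; returns how many were reached."""
    delivered = []
    mailer = GatedMailer(transport=lambda to, s, b: delivered.extend(to),
                         policy=policy, confirm=lambda to, s: True)
    mailer.send(["a@example.test", "b@example.test", "c@example.test"],
                "Please approve PO 4711", "Routing slip attached", interactive=False)
    return len(delivered)


if __name__ == "__main__":
    for pol in (POLICY_ALLOW, POLICY_PROMPT, POLICY_DENY):
        print(pol, "worm:", simulate_worm(pol, user_says_yes=False),
              "workflow:", simulate_workflow(pol) if pol != POLICY_DENY else "n/a")
```

Under the legacy "allow" policy the burst check alone stops the sweep after the first 20 recipients; under "prompt" a user who clicks No stops every message; under "deny" nothing from automation leaves the machine. The three-approver routing message still goes out under "allow" and "prompt", which is the balance the Evolution comment asks for.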
Yeah, but for most people the Internet started at 28.8K and then went "x2" to 56K. Twice as fast, pages got twice as heavy, but still the same order of magnitude.
Anyway, it's a helluva jump from 56K to the 300K to 2M of broadband. And fortunately for us broadband users, the basic inequity between broadband and modem users is going to be a feature of the Internet for a long time. Broadband is only physically available in very small parts of the US, AOL still has 30% of the Internet users, and sites will still have to optimise for modem connections. (Furthermore, there's quite a few companies that believe that a "T1" is big-time bandwidth, even when shared between a hundred-or-so users.)
One can imagine a broadband-only site that runs MPEG movies instead of animated GIFs. Fortunately that's a long way off. --
"Because they are counting on the people that are even too lazy to change channels."
More like the ad companies have done studies to figure out what percentage of the audience is paying attention (consciously or unconsciously), and that rate is built into the advertising cost.
That's one reason ad time is so expensive on the Super Bowl - People actually go out of their way to watch the commercials. --
I don't know where you got the idea that MS Outlook has the most marketshare. In the corporate market, for example, Lotus Notes/Domino has twice the seats of Exchange/Outlook.
It is true that Outlook has a lot of installations, because it comes free with MS Office, but nobody knows exactly how many users it has. However, as far as I know, nobody prepares market share figures for POP/IMAP clients.
This discussion has turned into a gigantic flamefest, which I'm trying to stay out of. I'm just trying to point out that the Microsoft swagger projects the assumption that all of their products are the most popular and the defacto standard, even when that's totally untrue. It's important not to drink that Kool-Aid, even if your bread-n-butter is MS products.
(Although, I agree with your point - a local script could do something similar with almost any mail client, with the exception of Lotus running under a tightened configuration.) --
Excel, when it shipped for the Macintosh in 1985, pretty much defined how a GUI spreadsheet should be done. Even though it might seem obvious now, when you look at abortions like 1-2-3 R3's pseudo-GUI mode with its horrid mouse functionality, Microsoft pretty much hit the nail on the head right off.
Early versions were ported from the Mac to Windows, but MS found that they had to include a Windows runtime for anyone to buy it (because nobody would buy Windows on its own). With Windows 3.0, they discovered the key idea to their current business model -- give away Windows for free (just put WIN in the autoexec!) and make the money back on the robust, highly developed GUI apps they had ported from the Macintosh.
Meanwhile, Lotus, which had abandoned GUI development with Jazz for the Mac (1985), had to figure out how to adapt 1-2-3 to a WIMP environment. It took them about 3 tries to get right, and by that time Excel was the 'standard'.
Trying to argue that Excel beat 1-2-3 by "bundling" is silly. They had a better product, at least in a GUI environment (which most people seem to like). Plus it was half the cost of Lotus 1-2-3 in the early 90s. Microsoft has shut out other vendors like Corel and Lotus from bundling agreements with OEMs, but most Excel and Office sales come from customers paying full freight. --
The slashdot under load behavior I've observed goes like this:
1 - Click on something
2 - Long hang (up to 30 seconds)
3 - Network light starts flashing on the front of my machine (fairly quick DSL connection)
4 - IE spikes the CPU rendering the page. (Netscape 4 just hangs for a long time here with small CPU spikes.)
5 - Page appears
So, the drag seems to be either the database or the PL script which renders the page. Apache is filling the network pipe, and rendering on the client end is quick with IE or Mozilla.
One thing to note is that Slashdot stories pretty much go from 0 to 200 comments in one hour. That's quite a few updates locking the mySQL tables, during which time all SELECTS are blocked. (That is, if I understand the critique of mySQL correctly.)
This is probably an oversimplistic view of how slashdot works, and I know I could get the code and look to see where the hotspots are. But, from the outside, the DB layer looks to be the slow spot. --
OK, I'll bite -- If there's something wrong with Windows itself, why don't any of the other 2000 Windows MUA have these problems? Why is it always Outlook or OutlookExpress?
Surely you don't think the problem is the scripting host? After all, scripting engines are supposedly what make Unix so great.
I think it's clear what the real problem is -- Idiots in Microsoft's applications groups. --
See RFC 2110: MIME E-mail Encapsulation of Aggregate Documents, such as HTML (MHTML) for a description of Microsoft's Web Archive (*.mht) format. Note that Netscape and other programs support this already, they just do not support saving the MIME document as a single file on your system.
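As an added illustration of the format that comment describes (not code from the comment or from any browser), the Python below writes a page and one of its resources out as a single multipart/related message, each part carrying the Content-Location it came from, and then parses it back using only the standard library `email` package. The page, its URL and the GIF bytes are constructed. The `resolve` method is the check a viewer of untrusted .mht files needs: references are looked up in the archive only, and anything not bundled resolves to nothing rather than to a network fetch, so a crafted file cannot phone home when opened.

```python
from email import encoders, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser
from urllib.parse import urljoin


def build_mhtml(root_url, html, resources):
    """Serialise a page and its resources as one multipart/related message.
    resources maps absolute URL -> (content type, raw bytes)."""
    msg = MIMEMultipart("related", type="text/html")
    msg["Subject"] = "Saved page"
    page = MIMEText(html, "html", "utf-8")
    page["Content-Location"] = root_url
    msg.attach(page)
    for url, (ctype, data) in resources.items():
        maintype, subtype = ctype.split("/", 1)
        part = MIMEBase(maintype, subtype)
        part.set_payload(data)
        encoders.encode_base64(part)
        part["Content-Location"] = url
        msg.attach(part)
    return msg.as_bytes()


class MhtmlArchive:
    """Index of a parsed .mht: Content-Location -> (content type, bytes)."""

    def __init__(self, raw):
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        self.parts = {}
        self.root_url = None
        for part in msg.walk():
            if part.is_multipart():
                continue
            loc = part.get("Content-Location")
            if loc is None:
                continue                  # nothing can reference an unlocated part
            loc = str(loc)
            ctype = part.get_content_type()
            if self.root_url is None and ctype == "text/html":
                self.root_url = loc       # first HTML part is the page itself
            self.parts[loc] = (ctype, part.get_payload(decode=True))

    def resolve(self, ref):
        """Resolve a reference from the HTML against the archive only.  A viewer
        that fell back to the network for anything not bundled would let a
        crafted .mht phone home the moment it is opened, so a miss is None."""
        if self.root_url is None:
            return None
        return self.parts.get(urljoin(self.root_url, ref))

    def html(self):
        return self.parts[self.root_url][1].decode("utf-8")


# Constructed sample: one bundled image, one reference to a host that is not bundled.
SAMPLE_URL = "http://example.test/news/index.html"
SAMPLE_HTML = ('<html><body><img src="logo.gif">'
               '<script src="http://elsewhere.test/track.js"></script></body></html>')
SAMPLE_RESOURCES = {
    "http://example.test/news/logo.gif": ("image/gif", b"GIF89a\x01\x00\x01\x00"),
}


if __name__ == "__main__":
    archive = MhtmlArchive(build_mhtml(SAMPLE_URL, SAMPLE_HTML, SAMPLE_RESOURCES))
    print(sorted(archive.parts))
    print(archive.resolve("logo.gif"))                       # bundled: returned
    print(archive.resolve("http://elsewhere.test/track.js"))  # not bundled: None
```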
Note that even a properly permissioned NT system could have problems. The user would be able to write to his/her own IE and Outlook settings, and the personal startup folder, as well as the personal \Run keys in the registry. It's pretty much impossible to firewall a user against him or herself.
But, as you mention, it's an "Outlook" problem, not a "Windows" problem. Not only does Outlook allow a user to attack his/her own files/regkeys, but it also allows a mere user to unwittingly launch a DoS attack on the mailserver and other mail users (which is the *real* problem).
The only solution is execution control in the e-mail client. Either do it the Unix way (don't execute anything), or the Lotus way (require digital signatures, which are a transparent part of the system). But don't do it the Microsoft way (execute lots of stuff without regard where it came from, because it's 'easier' for some WordBasic programming slob.)
I'm glad that you addressed the issue in detail -- there are all too many fscking moronic posts on this issue assuming that Unix is immune because it has sensible file system permissions. The truth is that a mythical Outlook-on-Unix user would be just as screwed as the Windows user. --
The possibility for Notes attacks is pretty much limited to 'internal' users. The default Execution Control List (ECL) allows any member of your /Org to run pretty much any script on your machine.
The one big hole in this scheme is that it allows former users to continue to run scripts after they have left the company. (Having old IDs 'in the wild' is pretty much inevitable for Notes shops.) So I could write a Notes mailbomb, encapsulate it and the proper /O signature into an SMTP message, and mail it into my former place of work. Blammo.
The best solution (I can think of) is to create an OU such as /Developers/Org, put all of the developers there, and only grant them access in the Domain ECL, and then make sure that *everything* is properly signed. This would limit normal users to some extent, but normal users really don't want this sort of macro functionality anyway.
Making things worse is the fact that there's lots of sensitive information in Notes systems, so tactics such as these would make wonderful industrial espionage devices. (One well crafted PostOpen event sent to the Director of HR could lead to the entire Salary database ending up in my Hotmail inbox.)
Right now Exchange/Outlook shops are pretty much limited to mail/calendar/discussion applications. But, Microsoft is building a more compelling groupware infrastructure on top of Exchange and Office. If anything, ILOVEYOU proves how easy it would be to conduct espionage activities against such shops -- just mail in a HTML message with an OLE Automation script embedded. --
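The "Lotus way" from the NT-permissions comment and the ECL discussion in this one reduce to one rule: code runs only if it carries a valid signature, and the signer's hierarchical name must match an entry in the list. The Python below is an added model of that check, not Notes code and not how Domino stores its ECL. Signatures are a stand-in: each known ID is simulated by an HMAC key in a table, where a real Notes ID holds an RSA key pair certified under /Org; the names, keys, the two ECLs and the "mailbomb" string are all constructed for the example. It works through the two scenarios above: a former employee whose ID is still valid gets through under the default `*/Org` ECL, and is stopped once the ECL is narrowed to `*/Developers/Org` and the departed ID is put on a revocation list.

```python
import hashlib
import hmac

# Simulated ID directory: hierarchical Notes-style name -> signing secret.
# A real Notes ID holds an RSA key pair; an HMAC key stands in for it here so
# the example runs on the standard library alone.
ID_KEYS = {
    "CN=Ann Dev/OU=Developers/O=Org": b"ann-id-secret",
    "CN=Bob User/O=Org": b"bob-id-secret",
    "CN=Ex Employee/OU=Developers/O=Org": b"ex-id-secret",   # left; ID still out there
}

# Constructed payload standing in for a PostOpen script that sweeps the
# address book.  Its content is irrelevant here; only who signed it matters.
MAILBOMB = "for entry in addressbook: mail(entry.address, thisdocument)"


def sign(signer, code):
    """Return a signed script object as the sending client would build it."""
    sig = hmac.new(ID_KEYS[signer], code.encode(), hashlib.sha256).hexdigest()
    return {"signer": signer, "code": code, "sig": sig}


def _components(name):
    # "CN=Ann Dev/OU=Developers/O=Org" -> ["Ann Dev", "Developers", "Org"]
    return [piece.split("=", 1)[-1] for piece in name.split("/")]


def name_matches(pattern, name):
    """ECL wildcard match on the abbreviated hierarchy: '*/Developers/Org'
    matches any name whose trailing OU/O components are Developers, Org."""
    pat = pattern.split("/")
    comps = _components(name)
    if pat[0] == "*":
        tail = pat[1:]
        return len(comps) > len(tail) and comps[-len(tail):] == tail
    return comps == pat


class ExecutionControlList:
    def __init__(self, entries, revoked=()):
        self.entries = entries          # {name pattern: set of capabilities}
        self.revoked = set(revoked)     # IDs the company no longer controls

    def rights_for(self, signer):
        if signer in self.revoked:
            return set()
        rights = set()
        for pattern, caps in self.entries.items():
            if name_matches(pattern, signer):
                rights |= caps
        return rights

    def may_run(self, signed, capability):
        """Allow only if the signature verifies under a known ID and that
        signer's name is granted the capability.  Unsigned, tampered or
        unknown-signer code gets nothing, whatever the ECL says."""
        key = ID_KEYS.get(signed.get("signer"))
        if key is None:
            return False
        expected = hmac.new(key, signed["code"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("sig", "")):
            return False
        return capability in self.rights_for(signed["signer"])


# The out-of-the-box ECL the post describes: anyone under /Org may do anything.
DEFAULT_ECL = ExecutionControlList({"*/Org": {"send_mail", "read_db"}})

# The tightened ECL it proposes: only the developers' OU, departed IDs revoked.
TIGHT_ECL = ExecutionControlList(
    {"*/Developers/Org": {"send_mail", "read_db"}},
    revoked={"CN=Ex Employee/OU=Developers/O=Org"},
)


def who_can_mailbomb(ecl):
    """For each known ID: can a mailbomb it signed send mail under this ECL?"""
    return {signer: ecl.may_run(sign(signer, MAILBOMB), "send_mail")
            for signer in ID_KEYS}


if __name__ == "__main__":
    print("default:", who_can_mailbomb(DEFAULT_ECL))
    print("tight:  ", who_can_mailbomb(TIGHT_ECL))
```

The revocation list is the part the post says Notes shops cannot avoid: narrowing the ECL to an OU does nothing about a developer who left with an ID under that OU, so the departed ID has to be listed explicitly as well.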
"Don't watch their movies", or at the very least don't go and buy DVDs, knowing that you are supporting a closed format.
Personally, I think the whole DVD/Linux thing (especially here on Slashdot) is rather silly. There seems to be this presumption that people have the "right" to consumer entertainment in 525-line resolution, and therefore they have some moral standing to use DeCSS. Lots of twisty arguments about "Fair Use" and "Reverse Engineering" get posted here, apparently just so DeCSS users can morally justify themselves.
It is just far more respectable to stand up and say I don't watch DVD movies because I don't like the licencing terms.
Or if you can't say that: I illegally use DeCSS to watch DVD movies because I don't give a crap what the MPAA and the Government thinks. In fact, I might start making copies of DVDs as soon as the tech appears.
Either of those positions are more admirable than the bogus moral middle ground that folks try to stake out. --
You honestly believe that a Linux program that you executed could not get your address book (grep) and send mail (mail)?
Thanks for the object example -- the Linux version of ILOVEYOU is coming sooner than anyone expects. --
VBScripting is another thing. Why, oh why does MS even include this mess?
The VBS virus could be trivially modified and compiled into an EXE with VisualBasic. Getting rid of the Windows Scripting Host would do nothing to solve the problem except raise the entry bar by about 2 inches. Besides, I thought it was the "UNIX Philosophy" that scripting was a good thing...
The real problems here are
(1) As you say, hidden file types on a platform where the file type determines the OS's handling of the file. This, however, can easily be fixed via policy by a MCSE with half-a-clue (rare, I know...) in about 15 minutes.
(2) The fact that Outlook's exposed object model allows mailsending without security checks or user interaction. Compare this to Eudora, which warns you before any mail is sent programmatically; or Lotus Notes which requires a security check before performing such actions.
#2 can only be fixed by Microsoft. It's not the infrastructure (Windows, ScriptingHost, the 'Object Model' itself) -- it's just a stupid implementation detail.
And finally (3) IT departments really need to educate users about what an 'executable' is, and the fact that VBS, JS, CMD, BAT, and so on are examples of one.
--
Yeah, but for most people the Internet started at 28.8K and then went "x2" to 56K. Twice as fast, pages got twice as heavy, but still the same order of magnitude.
Anyway, it's a hellava jump from 56K to the 300K to 2M of broadband. And fortunately for us broadband users, the basic inequity between broadband and modem users is going to be a feature of the Internet for a long time. Broadband is only physically available in very small parts of the US, AOL still has 30% of the Internet users, and sites will still have to optimise for modem connections. (Furthermore, there are quite a few companies that believe that a "T1" is big-time bandwidth, even when shared between a hundred-or-so users.)
One can imagine a broadband-only site that runs MPEG movies instead of animated GIFs. Fortunately that's a long way off.
--
"Because they are counting on the people that are even too lazy to change channels."
More like the ad companies have done studies to figure out what percentage of the audience is paying attention (consciously or unconsciously), and that rate is built into the advertising cost.
That's one reason ad time is so expensive on the Super Bowl: people actually go out of their way to watch the commercials.
--
I don't know where you got the idea that MS Outlook has the most market share. In the corporate market, for example, Lotus Notes/Domino has twice the seats of Exchange/Outlook.
It is true that Outlook has a lot of installations, because it comes free with MS Office, but nobody knows exactly how many users it has. However, as far as I know, nobody prepares market share figures for POP/IMAP clients.
This discussion has turned into a gigantic flamefest, which I'm trying to stay out of. I'm just trying to point out that the Microsoft swagger projects the assumption that all of their products are the most popular and the de facto standard, even when that's totally untrue. It's important not to drink that Kool-Aid, even if your bread-n-butter is MS products.
(Although, I agree with your point - a local script could do something similar with almost any mail client, with the exception of Lotus running under a tightened configuration.)
--
Excel, when it shipped for the Macintosh in 1985, pretty much defined how a GUI spreadsheet should be done. Even though it might seem obvious now, when you look at abortions like 1-2-3 R3's pseudo-GUI mode with its horrid mouse functionality, Microsoft pretty much hit the nail on the head right off.
Early versions were ported from the Mac to Windows, but MS found that they had to include a Windows runtime for anyone to buy it (because nobody would buy Windows on its own). With Windows 3.0, they discovered the key idea to their current business model -- give away Windows for free (just put WIN in the autoexec!) and make the money back on the robust, highly developed GUI apps they had ported from the Macintosh.
Meanwhile, Lotus, which had abandoned GUI development with Jazz for the Mac (1985), had to figure out how to adapt 1-2-3 to a WIMP environment. It took them about 3 tries to get it right, and by that time Excel was the 'standard'.
Trying to argue that Excel beat 1-2-3 by "bundling" is silly. They had a better product, at least in a GUI environment (which most people seem to like). Plus it was half the cost of Lotus 1-2-3 in the early 90s. Microsoft has shut out other vendors like Corel and Lotus from bundling agreements with OEMs, but most Excel and Office sales come from customers paying full freight.
--
The slashdot under load behavior I've observed goes like this:
1 - Click on something
2 - Long hang (up to 30 seconds)
3 - Network light starts flashing on the front of my machine (fairly quick DSL connection)
4 - IE spikes the CPU rendering the page. (Netscape 4 just hangs for a long time here with small CPU spikes.)
5 - Page appears
So, the drag seems to be either the database or the PL script which renders the page. Apache is filling the network pipe, and rendering on the client end is quick with IE or Mozilla.
One thing to note is that Slashdot stories pretty much go from 0 to 200 comments in one hour. That's quite a few updates locking the mySQL tables, during which time all SELECTS are blocked. (That is, if I understand the critique of mySQL correctly.)
This is probably an oversimplistic view of how slashdot works, and I know I could get the code and look to see where the hotspots are. But, from the outside, the DB layer looks to be the slow spot.
--
OK, I'll bite -- If there's something wrong with Windows itself, why don't any of the other 2000 Windows MUAs have these problems? Why is it always Outlook or Outlook Express?
Surely you don't think the problem is the scripting host? After all, scripting engines are supposedly what make Unix so great.
I think it's clear what the real problem is -- Idiots in Microsoft's applications groups.
--
See RFC 2110: MIME E-mail Encapsulation of Aggregate Documents, such as HTML (MHTML) for a description of Microsoft's Web Archive (*.mht) format. Note that Netscape and other programs support this already, they just do not support saving the MIME document as a single file on your system.
The compiled help format is something different.
--
Note that even a properly permissioned NT system could have problems. The user would be able to write to his/her own IE and Outlook settings, and the personal startup folder, as well as the personal \Run keys in the registry. It's pretty much impossible to firewall a user against him or herself.
But, as you mention, it's an "Outlook" problem, not a "Windows" problem. Not only does Outlook allow a user to attack his/her own files/regkeys, but it also allows a mere user to unwittingly launch a DoS attack on the mailserver and other mail users (which is the *real* problem).
The only solution is execution control in the e-mail client. Either do it the Unix way (don't execute anything), or the Lotus way (require digital signatures, which are a transparent part of the system). But don't do it the Microsoft way (execute lots of stuff without regard to where it came from, because it's 'easier' for some WordBasic programming slob.)
I'm glad that you addressed the issue in detail -- there are all too many fscking moronic posts on this issue assuming that Unix is immune because it has sensible file system permissions. The truth is that a mythical Outlook-on-Unix user would be just as screwed as the Windows user.
--
The possibility for Notes attacks is pretty much limited to 'internal' users. The default Execution Control List (ECL) allows any member of your /Org to run pretty much any script on your machine.
So I could write a Notes mailbomb, encapsulate it and the proper /O signature into an SMTP message, and mail into my former place of work. Blammo.
The best solution (I can think of) is to create an OU such as /Developers/Org, put all of the developers there, and only grant them access in the Domain ECL, and then make sure that *everything* is properly signed. This would limit normal users to some extent, but normal users really don't want this sort of macro functionality anyway.
The one big hole in this scheme is that it allows former users to continue to run scripts after they have left the company. (Having old IDs 'in the wild' is pretty much inevitable for Notes shops.)
Making things worse is the fact that there's lots of sensitive information in Notes systems, so tactics such as these would make wonderful industrial espionage devices. (One well crafted PostOpen event sent to the Director of HR could lead to the entire Salary database ending up in my Hotmail inbox.)
Right now Exchange/Outlook shops are pretty much limited to mail/calendar/discussion applications. But, Microsoft is building a more compelling groupware infrastructure on top of Exchange and Office. If anything, ILOVEYOU proves how easy it would be to conduct espionage activities against such shops -- just mail in an HTML message with an OLE Automation script embedded.
--
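Added example (not from any post in this thread, and not Lotus or Microsoft code): a toy model of the three execution-control models contrasted above (the "Unix way", the "Lotus way" with an ECL keyed on the signer's hierarchical name, and the "Microsoft way"), including the tightened /Developers/Org ECL and the departed-user hole the Notes post describes. The organisation "Acme", the user names, and the `revoked_ids` list are constructed; signatures are modelled as a verified/unverified flag rather than real cryptography.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class SignedScript:
    """A script arriving in mail, with the signer's Notes-style hierarchical name."""
    body: str
    signer: Optional[str]          # e.g. "Ann/Developers/Acme"; None if unsigned
    signature_valid: bool = True   # modelled result of signature verification

@dataclass
class Ecl:
    """Execution Control List: ordered (name pattern, allowed) rules, first match wins.
    No match means deny. revoked_ids closes the 'old IDs in the wild' hole."""
    rules: List[Tuple[str, bool]]
    revoked_ids: Set[str] = field(default_factory=set)

    def allows(self, signer: str) -> bool:
        if signer in self.revoked_ids:
            return False
        for pattern, allowed in self.rules:
            if fnmatchcase(signer, pattern):   # '*' also spans '/' separators
                return allowed
        return False

def may_execute(policy: str, script: SignedScript, ecl: Optional[Ecl] = None) -> Tuple[bool, str]:
    """Return (decision, reason) for a mailed script under the given policy."""
    if policy == "unix":        # never execute mail content at all
        return False, "mail content is never executed"
    if policy == "microsoft":   # execute regardless of origin: the behaviour ILOVEYOU abused
        return True, "executed without regard to origin"
    if policy == "notes":       # execute only signed code whose signer the ECL trusts
        if script.signer is None or not script.signature_valid:
            return False, "unsigned or signature does not verify"
        if ecl is None or not ecl.allows(script.signer):
            return False, "ECL denies " + script.signer
        return True, "ECL permits " + script.signer
    raise ValueError("unknown policy: " + policy)

# Constructed sample ECLs for an organisation named Acme.
DEFAULT_ECL = Ecl(rules=[("*/Acme", True)])                  # any member of /Acme may run scripts
TIGHT_ECL = Ecl(rules=[("*/Developers/Acme", True), ("*", False)],
                revoked_ids={"Carl/Developers/Acme"})        # Carl left; his ID is still out there

if __name__ == "__main__":
    for who in ("Bob/Sales/Acme", "Ann/Developers/Acme", "Carl/Developers/Acme"):
        print(who, may_execute("notes", SignedScript("...", who), TIGHT_ECL))
```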
"Don't watch their movies", or at the very least don't go and buy DVDs, knowing that you are supporting a closed format.
Personally, I think the whole DVD/Linux thing (especially here on Slashdot) is rather silly. There seems to be this presumption that people have the "right" to consumer entertainment in 525-line resolution, and therefore they have some moral standing to use DeCSS. Lots of twisty arguments about "Fair Use" and "Reverse Engineering" get posted here, apparently just so DeCSS users can morally justify themselves.
It is just far more respectable to stand up and say I don't watch DVD movies because I don't like the licensing terms.
Or if you can't say that: I illegally use DeCSS to watch DVD movies because I don't give a crap what the MPAA and the Government thinks. In fact, I might start making copies of DVDs as soon as the tech appears.
Either of those positions is more admirable than the bogus moral middle ground that folks try to stake out.
--