Here in California SBC is getting sued by EarthLink for DSL customers getting a message that all lines are full when they tried to sign up on the EarthLink web page then getting a call back from a SBC rep trying to sign them up with SBC instead. (EarthLink had to connect to telco computers to check for available trunk lines.)
I guess it goes both ways. When I was ordering DSL for my apartment in Los Angeles, Verizon claimed up and down that DSL wasn't available for my address. But Speakeasy got it hooked up, no problem.
Have you done a quantitative assessment of this feeling that Moz is big or slow?
Yes. I've implemented a web grid-view component that runs solely using DHTML orchestrated by a JavaScript object. The component is capable of showing a grid with literally millions of lines of data, since the display algorithms I use are O(1) with respect to the data set size and O(xy) with respect to the visible size of the grid on the page. This is done by dynamically creating/modifying/repopulating a table which is absolutely positioned within an overflow:clip DIV to give the appearance of a small view into the bigger dataset. On top of that is overlaid an overflow:auto DIV with a transparent DIV inside that is sized by calculation of the number of rows and columns in the dataset, in order to present scrollbars to the user where the scrollbar thumbnail is sized appropriately. I went to great pains to make sure it works in both IE and in Mozilla.
The component, without any data attached, but set to think it has a dataset of several thousand rows and several hundred columns, when maximized to fill my 1280x1024 display, can update the display for each scroll in 70ms in Internet Explorer. On the same system, under the same conditions, even running a slightly different code path in order to make use of Mozilla-specific performance boosts, it updates in 180ms. In IE, it's usable but feels a little chunky -- in Mozilla, it's so slow to the point where grabbing a scrollbar thumb and dragging the view is not practical.
These times were calculated by loading the page in question, scrolling the view from top to bottom to top using the Page Down and Page Up keys, allowing the system to settle, then doing the same operation, having JavaScript measure the amount of time each update took to scroll from top to bottom to top again, then averaging the times.
(For what it's worth, a .NET-based implementation of the component which can be used directly in IE 5.5 and up in a completely secure fashion, the update times with data population are less than 10ms. This is why I've been wanting Mozilla to support the use of .NET components via the OBJECT tag, like IE does, but that's mostly a pipe dream since I don't realistically think it's ever going to happen.)
In this real world example, using code that's actually being used in a web-based intranet application, Mozilla's performance is more than 200% that of Internet Explorer. Depending on whether I can convince management of the potential benefits of doing so, I might be able to release the actual code used in this test some day. I'd really like to see Mozilla improve, I've certainly been giving it the old college try to the point of spending more time on testing with Mozilla than I really should, but this is just one in a long string of problems with Mozilla I've run into that would block it from being rolled out as our platform of choice.
SVG will turn out to be a disaster in IE, making sure everyone in 2007 is still stuck using JPGs and GIFs.
IE supports VML... the W3C's predecessor to SVG. In fact, I was often bewildered that Mozilla didn't at least provide marginal support for it.
By then IE will have integrated .NET ( Or some other half-assed scripting language. ) scripting abilities tied into the browser to replace the now obsolete potential ActiveX vulnerabilities.
IE 5.5 and higher support .NET integration on the client side, fully tied into .NET's robust security model. I [b]really[/b] wish Mozilla would support it, on Windows at the least, and with Mono/DotGNU on other platforms -- though, with the dependency on Windows Forms, I could see why they wouldn't do cross-platform with it.
You can, however, create new AppDomains. Then destroy them.
Which is incredibly slow and limited, since you can only pass data between AppDomains if the data is serializable, which means no passing filehandles, sockets, API handles, or the like -- and then you encounter the overhead of having to serialize/deserialize it, which is considerable.
Is there anything the MONO team can do to improve support for dynamic languages?
Mono, today, actually would support dynamic languages better than Microsoft's framework, since they implement the DynamicMethod class, which Microsoft fully documents in their Longhorn SDK documentation, but won't actually be released until .NET 2.0 comes out.
The DynamicMethod class allows you to load a method into memory for JITting and execution, and preserves the ability for you to unload that code from memory, which you can't do with full-fledged Assemblies, even those generated via Reflection.Emit -- in .NET, once an Assembly is loaded into memory, it stays there until the AppDomain quits.
Yes, it is. We even have a term for it: "breach of contract."
A contract can never strip you of certain rights guaranteed to you, even if it specifically outlines you as giving them up. Fair use is one of those rights as recognized by the courts.
However, if you read those stories about PayPal scamming you will say that PayPal has a nice record of unkept promises.
You can find websites that claim the same about any company larger than a certain size. I've used Paypal since they were still X.Com, I've processed thousands upon thousands of payments through them, and I've had no more trouble with them than I have from any brick-and-mortar bank I've dealt with.
There are two sides to every story -- keep that in mind when you go to paypalsucks.com and read the stories about how PayPal "screwed" the always "completely innocent" complaint filer.
Well, email viruses can still exist, though, since your email client has access to all the functionality needed to look through an addressbook and send mail out.
Exactly. And the OS has absolutely no way of knowing that a certain program (your email client) should not be sending email due to a certain condition (a script embedded in a message). Operating systems just don't have that much insight into the process's functionality -- and they shouldn't either. Imagine how big the kernel would have to be to implement detailed security rules for every type of application you might ever want to run on it!
NX is not a silver bullet to eliminate all exploits -- and not even Microsoft is trying to paint it as such. It is, however, a very effective solution for dealing with a very specific (and, in practice, common) type of exploit.
Create a login script to reapply the necessary security settings (WMI/VBScript) each time a user logs in. You might only need it every reboot, but the user has to log in after a reboot, so this approach should cover all the bases.
IP Filtering isn't even in any obvious place. It doesn't have a link from the Control Panel. Doesn't have one from Modems, or Network Connections, nothing.
If you go into Network Connections, pull up the Properties page for an adapter, click on the TCP/IP binding and click Advanced, you'll be able to access the IP Filtering UI from there.
Admittedly, it's not simple, but Windows 2000 is not an operating system that was intended for home users -- it doesn't have to be simple enough for grandma to do in this case.
Hmm I may be totally wrong here, but ain't this NO EXECUTE thing a responsibility of the operating system?!?
Unless it's Palladium, the operating system doesn't care what's running in user space beyond what it needs to know about to ensure operational integrity. A buffer overflow in an application doesn't compromise the OS, it compromises the application -- and even if it wanted to, the OS likely wouldn't even be able to tell with any reliability that something illicit was happening in the process. The NX flag is a way of letting the OS know how to know if things go sour.
No one should ever do 100s of hours of work between backups. If someone does it indicates either that they really don't care if they lose it or that they're stupid.
So why bother with this security stuff at all, then?
Sure there is. With software, and indeed with most all digital media, the scarcity is in the production -- not the duplication.
Saying that software/music/movies should be free because it's so easy to copy that there's no limited supply is ignoring the whole reason the founding fathers put copyright protection in the Constitution in the first place.
We have DRM'd music, what about Public-Private Key Encrypt'd music? Won't it ultimately come down to that, where the keys are owned by a company and you have to be connected online to listen to your music?
Won't matter. Either the key has to be sent to you for you to decrypt your music, which means it's being stored in memory during the decryption, which means it can be snagged out of memory; or the decryption is done on their servers and the decrypted music is streamed to you, which means you're getting a decrypted stream you can just rip and save.
Someone correct me if I'm wrong, but I think the big hangup in adoption at the moment is mod_perl. mod_perl 2.0 is supposed to fix that but it's still under development at the moment.
mod_perl 2.0 is still technically in development (1.99_04 is the latest version), but I've found it stable enough to use in production, and have been without problems for quite some time now.
It's a little crufty, especially around the (almost necessary) libapreq2/Apache::Request library, and as far as API documentation goes, but if you're familiar with mod_perl 1.x, it's not that different.
Prefork MPM assumed, only a madman would run on the worker MPM.
This morning I woke up, ordered the sun to rise, and it rose high into the sky. The only possible conclusion is that I am the most powerful man in the world.
Utter nonsense. You're only the most powerful man in the world if you can make it stay in the sky... until then, I will continue to prove you as inferior by commanding the sun back down out of the sky!
If you're comparing Apache to IIS, you'll need to combine Apache, wuftpd, NFS, CUPS, and Sendmail's bug counts, since you'd need to use all of those software packages to meet feature-for-feature with IIS.
Of course, if you've properly configured IIS to be only a web server, it has a bug count competitive with Apache's. Of course, let's not let such minor details get in the way of a good Microsoft bashing session.
WTF's this LSASS.EXE process running as SYSTEM, and WhyTF is it listening to port 445, and HowTF do I shut it down?
Answer: "Some sort of weird Microsoft shit, I don't know, and there's no way to kill it - in that order."
NT is a microkernel. The various APIs that applications use are implemented by regular processes running under it (CSRSS, for example, implements the Win32 API). LSASS implements most of the security infrastructure of the system. The reason you can't kill it through the Task Manager is because it's providing services to every other process running. (Actually, if you use a third-party process monitor, you can easily kill it, but your machine will hit a STOP error as soon as you do).
In many ways, this design is regarded as superior to the Linux kernel's design; unintended bugs notwithstanding.
No, no receipt should be kept correlating specific, identifiable voters and their votes. That leads to the situation where companies could 'encourage' employees to vote in a specific way.
That's exactly what I said. :) Most pencil-and-paper voting techniques today involve going into a booth, marking your votes, sealing your ballot, then coming out of the booth to drop it into a ballot box. The suggestions for a paper trail with touchscreen voting have been related -- make your votes on the screen, get a printed form to go drop into the ballot box.
Swapping it around a little bit would make it better -- fill out your ballot manually, and use the scanner in the booth to check that your votes were read correctly. The scanner in the booth would keep your ballot, so that you couldn't "forget" to drop it in the ballot box on the way out.
The security problem is that people will see your ballot and match it to your face. If it spits out a ballot that's got errors, they can see who *you* voted for. That's the problem.
I don't see any reason that last step of the process (scanning and verifying your ballot) needs to be public. Go into a voting booth, fill out the scantron form, stick it into the machine in the booth, verify the results on the screen, and if they're correct, the machine keeps your ballot, otherwise it gives it back to you.
Sounds like an even better solution than having a touchscreen voting machine print off a receipt to stick into a ballot box outside the booth, since this way you're certain that every vote the machine counted is in the physical ballot box.
He was using Windows 2000. It doesn't have a firewall.
It has IP Filtering, which can be used to shut off all network communication to affected ports.
they will almost certainly NOT accept source from other people
They have for their other project on SourceForge -- I don't see why you think this one would be any different.
An open source search engine is a great idea! I'll know exactly how to exploit the ranking algorithms to position my pages as #1!
The only trustworthy source of any public beta software from Microsoft would be a website in the form of "http://*.microsoft.com/*"
You should be a little more careful with your regular expressions:
http://www.warez.com/not.microsoft.com/o2k4.zip
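Why the glob in the post above is not a safe test, as an added example in JavaScript that is not from the thread: the first function turns "http://*.microsoft.com/*" into the regular expression a quick check would use and shows that the warez.com URL passes it, because "*" also spans "/"; the second parses the URL with the standard URL constructor and decides on the hostname alone, which is the check a defender wants. The function names and the sample URLs other than the two from the thread are constructed for this example.

```javascript
// Added example, not from the thread. Turn a shell-style glob such as
// "http://*.microsoft.com/*" into a regular expression the way a quick
// check typically would: every "*" becomes ".*", everything else is literal.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\\/]/g, '\\$&')   // escape regex metacharacters
    .replace(/\*/g, '.*');                     // "*" matches anything, "/" included
  return new RegExp('^' + escaped + '$');
}

const NAIVE_PATTERN = globToRegExp('http://*.microsoft.com/*');

// The check as the glob implies it: a textual match over the whole URL.
// Because ".*" happily spans "/", the host part is never actually isolated.
function naiveIsMicrosoftUrl(url) {
  return NAIVE_PATTERN.test(url);
}

// The check a defender wants: parse the URL, then decide on the host alone.
// Anything the parser rejects is treated as untrusted.
function strictIsMicrosoftUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  // new URL() already separates userinfo, port and path from the hostname,
  // so "user@host" and "/path/that/looks/like/a/host" cannot leak into it.
  const host = parsed.hostname.toLowerCase().replace(/\.$/, '');
  return host === 'microsoft.com' || host.endsWith('.microsoft.com');
}

// Constructed sample URLs (not real download locations) run through both checks.
const SAMPLE_URLS = [
  'http://www.microsoft.com/downloads/o2k4.zip',       // genuine host
  'http://www.warez.com/not.microsoft.com/o2k4.zip',   // the thread's counter-example
  'http://www.microsoft.com@www.warez.com/o2k4.zip',   // userinfo before "@": host is warez.com
  'ftp://ftp.microsoft.com/o2k4.zip',                  // right host, wrong scheme for this policy
];

function evaluate(urls) {
  return urls.map((url) => ({
    url,
    naive: naiveIsMicrosoftUrl(url),
    strict: strictIsMicrosoftUrl(url),
  }));
}

console.log(JSON.stringify(evaluate(SAMPLE_URLS), null, 2));
```

The general lesson is the one the reply makes: a host-of-origin decision has to be made on the parsed hostname, never on the URL as a string, because every other component of a URL can be chosen freely by whoever built it.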
So there is no scarcity.
Apache has demonstrated this is simply false.
We'd either have to export animation overseas
Hasn't The Simpsons' animation been done overseas from the start?