Some are moving that way already. The botnet developers are beginning to realize the monetary value of their little operations, and are moving to protect their investments. There has been enough published crypto that these guys can basically drop in a secure signalling system. And one of the botnet researchers has said some are already using encrypted channels.
Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.
The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!
Re:Botmasters will switch to distributed C&C
on
Meet the Botnet Hunters
·
· Score: 2, Interesting
Maybe [...] they should alert the proper athorities (in each country involved) and see if they can get enough information to make an example of them. I doubt it would take more then a couple dozen prosecutions with maximum penalties to discourage the vast majority of these net operaters form trying it in the first place.
From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating outside of the USA.
Many of these operators work out of countries that have police who can barely keep up with the local street crime. Their police certainly don't have time to worry about some rich guy's PC in the USA. And given the current state of dislike for the U.S. that's found across the world, it's possible the local police would refuse to cooperate with an American investigation.
And if they do say they'll cooperate, chances are not bad that if one of these officers was tasked with busting someone running a botnet from a cafe, they'd say "I hear you're hacking PCs in the USA and made $10,000. For $5,000 I'll let you know if Interpol starts asking about you."
I tried your solution long ago, but it's unworkable in practice.
Firefox's cookie manager is close to useless once the list has more than a handful of cookies in it. It's sorted alphabetically by then name of the host that issued the cookie, which is often unrelated to the name of the site you're at. Let's say you wanted to whitelist your cookie from xfire. Would you look for that cookie under "x", for xfire.com? Or "w", for www.xfire.com? Would you believe "d" for dcs.xfire.com? Yeah, that's intuitive.
Cookie Button (and there are other similar extensions, I seem to recall playing with Add'n'Edit Cookies, too) makes it easy. That's the whole idea behind extensions -- if someone doesn't like something, they're free to write a replacement that they think is better.
I found noscript to be a pain in the ass. It killed a lot of sites' menuing systems, and pretty much got in my face too often. It became as bad as the nuisances I was trying to block. AdBlock is much nicer -- if an ugly flashy site makes me want to kill stuff, then I do it. If they leave me alone, I pretty much reciprocate.
I have taken to AdBlocking virtually every site that delivers third party scripts. I started out blocking just the annoying ad scripts, but I'm now blocking falkag, google-analytics, interclick, scripps, sageanalyst, adsonar, statcounter, sitemeter, feedburner, tribalfusion, linksynergy, atwola, imr-worldwide -- virtually any third party site script I encouter, and specifically sites that are trying to track eyeballs.
Sure, I have to go look at AdBlock to see if there's a script to kill, but it usually works out that sites that have an in-your-face advertisement also have a set of scripts. So in the bin they all go, with the bonus that blocking the tracking scripts from the ugly sites blocks them from the good sites, too.
Then this extension is for you. Cookie Button adds a widget you can place in your toolbar (I placed mine next to the reload button) and it features a drop-down menu with four choices: default, reject, accept session and accept always. I already have "third party" cookies disabled, so it only has to control cookies delivered by the main page.
I run with "prompt always" too. I differ from you in that for the most part I reject all cookies by default, unless it's a forum or some place I'm interested in creating or maintaining a longer-term relationship. Occasionally I'll be too quick to say no, and Cookie Button makes it darned easy to go back and reenable them. Firefox's cookie manager is horrible to navigate -- it's virtually unusable after you've built up a list of a thousand different sites that you've rejected or accepted at some time in the past.
That's why I subscribe to Slashdot. I like the site (usually) and I want them to stay in business, but their ads got blocked just as much as anyone else's. I'd been running the Proxomitron for many years, and just recently switched to AdBlock for my full-time blocking needs (right-clicking is quicker than editing a text file.)
Even if the/. ads were more muted or more relevant than most, at least some of them were flashy-blinky things, so out they all went.
A first-party cookie in a frame hosted by a third-party advertiser. Let's say that hungry4revenue.com has an ad supported page. They include a reference to a frame hosted by ads-r-us.com. The URL to the ads-r-us.com frame would have a tag that ads-r-us would decode to host a link to a special "cookie image" on the hungry4revenue's site.
Now, another link on the main page from hungry4revenue.com can query that cookie. Technically, it's still a first party cookie, because it was placed there by hungry4revenue.com's server. If it's rejected, they redirect you to a "Sorry, you are rejecting cookies from us and/or ads from ads-r-us.com, and that's how we pay for this site. If you really want to view our cool stuff, please reenable them."
At this point, of course, I'd personally say "no thanks, your stuff isn't that cool" and move on.
I personally rely on the stupidity of the web-surfing public to not install ad blockers on their machines.
Remember, no web site ever went broke underestimating the stupidity of the American public.
Even if every geek out there installed Firefox and AdBlock, that leaves 80+% of the machines belonging to the great unwashed masses who can punch all the monkeys they want. As long as Joe Sixpack is out there generating eyeballs for these sites, I'm going to free ride the whole trip.
Besides, I figure I'm just saving Doubleclick the bandwidth. It's not like I've ever purchased anything at all from an on-line ad, targeted or not. All my purchases have been driven by me, through Google/Froogle searches, pricewatch, Amazon, ebay, etc. I do not follow ad links.
Yeah, I agree that Windows having different handles for sockets vs. files is bad (and clumsy.) And yes, I've often thought they maintained these incompatibilities just to keep code non-portable away from the Microsoft platform. But their libraries such as MFC and ATL already go a long way towards that end.
But assert() does indeed allow you to break into the debugger, as long as you've compiled with the debug version of the C runtime libraries. As a matter of fact, the debug version of assert() pops up a message box allowing you to choose Abort, Retry, Ignore. Also, don't forget to hit F12 to break into the debugger at any random time, like if you need to check the call stack to figure out how the hell you got to that weird message box:-)
If you're interested in further debugging tools in the language, the _Crt* family of functions is really useful. If you discover a repeatable memory leak, for example, _CrtSetBreakAlloc() can set a breakpoint on the allocation that caused it. (You can even run this in "immediate" mode in a watch window, assuming you haven't passed the allocation that's burning you.) Don't get me wrong, it's nicer to have DevPartner than to have to code up a special test function call, but it never hurts to have more than one tool in the toolbox.
Not that I want to take away from your unhealthy Mac worship:-), but I thought I'd mention that XP does support both Alt-Tab and Shift-Alt-Tab for moving right and left through the task list.
I think the rest of your points are more personal preferences that work well for you -- I dislike the single menubar interface, for example. And have found very few tasks that I couldn't write in command shell language that I could write in ksh, csh or bash. They may be a bit less elegant (ok, a sh!tload less elegant:-) but most things are still possible.
(My biggest hangup in the command shell is the lack of the back-quote execution, particularly in the SET command, where you can assign a shell variable to the output of a program. The only workaround I've found so far is that I can perform command execution inside a FOR statement, and assign the output to the FOR iterator. But that's a crock.)
A few comments: First, you make an excellent point about Sony wanting to protect their pointstuff. I imagine that the company internal newsletter reads something like
"MUSIC PIRATES ROBBED YOUR 401K OF 10% THIS YEAR!" So yeah, they'd want to stop it.
Next, it wasn't even Sony employees who came up with the rootkit solution. It was an external company who sold it to them. I'm betting with you on this one, that most folks at Sony did not even understand the implications of what they had purchased -- they just bought a new "high-tech" protection system that hid itself.
However, I disagree with your last assertion. The protection scheme consisted of two parts, one of which was exactly the definition of a rootkit -- software that surrepetitiously modified the OS to hide its existence from everyone, including the OS itself. The installer even installed the rootkit prior to the acceptance of the EULA, and didn't uninstall if the EULA was not accepted. Calling it a rootkit brings in exactly the correct connotations. You should be absolutely outraged if you find it on your computer, and you should be appalled at a corporation that stoops to not only stealing part of your computer from you, but opens your computer up to other security weaknesses.
Sorry, but I have to disagree with the "intuitive interface" statement, at least with respect to their digital camera line. Their menu systems are among the worst that I've ever had to use.
But yeah, their remote controls aren't too bad (a bit Sony-centric, but that's to be expected.) And their TV pictures are pretty good.
I gave up liking Sony products after my last CD/DVD player purchase. The player did not support VCD / SVCD, Picture CD or any other home-burned formats that had already become commonplace at that time. They have simply been heading in the DRM direction ever since before the MiniDisc came out, and I've frankly had it with them. The rootkit was the last straw -- I've completely stopped buying Sony anything, and when friends and family ask me to help buy their equipment, I'm even steering them away from Sony.
I certainly am not arguing that Microsoft has created swiss cheese in the past. Their track record is long and ugly.
What they're doing with.NET is making the sandbox completely policy driven. Let's say that a trojan in a Word document sends a bunch of spam emails. The administrator can specifically turn off the permission to "send email from application X" or "send email from any application other than Outlook" or "require human confirmation before sending email from any application other than Outlook."
So that's the rose-colored glasses view that they're selling to companies.
Reality is likely to be a bit different. The Microsoft people I've talked to have shown no ability to differentiate between "security policies" and "computer security". They run around and say "if you change John's logon to prevent him from using DCOM to sending emails he can't get a spammer worm." That's a policy. The worm, of course, isn't going to care about DCOM. It doesn't stop the worm from opening a socket to the local SMTP server and writing "from: spammer@cheapdrugs.com / to: spammee@unlucky.net".
This is an attempt by the more security-wise OS teams to impose restrictions on the security-unwise application teams. It certainly can help reduce the problem -- if it's adopted. But the adoption will come with a price. DRM gets to be a policy, just like security. I'm saying "no" to Vista until I see what can be turned off.
There are different levels of.NET safety. Only "pure" code is considered safe, and that's code that is 100% MSIL. Calling the Win32 API via any mechanism other than through the framework class libraries, or linking any native x86 code will result in your assembly not being compilable as pure. Any "back and forth" between MSIL and x86 or "unsafe" practices such as pointer math is verboten.
The deal with MSIL is that they run it through a verifier. Only things that have appropriate permissions can do restricted stuff -- your company might want a policy that prohibits you from writing to any folder other than "My Documents", for example, and they may prohibit any code existing in "My Documents" from being executed. No more spyware, no more browser-based attacks. Assuming it's all verified.NET code, that is.
[ warning: descending into speculative anti-MS, anti-.NET rant here ]
Once enough of the business world has their code ported to.NET, MS intends for Info Security groups to swoop through corporations turning on all these wonderous restrictions that will keep the corporate computers safe. [ *cough* ]
Well, that's their plan, anyway. It goes hand-in-glove with the TCPA and unTrustworthy Computing. Ultimately only pure code will get signed, and only signed code will be allowed to run. Oh, and while they're at it, only official, currently-licensed copies of Word, Excel, Office, Outlook, etc., will be permitted to run. Have you tithed Bill this month? Well, let's just check the records before we let you go running Word now, shall we? Hmm... that copy of Access looks like it's about to expire. You might want to have your boss pay the license bills a little quicker next month.
From what I saw on the site, they claim Al Sufi described over a thousand uses for an astrolabe.
I'm thinking there was a lot of repetition there. I have one and I have figured out maybe a dozen or two, tops. I wonder if he isn't claiming different "targets" as different "uses". Perhaps his descriptions run along the lines of these:
Measure the height of a tree.
Measure the height of a wall.
Measure the height of a tower.
Measure the height of a man standing next to a tower.
Seriously, though, there certainly are many unique uses, although I have to believe most of them involve only using the alidade as a fancy protractor. Very few involve the rete -- time and direction being pretty much it. (Although I suppose he probably figured out how to use the stars as reference points for indirectly measuring angles between horizontal objects.)
We use it for "normalizing" images. We have a device with a fixed resolution and some pretty severe limitations on the sizes, resolutions, formats, etc., of images we can send to it.
The original developer had his "submit image here" web page load the image into some Windows "object" format, and then do a bunch of tests, like 'reject if is it > 500 pixels wide' and 'warn if color depth > 2' and 'reject if not.BMP format'. But this is horrible for the users -- they may not have the image in the required format, and some won't have the knowledge to get it into the format we require.
I told him to just inline imagemagick's convert function, and output the exact format he requires. The sanitization is now very simple: if imagemagick can read it and successfully convert it to the desired format, it's good. That means we don't even have to tell our users to use.BMP or.GIF or.whatever -- if they can get us an image in a format recognized by imagemagick, we can use it. We've published guidelines that say "if you make your image conform to such-and-such attributes, our output will be as good as we can possibly make it." We're not promising an image that is horribly tortured by Imagemagick will print as well as they desire, but at least our app won't crash if they try to feed us garbage, or try to blow us up with a 10MB.TIFF or.WMF.
To be honest, I have only had to insulate cold water pipes. When someone is showering, they get cold enough to form condensation and cause drips. The hot water pipes, of course, don't have that problem.
There's a related feature you'll find on upper end plumbing, too, where they feed toilet a mix of cold and hot water. It keeps the tank from forming condensation after flushing.
Inductive water heaters can save a lot of money when the fuel to heat a traditional tank is very expensive. They don't offer enough flow for high volume applications, but they only consume energy when you are using the water.
Phone-to-entertainment system integration would be great! Imagine caller ID blinking near the bottom of the screen, and with the universal remote I could choose to answer it, foist it off to the answering machine, or just plonk it. If I answered it, the system's speakers would play the callers voice, and an in-room microphone would allow me to answer (or possibly a Bluetooth microphone mounted on the universal remote.)
I'd like to better synchronize my TV sets. Right now, I have a digital cable box/DVR for the HDTV, a ReplayTV decoding and recording the analog cable in the living room, a Hauppauge analog computer tuner tied to the cable in the computer room, and a straight analog TV in the kitchen. All four of them are starkly out of sync, usually by a few seconds. If all four are loud enough to hear simultaneously, it's like living in "Row, Row, Row your Boat" land.
( I have a Logitech Harmony 880 remote right now, and I love what it did for the HDTV setup. It's 100% wife friendly. As a matter of fact, it's 100% Luddite aunt-and-uncle friendly, too, so I bought one for them. I found the biggest advantage of the Harmony over the Pronto is the default setups are almost perfect out of the box. I hated having to train or hunt down.CCF files for every random device. )
If my wife liked background music more, I'd want a synchronized whole-house audio system. I'm a bit leery of the ethernet-based setups, as I was at a restaurant when one unit near us went out of sync with the others -- ouch.
I'd like my home heating system available via the web using my cell phone. I want to be able to go on vacation, and have the heat pump keep the house at a maintenance level while I'm gone, but allow me to check on it. Then, when I'm driving home (or at the airport or wherever) I can access it remotely to tell it "we're coming home now, bring up the heat (or bring on the A/C) and run the fan at full speed to stir up the air." I already have a brand-new fancy two-stage furnace and heat pump, with a house humidifier in the system. And I have a brand new very fancy setback thermostat to run it all, but it has no external communications capability (as far as I know.)
I'd like the security system to recognize when we've left. It doesn't have to know where we all are, but it should know when nobody's home and arm itself. As a matter of fact, a cell phone portal for the security system would probably work OK too, but wouldn't be as important. At least then I could check to see if I set the alarm or not.
In the kitchen, I currently have an LCD TV. It has input connectors for a PC, but because there is no good place in a kitchen for a keyboard and mouse, I don't have a PC there. A stowable keyboard might be an OK choice, but I'm thinking along the lines of a "video keyboard" like someone developed for the Palm platform. It consists of a laser diode with a mask shaped like a keyboard -- it projects a keyboard image via laser light. And it has a camera that watches for finger touches on the surface. Very clever, and would be perfect for a kitchen counter where cleanliness is always an issue. The keyboard laser could even be motion activated -- don't display the keyboard unless someone is standing in front of it, for example.
Oh, and I'd like to have a refrigerator / freezer alarm that would alert me if the temperature goes too high.
If I had a PC in the kitchen, it'd be nice to keep the grocery list on line, accessible via cell phone browser.
I have a washer and dryer in the basement. I would like to be able to know when the clothes are clean and dry upstairs, so I can go down and put the next load in. I'd also like to be able to find out how many minutes are left in the cycle -- there's an LED digital count down on the front of each, so the machines obviously know it.
I'd like to be notified when the water softener is low on salt.
The basement water alarm should be tied into the system, too, as should fire/smoke detectors, CO
This points out an interesting potential "defense" against these QoS premiums.
Right now the network companies enjoy "common carrier" status. If you download child porn, or transmit a virus to another person's computer, or even run a botnet, the network operator isn't responsible for your actions. You are, because the network isn't really equipped to censor all inappropriate messages.
Well, now Shaw Cable is saying "hey, look at this VOIP call, we think it's 'bad' data, so we're going to slow it down." Effectively, they're passing "judgement" over the bits they carry. Once they start doing that, they're no longer pure common carriers -- they're refusing to haul bits for the competition. And by doing that, they've shown that they have the ability to censor bad stuff. They may end up responsible for all of the crap that they allow to flow through their network. Do they really want to put themselves in that position?
All a defense lawyer has to do is say "well, Shaw, if you block VOIP, you must have pretty good blocking technology. Why don't you block these botnets, and worms, and viruses, and child pornographers, and terrorists, and all these other things that are much more important to our society? Don't tell me you can't, because you can obviously block things when it increases your profit." At that point, he drills the guy with "since you could have blocked Code Red but chose not to, your customers should line up to sue you for failing to protect them."
Of course, IANAL. But I saw one on TV once, and I'm pretty sure that's what he would have done in this case.
they're big enough to rewrite them in something standards-based, and at this point they've had plenty of warning that this would happen, and plenty of time to re-write away from the M$ crap.
Sorry, I live in the corporate world. We don't get out much. What do you mean by the crack about "standards-based"? Years ago, Gartner told us that "everyone" was writing these in ActiveX controls. Our on-site Microsoft consultants helped us write them. Microsoft Premier Support helped us upgrade by porting our web pages to ASP.NET. And we're running IIS 7.0 on Windows Server 2003. How much more standards-based can we get?
</sarcasm>
Seriously, your idea of what might happen in corporate America is pretty damn far from reality. Most of what passes for infrastructure architecture around here is stupid, blind following of Gartner research reports and on-site Microsoft technical consultants whispering ".NET would solve this problem" any time they're within earshot of a senior group manager or director.
The thought process is that companies like Gartner have fabulously expensive consultants who do all this "research" (*cough* surfing pcweek.com *cough*) and they must be right because we're paying them so much money.
And M$ is the answer, simply because that's our platform. Someone made a decision ten years ago to install M$. We have millions and millions of dollars invested in it. Good money after bad? Sure. Silk purses and sow's ears? Damn right. But NOBODY higher up listens when we tell them that it's a bad decision. And do you know why that is? Because we're successfullly making it do a lot already. To call it crap is to be wrong by example -- Microsoft platforms are carrying email, they're storing data, they're sending messages all over the place. Any director can see that today with their own eyes.
And they really, really don't want to be called "dumb" for having spent millions on a platform that could have been Linux for 1/10th the price. People who make decisions like that don't let those bad words enter their ears -- they shoot the messengers instead.
The emperor does indeed have fine clothes, tailored by Bill Gates, and they look very nice to me. Look, you can almost see the reflection of my paycheck in them.
We've seen that. I think it was the "Cheese" worm that was trying to come around and patch systems infected by the "Lion" worm. (Yup, confirmed, Google is my evil friend.) Noel Davis summed it up well: "These systems may have much greater problems than the Lion worm -- many more problems than another worm, no matter how friendly, can hope to fix."
I think you're missing some clues here. These certainly are not all "moms" computers. 40 of the machines that joined the botnet during the chat in TFA were State of Texas computers, sitting in some government office building somewhere.
Big organizations (large corporations, governments) use ActiveX in their web "apps" all the time for various software functions. Shutting off ActiveX might mean turning off their ability to fill out their time sheets, or request vacation days, or reenroll in their health insurance plans. They may use ActiveX for requesting cubicle moves, new phone lines, or to request a janitor come fix a stopped toilet.
Microsoft planted these dependencies very deeply and very deliberately, guaranteeing vendor lock-in. They're not going away just because of some security hole.
Others are using a "cellular" or P2P model -- instead of a central IRC-style server, the bots are chatting only with the PC that infected them. It makes rolling up a botnet and tracking it back to "node zero" very difficult.
The nice thing about the botnets (from the operators perspective) is the ease with which he can roll out updated software. Shadowcrew getting too close? New code time!
From what I've seen of the chat logs of these botnet operators (interviews, news articles, etc.) they typically don't speak English-as-a-first-language, which implies they're operating outside of the USA.
Many of these operators work out of countries that have police who can barely keep up with the local street crime. Their police certainly don't have time to worry about some rich guy's PC in the USA. And given the current state of dislike for the U.S. that's found across the world, it's possible the local police would refuse to cooperate with an American investigation.
And if they do say they'll cooperate, chances are not bad that if one of these officers was tasked with busting someone running a botnet from a cafe, they'd say "I hear you're hacking PCs in the USA and made $10,000. For $5,000 I'll let you know if Interpol starts asking about you."
But if a naked woman were to pop up in front of me, I assure you my woman would be there to block her. :-/
Firefox's cookie manager is close to useless once the list has more than a handful of cookies in it. It's sorted alphabetically by then name of the host that issued the cookie, which is often unrelated to the name of the site you're at. Let's say you wanted to whitelist your cookie from xfire. Would you look for that cookie under "x", for xfire.com? Or "w", for www.xfire.com? Would you believe "d" for dcs.xfire.com? Yeah, that's intuitive.
Cookie Button (and there are other similar extensions, I seem to recall playing with Add'n'Edit Cookies, too) makes it easy. That's the whole idea behind extensions -- if someone doesn't like something, they're free to write a replacement that they think is better.
I have taken to AdBlocking virtually every site that delivers third party scripts. I started out blocking just the annoying ad scripts, but I'm now blocking falkag, google-analytics, interclick, scripps, sageanalyst, adsonar, statcounter, sitemeter, feedburner, tribalfusion, linksynergy, atwola, imr-worldwide -- virtually any third party site script I encouter, and specifically sites that are trying to track eyeballs.
Sure, I have to go look at AdBlock to see if there's a script to kill, but it usually works out that sites that have an in-your-face advertisement also have a set of scripts. So in the bin they all go, with the bonus that blocking the tracking scripts from the ugly sites blocks them from the good sites, too.
I run with "prompt always" too. I differ from you in that for the most part I reject all cookies by default, unless it's a forum or some place I'm interested in creating or maintaining a longer-term relationship. Occasionally I'll be too quick to say no, and Cookie Button makes it darned easy to go back and reenable them. Firefox's cookie manager is horrible to navigate -- it's virtually unusable after you've built up a list of a thousand different sites that you've rejected or accepted at some time in the past.
Even if the /. ads were more muted or more relevant than most, at least some of them were flashy-blinky things, so out they all went.
Now, another link on the main page from hungry4revenue.com can query that cookie. Technically, it's still a first party cookie, because it was placed there by hungry4revenue.com's server. If it's rejected, they redirect you to a "Sorry, you are rejecting cookies from us and/or ads from ads-r-us.com, and that's how we pay for this site. If you really want to view our cool stuff, please reenable them."
At this point, of course, I'd personally say "no thanks, your stuff isn't that cool" and move on.
Remember, no web site ever went broke underestimating the stupidity of the American public.
Even if every geek out there installed Firefox and AdBlock, that leaves 80+% of the machines belonging to the great unwashed masses who can punch all the monkeys they want. As long as Joe Sixpack is out there generating eyeballs for these sites, I'm going to free ride the whole trip.
Besides, I figure I'm just saving Doubleclick the bandwidth. It's not like I've ever purchased anything at all from an on-line ad, targeted or not. All my purchases have been driven by me, through Google/Froogle searches, pricewatch, Amazon, ebay, etc. I do not follow ad links.
But assert() does indeed allow you to break into the debugger, as long as you've compiled with the debug version of the C runtime libraries. As a matter of fact, the debug version of assert() pops up a message box allowing you to choose Abort, Retry, Ignore. Also, don't forget to hit F12 to break into the debugger at any random time, like if you need to check the call stack to figure out how the hell you got to that weird message box :-)
If you're interested in further debugging tools in the language, the _Crt* family of functions is really useful. If you discover a repeatable memory leak, for example, _CrtSetBreakAlloc() can set a breakpoint on the allocation that caused it. (You can even run this in "immediate" mode in a watch window, assuming you haven't passed the allocation that's burning you.) Don't get me wrong, it's nicer to have DevPartner than to have to code up a special test function call, but it never hurts to have more than one tool in the toolbox.
I think the rest of your points are more personal preferences that work well for you -- I dislike the single menubar interface, for example. And have found very few tasks that I couldn't write in command shell language that I could write in ksh, csh or bash. They may be a bit less elegant (ok, a sh!tload less elegant :-) but most things are still possible.
(My biggest hangup in the command shell is the lack of the back-quote execution, particularly in the SET command, where you can assign a shell variable to the output of a program. The only workaround I've found so far is that I can perform command execution inside a FOR statement, and assign the output to the FOR iterator. But that's a crock.)
Next, it wasn't even Sony employees who came up with the rootkit solution. It was an external company who sold it to them. I'm betting with you on this one, that most folks at Sony did not even understand the implications of what they had purchased -- they just bought a new "high-tech" protection system that hid itself.
However, I disagree with your last assertion. The protection scheme consisted of two parts, one of which was exactly the definition of a rootkit -- software that surrepetitiously modified the OS to hide its existence from everyone, including the OS itself. The installer even installed the rootkit prior to the acceptance of the EULA, and didn't uninstall if the EULA was not accepted. Calling it a rootkit brings in exactly the correct connotations. You should be absolutely outraged if you find it on your computer, and you should be appalled at a corporation that stoops to not only stealing part of your computer from you, but opens your computer up to other security weaknesses.
But yeah, their remote controls aren't too bad (a bit Sony-centric, but that's to be expected.) And their TV pictures are pretty good.
I gave up liking Sony products after my last CD/DVD player purchase. The player did not support VCD / SVCD, Picture CD or any other home-burned formats that had already become commonplace at that time. They have simply been heading in the DRM direction ever since before the MiniDisc came out, and I've frankly had it with them. The rootkit was the last straw -- I've completely stopped buying Sony anything, and when friends and family ask me to help buy their equipment, I'm even steering them away from Sony.
Anyway, they've outlived their value to me.
What they're doing with .NET is making the sandbox completely policy driven. Let's say that a trojan in a Word document sends a bunch of spam emails. The administrator can specifically turn off the permission to "send email from application X" or "send email from any application other than Outlook" or "require human confirmation before sending email from any application other than Outlook."
So that's the rose-colored glasses view that they're selling to companies.
Reality is likely to be a bit different. The Microsoft people I've talked to have shown no ability to differentiate between "security policies" and "computer security". They run around and say "if you change John's logon to prevent him from using DCOM to sending emails he can't get a spammer worm." That's a policy. The worm, of course, isn't going to care about DCOM. It doesn't stop the worm from opening a socket to the local SMTP server and writing "from: spammer@cheapdrugs.com / to: spammee@unlucky.net".
This is an attempt by the more security-wise OS teams to impose restrictions on the security-unwise application teams. It certainly can help reduce the problem -- if it's adopted. But the adoption will come with a price. DRM gets to be a policy, just like security. I'm saying "no" to Vista until I see what can be turned off.
The deal with MSIL is that they run it through a verifier. Only things that have appropriate permissions can do restricted stuff -- your company might want a policy that prohibits you from writing to any folder other than "My Documents", for example, and they may prohibit any code existing in "My Documents" from being executed. No more spyware, no more browser-based attacks. Assuming it's all verified .NET code, that is.
[ warning: descending into speculative anti-MS, anti-.NET rant here ]
Once enough of the business world has their code ported to .NET, MS intends for Info Security groups to swoop through corporations turning on all these wonderous restrictions that will keep the corporate computers safe. [ *cough* ]
Well, that's their plan, anyway. It goes hand-in-glove with the TCPA and unTrustworthy Computing. Ultimately only pure code will get signed, and only signed code will be allowed to run. Oh, and while they're at it, only official, currently-licensed copies of Word, Excel, Office, Outlook, etc., will be permitted to run. Have you tithed Bill this month? Well, let's just check the records before we let you go running Word now, shall we? Hmm... that copy of Access looks like it's about to expire. You might want to have your boss pay the license bills a little quicker next month.
I'm thinking there was a lot of repetition there. I have one and I have figured out maybe a dozen or two, tops. I wonder if he isn't claiming different "targets" as different "uses". Perhaps his descriptions run along the lines of these:
- Measure the height of a tree.
- Measure the height of a wall.
- Measure the height of a tower.
- Measure the height of a man standing next to a tower.
Seriously, though, there certainly are many unique uses, although I have to believe most of them involve only using the alidade as a fancy protractor. Very few involve the rete -- time and direction being pretty much it. (Although I suppose he probably figured out how to use the stars as reference points for indirectly measuring angles between horizontal objects.)The original developer had his "submit image here" web page load the image into some Windows "object" format, and then do a bunch of tests, like 'reject if is it > 500 pixels wide' and 'warn if color depth > 2' and 'reject if not .BMP format'. But this is horrible for the users -- they may not have the image in the required format, and some won't have the knowledge to get it into the format we require.
I told him to just inline imagemagick's convert function, and output the exact format he requires. The sanitization is now very simple: if imagemagick can read it and successfully convert it to the desired format, it's good. That means we don't even have to tell our users to use .BMP or .GIF or .whatever -- if they can get us an image in a format recognized by imagemagick, we can use it. We've published guidelines that say "if you make your image conform to such-and-such attributes, our output will be as good as we can possibly make it." We're not promising an image that is horribly tortured by Imagemagick will print as well as they desire, but at least our app won't crash if they try to feed us garbage, or try to blow us up with a 10MB .TIFF or .WMF.
There's a related feature you'll find on upper end plumbing, too, where they feed toilet a mix of cold and hot water. It keeps the tank from forming condensation after flushing.
Inductive water heaters can save a lot of money when the fuel to heat a traditional tank is very expensive. They don't offer enough flow for high volume applications, but they only consume energy when you are using the water.
I'd like to better synchronize my TV sets. Right now, I have a digital cable box/DVR for the HDTV, a ReplayTV decoding and recording the analog cable in the living room, a Hauppauge analog computer tuner tied to the cable in the computer room, and a straight analog TV in the kitchen. All four of them are starkly out of sync, usually by a few seconds. If all four are loud enough to hear simultaneously, it's like living in "Row, Row, Row your Boat" land.
( I have a Logitech Harmony 880 remote right now, and I love what it did for the HDTV setup. It's 100% wife friendly. As a matter of fact, it's 100% Luddite aunt-and-uncle friendly, too, so I bought one for them. I found the biggest advantage of the Harmony over the Pronto is the default setups are almost perfect out of the box. I hated having to train or hunt down .CCF files for every random device. )
If my wife liked background music more, I'd want a synchronized whole-house audio system. I'm a bit leery of the ethernet-based setups, as I was at a restaurant when one unit near us went out of sync with the others -- ouch.
I'd like my home heating system available via the web using my cell phone. I want to be able to go on vacation, and have the heat pump keep the house at a maintenance level while I'm gone, but allow me to check on it. Then, when I'm driving home (or at the airport or wherever) I can access it remotely to tell it "we're coming home now, bring up the heat (or bring on the A/C) and run the fan at full speed to stir up the air." I already have a brand-new fancy two-stage furnace and heat pump, with a house humidifier in the system. And I have a brand new very fancy setback thermostat to run it all, but it has no external communications capability (as far as I know.)
I'd like the security system to recognize when we've left. It doesn't have to know where we all are, but it should know when nobody's home and arm itself. As a matter of fact, a cell phone portal for the security system would probably work OK too, but wouldn't be as important. At least then I could check to see if I set the alarm or not.
In the kitchen, I currently have an LCD TV. It has input connectors for a PC, but because there is no good place in a kitchen for a keyboard and mouse, I don't have a PC there. A stowable keyboard might be an OK choice, but I'm thinking along the lines of a "video keyboard" like someone developed for the Palm platform. It consists of a laser diode with a mask shaped like a keyboard -- it projects a keyboard image via laser light. And it has a camera that watches for finger touches on the surface. Very clever, and would be perfect for a kitchen counter where cleanliness is always an issue. The keyboard laser could even be motion activated -- don't display the keyboard unless someone is standing in front of it, for example.
Oh, and I'd like to have a refrigerator / freezer alarm that would alert me if the temperature goes too high.
If I had a PC in the kitchen, it'd be nice to keep the grocery list on line, accessible via cell phone browser.
I have a washer and dryer in the basement. I would like to be able to know when the clothes are clean and dry upstairs, so I can go down and put the next load in. I'd also like to be able to find out how many minutes are left in the cycle -- there's an LED digital count down on the front of each, so the machines obviously know it.
I'd like to be notified when the water softener is low on salt.
The basement water alarm should be tied into the system, too, as should fire/smoke detectors, CO
Right now the network companies enjoy "common carrier" status. If you download child porn, or transmit a virus to another person's computer, or even run a botnet, the network operator isn't responsible for your actions. You are, because the network isn't really equipped to censor all inappropriate messages.
Well, now Shaw Cable is saying "hey, look at this VOIP call, we think it's 'bad' data, so we're going to slow it down." Effectively, they're passing "judgement" over the bits they carry. Once they start doing that, they're no longer pure common carriers -- they're refusing to haul bits for the competition. And by doing that, they've shown that they have the ability to censor bad stuff. They may end up responsible for all of the crap that they allow to flow through their network. Do they really want to put themselves in that position?
All a defense lawyer has to do is say "well, Shaw, if you block VOIP, you must have pretty good blocking technology. Why don't you block these botnets, and worms, and viruses, and child pornographers, and terrorists, and all these other things that are much more important to our society? Don't tell me you can't, because you can obviously block things when it increases your profit." At that point, he drills the guy with "since you could have blocked Code Red but chose not to, your customers should line up to sue you for failing to protect them."
Of course, IANAL. But I saw one on TV once, and I'm pretty sure that's what he would have done in this case.
Sorry, I live in the corporate world. We don't get out much. What do you mean by the crack about "standards-based"? Years ago, Gartner told us that "everyone" was writing these in ActiveX controls. Our on-site Microsoft consultants helped us write them. Microsoft Premier Support helped us upgrade by porting our web pages to ASP.NET. And we're running IIS 7.0 on Windows Server 2003. How much more standards-based can we get?
</sarcasm>
Seriously, your idea of what might happen in corporate America is pretty damn far from reality. Most of what passes for infrastructure architecture around here is stupid, blind following of Gartner research reports and on-site Microsoft technical consultants whispering ".NET would solve this problem" any time they're within earshot of a senior group manager or director.
The thought process is that companies like Gartner have fabulously expensive consultants who do all this "research" (*cough* surfing pcweek.com *cough*) and they must be right because we're paying them so much money.
And M$ is the answer, simply because that's our platform. Someone made a decision ten years ago to install M$. We have millions and millions of dollars invested in it. Good money after bad? Sure. Silk purses and sow's ears? Damn right. But NOBODY higher up listens when we tell them that it's a bad decision. And do you know why that is? Because we're successfullly making it do a lot already. To call it crap is to be wrong by example -- Microsoft platforms are carrying email, they're storing data, they're sending messages all over the place. Any director can see that today with their own eyes.
And they really, really don't want to be called "dumb" for having spent millions on a platform that could have been Linux for 1/10th the price. People who make decisions like that don't let those bad words enter their ears -- they shoot the messengers instead.
The emperor does indeed have fine clothes, tailored by Bill Gates, and they look very nice to me. Look, you can almost see the reflection of my paycheck in them.
That plus a few curious slashdotters will probably slow their spam chatter for a few days.
You really are an incurable optimist, aren't you?
We've seen that. I think it was the "Cheese" worm that was trying to come around and patch systems infected by the "Lion" worm. (Yup, confirmed, Google is my evil friend.) Noel Davis summed it up well: "These systems may have much greater problems than the Lion worm -- many more problems than another worm, no matter how friendly, can hope to fix."
I think you're missing some clues here. These certainly are not all "moms" computers. 40 of the machines that joined the botnet during the chat in TFA were State of Texas computers, sitting in some government office building somewhere.
Big organizations (large corporations, governments) use ActiveX in their web "apps" all the time for various software functions. Shutting off ActiveX might mean turning off their ability to fill out their time sheets, or request vacation days, or reenroll in their health insurance plans. They may use ActiveX for requesting cubicle moves, new phone lines, or to request a janitor come fix a stopped toilet.
Microsoft planted these dependencies very deeply and very deliberately, guaranteeing vendor lock-in. They're not going away just because of some security hole.