"How would they fix this vulnerability at 'design time'? Disable links in IE, OE and Messenger?"
Disable them for untrusted transactions...like auto executing programs? YES.
"Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is."
This would imply that neither Linux or Mac OS is designed with security in mind, because they certainly need patches.
Only on the most superficial levels. It's not quite the same thing if the design encourages bad behavior and the patch doesn't deal with that. If the system can't be secured without a patch it is defective.
In the case of most other popular operating systems, the systems come with services and options that can be insecure turned OFF by default. The patches for security problems deal with situations when the by-default-off defective services are turned ON.
That's why you can't interest most people using non-Microsoft operating systems in virus and spyware detectors...unless they are running a mail filter for Windows users.
The user needs to click on a link in the IM message, and needs to click on 'yes' on the XPSP2 warning about running unkown executables.
Just like the majority of Outlook and many IE hijacks? Microsoft hasn't seemed to have learned from the past at all; they keep repairing the same defects over and over when they could eliminate the problem at design time.
Messenger patched the vulnerability a few weeks ago.
Thanks, though that's beside the point.
Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is.
but there are a number of people in the community who hold a lot of power to persuade and influence.
Yes. They do it with actions. There are hundreads of people in influential positions only because they have gained those positions and respect because of what they do. If any of them suddenly get brain tumors and act out of character... repeatedly... others will replace them.
Remember, you only need consensus, not unanimity.
It's not a democracy, it's a meritocracy with a large trust component. That's why companies are not trusted (a company isn't a person) though people who act in positive ways usually are. Usually...with specific exceptions.
If one or more individuals start towing the Microsoft line -- or any corporate line -- they risk the loss of that trust. Microsoft has shown decisively that they can not be trusted as a company. Microsoft has continually back stabbed other groups and corporations and have done so whenever it suits Microsoft's own purposes. They are only nice till there is a clean way to take over what former or current partners own; they grow to fill all available space and consider nearly all other groups to be threats or markets.
People on the Microsoft payroll are tainted by the association even if they are as individuals worthy of trust and respect and they perform good acts. This is unfortunate, though Microsoft is not a company to get chummy with so distrust is nearly always a smart option with any Microsoft representitive or MS inititive.
Don't get me wrong. I'm as pro-business as they come. My concern with corporate involvement is that the motivations for that involvement have to be in clear view and not ambigious. I wouldn't have a corporation to corporation agreement where the details weren't clear and I didn't know why my partners were likely to do -- or not do -- what I expect them to do.
Sun's involvement with OpenOffice.org is to attack Microsoft. That should be clear to anyone.
IBM's involvement with Eclipse is to grow the service sector and not to loose control entirely to Microsoft; it's better to join in the chaos than it is to gain stability through the efforts of an enemy.
"Why don't we try to make the system really boot faster instead?"
They are. Both the init processes and the device configuration routines are being replaced and profiled...and Red Hat is helping (leading?) these efforts.
"Excel is a fantastically powerful, flexible tool, and also has a portability advantage when working with people who have Office installed, but not Perl or Python (i.e. pretty much everyone)."
So, install Perl and/or Python. They're free and Free...I don't see this as a problem.
Now, PDF is a first-class file format in OS-X, and OpenOffice can create them fairly easily. Building PDF capability into Word must strike Microsoft as being just a little too interoperable.
PDF is mainly a storage and view mechanism; that's where interoperability stops. It's not practical to use it for editing unless you use Adobe's tools and they aren't universally available at any price.
PDFs are the equivelent of dead tree documents translated to computers.
How do you figure? This time Microsoft isn't competing against an overpriced product and overpriced fonts, and there's no groundswell of anger against PDF.
Microsoft isn't going to compete...just as they didn't compete with Adobe the last time. They will just implement it and automatically everyone who gets a new computer after Longhorn is released will get what Microsoft ships. Since it's there, developers will use it.
If anything, the document format that people are hating right now is Microsoft's own Word format.
Word DOC files do suck. That said, I'l bet that Word will 'work best' with Metro.
To eliminate this connection, you'd have to replace or negate Word as a popular text editing environment.
Personally, I think word processors are throwbacks sutible mainly for legal documents that people want signatures on and want to drop in a file folder to drag out later.
This really annoys me on a regular basis; I tend to get printed copies when I ask for electronic versions...so everything needs to be retyped and entered in a database...and then once again exported so someone can stick a printed copy in a file folder. Bunch of !@#!@# shelf browed primitives!
Remember...no, of course 1/2 of you didn't; you were 5!
OK...for you kiddies out there; Way back in the 90s, Adobe charged an arm and a leg for Postscript ($1,000/printer) and Postscript fonts were expensive. Apple complained. Microsoft complained. Everyone buying a printer complained or wished for a cheap Postscript printer so !!#@$!$ would look right when they printed. Adobe held firm.
Apple decided along with Microsoft to change part of the problem...Postscript fonts. Jointly, they developed TrueType. Adobe held firm...till it was obvious that Postscript was in danger. Rates fell on Poscript licences, though it was too late and TrueType fonts became dominate.
Adobe retrenched and created the Postscript offshoot PDF...and documents became printable and portable again. Adobe became more involved in the detailed document creation process.
Fast forward to now. Microsoft (by themselves) are attempting to complete the job and take Adobe out of the document creation picture. It's not going to be hard for Microsoft to do it this time. Expect a suite of Metro document editing and processing tools from Microsoft around the time Longhorn is released.
The only gift in this? You now have a year and a half to two years to plan.
Spreadsheets can be viewed as a type of programming and this problem has been solved for programming. It's called version control, check the spreadsheet in CVS.
Problem is spreadsheets are often borrowed; "Hey Bob, do you have that timecard?" "Here it is Jack, just erase my numbers." "Thanks Bob!"...and Jack goes off to make formatting changes and adds a few necessary parts or 'cleans it up'.
Being a binary format (unless explicitly saved in a parsable XML format like Oasis OpenDocument), checking it into source control only works to handle the binary blobs.
Personally, I can't get people to use the network let alone check things in/out of source control. I guess if you can get them to use the network, you can version control the directories and use that as both source control and part of your backup system...though you're dealing with people. It's mainly a social issue to do what you ask and not simple to solve.
The two technical issues -- being able to track differences in a meaningful way and to make it versioning transparent to the users -- are hard enough though not at all impossible. The people, though...
Apps, apps, apps. Considering that there's not even a good off-the-shelf business financial package available, I'd say that "ready" is a bit premature. If all you do is basic secretarial stuff (email, documents, etc.), sure, it's fine.
Don't move the goal posts too much.
There are financial applications available for Linux and not just ones that are open source. If you don't like those apps...or don't know about them...how does that automatically make Linux unacceptable? Unless you have legacy accounting apps, it doesn't.
Let's say that printing is equally bad in *nix and Windows*. Well, then, you still have all of the other *nix hurdles...
...and in Windows you have viruses, spyware, the necessity to run some programs as administrator, and the poor overall seperation of users and groups. I could go into additional maddening details, though I'll leave it to you to consider a few dozen more.
Linux is ready and has been for about 5 years. The only thing holding people back is fear of the unknown and legacy support. For new companies or users, it's ready to go.
The latest Linux base plus Gnome or KDE DE are quite easy to use. Flash drives, for example, can be used by just plugging them in and yanking them out when you're done...no click-click unmounting.
As an admin, Linux is a pain for 1 system if you are constantly tweaking it. If you get a good distro and keep with the defaults, most 'problems' don't exist; you haven't created them!
No tool is perfect. A more obvious example to yours is that virus scanners also give false positives -- yet virus scanners are useful.
These tools are guides only. Anyone who treats them as 100% reliable is not a professional admin.
If you know enough about your systems that these are false positives, you can document each false positive so that as your systems change or the scanner tools are updates you can tell what is a potential problem and what is not.
If the 'security company' supposedly did a complete audit and does not have a reply to what you find, they ripped off your company.
If they were hired to do a basic review not a complete audit, you can't blaim them. The folks who hired them to do a minimal job got exactly what they asked for.
So why are some people naturally well disposed to figure out how to use search engines and email while others think of a computer as a magical device they cannot use?
Overload, capacity, and interest. People can't know everything, so they choose some things and deal with those. If they can borrow your brain and experience to do things they aren't interested in or do not have the time to deal with, they may be doing the smart thing. (Or they may be dumb as rocks and can't figure anything out by themselves.)
As for myself, I know a little about computers...though I'm not foolish enough to say I know everything or even quite a bit to my peers. To some, I'm a super guru, though this is not even close to true.
Re:Not quite
on
Voom No More
·
· Score: 1, Insightful
Today the world got a little fuzzier
No, today America got fuzzier. Yes, there is a difference.
So, the world doesn't include any of America? (Which America, btw...North, South, or did you mean a specific nation?)
Keep in mind that if the UI or backend changes on a regular basis, you will also be making substantial changes to the automated tests. Part of this can be delt with by a good tool automatically, though for most substantive changes or ones that change the workflow in even minor ways that will not be the case.
Also, people tend to think that automated testing takes less time...it *CAN* though expect that on many projects it will take much more time as automated tests are detailed and implementation specific; you can't create tests at the spec level unless your specs are detailed design documents too and even then only in a limited way.
The time savings kicks in when you want to frequently repeat the tests across the whole project when even minor changes are made to the code in one place. It also allows you to be somewhat certian that only the things you expect to change do indeed change.
If you do not have the budget or time to do complete manual tests, forget about autmating it unless you are dealing with a very static project that requires excessively detailed testing.
I expect people to disagree on much of what I wrote above...when they do, keep in mind that situations can differ. These are just general rules of thumb and worked for the vast majority of projects I've been on.
Slashdot Mirror
"How would they fix this vulnerability at 'design time'? Disable links in IE, OE and Messenger?" Disable them for untrusted transactions...like auto executing programs? YES.
This would imply that neither Linux or Mac OS is designed with security in mind, because they certainly need patches.
Only on the most superficial levels. It's not quite the same thing if the design encourages bad behavior and the patch doesn't deal with that. If the system can't be secured without a patch it is defective.
In the case of most other popular operating systems, the systems come with services and options that can be insecure turned OFF by default. The patches for security problems deal with situations when the by-default-off defective services are turned ON.
That's why you can't interest most people using non-Microsoft operating systems in virus and spyware detectors...unless they are running a mail filter for Windows users.
Just like the majority of Outlook and many IE hijacks? Microsoft hasn't seemed to have learned from the past at all; they keep repairing the same defects over and over when they could eliminate the problem at design time.
Thanks, though that's beside the point.
Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is.
We [explitve deleted] know that!They don't seem to be listening. AGAIN.
Yes. They do it with actions. There are hundreads of people in influential positions only because they have gained those positions and respect because of what they do. If any of them suddenly get brain tumors and act out of character ... repeatedly ... others will replace them.
Remember, you only need consensus, not unanimity.
It's not a democracy, it's a meritocracy with a large trust component. That's why companies are not trusted (a company isn't a person) though people who act in positive ways usually are. Usually...with specific exceptions.
If one or more individuals start towing the Microsoft line -- or any corporate line -- they risk the loss of that trust. Microsoft has shown decisively that they can not be trusted as a company. Microsoft has continually back stabbed other groups and corporations and have done so whenever it suits Microsoft's own purposes. They are only nice till there is a clean way to take over what former or current partners own; they grow to fill all available space and consider nearly all other groups to be threats or markets.
People on the Microsoft payroll are tainted by the association even if they are as individuals worthy of trust and respect and they perform good acts. This is unfortunate, though Microsoft is not a company to get chummy with so distrust is nearly always a smart option with any Microsoft representitive or MS inititive.
Don't get me wrong. I'm as pro-business as they come. My concern with corporate involvement is that the motivations for that involvement have to be in clear view and not ambigious. I wouldn't have a corporation to corporation agreement where the details weren't clear and I didn't know why my partners were likely to do -- or not do -- what I expect them to do.
Sun's involvement with OpenOffice.org is to attack Microsoft. That should be clear to anyone.
IBM's involvement with Eclipse is to grow the service sector and not to loose control entirely to Microsoft; it's better to join in the chaos than it is to gain stability through the efforts of an enemy.
"Why don't we try to make the system really boot faster instead?"
They are. Both the init processes and the device configuration routines are being replaced and profiled...and Red Hat is helping (leading?) these efforts.
"Excel is a fantastically powerful, flexible tool, and also has a portability advantage when working with people who have Office installed, but not Perl or Python (i.e. pretty much everyone)." So, install Perl and/or Python. They're free and Free...I don't see this as a problem.
PDF is mainly a storage and view mechanism; that's where interoperability stops. It's not practical to use it for editing unless you use Adobe's tools and they aren't universally available at any price.
PDFs are the equivelent of dead tree documents translated to computers.
Microsoft isn't going to compete...just as they didn't compete with Adobe the last time. They will just implement it and automatically everyone who gets a new computer after Longhorn is released will get what Microsoft ships. Since it's there, developers will use it.
Word DOC files do suck. That said, I'l bet that Word will 'work best' with Metro.
To eliminate this connection, you'd have to replace or negate Word as a popular text editing environment.
Personally, I think word processors are throwbacks sutible mainly for legal documents that people want signatures on and want to drop in a file folder to drag out later.
This really annoys me on a regular basis; I tend to get printed copies when I ask for electronic versions...so everything needs to be retyped and entered in a database...and then once again exported so someone can stick a printed copy in a file folder. Bunch of !@#!@# shelf browed primitives!
OK...for you kiddies out there; Way back in the 90s, Adobe charged an arm and a leg for Postscript ($1,000/printer) and Postscript fonts were expensive. Apple complained. Microsoft complained. Everyone buying a printer complained or wished for a cheap Postscript printer so !!#@$!$ would look right when they printed. Adobe held firm.
Apple decided along with Microsoft to change part of the problem...Postscript fonts. Jointly, they developed TrueType. Adobe held firm...till it was obvious that Postscript was in danger. Rates fell on Poscript licences, though it was too late and TrueType fonts became dominate.
Adobe retrenched and created the Postscript offshoot PDF...and documents became printable and portable again. Adobe became more involved in the detailed document creation process.
Fast forward to now. Microsoft (by themselves) are attempting to complete the job and take Adobe out of the document creation picture. It's not going to be hard for Microsoft to do it this time. Expect a suite of Metro document editing and processing tools from Microsoft around the time Longhorn is released.
The only gift in this? You now have a year and a half to two years to plan.
Problem is spreadsheets are often borrowed; "Hey Bob, do you have that timecard?" "Here it is Jack, just erase my numbers." "Thanks Bob!" ...and Jack goes off to make formatting changes and adds a few necessary parts or 'cleans it up'.
Being a binary format (unless explicitly saved in a parsable XML format like Oasis OpenDocument), checking it into source control only works to handle the binary blobs.
Personally, I can't get people to use the network let alone check things in/out of source control. I guess if you can get them to use the network, you can version control the directories and use that as both source control and part of your backup system...though you're dealing with people. It's mainly a social issue to do what you ask and not simple to solve.
The two technical issues -- being able to track differences in a meaningful way and to make it versioning transparent to the users -- are hard enough though not at all impossible. The people, though...
For the software errors, do they mean the problems listed here?
Don't move the goal posts too much.
There are financial applications available for Linux and not just ones that are open source. If you don't like those apps...or don't know about them...how does that automatically make Linux unacceptable? Unless you have legacy accounting apps, it doesn't.
Linux 5 years ago was well beyond what was acceptable 10 years ago from Windows. Windows was usable so...why couldn't Linux be usable?
ZEALOT is a word is overused and damn inaccurate. It's like calling me a wife beater...so, how am I supposed to respond? Apoligize?
...and in Windows you have viruses, spyware, the necessity to run some programs as administrator, and the poor overall seperation of users and groups. I could go into additional maddening details, though I'll leave it to you to consider a few dozen more.
Linux is ready and has been for about 5 years. The only thing holding people back is fear of the unknown and legacy support. For new companies or users, it's ready to go.
The latest Linux base plus Gnome or KDE DE are quite easy to use. Flash drives, for example, can be used by just plugging them in and yanking them out when you're done...no click-click unmounting.
As an admin, Linux is a pain for 1 system if you are constantly tweaking it. If you get a good distro and keep with the defaults, most 'problems' don't exist; you haven't created them!
These tools are guides only. Anyone who treats them as 100% reliable is not a professional admin.
If you know enough about your systems that these are false positives, you can document each false positive so that as your systems change or the scanner tools are updates you can tell what is a potential problem and what is not.
If the 'security company' supposedly did a complete audit and does not have a reply to what you find, they ripped off your company.
If they were hired to do a basic review not a complete audit, you can't blaim them. The folks who hired them to do a minimal job got exactly what they asked for.
v.5 did crash quite a bit, esp. the browser plugin. Very frustrating. It was comparitively ugly too.
You expect the vendors to give better advice?
From another angle: Even smart, experienced, people benifit from asking basic and potentially stupid questions. If they listen.
I call that "The Columbo Method" after the TV detective of the same name.
Overload, capacity, and interest. People can't know everything, so they choose some things and deal with those. If they can borrow your brain and experience to do things they aren't interested in or do not have the time to deal with, they may be doing the smart thing. (Or they may be dumb as rocks and can't figure anything out by themselves.)
As for myself, I know a little about computers...though I'm not foolish enough to say I know everything or even quite a bit to my peers. To some, I'm a super guru, though this is not even close to true.
No, today America got fuzzier. Yes, there is a difference.
So, the world doesn't include any of America? (Which America, btw...North, South, or did you mean a specific nation?)
Nit pick and be prepaired to be nit picked back.
Tried it. Got 30% on one instance and 17% each for up to 8 instances (when I stopped). Plenty of remaining space to run many instances of this loop.
OS & tools: Linux: Fedora Core 3 with latest updates.
Hardware: P4 3ghz with hyperthreading enabled.
Keep in mind that if the UI or backend changes on a regular basis, you will also be making substantial changes to the automated tests. Part of this can be delt with by a good tool automatically, though for most substantive changes or ones that change the workflow in even minor ways that will not be the case.
Also, people tend to think that automated testing takes less time...it *CAN* though expect that on many projects it will take much more time as automated tests are detailed and implementation specific; you can't create tests at the spec level unless your specs are detailed design documents too and even then only in a limited way.
The time savings kicks in when you want to frequently repeat the tests across the whole project when even minor changes are made to the code in one place. It also allows you to be somewhat certian that only the things you expect to change do indeed change.
If you do not have the budget or time to do complete manual tests, forget about autmating it unless you are dealing with a very static project that requires excessively detailed testing.
I expect people to disagree on much of what I wrote above...when they do, keep in mind that situations can differ. These are just general rules of thumb and worked for the vast majority of projects I've been on.
Are you sure about that?
"I wish to complain about this tribble what I purchased not half an hour ago from this very boutique." ...