Slashdot Mirror


User: blurpy

blurpy's activity in the archive.

Stories: 0
Comments: 7

Comments · 7

  1. a more secure windows on Windows vs Linux On Security · · Score: 2, Insightful

    everybody has heard (and many agree) that any codebase will have x number of bugs (including vulnerabilities) per n lines of code. the more mature the codebase, the fewer bugs may remain, but they are still there. solaris has 'em, linux has 'em, even openbsd has 'em.

    no one should doubt the capability of microsoft's core programmers to create solid, robust and secure code. anyone who does, is not being serious.

    the problem arises because those same programmers must pack many things into a base os install. for example, to install windows and have it work means i must have the entire windowing system installed and operational. it also means that ie must be there. i have heard from a microsoft employee that if i remove the media player dll from a win2k box that the entire box will cease to function, though i have not confirmed this. i imagine there are others that could be added to this list.

    in the unix/linux world i have the option (though imperfect) of leaving out everything except the kernel, core libs, core services and the service / services i want the box to provide. all other code is not only turned off, it just isn't there. which means fewer lines of code, which means fewer vulnerabilities.

    last i checked, the majority of vulnerabilities for both win2k and linux came from various 'non-essential' programs, programs like the browser that i don't really need on a webserver. granted, there were quite a few for iis, but even its vulnerabilities come largely from additional, non-essential code that is automatically installed and required to be there, but for non-technical reasons.

    therefore, to make a more secure windows, that would conclusively compete with *nix in this arena, microsoft should release a version of windows that can be cut to the bare bones, something i could run headless, without a browser installed, without outlook express installed, etc.

    would microsoft business allow such a thing to happen? perhaps not, which means microsoft programmers will forever have the deck stacked steeply against them.

    it's too bad.

  2. OT Rant : Commercialization of LOTR on The Hype of the Rings · · Score: 0



    ..but doesn't it just make you sick to walk by a burger king and see pictures of frodo on plastic cups in the window?

    why do we have to cheapen absolutely everything? can we produce a work for the sake of art or literature, and leave off doing everything to make the most money off it? won't they do just fine without stooping to that level?

    it sucks.

  3. abstraction pays dividends... on The Object Oriented Hype · · Score: 1

    this past year i was in charge of a rather large software project at an internet startup (may it rest in peace). i and our other programmer followed very strict oo analysis and design principles (don't think they're very different from most other analysis and design principles), and the author is somewhat correct that the initial design and start of implementation was relatively slow.

    however, being in an internet startup, with all the attendant chaos and rapidly changing plans, we very quickly realized the payback on the abstraction investment. as our managers thrashed about trying to please all the various investors / business partners (sometimes changing the whole focus of large portions of the application) we found it relatively straightforward and quick to morph the app in the way we were being led, all without hopelessly breaking our original codebase. i have been on more procedural or data-centric projects where the type of changes we had to do here would simply not have been possible without enormous rewrites. (i have actually been through some of those rewrites and they are very painful.)

    yes, cracks were beginning to appear here and there in our model because of all the change, but the entire structure was sensible, and major changes could be effected by modifying implementations in the superclass or overriding methods, etc. in short, rather than waiting three years for the payback (lots of time saved) we enjoyed the payback in under three months.

    an added benefit was that our code was so well organized that when i went to technical meetings i could very quickly describe the structure of our app in great detail in a way that even business people could begin to understand, because it was all based upon entities in the domain that they could relate to.

    i agree oo can be overhyped, and it is certainly not the silver bullet for all problems, but it isn't difficult and it provides very simple benefits without all that much investment of time and effort.

    blurpy

  4. money well spent.. on Peter de Jager: Where Is He Now? · · Score: 1

    how would people have felt had all that money been spent, yet the computers still crashed? they're disappointed because the fix worked?

    the way people (the media) have reacted to the y2k phenomenon simply proves again how shallow and stupid they can be..and it shows that the media simply live off disaster. the best thing they had in decades was averted, and they're pissed..

    blurpy

  5. Re:what does wired ship?--oh, please on Linux 2.4 Wins 4th Place ... in Vaporware · · Score: 1

    what? -- are you a journalism major who wandered onto this site to do some 'research'?

    your point about italians, women, blacks, et aliis is a perfect example of the ridiculousness of _most_ journalists, which is why i think you must be one.

    journalists _chose_ to be journalists, to go in for cheap & easy pseudo-intellectualism, rumor-mongering, etc. moreover, as there are so many of you clamoring for the limelight you crave, you must often stoop to nonsense to attract some attention (as wired have done, and do). the sad thing is that you take yourselves seriously. (unlike software engineers -- we _never_ take ourselves seriously ;-) )

    my point was this: when did wired do something really, really hard, like ship a big piece of software? for this 'article', all they need do is send out emails seeking 'nominations', come up with something clever to tack onto the front of it, and 'at the stroke of a pen' castigate and belittle the herculean and extended efforts of dozens or hundreds of intelligent, hard-working people all for the sake of some lame letterman-like publicity stunt.

    none of those wankers would understand five lines of the linux or osx codebases. what gives them the right? the same reasoning, i suppose, that entitles you to make the trite (and entirely irrelevant) inference about my previous post.

    so scamper back to reading time magazine or whatever it is you people do when you are not being holier-than-thou, or the trolls may get you..

  6. what does wired ship? on Linux 2.4 Wins 4th Place ... in Vaporware · · Score: 1

    when was the last time wired shipped any software? like all 'journalists' they are very good at shipping lame-brained assemblages of meaningless words that have no connection to anything..

    blurpy
    software engineer (been running 2.4.0-testxx for months now)

  7. tweak the kernel?? on Linux Should Be Shunned · · Score: 1

    how many it staffers do you know who can 'tweak the code'--which can only mean 'tweak the kernel code', or possibly 'tweak the gnu tools'? if by 'tweak' this fellow means, 'install other software', or 'change config files' then he must condemn the entire unix world i suppose. if he's worried about some it staffer introducing a backdoor and recompiling the kernel, then there really aren't too many that he need worry about. and no unix would be safe from an admin with such expertise and ambition. his comments sounded like those of someone who has never been in a server room..he's learned all he knows (which is evidently not much) from magazines or videos or something..

    cheers,