I don't even think it needs to be that high tech. How about this:
Your bank sends you in the SNAIL MAIL a sheet monthly of longish letters/numbers that represent an authorization to spend money. In fact, each one could be rated for a certain amount of money, say, up to $100 or $250, or something like that. That, in combination with a number on the back of your card (what are they called, CCV2 or something), forms a use-once key for an online purchase. That way you have to have the card present, plus your statement of authorization codes, to purchase goods online. The e-tailer never needs to know your card number, and the codes are only good for a single use. Even if a cracker got a hold of the site database, the CCV2 code would not be usable for anything unless the cracker also got a hold of your randomly generated, time-sensitive, preset codes.
Something like this would cost practically nothing to implement, be very easy to maintain (you gotta send bank statements monthly anyways), easy to regulate (for example, pass a regulation saying that these can only be sent through the USPS or private carrier, never electronically or ever given out over the phone), and greatly improve security.
On top of that, it'd be great for people without regular banks or bank accounts. An intrepid consumer could easily sell pre-paid authorisation numbers on little scratch-loto style tickets.
On the processing side all we would need is a strong central party (or number of them), like Visa, Mastercard, or AmEx to receive valid authorisation numbers from banks and hitch that into the POS and online processing systems.
In fact, even as a strong libertarian, it makes me cringe to think how much trust and financial power we place into the hands of Visa, Mastercard, and their ilk. It might make sense at some point to expand the mission of the Federal Reserve or the Treasury to handle the verification and routing of authorisation numbers like I've described.
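The mailed one-time code scheme sketched above, as an added Python model (not the commenter's code): the bank keeps only keyed hashes of the codes and the card secret, checks the card secret first, enforces each code's spending cap and consumes a code exactly once. The account reference, code format, hashing scheme and all sample values are assumptions made for the example.

```python
"""Toy model of the mailed one-time authorization-code scheme.

Roles (all names hypothetical):
  - Bank: mails a sheet of single-use codes, each with a spending cap, and
    stores only keyed hashes of them and of the card's CVV-style secret.
  - Merchant: receives the card secret plus one sheet code and forwards them
    with an account reference for authorization; it never sees a card number.
Amounts are in cents. All data below is constructed in memory for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    limit_cents: int      # maximum amount this code may authorize
    used: bool = False    # set once, on a successful authorization


class Bank:
    def __init__(self) -> None:
        # Secret key for hashing stored secrets; never leaves the bank.
        self._pepper = secrets.token_bytes(32)
        # account_ref -> {"cvv_hash": str, "codes": {code_hash: IssuedCode}}
        self._accounts: dict[str, dict] = {}

    def _hash(self, value: str) -> str:
        # Keyed hash: a copy of the table alone reveals neither codes nor CVVs.
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def enroll(self, account_ref: str, cvv: str) -> None:
        self._accounts[account_ref] = {"cvv_hash": self._hash(cvv), "codes": {}}

    def issue_sheet(self, account_ref: str, limits_cents: list[int]) -> list[str]:
        """Generate the codes printed on the mailed sheet; only hashes are kept."""
        sheet = []
        for limit in limits_cents:
            code = secrets.token_hex(8).upper()          # 16 hex characters
            self._accounts[account_ref]["codes"][self._hash(code)] = IssuedCode(limit)
            sheet.append(code)
        return sheet

    def authorize(self, account_ref: str, cvv: str, code: str,
                  amount_cents: int) -> tuple[bool, str]:
        """Approve only if the card secret matches and the code is unused and big enough."""
        account = self._accounts.get(account_ref)
        if account is None:
            return False, "unknown account"
        # Card must be present: the CVV is checked before the code is even looked at.
        if not hmac.compare_digest(account["cvv_hash"], self._hash(cvv)):
            return False, "card secret mismatch"
        entry = account["codes"].get(self._hash(code))
        if entry is None:
            return False, "unknown code"
        if entry.used:
            return False, "code already used"
        if amount_cents > entry.limit_cents:
            return False, "amount exceeds code limit"   # a rejected code stays unused
        entry.used = True                                # consume exactly once
        return True, "approved"

    def storage_dump(self) -> str:
        """What an attacker would see with a copy of the bank's table."""
        return repr(self._accounts)


def demo() -> dict[str, tuple[bool, str]]:
    """Walk through the scenario from the post and return each outcome."""
    bank = Bank()
    bank.enroll("ACCT-0001", "123")                          # constructed sample values
    sheet = bank.issue_sheet("ACCT-0001", [10_000, 25_000])   # one $100 and one $250 code
    results = {
        "too_large_for_100_code": bank.authorize("ACCT-0001", "123", sheet[0], 12_000),
        "first_use_ok": bank.authorize("ACCT-0001", "123", sheet[0], 9_999),
        "replay_rejected": bank.authorize("ACCT-0001", "123", sheet[0], 100),
        # Leaked merchant database: CVV known, but no fresh sheet code.
        "cvv_without_code_rejected": bank.authorize("ACCT-0001", "123", "DEADBEEFCAFEBABE", 100),
        # Stolen sheet without the card in hand.
        "code_without_cvv_rejected": bank.authorize("ACCT-0001", "999", sheet[1], 100),
        "second_code_ok": bank.authorize("ACCT-0001", "123", sheet[1], 25_000),
    }
    # The bank's own table never contains a plaintext code.
    leaked = any(code in bank.storage_dump() for code in sheet)
    results["plaintext_in_storage"] = (leaked, "leak check")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```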
What are you doing wrong? I am connected to my home workstation quite a bit, and my router uses QOS to limit RDP packets to no more than 8 kb/s. I use 1024x768x16 without any problem. It's fast, wicked responsive (I forget where I am sometimes), and the latency is great.
Granted, I have a nice connection back to home - my average ping is about 15 ms.
I'd bet you are seeing bad response due to connection latency.
Why is it that everyone in the FOSS community always wants EVERYTHING to be a web-based application?
Is it so hard to imagine that some people really want application state, a really responsive UI, the ability to work with data without many round-trips to the server, etc?
Web-apps are nice, but geez, they aren't the frigging holy grail!
I came up with an idea for a simple and peppy substring searching algorithm that's currently used in a popular piece of P2P software. The period of time between when I came up with the idea and when it shipped in SuSE? I dunno, it was whenever the next SuSE release came out.
What an absurdity. You are talking about compact simple functions. What we are talking about are fundamental changes involving perhaps 10-15 million lines of code.
I think that they might be the most *popular* vendor of a number of things, but still not the first to market
No, you are not following me. I am talking about taking things that are mature, and making them accessible to the masses. FOSS hasn't done that widely, except perhaps FireFox, and a few P2P clients. What FOSS software is in daily use by millions of desktop users? Apache serves 60% of the world's websites, but what about the rest of the computing world? What about desktop users of all stripes - MacOS, Linux, and Windows? Let me give you a clear concise example of what I am talking about. Microsoft clearly did not invent remote displays of a PC. It's been around for a long, long time. X does it. VNC does it as well. pcAnywhere did on DOS even. Unix has had remote shells for decades. But how many PC users had the ability to access their home PC from work? Or vice-versa? Now this is what I am talking about. At the recent PDC conference MS held they reported statistics like this one: 3 million people in the US use remote desktop daily to connect to their home or work PC. I can understand this. My mother does it. My wife does it. I do it. Why? It's easy, and it's robust. It wasn't first, it wasn't last, it isn't the best solution. What it is is ubiquitous. This is an advantage. As a developer, I can say that the majority of my user base has access to a feature - remote assistance. As a Linux software developer, can you claim that?
Now, onto VM's: However, in an open source world, it doesn't provide nearly as much a benefit, since most software can just be rebuilt -- Red Hat just sets the --target option and rebuilds for IA64, PPC, i386, or whatever.
I agree. Totally correct. Except that your cross-platform ideas involve the time-consuming and error-prone problems of cross-compiling. I am well aware of the drawbacks and benefits. Sun thought that their idea of a cross-platform binary would change how software was developed and used. They failed. Again, they were not the first, but they were early compared to MS. They have not delivered. There is very little common usage of Java software except on the server-side (exactly where people have the time and skill to cross-compile). The current batch of software being developed now and released now is based on a VM. That's something Sun has never delivered.
Dan, I *already* have cross-architecture compatibility with native speed and memory use. The only piece of binary software I can think of that I have is the RealPlayer library. Heck, I've co-developed software with a buddy who did his work on a PowerPC laptop. There's no need to resort to an emulation-based system.
There are vast benefits to using compile-once-run-anywhere binaries. Cross-compiling doesn't provide these, and you know it. I too have a system built by hand entirely from source. It doesn't however mean that it's the best solution for every multi-platform scenario. You have to know this; you seem much too knowledgeable to not understand that having multiple-platform binaries makes things confusing for users. The fact is that, despite all the ballyhooing about Linux applications being hardware independent, distributing software is a freaking mess. If you want to save people time and distribute binaries you need to support at least RPM and DEB, plus probably source RPM, provide a big nasty makefile (go look at the makefile for XFree86 sometime before you eat lunch!).
Now, there are certainly FOSS VMs with bytecode that exist: rep, emacs, bochs, p
When I want to add a feature, I do a patch and send it to a mailing list. It's pretty easy.
It's evolutionary. Little patches, little by little. There is not a big momentum of new changes being added.
Let me ask you a question. If you had something that was truly revolutionary under your hat. You thought it up, coded some proof of concepts. Bamo. Brand new. Big time stuff, what would you do with it? How long would it take to go from your idea to the average user?
d you're using Microsoft as an example of technical innovation
I have never claimed they invented anything. I am saying they bring things *to the market* way before anyone else. Let me ask you this. What percentage of Open Source applications are running on a virtual machine? Sun promised the world this a decade ago. But fast forward. 75% of Windows developers are writing products targeted towards .NET. In the next 18-24 months virtually everything released is going to be .NET based. MS has succeeded by getting ISVs to write against an entirely new managed code-base. This is a big time innovation. They didn't invent the idea. They didn't create this big idea. They got to the desktop. They brought it to people. Something Unix vendors have been promising the world, and here comes MS last to the game ready to deliver. FOSS is great at having a big pile of IFDEFS and tons of includes to make things work on multiple flavors of FOSS platforms. Good for them. That's been around though for a long time. Here comes MS delivering binary compatibility via a VM. Wow. And they are poised to do it again, and completely nail Linux in the process.
When Longhorn and its technology hits in the next two years, developers will be drinking the Kool-Aid full-on. It's the ultimate in lock-in: make developing apps so much more effective and efficient that you don't want to switch platforms.
I encourage you to go read up some on MSDN about Avalon, XAML, WinFS, and Indigo. Then read some MS blogs for a few hours. If MS pulls off the technology even 1/2 of what they are thinking of, Linux in terms of developer experience is going to be way, way behind.
It's all about "Developers, developers, developers!"
Have you ever heard of ReiserFS4?
So how long until I can, as a developer, incorporate serious transaction support into my applications? 1 month, 2 months? 6 months? 12 months? 5 years?
I am sure that will happen sooner than anybody sees WinFS doing anything
Sure, it may go to the kernel. Will anyone be using it for anything? Will it be integrated into applications? Can I open up OpenOffice and roll through automatically journaled versions (just an example) of my document? Can I write applications that work with files atomically? Having it in the kernel is step #1 in getting to step #54, which is having wide access to the features provided by the filesystem.
All these technologies are Open Source. So it is not like there is nothing new here in Linux.
I am not saying anything is new, but where are the implementations that use it? Where are the vector based toolkits, where are the vector-based rendering extensions on X? Where are they? When can I as a developer count on having them?
I wasn't using ANY GTK1 apps two or three MONTHS after GNOME2 was released, which was a MAJOR switch. I think you should pay more attention to OSS so you can be more informed.
Yet Fedora still ships with some by default. As does Mandrake.
There are dozens of very complete SVG icon sets available NOW for KDE and GNOME.
So is it safe to say that 75% of all desktop icons used by Linux desktop users are SVG based? Can I ship a product that counts on the fact that the icons used on desktops are SVG based? Ohh, I can't? Because hardly anyone uses them.
As a matter of fact, I can't even ship an application that assumes you have KDE, or an application that assumes you have Gnome, can I? Can I make assumptions about anything on any typical Linux machine? Tell me, what are things that I, as a developer, can assume about your box?
Pray tell, what features are those? Journaling? Done. Stability? Done. ACLs? Done. Meta-data? Done.
I tell you what. I've worked on roughly 1000 Linux boxes. I've never seen a single one with ACL support enabled. Ever. Just because it exists doesn't mean it's in use.
Face the facts. A lot of these projects that you tout are dormant, deprecated, not in heavy use, or pet projects.
Maybe, but how many new boxes get installed with ext2?
Most distros default to ext2 or ext3. A few give you options. Most boxes being installed today are not running a nifty new filesystem. They are running crufty versions. A huge majority of boxes will not ever be moved to a better filesystem; they will just be upgraded only when replaced. And even then, chances are, they will use an older filesystem like ext2 or an old version of ext3.
It's lame, is it? That's why until Win2k, it was more stable (and much faster to boot) at crash recovery than NTFS, MS's highly touted FS?
Win2k was released in 1999. Until then MS didn't have a decent filesystem. I don't deny that. But that doesn't mean state of the art should stop on the Linux side five or six years back. ext2 was great for its time. But let's move on. The fact is that as a developer if you need to write any filesystem specific features in your complex product you have to assume the lowest common denominator of ext2. Any new features offered by new filesystems will be ignored until they gain a strong foothold. As a developer are you going to target 4-5 competing journaling filesystems splitting 10% of the installed base? No, of course not.
What a ridiculous troll! Why is that bound to happen?
Because any change that breaks compatibility with any ancient, unmaintained project will be cast-off as incompatible. Anything that changes the Xlib library more than marginally will be cast-off. Anything that is anything at all different from the status quo will be frowned on.
What a ridiculous troll! Why is that bound to happen? Look at all the OSS projects that are highly active, and have been for years and years. GNOME and KDE are more active than ever, and so is the Linux kernel.
Those are the NAME BRAND FOSS projects. I am talking about the hundreds and hundreds of other applications out there. The ones with 1-10 developers, and that's it.
I hope you will do a bit more research about developments in the FOSS world before running your mouth(errr... fingers).
I am well aware. I am highly involved in the FOSS world. You are completely wrong. Once more for the record, FOSS is great at replicating things. It is not great at driving new things, at making big changes, at making big improvements.
Just because I know you won't take my word for it, here is my opinion from Linus himself:
"In open source, you don't have a circus. You don't see a sudden explosion. It's not done that way."
...
"People complain about how long it takes us to develop new versions, but we made sure that with new upgrades, old programs continue to run."
Also it's good to copy good ideas. It should be encouraged. We don't say Einstein was a really smart guy and we should come up with a better theory of relativity. We build on top of his good ideas and have new exciting quests. When we see something good out there, we tend to find ways that it applies to what we are doing. It's a slow process of improvement.
Face it man. FOSS is good at making software that is stable, static, etc. It is good at taking a 30-year old protocol and adding dozens of extensions to it and upgrading it and making it do newish things with crufty hacks. FOSS is great at making software that scratches an itch. That's it.
Finally, a bit of proof. In 1991, this article on Freshmeat (http://freshmeat.net/articles/view/212/) talks about four journaling file systems: ReiserFS, XFS/Linux,
What spinning or unfair editing took place here?
No, the Microsoft guy said that the security goals set forth are not short term goals, but rather, long-term goals, aka 10 years.
The headline of the Slashdot article makes it seem like he said flat out that Windows will be insecure for 10 years. Which isn't true, and which isn't what he said.
At some point people on Slashdot are going to have to come to grips with the fact that there are levels of security. MS is in the middle of a big push to change how they themselves and more importantly their customers think about security.
It's a non-trivial thing. Windows developers haven't been thinking about security until recently. It's been a non-issue until the world and MS made it one.
Getting the core of Microsoft software, applications, services and servers up to date, as well as creating tools that forcefully prod developers into coding effectively and securely is the real big goal of Microsoft's security plan.
Now look at this very short interview. The original question was:
We asked Stephen Toulouse, Microsoft's security program manager, if Redmond is fighting a war it can't win.
That's clearly the question he is responding to in the final "question": "Seems like you're fighting a losing battle."
Rethink it in light of that question. Security isn't a start at X, arrive at Y, and you are done thing. Any developer knows that.
MS has done the basic things they never did before: disable services by default, enforce passwords, use least privilege practices, and the like. That's step 1. They've gone ahead and prodded developers to be more conscious of security problems - that's step 2. They've updated their own software to be much more resilient to attack. This isn't about just buffer overruns and whatnot. It's about cross-site scripting, phishing, and the like. It's about redesigning things to be secure by default.
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.
When the question "Seems like you're fighting a losing battle" was posed the MS guy responded by saying "'s not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline."
Finally, as an FYI. The rate of security flaws in Windows itself isn't terribly bad. Windows XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it.
You're either stupid, ignorant, or willfully lying(FUD).
None of the above, thanks.
Then you go and talk about filesystems and vector graphics, both of which, at present time, FOSS absolutely trumps MS at.
Absolutely untrue. Just because there is a project in existence doesn't mean that FOSS is trumping MS. MS has an installed base of 500 million running against NTFS - a decent filesystem with features that most FOSS Filesystems don't have - namely ACLs. Now, the vast majority of Linux boxes are running ext2 - essentially a lame-old filesystem maintained for the sake of compatibility. That's just a fact. It's sucky for more computing. Not that robust, not that fast, not that efficient, not that great. Now you mention these other projects. Great. Good stuff. I love ReiserFS. Really nice design, so far a pretty decent implementation. How long till that's the de facto standard? Forever? Never? 5 years? No big deal, choice is good, right? Well how about the new features of Reiser4. How long till they are integrated into KDE, Gnome, and the dozens of major Linux distros? When MS releases WinFS all the system applets will make use of it, as well as I am sure Windows Media Player and Office. In the course of a year it will be available to developers to target against 50% or more of the Windows users. How long will it be before developers can target Reiser4 for 50% of Linux users? Can you tell me surely that it *ever* will? Can any application vendor in the Linux world, or any developer, ever say that 50% or more of its user base will have a given filesystem? Choice is good, but sometimes, choice stifles progress, and filesystems are a good one.
Also, most of E17's base libraries are mostly done, and implement a lot of features MS is in the process of "inventing."
Same with graphics. I am thrilled that X.org is making progress with the XFree codebase. How long will that last? If the changes start to get radical, or break *any* compatibility, the progress will die on the vine. Heck, if it even requires a recompile of an application binary it will probably die. Let's be clear as well. The only reason X.org exists is because of a license change in the XFree project. How long until X.org faces the same red-tape laden decline as X.org? I am not saying it will die, but progress will slow, then stop, and then the software will be in "patch" only mode just as XFree86 is now.
We will see over time who is right. My guess is that I am right. MS has an OS now that they can move with ease right now - XP. Longhorn is going to incorporate things that are hard, unsexy, and unrewarding for FOSS developers to release. I didn't even touch Indigo - a middleware layer that is ambitious and needed in many cases.
As a final note, let me ask you this. We know that FOSS is good at replicating things - cloning things. That's the whole idea behind the Linux project in the beginning anyways: to make a free Unix-ish project. What we haven't seen much of from the FOSS world is really getting big changes to the wider non-geek world. Firefox is really the first project to make a strong attempt and meet some success. What MS is doing is taking things that are normally OS-geek projects - graphics, filesystem, messaging and networking - and making them big name features. These are the types of things that FOSS isn't good at doing quickly. The great filesystems that the FOSS "owns" are great - JFS/XFS/ext3/ReiserFS, etc are really good stuff, and given some more time to mature they could each easily become industry standards. But the fragmented nature of the FOSS world means that none will gain prominence, and that for the foreseeable future, most users will stick with ext2 or maybe ext3. This creates a lack of demand for new user-space applications that utilize the enhanced functionality of ReiserFS or JFS or any future projects. It means that new projects are shoehorned into the same feature set that ext2 provides. Users continue to use the "locate"
At this point in MS's life, being co-dependent on Intel or AMD is crazy. The way technology on the hardware side is progressing, MS could decide to close up and become 100% closed in terms of hardware. Or it could go multi-platform. Either way, .NET is a huge leaping point for this type of thinking. When everything runs against .NET, switching to a new platform is a matter of using another base OS, implementing a nice .NET runtime, and being done with it.
Also, in a few years, without a doubt, the MS monopoly on the desktop will be officially vacated. When a solid 10-15% of users use MacOSX or Linux courts will agree that MS isn't a monopoly on desktops anymore, and MS will be completely unrestricted in terms of pricing, licensing, and lock-in.
It's still a DOS prompt as far as I'm concerned.
That's fine, but it's like me calling modern Linux distros the same as System V. It's just not true, but maybe if you reduce everything to the most basic level it works as an analogy.
Usually I see this kind of thing posted by someone who had been using Windows 95 and got a new computer loaded with XP from mom and dad for Christmas.
I am well aware of the versions all along the way. But Win2k was not the final destination merge (especially because WinME was sold at the same time). XP is the final merge. And you know what? It works surprisingly well. Users who don't know anything can move to it without feeling the pain. And, for example, where my wife works 15 year old 16-bit DOS applications replete with TSRs, legacy file access, and statically mapped memory segments run. Pretty amazing.
On the GUI scaling thing: X has done this for years. Try gimp2 on a 150dpi display and a 75dpi display. The fonts, dialogs, and most of the graphical elements all resize automatically.
It's gawd-awful ugly with most applications! Most applications just scale either (1) in fixed increments (2x, 3x, etc) or not at all, leaving a gigantic empty workspace with tiny tiny elements. Crappy. Same with Windows and with some MacOS X apps. But regardless, let's say GTK and QT switch. How long until that's in every app? How long until SVG icons are standard across the FOSS world?
Windows-on-Windows-on-x86-emulator?
Not needed! With MS's resources, they just need to target a .NET runtime on a new platform. That's 90% of the effort required to switch from x86. Most new software being written now is .NET based. That means in 5 years, almost all reasonably current software will be able to run on any complete .NET environment.
Microsoft also tried for a very long time to hack and upgrade their old OS, also designed for single user with no networking
While DOS was still vogue, MS recognized that it was drastically limited, and began work on a New Technology. That was NT. They maintained both lines - improving and upgrading the technology behind NT until it could provide a consistent user experience with the legacy line.
It may not have been planned, but MS did a great job merging two completely separate code bases. The DOS/Win9x codebase merged against the NT base under XP, and now, within 3 years, 50% of Windows users on the desktop run XP. The next 25% will be there within another year (the last 25% will probably take a decade; many will not move to XP until they are forced to by hardware failure, and that's their right).
and Apple's last chance to survive was to purchase NeXT, with their Unix experience, and thus MacOS X was born.
Don't forget that in there was a CEO who had no idea of the business. That's an important factor, remember.
There are many similarities with Windows and Longhorn
Not as many as you pretend, let's think it through.
Microsoft has already moved the majority of its users to an operating system that is truly multitasking, has fine networking support, and is in fact the industry standard for desktop operating systems. Not that it's the best mind you - but rather the industry standard. What Longhorn is adding is not core bits needed for a modern operating system. XP has those. The fact remains that if everything stayed where they are, MS could milk XP for 10 years. But of course, what MS wants is to continue to be dominant for decades, and that's where Longhorn enters. Let's face it, XP is good enough for just about every current Windows user. It performs fairly well, it's straightforward to install, it supports basically the entire universe of x86 hardware, it's cheap enough for OEMs to use, it's easy enough for users, powerful enough for administrators, flexible enough for developers, etc. It's certainly not perfect.
With Longhorn, MS is exploiting the weaknesses of the FOSS world, so they can continue to dominate the business, corporate, and home desktop market. What isn't FOSS good at doing? Changing rapidly. If a group of programmers get together and code some great new thing, it'd take years of flamefests and discussion to get to the majority of Linux users. Plus chances are it will fork within a few versions and the talent pool will be split. Add to this the fact that much of the really hard work in software engineering is shunned - people want to work on the stuff they want - not the stuff that others want them to.
So this is what MS is thinking: implement the things that the FOSS world can't do thanks to its red-tape laden world-view. Implement a filesystem layer that provides nifty functions that while aren't new are new in this scale. Writing a similar filesystem and getting it into use in the FOSS world would not happen, or if it did, take a decade. Re-write the graphical subsystem to use strictly vectored screen elements. This is a huge boon to developers - any GUI programmer can tell you what a pain it is thinking about how your application will look at 800x600, at 1600x1200, etc. Will that panel here look funny since it will be 99% empty at 1600x1200? Sure different programming environments will physically scale the interface for you, but how will it look, feel, and work? Enter Avalon, MS's solution. Screen elements will stay the same size while you increase resolution, but your workspace will gain resolution and capability. All of the sudden you can edit a large image in Photoshop on your high-resolution monitor without all the widgets becoming microscopic. How long would it take for the FOSS world to replicate this? X is completely widget agnostic. Every application or desktop environment has its own set of widgets with its own code tree and its own egos. Not only would X have to ma
Why not? If google teamed up on a little joint venture with a well developed Linux distribution, I could see deeper desktop penetration of Linux just because of the Google brandname.
The only way people would switch to this desktop OS would be if they could only google with it. If they made this happen, they'd be busted down on hard by the DOJ for the most clear Sherman violation in decades.
Have you read about all the new bugs that are being found in SP2?
Yes, and most of what is written is junk.
There are complaints about how the SP2 security panel can be spoofed.
Yes, they are uninformed complaints.
This allows a person to trick people into thinking their firewall and virus scan are all on and working normally.
Any person?
Microsoft's response... (paraphrased quote) "We are busy with other more important bugs at the time, don't bother us with these trivialities."
Umm.. no, that's a blatant distortion.
Here is the story you don't want to know:
A program running locally on the XP SP2 machine has the ability to overwrite the data store used to track and display the various updated components in XP SP2.
This isn't a remote vulnerability. It means that, simply put, a program can constantly overwrite the data that would indicate a virus scan hasn't taken place in 15 days, or that the firewall is off or open on certain ports, etc.
To have this "vulnerability" be "exploited", first the protection would have to be subverted/turned off by the user. Nothing in this "exploit" allows an application to disable the features, just make them look as though they are in place. So after a program infiltrates the system and is running as an Administrator, it would be able to make the user think that the protection they already disabled was in fact running.
This is not a big deal. For example, let's say I had a program I could find a way to get onto a box with root access. I could just easily, if not more easily, spoof the security center interface and make it say whatever I wanted. I could just as easily spoof it to say "OH NO, GO DOWNLOAD THIS PATCH".
The point being this is a hole in the design or implementation. It's a social engineering attack. To be useful, the user would have to disable the protection on the machine; the user would then have to be convinced to download the trojan; the user would have to be induced to run the trojan; and the user would have to believe that he/she was in fact protected despite knowingly disabling the protection.
The nature of any operating system is that it responds to users' actions. If any person/program can convince any user on any operating system to run any malicious binary as root/Administrator/etc then that box is exploitable by means of social engineering. Big deal. That's not new, it's not a security vulnerability per se, it's not anything but human nature.
That is one possibility. Another possibility is that they were jobless and facing eviction in two weeks and so a few thousand dollars looked like a grand opportunity.
I tell you what. I've been there. There is no need to ever be evicted. Jobless? Okay. Fix that. Go to a temp agency. Go to a fast food place. Go to a 24 hour gas station. Go to the hot dog factory in the bad part of town. There are very, very, very few places in the US where healthy adult men cannot find a job for minimum wage. In the course of a month, 3 guys earning 5.25 an hour working a 30 hour work week can earn $1,890, and take home between $1100 to $1400 of it. If all 5 guys had a job, working 30 hours a week making 5.25 an hour they'd be taking home $2000-$2300 in that month. More than enough to pay reasonable rent, healthy rations of food, and basic recreation.
But let's be real. These guys didn't want to work hard for money. They wanted it easy. They thought they were smarter than the average person, and didn't think they should be subjected to minimum wage jobs. I mean, hey, they were geeks, and geeks shouldn't have to do that "type" of work, right?
These guys were hired guns, hired because they already were knee deep in the cracker subculture that is all-too prevalent among geeks who think they are better than everyone else, smarter than everyone else, and who have a nasty sense of entitlement.
This wasn't a little DDoS. These guys had farms of bots - 5k-10k of them. It was a multi-week, pre-meditated, refined criminal operation. Two weeks worth of DDoS?
I don't care if they were living on Ramen noodles, they don't deserve the level of sympathy you show. If this had of been them throwing thier own bandwidth at a single site on a single occasion, well, that'd be one thing. But this is an entirely different scale of operaton.
Thus Microsoft has saved us from nothing, and made everyone's lives more difficult.
No, that's false. Javascript can be controlled in other fashions. For example, I (when using IE) do not have it enabled at all. It's just plain off. That is an acceptable way to browse: javascript turned off. There is no accepted way of disabling META tags. The META refresh is a NON-STANDARDS-compliant hack that violates the whole idea of META tags to begin with. The bottom line is that the browser should not go where the server tells it, it should go where the user tells it.
MS has eliminated this Netscape-induced abomination, and it's about time.
No, this should be exposed and derided for what it is: the Emperor's New Clothes.
Maybe you are being a bit over-harsh here?
Recognizing improvements is just that: noticing when things get better, worse, or stay the same.
If this was truly "the emperor's new clothes" then you would be saying that this version of XP is no more secure than any other, and that is provably false.
Denying that there are levels of security is absurd. XP SP2 is significantly more secure than the original version, than Windows 2000, than 98, etc.
What do you mean? I just ordered a retail copy of XP direct from MS late last week. I received it, opened it up, and bingo: prepatched to SP2. You don't think they only sell the original release, do you?
SP2 was "RTM"'d (released to manufacturers) early for a reason...
Re:I'm sorry, were you expecting better? (on XP2 Spotted In The Wild; Score: 4, Informative)
For example, XP SP2 now modifies IE to reject redirects. i.e. If you have a redirect page to forward someone to your new website
META REFRESH is not a good way to redirect people, and furthermore, it's not standards-compliant. Allowing META REFRESH to direct users around the web without their consent is deceptive, and a major usability problem for users.
One of the big goals of SP2 was to improve the web browsing experience for users tired of getting hijacked by bad nasty web pages that intentionally use seemingly harmless methods to corral, trap, and frustrate users.
A lot of people use the META REFRESH directive to move them to a new URL once an old one has expired. Even on Firefox/Mozilla this can be used to trap users, enable phishing, and the like.
Better methods, when you can address this, are to:
Use server side URL rewriting, like in mod_rewrite or like available in IIS
Display a simple page with a large clear hyperlink and message to update the original link
Display a simple page like above and use a simple Javascript to move the user (unlike META commands, the Javascript can be disabled).
Use the appropriate 3xx HTTP status code and let the client handle the change appropriately
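The server-side alternative the post above recommends (a proper 3xx status plus a visible link, instead of a META REFRESH the user cannot switch off), as an added example that is not code from the original thread. It is a small WSGI handler: the path-to-URL mapping, the host names and the allow-list are constructed for illustration. The allow-list is the practitioner's caveat: a redirect endpoint that forwards to any URL it is handed becomes an open redirector, which is exactly the phishing aid the post complains about.

```python
"""Redirect retired URLs with a 3xx status and a plain hyperlink.

Added example, not code from the original thread. The MOVED mapping,
ALLOWED_HOSTS and the example.com host names are assumptions made up for
this illustration.
"""
from html import escape
from urllib.parse import urljoin, urlsplit
from wsgiref.simple_server import make_server

# Constructed mapping of retired paths to their replacements (assumption).
MOVED = {
    "/old-page.html": "/new-page.html",          # same-site move
    "/docs/": "https://docs.example.com/",       # moved to a sister host
    "/partner": "https://partner.example.net/",  # not on the allow list: refused
}

# Hosts this site is willing to send visitors to. Anything else is refused,
# so the endpoint cannot be abused as an open redirector.
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
SELF_ORIGIN = "https://www.example.com"


def resolve_target(path):
    """Return an absolute, allow-listed https URL for a retired path, or None."""
    target = MOVED.get(path)
    if target is None:
        return None
    absolute = urljoin(SELF_ORIGIN + "/", target)  # relative paths stay on this site
    parts = urlsplit(absolute)
    if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS:
        return None
    return absolute


def redirect_response(path):
    """Build (status, headers, body) for a request to a retired path.

    The 301 and its Location header are what a browser follows; the HTML body
    repeats the same URL as an ordinary link, so a client that does not follow
    redirects (or a user with scripting off) still sees where to go.
    """
    target = resolve_target(path)
    if target is None:
        return ("404 Not Found",
                [("Content-Type", "text/html; charset=utf-8")],
                b"<p>Not found.</p>")
    safe = escape(target, quote=True)  # never interpolate a URL into HTML raw
    body = (
        "<!DOCTYPE html><html><head><title>Moved</title></head><body>"
        "<p>This page has moved. Please update your bookmark to "
        f'<a href="{safe}">{safe}</a>.</p>'
        "</body></html>"
    ).encode("utf-8")
    headers = [
        ("Location", target),
        ("Content-Type", "text/html; charset=utf-8"),
        ("Cache-Control", "max-age=86400"),
    ]
    return ("301 Moved Permanently", headers, body)


def application(environ, start_response):
    """Minimal WSGI entry point around redirect_response."""
    status, headers, body = redirect_response(environ.get("PATH_INFO", "/"))
    headers.append(("Content-Length", str(len(body))))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Serve locally; try: curl -i http://127.0.0.1:8080/old-page.html
    with make_server("127.0.0.1", 8080, application) as srv:
        srv.serve_forever()
```

Choosing 301 (or 302/307 for a temporary move) over a META tag also lets proxies and search engines update their records, which a META REFRESH never does.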
I work for one and it is making more money than ever.
Which one? I track various telecom stock performance and key performance indicators aren't good across the industry.
Also, some of the most profitable wireless companies are only wireless companies - without dead-weight strapped to the back.
Granted, I have a nice connection back to home - my average ping is about 15 ms.
I'd bet you are seeing bad response due to connection latency.
Why is it that everyone in the FOSS community always wants EVERYTHING to be a web-based application?
Is it so hard to imagine that some people really want application state, a really responsive UI, the ability to work with data without many round-trips to the server, etc?
Web-apps are nice, but geez, they aren't the frigging holy grail!
I came up with an idea for a simple and peppy substring searching algorithm that's currently used in a popular piece of P2P software. The period of time between when I came up with the idea and when it shipped in SuSE? I dunno, it was whenever the next SuSE release came out.
What an absurdity. You are talking about compact simple functions. What we are talking about are fundamental changes involving perhaps 10-15 million lines of code.
I think that they might be the most *popular* vendor of a number of things, but still not the first to market.
No, you are not following me. I am talking about taking things that are mature, and making them accessible to the masses. FOSS hasn't done that widely, except perhaps Firefox, and a few P2P clients. What FOSS software is in daily use by millions of desktop users? Apache serves 60% of the world's websites, but what about the rest of the computing world? What about desktop users of all stripes - MacOS, Linux, and Windows? Let me give you a clear, concise example of what I am talking about. Microsoft clearly did not invent remote displays of a PC. It's been around for a long, long time. X does it. VNC does it as well. pcAnywhere did on DOS even. Unix has had remote shells for decades. But how many PC users had the ability to access their home PC from work? Or vice versa? Now this is what I am talking about. At the recent PDC conference MS held they reported statistics like this one: 3 million people in the US use remote desktop daily to connect to their home or work PC. I can understand this. My mother does it. My wife does it. I do it. Why? It's easy, and it's robust. It wasn't first, it wasn't last, it isn't the best solution. What it is is ubiquitous. This is an advantage. As a developer, I can say that the majority of my user base has access to a feature - remote assistance. As a Linux software developer, can you claim that?
Now, onto VM's:
However, in an open source world, it doesn't provide nearly as much a benefit, since most software can just be rebuilt -- Red Hat just sets the --target option and rebuilds for IA64, PPC, i386, or whatever.
I agree. Totally correct. Except that your cross-platform ideas involve the time-consuming and error-prone problems of cross-compiling. I am well aware of the drawbacks and benefits. Sun thought that their idea of a cross-platform binary would change how software was developed and used. They failed. Again, they were not the first, but they were early compared to MS. They have not delivered. There is very little common usage of Java software except on the server side (exactly where people have the time and skill to cross-compile). The current batch of software being developed now and released now is based on a VM. That's something Sun has never delivered.
Dan, I *already* have cross-architecture compatibility with native speed and memory use. The only piece of binary software I can think of that I have is the RealPlayer library. Heck, I've co-developed software with a buddy who did his work on a PowerPC laptop. There's no need to resort to an emulation-based system.
There are vast benefits to using compile-once-run-anywhere binaries. Cross-compiling doesn't provide these, and you know it. I too have a system built by hand entirely from source. It doesn't however mean that it's the best solution for every multi-platform scenario. You have to know this; you seem much too knowledgeable to not understand that having multiple-platform binaries makes things confusing for users. The fact is that, despite all the ballyhooing about Linux applications being hardware independent, distributing software is a freaking mess. If you want to save people time and distribute binaries you need to support at least RPM and DEB, plus probably source RPM, provide a big nasty makefile (go look at the makefile for XFree86 sometime before you eat lunch!).
Now, there are certainly FOSS VMs with bytecode that exist: rep, emacs, bochs, p
When I want to add a feature, I do a patch and send it to a mailing list. It's pretty easy.
.NET. In the next 18-24 months virtually everything released is going to be .NET based. MS has succeeded by getting ISVs to write against an entirely new managed code base. This is a big-time innovation. They didn't invent the idea. They didn't create this big idea. They got to the desktop. They brought it to people. Something Unix vendors have been promising the world, and here comes MS last to the game ready to deliver. FOSS is great at having a big pile of IFDEFs and tons of includes to make things work on multiple flavors of FOSS platforms. Good for them. That's been around though for a long time. Here comes MS delivering binary compatibility via a VM. Wow. And they are poised to do it again, and completely nail Linux in the process.
It's evolutionary. Little patches, little by little. There is not a big momentum of new changes being added.
Let me ask you a question. If you had something that was truly revolutionary under your hat. You thought it up, coded some proof of concepts. Bamo. Brand new. Big-time stuff. What would you do with it? How long would it take to go from your idea to the average user?
d you're using Microsoft as an example of technical innovation
I have never claimed they invented anything. I am saying they bring things *to the market* way before anyone else. Let me ask you this. What percentage of Open Source applications are running on a virtual machine? Sun promised the world this a decade ago. But fast forward. 75% of Windows developers are writing products targeted towards
When Longhorn and its technology hits in the next two years, developers will be drinking the Kool-Aid full-on. It's the ultimate in lock-in: make developing apps so much more effective and efficient that you don't want to switch platforms.
I encourage you to go read up some on MSDN about Avalon, XAML, WinFS, and Indigo. Then read some MS blogs for a few hours. If MS pulls off even 1/2 of the technology they are thinking of, Linux in terms of developer experience is going to be way, way behind.
It's all about "Developers, developers, developers!"
Have you ever heard of ReiserFS4?
So how long until I can, as a developer, incorporate serious transaction support into my applications? 1 month, 2 months? 6 months? 12 months? 5 years?
I am sure that will happen sooner than anybody sees WinFS doing anything
Sure, it may go to the kernel. Will anyone be using it for anything? Will it be integrated into applications? Can I open up OpenOffice and roll through automatically journaled versions (just an example) of my document? Can I write applications that work with files atomically? Having it in the kernel is step #1 in getting to step #54, which is having wide access to the features provided by the filesystem.
All these technologies are Open Source. So it is not like there is nothing new here in Linux.
I am not saying anything is new, but where are the implementations that use it? Where are the vector-based toolkits, where are the vector-based rendering extensions on X? Where are they? When can I as a developer count on having them?
I wasn't using ANY GTK1 apps two or three MONTHS after GNOME2 was released, which was a MAJOR switch. I think you should pay more attention to OSS so you can be more informed.
Yet Fedora still ships with some by default. As does Mandrake.
There are dozens of very complete SVG icon sets available NOW for KDE and GNOME.
So is it safe to say that 75% of all desktop icons used by Linux desktop users are SVG based? Can I ship a product that counts on the fact that the icons used on desktops are SVG based? Ohh, I can't? Because hardly anyone uses them.
As a matter of fact, I can't even ship an application that assumes you have KDE, or an application that assumes you have GNOME, can I? Can I make assumptions about anything on any typical Linux machine? Tell me, what are the things that I, as a developer, can assume about your box?
Pray tell, what features are those? Journaling? Done. Stability? Done. ACLs? Done. Meta-data? Done.
...
I tell you what. I've worked on roughly 1000 Linux boxes. I have never seen a single one with ACL support enabled. Ever. Just because it exists doesn't mean it's in use.
Face the facts. A lot of these projects that you tout are dormant, deprecated, not in heavy use, or pet projects.
Maybe, but how many new boxes get installed with ext2?
Most distros default to ext2 or ext3. A few give you options. Most boxes being installed today are not running a nifty new filesystem. They are running crufty versions. A huge majority of boxes will not ever be moved to a better filesystem; they will just be upgraded only when replaced. And even then, chances are, they will use an older filesystem like ext2 or an old version of ext3.
It's lame is it? That's why until Win2k, it was more stable (and much faster to boot) at crash recovery than NTFS, MS's highly touted FS?
Win2k was released in 1999. Until then MS didn't have a decent filesystem. I don't deny that. But that doesn't mean state of the art should stop on the Linux side five or six years back. ext2 was great for its time. But let's move on. The fact is that as a developer, if you need to write any filesystem-specific features in your complex product, you have to assume the lowest common denominator of ext2. Any new features offered by new filesystems will be ignored until they gain a strong foothold. As a developer are you going to target 4-5 competing journaling filesystems splitting 10% of the installed base? No, of course not.
What a ridiculous troll! Why is that bound to happen?
Because any change that breaks compatibility with any ancient, unmaintained project will be cast off as incompatible. Anything that changes the Xlib library more than marginally will be cast off. Anything that is at all different from the status quo will be frowned on.
What a ridiculous troll! Why is that bound to happen? Look at all the OSS projects that are highly active, and have been for years and years. GNOME and KDE are more active than ever, and so is the Linux kernel.
Those are the NAME BRAND FOSS projects. I am talking about the hundreds and hundreds of other applications out there. The ones with 1-10 developers, and that's it.
I hope you will do a bit more research about developments in the FOSS world before running your mouth(errr... fingers).
I am well aware. I am highly involved in the FOSS world. You are completely wrong. Once more for the record, FOSS is great at replicating things. It is not great at driving new things, at making big changes, at making big improvements.
Just because I know you won't take my word for it, here is my opinion from Linus himself:
"In open source, you don't have a circus. You don't see a sudden explosion. It's not done that way."
"People complain about how long it takes us to develop new versions, but we made sure that with new upgrades, old programs continue to run."
Also it's good to copy good ideas. It should be encouraged. We don't say Einstein was a really smart guy and we should come up with a better theory of relativity. We build on top of his good ideas and have new exciting quests. When we see something good out there, we tend to find ways that it applies to what we are doing. It's a slow process of improvement.
Face it man. FOSS is good at making software that is stable, static, etc. It is good at taking a 30-year-old protocol and adding dozens of extensions to it and upgrading it and making it do newish things with crufty hacks. FOSS is great at making software that scratches an itch. That's it.
Finally, a bit of proof. In 1991, this article on Freshmeat (http://freshmeat.net/articles/view/212/) talks about four journaling file systems: ReiserFS, XFS/Linux,
What spinning or unfair editing took place here?
No, the Microsoft guy said that the security goals set forth are not short-term goals, but rather, long-term goals, aka 10 years.
The headline of the Slashdot article makes it seem like he said flat out that Windows will be insecure for 10 years. Which isn't true, and which isn't what he said.
At some point people on Slashdot are going to have to come to grips with the fact that there are levels of security. MS is in the middle of a big push to change how they themselves and more importantly their customers think about security.
It's a non-trivial thing. Windows developers haven't been thinking about security until recently. It's been a non-issue until the world and MS made it one.
Getting the core of Microsoft software, applications, services and servers up to date, as well as creating tools that forcefully prod developers into coding effectively and securely is the real big goal of Microsoft's security plan.
Now look at this very short interview. The original question was:
We asked Stephen Toulouse, Microsoft's security program manager, if Redmond is fighting a war it can't win.
That's clearly the question he is responding to in the final "question": "Seems like you're fighting a losing battle.".
Rethink it in light of that question. Security isn't a start at X, arrive at Y, and you are done thing. Any developer knows that.
MS has done the basic things they never did before: disable services by default, enforce passwords, use least-privilege practices, and the like. That's step 1. They've gone ahead and prodded developers to be more conscious of security problems - that's step 2. They've updated their own software to be much more resilient to attack. This isn't about just buffer overruns and whatnot. It's about cross-site scripting, phishing, and the like. It's about redesigning things to be secure by default.
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.
When the question "Seems like you're fighting a losing battle" was posed the MS guy responded by saying "[It]'s not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline."
Finally, as an FYI: the rate of security flaws in Windows itself isn't terribly bad. Windows XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run Firefox, and be done with it.
You're either stupid, ignorant, or willfully lying(FUD).
None of the above, thanks.
Then you go and talk about filesystems and vector graphics, both of which, at present time, FOSS absolutely trumps MS at.
Absolutely untrue. Just because there is a project in existence doesn't mean that FOSS is trumping MS. MS has an installed base of 500 million running against NTFS - a decent filesystem with features that most FOSS filesystems don't have - namely ACLs. Now, the vast majority of Linux boxes are running ext2 - essentially a lame old filesystem maintained for the sake of compatibility. That's just a fact. It's sucky for modern computing. Not that robust, not that fast, not that efficient, not that great.
Now you mention these other projects. Great. Good stuff. I love ReiserFS. Really nice design, so far a pretty decent implementation. How long till that's the de facto standard? Forever? Never? 5 years? No big deal, choice is good, right? Well how about the new features of Reiser4. How long till they are integrated into KDE, GNOME, and the dozens of major Linux distros? When MS releases WinFS all the system applets will make use of it, as well as, I am sure, Windows Media Player and Office. In the course of a year it will be available to developers to target against 50% or more of the Windows users. How long will it be before developers can target Reiser4 for 50% of Linux users? Can you tell me surely that it *ever* will? Can any application vendor in the Linux world, or any developer, ever say that 50% or more of its user base will have a given filesystem? Choice is good, but sometimes choice stifles progress, and filesystems are a good example.
Also, most of E17's base libraries are mostly done, and implement a lot of features MS is in the process of "inventing."
Same with graphics. I am thrilled that X.org is making progress with the XFree codebase. How long will that last? If the changes start to get radical, or break *any* compatibility, the progress will die on the vine. Heck, if it even requires a recompile of an application binary it will probably die. Let's be clear as well. The only reason X.org exists is because of a license change in the XFree project. How long until X.org faces the same red-tape-laden decline as X.org? I am not saying it will die, but progress will slow, then stop, and then the software will be in "patch" only mode, just as XFree86 is now.
We will see over time who is right. My guess is that I am right. MS has an OS now that they can move with ease right now - XP. Longhorn is going to incorporate things that are hard, unsexy, and unrewarding for FOSS developers to release. I didn't even touch Indigo - a middleware layer that is ambitious and needed in many cases.
As a final note, let me ask you this. We know that FOSS is good at replicating things - cloning things. That's the whole idea behind the Linux project in the beginning anyways: to make a free Unix-ish project. What we haven't seen much of from the FOSS world is really getting big changes to the wider non-geek world. Firefox is really the first project to make a strong attempt and meet some success. What MS is doing is taking things that are normally OS-geek projects - graphics, filesystem, messaging and networking - and making them big-name features. These are the types of things that FOSS isn't good at doing quickly. The great filesystems that the FOSS world "owns" are great - JFS/XFS/ext3/ReiserFS, etc. are really good stuff, and given some more time to mature they could each easily become industry standards. But the fragmented nature of the FOSS world means that none will gain prominence, and that for the foreseeable future, most users will stick with ext2 or maybe ext3. This creates a lack of demand for new user-space applications that utilize the enhanced functionality of ReiserFS or JFS or any future projects. It means that new projects are shoehorned into the same feature set that ext2 provides. Users continue to use the "locate"
At this point in MS's life, being co-dependent on Intel or AMD is crazy. The way technology on the hardware side is progressing, MS could decide to close up and become 100% closed in terms of hardware. Or it could go multi-platform. Either way, .NET is a huge leaping point for this type of thinking. When everything runs against .NET, switching to a new platform is a matter of using another base OS, implementing a nice .NET runtime, and being done with it.
Also, in a few years, without a doubt, the MS monopoly on the desktop will be officially vacated. When a solid 10-15% of users use MacOSX or Linux courts will agree that MS isn't a monopoly on desktops anymore, and MS will be completely unrestricted in terms of pricing, licensing, and lock-in.
It's still a DOS prompt as far as I'm concerned.
That's fine, but it's like me calling modern Linux distros the same as System V. It's just not true, but maybe if you reduce everything to the most basic level it works as an analogy.
Usually I see this kind of thing posted by someone who had been using Windows 95 and got a new computer loaded with XP from mom and dad for Christmas.
I am well aware of the versions all along the way. But Win2k was not the final destination merge (especially because WinME was sold at the same time). XP is the final merge. And you know what? It works surprisingly well. Users who don't know anything can move to it without feeling the pain. And, for example, where my wife works, 15-year-old 16-bit DOS applications replete with TSRs, legacy file access, and statically mapped memory segments run. Pretty amazing.
On the GUI scaling thing: X has done this for years. Try gimp2 on a 150dpi display and a 75dpi display. The fonts, dialogs, and most of the graphical elements all resize automatically.
It's gawd-awful ugly with most applications! Most applications just scale either (1) in fixed increments (2x, 3x, etc.) or not at all, leaving a gigantic empty workspace with tiny tiny elements. Crappy. Same with Windows and with some MacOS X apps. But regardless, let's say GTK and Qt switch. How long until that's in every app? How long until SVG icons are standard across the FOSS world?
At the rate FOSS moves, very long time.
Windows-on-Windows-on-x86-emulator? .NET runtime on a new platform. That's 90% of the effort required to switch from x86. Most new software being written now is .NET based. That means in 5 years, almost all reasonably current software will be able to run on any complete .NET environment.
Not needed! With MS's resources, they just need to target a
Microsoft also tried for a very long time to hack and upgrade their old OS, also designed for single user with no networking
While DOS was still vogue, MS recognized that it was drastically limited, and began work on a New Technology. That was NT. They maintained both lines - improving and upgrading the technology behind NT until it could provide a consistent user experience with the legacy line.
It may not have been planned, but MS did a great job merging two completely separate code bases. The DOS/Win9x codebase merged against the NT base under XP, and now, within 3 years, 50% of Windows users on the desktop run XP. The next 25% will be there within another year (the last 25% will probably take a decade; many will not move to XP until they are forced to by hardware failure, and that's their right).
and Apple's last chance to survive was to purchase NeXT, with their Unix experience, and thus MacOS X was born.
Don't forget that in there was a CEO who had no idea of the business. That's an important factor, remember.
There are many similarities with Windows and Longhorn
Not as many as you pretend, let's think it through.
Microsoft has already moved the majority of its users to an operating system that is truly multitasking, has fine networking support, and is in fact the industry standard for desktop operating systems. Not that it's the best, mind you - but rather the industry standard. What Longhorn is adding is not core bits needed for a modern operating system. XP has those. The fact remains that if everything stayed where it is, MS could milk XP for 10 years. But of course, what MS wants is to continue to be dominant for decades, and that's where Longhorn enters. Let's face it, XP is good enough for just about every current Windows user. It performs fairly well, it's straightforward to install, it supports basically the entire universe of x86 hardware, it's cheap enough for OEMs to use, it's easy enough for users, powerful enough for administrators, flexible enough for developers, etc. It's certainly not perfect.
With Longhorn, MS is exploiting the weaknesses of the FOSS world, so they can continue to dominate the business, corporate, and home desktop market. What isn't FOSS good at doing? Changing rapidly. If a group of programmers get together and code some great new thing, it'd take years of flamefests and discussion to get to the majority of Linux users. Plus chances are it will fork within a few versions and the talent pool will be split. Add to this the fact that much of the really hard work in software engineering is shunned - people want to work on the stuff they want - not the stuff that others want them to.
So this is what MS is thinking: implement the things that the FOSS world can't do thanks to its red-tape-laden world view. Implement a filesystem layer that provides nifty functions that, while they aren't new, are new at this scale. Writing a similar filesystem and getting it into use in the FOSS world would not happen, or if it did, would take a decade. Re-write the graphical subsystem to use strictly vectored screen elements. This is a huge boon to developers - any GUI programmer can tell you what a pain it is thinking about how your application will look at 800x600, at 1600x1200, etc. Will that panel here look funny since it will be 99% empty at 1600x1200? Sure, different programming environments will physically scale the interface for you, but how will it look, feel, and work? Enter Avalon, MS's solution. Screen elements will stay the same size while you increase resolution, but your workspace will gain resolution and capability. All of a sudden you can edit a large image in Photoshop on your high-resolution monitor without all the widgets becoming microscopic. How long would it take for the FOSS world to replicate this? X is completely widget agnostic. Every application or desktop environment has its own set of widgets with its own code tree and its own egos. Not only would X have to ma
Why not? If Google teamed up on a little joint venture with a well-developed Linux distribution, I could see deeper desktop penetration of Linux just because of the Google brand name.
The only way people would switch to this desktop OS would be if they could only google with it. If they made this happen, they'd be busted down on hard by the DOJ for the most clear Sherman violation in decades.
Have you read about all the new bugs that are being found in SP2?
Yes, and most of what is written is junk.
There are complaints about how the SP2 security panel can be spoofed.
Yes, they are uninformed complaints.
This allows a person to trick people into thinking their firewall and virus scan are all on and working normally.
Any person?
Microsoft's response... (paraphrased quote) "We are busy with other more important bugs at the time, don't bother us with these trivialities."
Umm... no, that's a blatant distortion.
Here is the story you don't want to know:
A program running locally on the XP SP2 machine has the ability to overwrite the data store used to track and display the various updated components in XP SP2.
This isn't a remote vulnerability. It means that, simply put, a program can constantly overwrite the data that would indicate a virus scan hasn't taken place in 15 days, or that the firewall is off or open on certain ports, etc.
To have this "vulnerability" be "exploited", first the protection would have to be subverted/turned off by the user. Nothing in this "exploit" allows an application to disable the features, just make them look as though they are in place. So after a program infiltrates the system and is running as an Administrator, it would be able to make the user think that the protection they already disabled was in fact running.
This is not a big deal. For example, let's say I had a program that I could find a way to get onto a box with root access. I could just as easily, if not more easily, spoof the security center interface and make it say whatever I wanted. I could just as easily spoof it to say "OH NO, GO DOWNLOAD THIS PATCH".
The point being this is a hole in the design or implementation. It's a social engineering attack. To be useful, the user would have to disable the protection on the machine; the user would then have to be convinced to download the trojan; the user would have to be induced to run the trojan; and the user would have to believe that he/she was in fact protected despite knowingly disabling the protection.
The nature of any operating system is that it responds to users' actions. If any person/program can convince any user on any operating system to run any malicious binary as root/Administrator/etc, then that box is exploitable by means of social engineering. Big deal. That's not new, it's not a security vulnerability per se, it's not anything but human nature.
That is one possibility. Another possibility is that they were jobless and facing eviction in two weeks and so a few thousand dollars looked like a grand opportunity.
I tell you what. I've been there. There is no need to ever be evicted. Jobless? Okay. Fix that. Go to a temp agency. Go to a fast food place. Go to a 24 hour gas station. Go to the hot dog factory in the bad part of town. There are very, very, very few places in the US where healthy adult men cannot find a job for minimum wage. In the course of a month, 3 guys earning 5.25 an hour working a 30 hour work week can earn $1,890, and take home between $1100 to $1400 of it. If all 5 guys had a job, working 30 hours a week making 5.25 an hour they'd be taking home $2000-$2300 in that month. More than enough to pay reasonable rent, healthy rations of food, and basic recreation.
But let's be real. These guys didn't want to work hard for money. They wanted it easy. They thought they were smarter than the average person, and didn't think they should be subjected to minimum wage jobs. I mean, hey, they were geeks, and geeks shouldn't have to do that "type" of work, right?
These guys were hired guns, hired because they already were knee deep in the cracker subculture that is all too prevalent among geeks who think they are better than everyone else, smarter than everyone else, and who have a nasty sense of entitlement.
a little DDoS doesn't look that bad
Umm, no.
This wasn't a little DDoS. These guys had farms of bots - 5k-10k of them. It was a multi-week, pre-meditated, refined criminal operation. Two weeks worth of DDoS?
I don't care if they were living on Ramen noodles, they don't deserve the level of sympathy you show. If this had been them throwing their own bandwidth at a single site on a single occasion, well, that'd be one thing. But this is an entirely different scale of operation.
Thus Microsoft has saved us from nothing, and made everyone's lives more difficult.
No, that's false. Javascript can be controlled in other fashions. For example, I (when using IE) do not have it enabled at all. It's just plain off. That is an acceptable way to browse: javascript turned off. There is no accepted way of disabling META tags. The META refresh is a NON-STANDARDS-compliant hack that violated the whole idea of META tags to begin with. The bottom line is that the browser should not go where the server tells it, it should go where the user tells it.
MS has eliminated this Netscape induced abomination, and it's about time.
No, this should be exposed and derided for what it is: the Emperor's New Clothes
Maybe you are being a bit over-harsh here?
Recognizing improvements is just that: noticing when things get better, worse, or stay the same.
If this was truly "the emperor's new clothes" then you would be saying that this version of XP is no more secure than any other.. and that is provably false..
Denying that there are levels of security is absurd.. XP SP2 is significantly more secure than the original version, than Windows 2000, than 98, etc.
What do you mean? I just ordered a retail copy of XP direct from MS late last week.. I received it.. opened it up.. and bingo.. prepatched to SP2. You don't think they only sell the original release do you?
SP2 was "RTM"'d (released to manufacturers) early for a reason...
META REFRESH is not a good way to redirect people, and furthermore, it's not standards compliant. Allowing META REFRESH to direct users around the web without their consent is deceptive, and a major usability problem for users.
One of the big goals of SP2 was to improve the web browsing experience for users tired of getting hijacked by bad nasty web pages that intentionally use seemingly harmless methods to corral, trap, and frustrate users.
A lot of people use the META REFRESH directive to move them to a new URL once an old one has expired. Even on FireFox/Mozilla this can be used to trap users, enable phishing, and the like.
Better methods, when you can address it, are to:
Use server side URL rewriting, like in mod_rewrite or like available in IIS
Display a simple page with a large clear hyperlink and message to update the original link
Display a simple page like above and use a simple Javascript to move the user (unlike META commands, the Javascript can be disabled).
Use the appropriate 3xx HTTP status code and let the client handle the change appropriately
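The last two alternatives above combined into one server-side handler, as an added example that is not part of the original post: the response carries a proper 3xx status with a Location header, and its body is the plain "this page has moved" link so a client that does not follow redirects (or a user who wants to see where they are going first) still gets a visible choice instead of a META REFRESH. The allow-list of hosts, the old-to-new URL table and the WSGI framing are assumptions made up for the example; the allow-list is there because a redirect endpoint that forwards to any URL it is handed is the same phishing aid the post warns about.

```python
"""Redirect with an HTTP 3xx plus a fallback page, instead of <meta refresh>.

Added example for illustration; not code from the original discussion.
ALLOWED_HOSTS, MOVED and the WSGI wrapper are constructed for the example.
"""
from html import escape
from urllib.parse import urlsplit, urlunsplit
from wsgiref.simple_server import make_server

# Hosts we are willing to send the user to (constructed sample data).
# Without this check the endpoint becomes an open redirect.
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}

# Old request paths -> new absolute URLs (constructed sample data).
MOVED = {
    "/old-faq": "https://www.example.com/faq",
    "/old-docs": "https://docs.example.com/start",
}


def safe_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the absolute URL if it points at an allowed http(s) host, else None.

    Rejects relative URLs, non-http schemes (javascript:, data:) and
    credential tricks such as https://www.example.com@evil.test/, where the
    real host is evil.test.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username or parts.password or parts.hostname is None:
        return None
    if parts.hostname.lower() not in allowed_hosts:
        return None
    return urlunsplit(parts)


def fallback_page(target):
    """HTML body with a visible link: the user, not the page, decides to go."""
    t = escape(target, quote=True)
    return (
        "<!DOCTYPE html><html><head><title>Page moved</title></head>"
        "<body><p>This page has moved to "
        f'<a href="{t}">{t}</a>. Please update your bookmark.</p>'
        "</body></html>"
    ).encode()


def redirect_response(path, permanent=True):
    """Build (status, headers, body) for a request path.

    Unknown paths, and mapped targets that fail the allow-list, get a 404
    rather than a redirect anywhere.
    """
    target = MOVED.get(path)
    target = safe_target(target) if target else None
    if target is None:
        body = b"<!DOCTYPE html><html><body><p>Not found.</p></body></html>"
        headers = [("Content-Type", "text/html; charset=utf-8"),
                   ("Content-Length", str(len(body)))]
        return "404 Not Found", headers, body
    body = fallback_page(target)
    status = "301 Moved Permanently" if permanent else "302 Found"
    headers = [("Location", target),
               ("Content-Type", "text/html; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    return status, headers, body


def app(environ, start_response):
    """Minimal WSGI wrapper around redirect_response."""
    status, headers, body = redirect_response(environ.get("PATH_INFO", "/"))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("serving on http://127.0.0.1:8080/old-faq")
        httpd.serve_forever()
```

Run it and fetch http://127.0.0.1:8080/old-faq with `curl -i`: the 301 and Location header arrive together with the link page, so a browser follows immediately while a client with redirects disabled still shows the user exactly one place to click. Use 301 only when the move is final; browsers cache it.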
That's "out of box" as in no service packs applied, no patches, no firewall.
"Out of the box" as of last week for me was XP with SP2 slipstreamed into the distribution.
Just an FYI for you.
I work for one and it is making more money than ever.
Which one? I track various telecom stock performance and key performance indicators aren't good across the industry.
Also, some of the most profitable wireless companies are only wireless companies - without dead-weight strapped to the back.