Re: worth undertaking?
on
CNet on WinFS
·
· Score: 1
The recovery of lost damaged files issue is probably why they are going to use NTFS underneath it. Businesses have 10 years of experiance working with NTFS and there are many third party tools.
The database aspect is just what you will see through the shell and the file dialogs. Underneath programs will probably still open and save files the way they always have. New applications that can make use of the database and respond to triggers etc will come online eventually but for backwars compatibility reasons if nothing else the old file system structure must be there underneath.
I expect it won't bother making a database of the entire file system anyway. Why would you want all your system files in there? Just index everything with a user profile and other selected directories like movies, music, pictues etc. Those are the things people spend most time searching for.
Re:Been saying it for years
on
CNet on WinFS
·
· Score: 1
Then make sure you choose the right cup. Or you might find yourself getting very old very fast.
There isn't much wrong with the fundamental componants of Windows. NT underneath is pretty stable and secure.
The out of the box configuration of Win32 API being deeply embedded and lots of interlinked network services running as localsystem by default is where the security issues come from.
There needs to be a cleanup, remove the depandancies, move to a more secure API. Allow users to run without admin rights most of the time without breaking too many older apps etc. These areas are being worked on towards Longhorn, which is probably why it is so delayed. There is no need to fundamentally rewrite the system.
Bandwidth bills? Probably a drop in the ocean compared to all the traffic microsoft.com gets. But they must be paying someone somewhere for all that traffic. Each new message adds something to the total.
If they are saying they can just wash this paste off afterwards, I wonder what keeps it on during the flight. We've seen how well the polysterene isulating foam sticks to the fuel tank during takeoff, what happens if the paste falls off as well? What happens if the shuttle gets wet while it is sitting on the launch pad? I'd have more confidence if they said it couldn't be washed off no matter what happened.
Also since it prevents the transfer of heat from one side of a sheet to the other surely it has huge potential uses for insulation as well.
What can you get a 45-gallon drum of for five bucks that is also biodegradable and non-toxic?
If its so common why hasn't anyone made it before, even by accident?
The win32 API is not part of the kernel executive. It is not the job of the kernel to handle messages at all. Originally the kernel supported OS/2, POSIX and WIN32 APIs. These APIs are implemented as libraries which call native NT functions within the kernel executive. The security features are built into the kernel not into the API.
www.sysinternals.com/ntw2k/info/ntdll.shtml
The messages containing an hWnd window handle are sent to USER32. It then finds the address of the message handling function in the receiving application and calls that passing the message contents as a parameter. There is no reason that USER32 could not verify the identity of the sending process.
In general terms it is useful to be able to send messages from one application to another. Programs such as Girder can be used allow an infra-red remote to control other windows applications by sending WM_COMMAND messages.
The problem with the WM_TIMER message was that it contained an address of a function that would be automatically excuted in the receiving applications address space. Most messages just contain parameters that tell the application what to do. The application has a choice to handle the message or drop it.
The privelege elevation issue only occured because some applications running at a higher system privilege presented a GUI on the desktop of a user with a lower privelege. Best practises are to run high privilege processes without a gui and communicate with a lower privilege frontend using traditional IPC mechanisms. (Not to say MS itself wasn't guilty of this flaw)
There are no messages that will get the kernel to start a process at a higher privelege process than the user is running at. The flaw was exploiting an already running process.
There is no reason to rewrite the NT kernel. It already includes much more fine grained security than Unix systems. Later iterations of Windows have somewhat moved away from the original ideals. Lots of system services running at high privelege, the movement of the GDI into kernel space, most users running as administrator etc. However these are not kernel flaws and can be fixed, possibly at the expense of braking existing applications, without having to rewrite the entire system.
If all you Unix people want to claim superiority you should at least have some idea how the competition actually works.
Yes, thats about the WM_Timer message. That is only part of the Win32 API and not part of the kernel. Thats not an unfixable part of the NT. A move to a different API or a sandbox around the existing API would solve that. The new API in Longhorn will no longer be message based. (apparently)
Basically one application could ask windows start executing code at a given address in the memoryspace of another application. The second application could be running at LocalSystem privileges so the technique could be used for privilege elevation.
Because one process had to use SetTimer to ask windows to call back to the other application it was possible to patch the API to make sure that a process could only request a callback to itself and not another process.
The patch was issued December 2002. It caused some problems in NT 4 to begin with but they have been resolved. http://www.microsoft.com/technet/treevi ew/?url=/te chnet/security/bulletin/MS02-071.asp
I don't know if this covers every API message that contains a function pointer but it dealt with WM_Timer specifically.
Does the message queue exist within the kernel executive? I thought it was just part of the win32 subsystem. Apparently the new API Avalon moves away from a constant stream of messages to some other mechanism. Regarding the so called "shatter" attack there was a patch for that so that one process cannot send a wm_timer message to another process, it can only reqest one to be sent one back to itself. Perhaps they could now take the win32 GDI componants back out of the kernel now stability and security seems to be a higher priority than performance. I am interested in finding out about any other major flaws in NT, I do believe MS are working to fix most of them. The GDI DrawEscape function that allows raw data to be sent to a from a user process to a graphics driver is being worked on for example,
Thats MSDN subscriptions for developers. The issue is Licensing 6.O "Software Assurance" volume license Subscribers. They get nothing but a free upgrade whenever it becomes available. In this case they will get nothing at all.
I never looked into the details. I'd imagine it would require someone who was both an experianced composer and developer. There was a directmusic studio application that was part of the SDK, I imagine it was much like a MIDI sequencing program with additional support for responding to events and such. Perhaps the triggering of events from within the game was complicated.
It sounded like it had some really interesting potential which never came to fruition.
I have 2, a Mastercard and a Visa. I just had to fill out a form and sign it. Signing the form is your acceptance of the agreement under the consumer credit act. At least in the UK.
I wasn't seriously suggesting she never pay it back. But at least hold off for a while to make the issuer start a serious inquiry into how a card could have been issued without her signature on the form. They will start to take her seriously if she owns them money and they cannot prove that she agreed to the credit agreement.
She should spend a lot of money on the credit card and not pay it back. If anyone asks she should tell them she never signed the credit agreement and is not responsible for repaying it. That will start at least some sort of internal investigation into how a card was issued without her signiture on the form. Couple that with a complaint to the card issuer (Visa, Mastercard, etc) that her information was passed on to other people will result in some sort of action against the company that was signing people up.
MS came up with DirectMusic as a way of creating dynamically changing background music for games and multimedia apps.
The idea is that the piece can change key, tempo, interweave a different theme in a response to changing situations in a game.
They introduced the MS software synth and DLS sound libaries at the same time, so the end result would not be dependant on the user inbuilt midi synthesiser. Higher end soundcard provide hardware support for DLS sythesised music.
Has anyone seen this being used effectively anywhere. It seems most modern games rely on prerecorded mp3 tracks as background music. Some just license the latest pop song rather than composing their own. DirectMusic could have created some really interesting effects.
There is a demo in the DirectX SDK of a barnyard scene an you can inteweave the melodic themes of different animals in real time. Has anyone developed something that makes the most of this technology?
Apparently it is avaiable in the Lithtech engine, but do any games actually use it?
Not always. Sometimes it is just a way of creating lists of valid email addresses that they can sell on to other spammers. I expect a lot of these penis enlargement things do not even exist. It is just used to check which mails bounce and which are actually read. Using an embeded image with a special URL. They can make more money selling your email address to someone else than they can from selling you a product or service.
Why not leave a man made object, or a trail of breadcrumbs behind you? When you see the object in front of you you know you have been around in a loop. Unless you say that someone else in the universe had made an object exactly the same as yours and left at a point on a straight line from where you left yours. But how likely is that? Or you could use quantum entanglement or someting so that you know that the object you have come to is exatly the same one as you left behind. Or just get someone to stand very still and give them a codeword or something. Fly off in a straight line. If you see them again ask them what the code was. Then you know the universe is closed.
"The following example shows an OBJECT tag that loads a control without a prompt from Internet Explorer because the NOEXTERNALDATA attribute is set to true. The control does not receive the URL property."
That last sentance explains it. If you have the NOEXTERNALDATA attribute in the OBJECT tag then the control does not receive the URL property even if one is present in the HTML Source. It will stop the popup from showing but it will also stop the object from fetching the external data. This complies with the patent.
The patent covered the "seamless" embedding of "rich content". With this dialog in place it is no longer seamless, and so doesn't violate the patent anymore. Imagine if there ware 20+ objects embedded in a page, can't say I'm looking forward to it.
I don't see how you can ever trust a computerised gambling device anyway. How can you tell if it is based on a random number generation or has a stratergy programmed in? A program will know exactly which cards it has given you and which cards it has left, surely it will always be able to produce a combination to beat you. With all these online flash gambling sites, who checks that they actually have mathematical odds or are just set up to beat you every time?
I'd never heard of a root-kit until last year, but yes it is essentially the same thing. It's pretty scary to me that an OS can be modified so that it doesn't report the presence of paticular files and processes. Someone could be storing a huge ammount of data on your drive and you just can't see it.
Actually I was just trying to come up with a few examples from the book. That whole sequence when ford steals the Multipurpose identity card, which was designed to replace the need for dna scans, retina patterns etc. was extremely funny. I doubt any film will get as far as making that book which is a shame. I can't understand why people don't rate it as highly as the earlier ones. The weakest one to me was So Long.. but Mostly Harmless was really special.
It's not really a hitch-hiker book though. The salmon of doubt is very small part of a new Dirk Gently story. The hitch-hiker bit is "Young Zaphod plays it safe", which was already part of the unlimate hitch-hikers guide book. The rest is selected articles and bits they raided off his hard-disc. It's worth reading but it doesn't add much to the hitch-hiker story.
Personally my favourite one was Mostly Harmless. I think there was much more to think about. The ideas like temporal reverse engineering, the sandwich maker, and reprogramming the computer so even it wouldn't believe it had been reprogrammed were pretty clever.
Erm. Look at the parent you just replied to. You see "Hit Any Key [slashdot.org]" is a link to a Slashdot story from 10 days ago? And what was the subject of that story?
"ricembr noted that compaq has finally provided a FAQ to the world to ask that long standing question where is the any key? Pray that this was added to the FAQ as a joke, and not in response to legitimate need;)"
Which contains a link to exactly the same page you just linked to. The story generated 369 comments. That means your comment was -1 Redundant
Slashdot Mirror
The recovery of lost damaged files issue is probably why they are going to use NTFS underneath it. Businesses have 10 years of experiance working with NTFS and there are many third party tools.
The database aspect is just what you will see through the shell and the file dialogs. Underneath programs will probably still open and save files the way they always have. New applications that can make use of the database and respond to triggers etc will come online eventually but for backwars compatibility reasons if nothing else the old file system structure must be there underneath.
I expect it won't bother making a database of the entire file system anyway. Why would you want all your system files in there? Just index everything with a user profile and other selected directories like movies, music, pictues etc. Those are the things people spend most time searching for.
Then make sure you choose the right cup. Or you might find yourself getting very old very fast.
There isn't much wrong with the fundamental componants of Windows. NT underneath is pretty stable and secure.
The out of the box configuration of Win32 API being deeply embedded and lots of interlinked network services running as localsystem by default is where the security issues come from.
There needs to be a cleanup, remove the depandancies, move to a more secure API. Allow users to run without admin rights most of the time without breaking too many older apps etc. These areas are being worked on towards Longhorn, which is probably why it is so delayed.
There is no need to fundamentally rewrite the system.
Are there any clients for Nokia Series60/Symbian that still work?
I wanna get a 6600 but it sounds like it has been locked out before the phone is even released.
Bandwidth bills?
Probably a drop in the ocean compared to all the traffic microsoft.com gets. But they must be paying someone somewhere for all that traffic. Each new message adds something to the total.
If they are saying they can just wash this paste off afterwards, I wonder what keeps it on during the flight. We've seen how well the polysterene isulating foam sticks to the fuel tank during takeoff, what happens if the paste falls off as well? What happens if the shuttle gets wet while it is sitting on the launch pad?
I'd have more confidence if they said it couldn't be washed off no matter what happened.
Also since it prevents the transfer of heat from one side of a sheet to the other surely it has huge potential uses for insulation as well.
What can you get a 45-gallon drum of for five bucks that is also biodegradable and non-toxic?
If its so common why hasn't anyone made it before, even by accident?
The win32 API is not part of the kernel executive. It is not the job of the kernel to handle messages at all. Originally the kernel supported OS/2, POSIX and WIN32 APIs. These APIs are implemented as libraries which call native NT functions within the kernel executive. The security features are built into the kernel not into the API.
www.sysinternals.com/ntw2k/info/ntdll.shtml
The messages containing an hWnd window handle are sent to USER32. It then finds the address of the message handling function in the receiving application and calls that passing the message contents as a parameter. There is no reason that USER32 could not verify the identity of the sending process.
In general terms it is useful to be able to send messages from one application to another. Programs such as Girder can be used allow an infra-red remote to control other windows applications by sending WM_COMMAND messages.
The problem with the WM_TIMER message was that it contained an address of a function that would be automatically excuted in the receiving applications address space. Most messages just contain parameters that tell the application what to do. The application has a choice to handle the message or drop it.
The privelege elevation issue only occured because some applications running at a higher system privilege presented a GUI on the desktop of a user with a lower privelege. Best practises are to run high privilege processes without a gui and communicate with a lower privilege frontend using traditional IPC mechanisms. (Not to say MS itself wasn't guilty of this flaw)
There are no messages that will get the kernel to start a process at a higher privelege process than the user is running at. The flaw was exploiting an already running process.
There is no reason to rewrite the NT kernel. It already includes much more fine grained security than Unix systems. Later iterations of Windows have somewhat moved away from the original ideals. Lots of system services running at high privelege, the movement of the GDI into kernel space, most users running as administrator etc. However these are not kernel flaws and can be fixed, possibly at the expense of braking existing applications, without having to rewrite the entire system.
If all you Unix people want to claim superiority you should at least have some idea how the competition actually works.
Slightly slow with XP eye candy turned on. Great for taking notes, reading /.
www.ncrg.aston.ac.uk/~jamescj/TC1000/photos.html
Yes, thats about the WM_Timer message. That is only part of the Win32 API and not part of the kernel. Thats not an unfixable part of the NT.
i ew/?url=/te chnet/security/bulletin/MS02-071.asp
A move to a different API or a sandbox around the existing API would solve that.
The new API in Longhorn will no longer be message based. (apparently)
Basically one application could ask windows start executing code at a given address in the memoryspace of another application. The second application could be running at LocalSystem privileges so the technique could be used for privilege elevation.
Because one process had to use SetTimer to ask windows to call back to the other application it was possible to patch the API to make sure that a process could only request a callback to itself and not another process.
The patch was issued December 2002.
It caused some problems in NT 4 to begin with but they have been resolved.
http://www.microsoft.com/technet/treev
I don't know if this covers every API message that contains a function pointer but it dealt with WM_Timer specifically.
Does the message queue exist within the kernel executive? I thought it was just part of the win32 subsystem. Apparently the new API Avalon moves away from a constant stream of messages to some other mechanism.
Regarding the so called "shatter" attack there was a patch for that so that one process cannot send a wm_timer message to another process, it can only reqest one to be sent one back to itself.
Perhaps they could now take the win32 GDI componants back out of the kernel now stability and security seems to be a higher priority than performance.
I am interested in finding out about any other major flaws in NT, I do believe MS are working to fix most of them. The GDI DrawEscape function that allows raw data to be sent to a from a user process to a graphics driver is being worked on for example,
Thats MSDN subscriptions for developers. The issue is Licensing 6.O "Software Assurance" volume license Subscribers. They get nothing but a free upgrade whenever it becomes available. In this case they will get nothing at all.
http://www.microsoft.com/licensing/programs/sa/
I never looked into the details. I'd imagine it would require someone who was both an experianced composer and developer. There was a directmusic studio application that was part of the SDK, I imagine it was much like a MIDI sequencing program with additional support for responding to events and such. Perhaps the triggering of events from within the game was complicated.
It sounded like it had some really interesting potential which never came to fruition.
I have 2, a Mastercard and a Visa. I just had to fill out a form and sign it. Signing the form is your acceptance of the agreement under the consumer credit act. At least in the UK.
I wasn't seriously suggesting she never pay it back. But at least hold off for a while to make the issuer start a serious inquiry into how a card could have been issued without her signature on the form. They will start to take her seriously if she owns them money and they cannot prove that she agreed to the credit agreement.
She should spend a lot of money on the credit card and not pay it back. If anyone asks she should tell them she never signed the credit agreement and is not responsible for repaying it.
That will start at least some sort of internal investigation into how a card was issued without her signiture on the form.
Couple that with a complaint to the card issuer (Visa, Mastercard, etc) that her information was passed on to other people will result in some sort of action against the company that was signing people up.
The idea is that the piece can change key, tempo, interweave a different theme in a response to changing situations in a game. They introduced the MS software synth and DLS sound libaries at the same time, so the end result would not be dependant on the user inbuilt midi synthesiser. Higher end soundcard provide hardware support for DLS sythesised music.
Has anyone seen this being used effectively anywhere. It seems most modern games rely on prerecorded mp3 tracks as background music. Some just license the latest pop song rather than composing their own. DirectMusic could have created some really interesting effects.
There is a demo in the DirectX SDK of a barnyard scene an you can inteweave the melodic themes of different animals in real time. Has anyone developed something that makes the most of this technology?
Apparently it is avaiable in the Lithtech engine, but do any games actually use it?
Not always. Sometimes it is just a way of creating lists of valid email addresses that they can sell on to other spammers.
I expect a lot of these penis enlargement things do not even exist. It is just used to check which mails bounce and which are actually read. Using an embeded image with a special URL.
They can make more money selling your email address to someone else than they can from selling you a product or service.
Thanks
+5 Funny
Why not leave a man made object, or a trail of breadcrumbs behind you? When you see the object in front of you you know you have been around in a loop.
Unless you say that someone else in the universe had made an object exactly the same as yours and left at a point on a straight line from where you left yours. But how likely is that?
Or you could use quantum entanglement or someting so that you know that the object you have come to is exatly the same one as you left behind.
Or just get someone to stand very still and give them a codeword or something. Fly off in a straight line. If you see them again ask them what the code was. Then you know the universe is closed.
"The following example shows an OBJECT tag that loads a control without a prompt from Internet Explorer because the NOEXTERNALDATA attribute is set to true. The control does not receive the URL property."
That last sentance explains it. If you have the NOEXTERNALDATA attribute in the OBJECT tag then the control does not receive the URL property even if one is present in the HTML Source.
It will stop the popup from showing but it will also stop the object from fetching the external data.
This complies with the patent.
The patent covered the "seamless" embedding of "rich content". With this dialog in place it is no longer seamless, and so doesn't violate the patent anymore. Imagine if there ware 20+ objects embedded in a page, can't say I'm looking forward to it.
I don't see how you can ever trust a computerised gambling device anyway. How can you tell if it is based on a random number generation or has a stratergy programmed in? A program will know exactly which cards it has given you and which cards it has left, surely it will always be able to produce a combination to beat you. With all these online flash gambling sites, who checks that they actually have mathematical odds or are just set up to beat you every time?
I'd never heard of a root-kit until last year, but yes it is essentially the same thing. It's pretty scary to me that an OS can be modified so that it doesn't report the presence of paticular files and processes. Someone could be storing a huge ammount of data on your drive and you just can't see it.
Actually I was just trying to come up with a few examples from the book. That whole sequence when ford steals the Multipurpose identity card, which was designed to replace the need for dna scans, retina patterns etc. was extremely funny.
I doubt any film will get as far as making that book which is a shame. I can't understand why people don't rate it as highly as the earlier ones. The weakest one to me was So Long.. but Mostly Harmless was really special.
It's not really a hitch-hiker book though. The salmon of doubt is very small part of a new Dirk Gently story. The hitch-hiker bit is "Young Zaphod plays it safe", which was already part of the unlimate hitch-hikers guide book. The rest is selected articles and bits they raided off his hard-disc. It's worth reading but it doesn't add much to the hitch-hiker story.
Personally my favourite one was Mostly Harmless.
I think there was much more to think about. The ideas like temporal reverse engineering, the sandwich maker, and reprogramming the computer so even it wouldn't believe it had been reprogrammed were pretty clever.
Voyager, Series 3, Distant Origin
"Computer, display the likely appearance of this creature given 300 million years of evolution"
How long did it take to get a result?
About half a second.
Erm. Look at the parent you just replied to.
;)"
You see "Hit Any Key [slashdot.org]" is a link to a Slashdot story from 10 days ago?
And what was the subject of that story?
"ricembr noted that compaq has finally provided a FAQ to the world to ask that long standing question where is the any key? Pray that this was added to the FAQ as a joke, and not in response to legitimate need
Which contains a link to exactly the same page you just linked to.
The story generated 369 comments.
That means your comment was -1 Redundant
Thanks for playing
HAND