yes, security is hard to do, so we need to find alternative ways to protect the ever so fragile code we run.
One suggestion I've seen is walling it off in 'fortresses'. Ie you do not directly run sql from code running in the web server, instead you pass fixed requests through to a back-end server process through a well-defined and small interface and have that run the sql (that you do not pass in as a parameter).
Even this is not going to be perfect, but it'll reduce the attack surface significantly. Too bad most programming frameworks and environments are geared up for exactly the wrong 'whatever is the easiest way to code' system. So yes, self-control and common sense.
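The 'fortress' arrangement described in the comment above, as an added example that is not part of the original comment: the web tier can only name one of a fixed set of requests and supply typed values, and the back end owns the SQL text. The request names, the `Backend` class, the table layout and the rows are all constructed for illustration, with an in-memory SQLite database standing in for the back-end server's database.

```python
import sqlite3

MAX_TEXT_LEN = 64          # assumed upper bound for any text argument
MAX_INT = 2**31 - 1        # assumed upper bound for any integer argument

# The whole interface: request name -> (fixed SQL text, expected argument types).
# SQL lives only here, on the back-end side; callers never supply any of it.
REQUESTS = {
    "get_user_email": ("SELECT email FROM users WHERE username = ?", (str,)),
    "list_orders": (
        "SELECT id, total_pence FROM orders WHERE user_id = ? ORDER BY id LIMIT ?",
        (int, int),
    ),
}


class RequestRejected(Exception):
    """The request does not fit the fixed interface."""


class Backend:
    """Stands in for the back-end server process that owns the database."""

    def __init__(self, conn):
        self._conn = conn

    def handle(self, name, args):
        spec = REQUESTS.get(name) if isinstance(name, str) else None
        if spec is None:
            raise RequestRejected("unknown request")
        sql, arg_types = spec
        if not isinstance(args, (list, tuple)) or len(args) != len(arg_types):
            raise RequestRejected("wrong number of arguments")
        for value, expected in zip(args, arg_types):
            # Exact type match: bool is a subclass of int and is refused too.
            if type(value) is not expected:
                raise RequestRejected("argument has wrong type")
            if expected is str and len(value) > MAX_TEXT_LEN:
                raise RequestRejected("text argument too long")
            if expected is int and not 0 <= value <= MAX_INT:
                raise RequestRejected("integer argument out of range")
        # Values are bound as parameters; they are never spliced into the SQL.
        return self._conn.execute(sql, tuple(args)).fetchall()


def try_request(backend, name, args):
    """What the web tier sees: rows, or a refusal with a reason."""
    try:
        return ("ok", backend.handle(name, args))
    except RequestRejected as exc:
        return ("rejected", str(exc))


def make_demo_db():
    """Constructed sample data, not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total_pence INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test'),
                                 (2, 'bob', 'bob@example.test');
        INSERT INTO orders VALUES (10, 1, 1999), (11, 1, 250), (12, 2, 4000);
        """
    )
    return conn


if __name__ == "__main__":
    backend = Backend(make_demo_db())
    samples = [
        ("get_user_email", ["alice"]),             # normal lookup
        ("get_user_email", ["alice' OR '1'='1"]),  # quote-laden text is just data
        ("list_orders", [1, 10]),                  # normal listing
        ("list_orders", ["1 OR 1=1", 10]),         # wrong type for user_id
        ("SELECT * FROM users", []),               # SQL is not a request name
    ]
    for name, args in samples:
        print(name, args, "->", try_request(backend, name, args))
```

In a real deployment the `Backend` would sit behind a socket or RPC boundary and connect with a database account limited to these statements, so a compromised web tier still cannot reach arbitrary SQL.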
what you forget is that CPU power requirements are going to be a limiting factor even on desktops - no-one wants a huge electricity bill especially as the cost of electricity is going up and up. So all CPUs are being designed with low-power-when-not-stressed modes that ensure your PC doesn't suck up juice when you're just staring at the next /. post thinking "what a numpty!"
So, if *all* CPUs are designed to work low-power, and enhance them to be capped on the power they consume at peak demand, you can put them in a mobile device, tell it 10% peak only, and use the same CPU for the desktop at 100% peak use. Then you can tell that same CPU in the mobile device that it can use 100% peak power use when docked.
Suddenly, your mobile device is as powerful as your desktop, when it's plugged into the mains and connected to your monitor/TV via HDMI. Suddenly no-one needs desktops anymore.
Sure, there's heat issues I've ignored here, but this approach has been used in laptops for years.
Well, all that's slightly futuristic, but not massively so. I can imagine desktops being relegated to a niche area as everyone turns to the convenience (and better OSes) of mobile devices.
They had a lot of brand loyalty, and a strong brand if they can pull it together.
there, fixed that for you. No-one has brand loyalty to a hardware manufacturer, no-one buys a Nokia just because it's a Nokia. They buy it because they know it'll work the same as other Nokias and their last phone was of at least reasonable quality.
Now it's WP7 on Nokias, people will think twice, evaluate other handsets, and probably go with a HTC/Android or iPhone.
you'd probably be surprised by the amount of property speculation going on in corporates. They may not sack all their staff and say "buildings and accountants only from now on", but while the staff continue to do the boring day jobs, the accountants do go and play monopoly.
Often they end up selling offices they own and renting them back, or vice versa. It also often doubles up as a tax dodge too.
I like to think of it as a permanently bound shortcut to a bookmark, even though it's really a permanently loaded tab with a website in it.
The concept might have come from Win7's taskbar shortcuts (not that I ever use them, except to open a new instance of a running app - which is bloody confusing and un-intuitive: if you want a new app, you do not go to a running one and ask for it to start a new version of itself again!)
But adding a few commands to some sites does seem like a good thing: new bug, new tweet, "search and open tab" perhaps. It would particularly be useful for those sites that you don't really want to visit - why would you want to visit twitter (at all :) ) just to send a tweet when you could right click on the 'twitter app tab' and send the tweet directly. I'm not sure twitter's advertisers will be too happy, but sod them.
yep, that's true. As long as I can still do the boring old stuff I used to do in a fast way.. then I'm more than happy for this kind of experimentation to appear. Otherwise, FF is doomed to be just another IE clone :)
I saw the "app tabs" in the current beta, which basically puts a miniature tab (of the favicon) on the browser tab bar. Currently this is little more than a different way of having favourite bookmarks always loaded, but I now see the direction they're taking them. I like it - for the couple of sites I always seem to have open, and I guess if you don't, then you just don't set the 'make app tag' flag and you keep the old website as it was.
In other words - everyone's happy and FF pushes the boundaries of computer GUIs. The next generation of GUIs has got to be cross-platform, HTML is almost certainly what it's going to be like.
yes, but *now* the cat's out of the bag, he can buy as many as he likes. And as the share price has plummeted (and will go further down later), he can buy twice as many!
I think profit?? is the next step, but I doubt any Nokia investor will be able to do that with their holdings.
One of the key benefits of joining an established ecosystem
are we still talking about the Windows Phone system here? or Silverlight that MS decided wasn't as good as HTML5?
Besides, they can't run Qt on Windows Phone, then developers would be able to code once and practically run their apps on all competing manufacturers' OSs. Microsoft can't have that!
eh? Microsoft deciding that all your old codecs are bad and that you shouldn't use them - all those mpeg2, avi, flv, indeo etc.
What doesn't surprise me is that they will allow WebM! But I guess even they recognise that YouTube is the number one reason for video on the web nowadays and that they would have to support whatever Google decides it'll play there. No doubt Microsoft is happy that a monopoly exists :)
The best one according to PCPro's megatest of phones is the HTC Desire. They do a version of it with a slide-out keyboard called the Desire Z
the keyboard is very very good, we have them on our (windows 6.5) phones and although everyone hates the OS, they like the keyboards a lot.
The open letter from CEO to everyone has a *lot* of comments. I can paraphrase for you in case you don't want to read them:
"WTF? Goodbye Nokia".
It's a great pity all round. Microsoft *still* won't sell any more phones, Nokia will just destroy itself. Shares down 8% today and I'm sure will fall further.
no, it works in plugins in browsers other than IE. The other browsers have no idea what Silverlight is.
It does make a difference if you've disabled the plugin, not downloaded it, or otherwise run a browser on a platform that doesn't support the plugin. You have to consider that when saying Silverlight is supported as many times it won't be.
Mind you, Silverlight is not supported by Microsoft anyway so the argument is moot :)
you're partly right - webapps are written in script because it's easy to do so, not because it makes the best apps. That encourages the crappy devs, but they've been courted by language designers for a while now - .net, java all designed to 'make programming easier', not better.
That evolved the browser/web ecosystem to be a kind of 'lowest common denominator'. A bit like Java's JVM being a platform you develop on instead of developing native apps.
Web is a similar abstraction. We can write thick client, 3-tier apps using C but everyone has the buzzword of 'the web' in their heads and starts going bonkers with javascript and back-end php or whatnot.
The best apps I've seen are ones that treat the web server as part of the presentation layer and keep it as thin as possible - basically acting as a gateway to the real business logic servers that are written in 'serious' languages. (and then you can replace the webserver front-end with a thick client one if needed)
Still, it's probably a good evolution until someone can come up with a better client programming system. I don't think that will happen as we have to have downloaded script clients (or the code will start to be thick-clients again with all the need to install extra stuff that you were originally trying to get away from). Google's native client is a good idea, but I don't think it'll take off.
nor are search *results*.
usually, if I click the 'send feedback to xxx to help improve our products', I expect they will use my data - ie what features I have turned on or off, which ones I use most, that kind of thing. Maybe they'll track what searches I make. That's *my* data I'm supplying to them.
In this case, Microsoft was also taking Google's results - Google's data, not mine.
and yes, I would - if you obtain the data in any way other than the legal, "you bought this so you can now use it" way, then I would consider it copying.
How about this: you do some work, I take that work, pretend that it was mine all along.
One thing you can do to protect yourself from this plagiarism is to put some dodgy data in there - if that gets copied too, you know someone stole from you.
The Ordnance Survey does this, they generate maps and a few of their published works have some errors in there (like a village where none exist in reality), anyone who appears with some map data can then be found out to be stolen if the offending village is present on their map (as the real data will not have it supplied).
Whether search results are in the same league as they are customer-generated is debatable, but it certainly means that Bing is concerned their results are not as good as Google's.
not necessarily - they might have thought it was the ideal "opportunity moment" - attack the system when they're undergoing a transition and not only might they get away undetected, but they might also cause more damage than before (ie with servers turned off ready to be replaced with the new software, the capacity would be reduced).
It isn't necessarily Microsoft fanboi hackers trying to discredit the migration to Linux (and getting their dates cocked up)
I mean, obviously, they've got some kind of research to back it up... But it seems like this would be pretty useless to me. I mean, do people actually follow what they're reading with the mouse cursor?
I know plenty of people who read using their fingers as a pointing device. I don't know, just because you (or I) don't need to do something like that doesn't mean the vast majority of the average user does.
I do, however, sometimes pick the mouse up a little and use the nervous tension in my arm to jiggle it up and down on the mouse-mat (too much coffee I guess). Maybe I'll start getting search results for ADHD meds now :)
it's quite true - I had an issue with Redmine recently (it likes to fetch all revisions of an added project, but we have 300,000 of them in our repo), so I could a) complain to the manufacturer and maybe they'd get a fix out, probably in the next version, or b) get in there and make it fetch revs in blocks each time you ask it to.
The big trouble with all this is that it does take a hacker type (ie me) to do that. If I was not a programmer, I would have problems and I'd have had to take step a above (or hire a hacker type, of course). I think this latter scenario is more typical from the 'OSS is crap' crowd - they feel their inadequacies, poor dears, and don't feel they have the resources to fix any problems.
So OSS could be more popular in their eyes if there were more options for "support" or "custom hacking" available - and more widely publicised, even if it cost a little cash to make the fixes.
But then I guess they'd stop complaining about time being money, and start complaining OSS wasn't free enough for them. Perhaps we can never win :)
Here is what happens with an open source product:
Here is what happens with a closed source product:
you install it with 1 click, but then spend the next few days going through GUI config screens.
When you do manage to get the product to work, the thing does not work as expected.
You spend the next week persuading your boss to send you on a week's training course, for only ten thousand dollars.
You come back with a couple of thick binders full of documentation that you already can't remember.
You spend a few more days tweaking and hope that it holds up when you take it live.
Much OSS is just the same as Closed Source. Much of it is crap, but then much of the really expensive commercial software is equally crap. At least with OSS you don't have to stick with it because your boss who signed off the purchase order doesn't want to admit the project is a failure. OSS support (paid for) is nearly always better focussed on your needs, whereas support for commercial software is practically a marketing gimmick that can't keep up with the stack-it-high sales technique.
As it happens, the good OSS is far better than the commercial stuff. Sure, this doesn't always apply, but to prove a sweeping statement that OSS is crap is just childish.
IANAL but...
SOX applies to public companies only. From Wikipedia, it does not appear to place any specific requirements on corporate IT, except that the corporate IT will be audited for compliance with the "normal" parts of the law
aren't most corporate IT departments part of public companies? In which case, storage of old data is a requisite, and besides - backups are a very important part of all IT depts anyway.
Our backup tapes are taken offsite every night as part of normal rotation, and a previous company I worked for just had a fire safe to put tapes in, but still took tapes offsite every week. I think that's standard practice for every IT department worth its salt.
a NAT per ISP instead of per user.... well, I suppose something has to be done about the imminent shortage of IPv4 addresses :)
and I guess that's why Google released r5 of their NDK - which basically offers native development for Android (focussed on games, but "you can now build an entire Android application without writing a single line of Java.")
Fool me 4 times, shame on both of us.
Fool me 4 times, chances are 5 and 6 times are going to happen too :)
Think of things like they were years ago.
Once there were mainframes and every (big) business had one. They saw the new tiddly, underpowered PCs and thought - WTF are those toys doing here?
Years later, we know the answer to that question. But mainframes are still with us, they are un-sexy, dull, but work.
I think the same is playing out today. PCs are everywhere, but pretty soon everyone will have a phone/tablet/whatnot and PCs will be relegated to the boring, unsexy, business work. Developers will want to work on .NET desktop apps about as much as they currently want to work on COBOL data processing apps. Sales of mobile devices will rocket, but PCs will still be about - just nowhere near as predominant as they are today.
Just as the PC form factor beat the mainframe and big-iron unix servers because they were significantly cheaper and more flexible, the 'armdroids' will beat the PCs for the same reason.
This isn't just about business, consumers will have these types of computing platforms in all kinds of devices - TVs, network media streamers, cars, phones, alarm clocks, shop tills, ATMs, all over the place like a science fiction film. We'll have them because they are cheap and flexible enough to put them in these things.
I know Microsoft is desperately trying to keep up, making Windows 8 work on ARM SoCs, but they miss the point. You will get your bedside radio running software because it's cheap enough to get the software/SoC to do so. Paying a licence for each unit sold will make Windows prohibitively expensive when your no-name Chinese manufacturer intends to sell 100 million units.
One requires money to be expended by the end user while the other requires effort of either the developer to bundle the dependency
commercial, closed-source software requires a developer to expend effort too you know. Google can easily release an open source product as easily as Microsoft can release a closed source one. The effort's the same.