Slashdot Mirror


User: toadlife

toadlife's activity in the archive.

Stories: 0 · Comments: 2,343

Comments · 2,343

  1. Re:Whoa! Waiddaminute there! on Microsoft vs. Computer Security · · Score: -1, Troll

    "And I would like to know where you have been living. Mars?

    Everybody, his wife and the dog knows there are lots of undocumented APIs, registry variables and other animals inside Windows. Everyone knows Office is promiscuously integrated with Windows, so as to start quicker, so as to look leaner, so that Windows erm "appreciators" can say M$-apps can work better, of course, because the OS is also from M$."


    That's nice, but it has absolutely nothing to do with what I said.

    "Have you ever read Gartner recommending IIS to be avoided?"

    Not lately since the current version of IIS is extremely secure. Hell, even IIS5 has been shored up pretty well.

    "People can be lazy, irresponsible and make Firefox insecure, but it requires a lot more effort than IE."

    I never said IE was secure, nor did I say firefox wasn't secure. I simply refuted a piece of propaganda that gets spewed all over by people who don't know what they are talking about.

  2. Re:It's no secret... on Microsoft vs. Computer Security · · Score: 5, Informative

    "That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."

    I would like to know where everyone heard this crap, and why they keep repeating it verbatim, because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.

    A remote code execution flaw in IE executes code with the user's rights, and therefore gets access to what the user has access to.

    A remote code execution flaw in Firefox executes code with the user's rights, and therefore gets access to what the user has access to.

    There is no special conduit that Microsoft apps have to the windows kernel or any other windows system object.

    If you browse the web using firefox while running as administrator and you get hit with an exploit, that exploit will have full access to your system.

  3. Fun with the Windows command line!! on Switching to Windows, Not as Easy as You Think · · Score: 1

    http://www.ss64.com/nt/mountvol.html

    But how can the OP search for files and "[zip] and [send] them to a specific folder"

    dir /S /B c:\*.html > c:\filelist.txt
    for /F "delims=" %i in (c:\filelist.txt) do "C:\Program Files\7-Zip\7z.exe" a -tzip c:\myhtmlfiles.zip "%i"
    del /q c:\filelist.txt


    "That seems at least as complex as "man mount ; edit /etc/fstab"."

    But a little less complex than....

    mountvol /?

  4. Re:A friend from MS on Switching to Windows, Not as Easy as You Think · · Score: 1

    Well you might have had a different model from mine.

    "The inconsistency of experience only underscores my point, IMHO."

    Inconsistent experience compared to what? linux?

  5. Clarification on Switching to Windows, Not as Easy as You Think · · Score: 1

    If you read that page you linked to literally, then yes, it does appear that there will be no security hot fixes after mainstream support supposedly ends, but if you take a look at their Service Pack Roadmap page, you'll see that SP3 for XP is planned for AFTER the mainstream support cut-off date. So take off your 'I hate Microsoft' glasses and think logically for a second. Microsoft currently offers no alternative to XP, and judging by the way they operate there might not be one by the time mainstream support supposedly ends. There is no way they could end support at the date they have listed. The date they have listed is a date set according to XP's release date, with the assumption that there would be an alternative for customers to switch to long before that date.

  6. Re:A friend from MS on Switching to Windows, Not as Easy as You Think · · Score: 1

    "That means no *security* patches."

    No it doesn't.

  7. Re:A friend from MS on Switching to Windows, Not as Easy as You Think · · Score: 1

    I have a hauppauge card. I've installed the drivers from both the CD and from their website with no problem.

    PEBKAC?

  8. Re:Toastworthy Computing on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    I don't auto update servers either. I release them using WSUS and do them manually. But for the 1000 desktops....

  9. Re:Toastworthy Computing on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    Yeah AV *is* an extra cost. You're right there. You shouldn't have to update them manually though. Any good corporate AV solution will have systems for managing and reporting on AV deployments.

    WSUS is a free tool from Microsoft for managing the testing and deployment of hotfixes.

    Log files (IMO, the number one annoyance with windows systems) can be managed with scripts by using scheduled tasks, as can other mundane tasks like defragmenting. For Windows 2000 and NT4 which don't come with command line defragmenters there are free tools available that will do the job. Email reports can be sent via email by piping (c:\maintenance.cmd >> c:\daily_report.txt) the output of your scripts to a textfile and using freely available command-line mailer tools to send them.

    Security and other logs can be dumped to a freely available database automatically using freely available tools.

    One very valid complaint is that Windows doesn't come with these tools by default. Once you get everything together though, life becomes much easier.

    I won't argue with you that UNIX is easier. An OpenBSD/Postfix box I set up about two years ago has not required a security patch yet, and if not for power outages and physical moves, would have two years of uptime right about now.

  10. Re:Toastworthy Computing on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    "There doesn't seem to be anything like the LDP for Windows."

    Sure there is. It's called "Google" :)

    Seriously though, Microsoft's site does have a ton of "HOWTOS" that show how to do thousands of things.

    Their internal search has always blown though. I just Google and put "site:microsoft.com" in the search.

  11. Re:Toastworthy Computing on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    "You have to pay for more software to keep those systems up and running and up-to-date."

    No you don't. I wasn't talking about anything that cost money.

    "not so with Windows servers who need constant attention."

    If your Windows servers need constant attention, then they are not set up correctly.

  12. Re:Toastworthy Computing on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    "That is if they were doing anything beyond the usual rebooting to fix the occasional glitch."

    This "reboot first ask questions later" mentality drives me crazy. I work with some Windows only dudes, and their first reaction to any issue is to reboot the machine. I remember when I first set up an OpenBSD machine to guard our exchange box, there was an issue with a temp directory getting full, and it stopped delivering mail. I get a call, and the first thing they ask is (probably with their itchy trigger finger next to the power button), "should I reboot it?". No!!

    "If I had to learn how the system works I wouldn't even know where to start."

    Yeah, I grew up with DOS/Windows and slowly taught myself UNIX over the last few years. It seems, with UNIX, once you get it, you've pretty much got it. With Windows once you get it, you find out ten more things you didn't know and end up feeling stupid.

  13. Sounds like the 'far cry' messageboard on The Pointlessness of Current Videogame Journalism · · Score: 1

    "I thought they are full of fanboys who bash all dissenting opinions to death?"

    Yep, that sums up the last gamer board I went to.

    I go to the technical section of the ubisoft far cry messageboard the other day and complain about a few things...

    1) The game does not run properly as a limited user. This is 2006 and we've had a multi-user windows for 10 years. Programs should not require admin in Windows anymore.
    2) It crashes to the desktop while loading maps and sometimes during gameplay - this is my major problem.

    The members immediately start attacking me..

    Far Cry fanbois: "WTF? Why are you trying to run the game as a limited user?!!! You have to run the game as admin because Windows' faulty design makes you!"
    Me: "What the heck are you talking about? No you don't, and no it doesn't."
    Far Cry fanbois: "Yes it does. Try running a Windows domain for a living some time and you'll see"
    Me: Actually, I do run a Windows domain for a living. 1000 Windows computers and no one has admin rights to their local machine.
    Far Cry fanbois: You have to run the game as an admin user. This is unsupported and is what is causing your problems.
    Me: Nowhere on the far cry support site or the docs does it say anything about running as admin. Anyway, I fixed the issues caused by running as non admin and it works now with my limited account. My problem now is the random crashes.
    Far Cry fanbois: (quickly changing the subject) Your card is unsupported. You should turn your graphics settings down to "low".
    Me: Actually my card is supported. Otherwise my model wouldn't be listed on the UBISoft website under the *recommended* hardware section. "low" craphics settings look like ass, and I'm getting good framerates. I'm not going to turn my settings down.
    Far Cry fanbois: But it says "DirectX 9.0b compatible card". Your card only supports DirectX8 at the hardware level, therefore it is unsupported.
    Me: DirectX 9.0 compatible doesn't mean the card supports every directx9 feature on the hardware. For the last time, my card is supported.
    Far Cry fanbois: But I used to run that old ass card of yours and the game crashed all the time when I did. After I bought my [insert insanely expensive video card here] the game has never crashed. You need to turn your settings down.
    Me: I am getting 30-45FPS with my current settings. If I turn it down, it looks like ass. I'm not going to turn it down. The game should not crash just because I'm fully utilizing my hardware.
    Far Cry fanbois: You have to turn your settings down. DirectX has to emulate features your graphics card doesn't support, and that's why it is crashing.
    Me: That's bullshit. Emulating a couple of features in software should not cause the program to crash. The game is crashing because it is buggy. Is there any extra logging I can turn on so I can maybe get a useful error message?
    Far Cry fanbois: You can do extra logging by typing blah blah in the console...but I'm telling you, you have to turn your settings down because your card is unsupported.
    Me: Fuck you all and goodbye.

  14. ugh! on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    Note to self: Read posts out loud before hitting submit - especially when there is no edit button.

  15. Re:So guys on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    "Their main argument seemed to be "we'll install the defaults for the particular Linux distribution, because the users/sysadmins wouldn't have the knowledge to do anything else"."

    Judging by the things I've seen linux users say, that argument might just be valid.

  16. Re:Come back on Microsoft Challenges Linux's Legacy Claims · · Score: 2, Funny

    It was a joke dude. :)

  17. Re:Toastworthy Computing on Microsoft Challenges Linux's Legacy Claims · · Score: 1

    "In almost every company I've worked[*], there have always been at least 3 times as many windows support team members than unix sysadmins,"

    So the Windows admins were incompetent. Don't be shocked. It's actually very common. So what do you think is a good staff/computer ratio? 1/50? 1/150? 1/300?

    "Unix is _seriously_ easier to admin effectively."

    I agree with you - I don't have to touch the UNIX machines I run very often - but Windows is not very hard either if you use the plethora of tools that Microsoft makes available to do the job.

  18. Re:firewalls? on Oracle 'Worm' Exploit Modified · · Score: 1

    "Sasser (the MS-SQL worm) "

    You're thinking of "slammer", but....

    "Also, unlike MS-SQL, Oracle is pretty much nonexistent in the small business space where networks and patching are haphazard. Your typical Enterprise Oracle install is firewalled up the wazoo."

    ...you're right.

    Oracle's crap security record isn't a good thing, but I seriously doubt if there will be any huge outbreaks of Oracle worms. I think the hole the SQL Slammer took advantage of was an eight-months-patched vulnerability. I actually had a couple of SQL servers that were unpatched, and a third SQL server on our network that was being maintained by an outside contractor got infected. My servers didn't get touched because I had an IPSEC policy enabled that limited SQL communication to the two machines that they needed to talk to. It turns out the contractor had done a full public>nat translation on the firewall to the box, so the server was, in effect, sitting wide open on the net. That stupid worm DoS'd our internal network to the point of outside requests for our website being ignored. But it's not even in the "Small Business" area where Microsoft products tend to go unpatched. I've visited large organizations where their MS SQL servers have SA passwords of "SA". CNN and SBC got hosed by Sasser (or whatever the last worm was).

  19. Re:Suuuuure on Linux/Unix Tops Charts for Vulnerabilities in 2005 · · Score: 1

    Touch a nerve, did I?

  20. Re:IMO, your gloom and doom is unwarranted on New IM Worm Exploiting WMF Vulnerability · · Score: 1

    Even if the behavior is by design, the results of it are exactly the same as other image processing flaws, and it can be fixed just the same. Have a nice one yourself.

  21. Re:Suuuuure on Linux/Unix Tops Charts for Vulnerabilities in 2005 · · Score: 3, Insightful

    I never said open source was a bad thing, or there was a downside. Just that that particular 'benefit' is overrated. Firefox bugs are certainly fixed faster than IE bugs - but according to my logs half of firefox users who hit my website still run vulnerable versions.

  22. Yeah, just imagine... on Linux/Unix Tops Charts for Vulnerabilities in 2005 · · Score: 1

    ...how many vulns would be found if anywhere near the number of people used (i.e., cared) about OSX as they do Windows.

  23. Suuuuure on Linux/Unix Tops Charts for Vulnerabilities in 2005 · · Score: 1

    I don't buy that argument for a second. What percentage of discovered bugs do you think are actually found by looking at the source code of a program?

  24. Re:IMO, your gloom and doom is unwarranted on New IM Worm Exploiting WMF Vulnerability · · Score: 1

    "If viewing an image file (even in preview mode) is now defined as "user interaction," I guess 2006 opens a whole new definition of "user errors.""

    Image processing buffer overflows have been discovered on numerous occasions in the past and have not just affected Windows. This is not some "new breed" of flaw.

  25. Re:It's worse than that on New IM Worm Exploiting WMF Vulnerability · · Score: 1

    "this exploit allows all sorts of local user exploits in a corporate environment."

    Define, 'local user exploit'. Any malware code running at any level is a bad thing, but I seriously doubt if any of these exploits are going to bother with people that aren't running as an administrator. All of the examples I've seen assume admin rights and die when they can't drop their load in the system32 directory.