If the pixels can respond to any signal within 5 ms, that means the highest framerate that can be displayed without ghosting is 200 fps (1 / 5ms = 200 Hz). Which is more than you should ever need, and a big improvement on current LCD displays (a good consumer display has a ~20ms response time; 1 / 20ms = 50 Hz, not even 60 fps, but good enough for TV's 30 fps.)
If Nike does better, all US-based employees of Nike, from execs down to janitors, benefit. The extra money the US workers earn gets spent in the US, further benefiting other US companies and strengthening the US economy. Maybe those janitors will buy computers, benefiting the tech industry. Also, since anybody can buy shares in Nike, the average US citizen is free to benefit from Nike's success directly as a minor shareholder. You don't need to be a "significant" shareholder to benefit from Nike's success.
Well, it depends on what the purpose of the shadows is. If the purpose of the shadows is to look realistic, the shadow should only appear on the bottom and right of the window (for consistency with most UI toolkits which place the light source at top left). If the purpose of the shadow is to improve usability by making it easier to determine which window has the focus, then the shadow should appear around all edges of the window for maximum "popping off the screen" effect. It may surprise you to learn that OS X's windows have a shadow on all four sides. The left and right shadows are the same size; the top shadow is only a few pixels tall, but it is there; the bottom shadow is the largest. Also, the shadow of the topmost window is significantly larger and darker than other shadows, making it even easier to see the focused window. Apple knows their usability.
I think once the new X.org is released, we're going to see an explosion of new X11 window managers with new fancy eyecandy features such as this, and much more. If you remember back a few years ago, the Linux scene was teeming with window managers of every shape and size (freshmeat is littered with them). People seemed to lose their enthusiasm for writing wacky window managers after KDE and GNOME's windowmanagers got decent theme support, and most of the old X window manager projects died out or at least become smaller. Now, though, the field is wide open for crazy new window manager features. OS X-like window warping or Expos`e, shadows, losing contrast, blurring, sliding, bouncing, squashing, rippling, almost anything is possible now. And these features shouldn't be dismissed as "mere eye candy" either; a lot of these effects can actually make the user experience measurably better. For example shadows make it easier to see the stacking order of windows at a glance; bouncing or stretching catches the eye for a window that needs attention; sliding/scaling windows gives a visual indication of where they're going (instead of popping them in/out when max/minimized); blurring or decreasing contrast makes things appear in the background.
I'm looking forward to the next generation of window managers coming out on Freshmeat in the next year or so. Hopefully we'll see some real innovation that can be folded back into KDE and GNOME's next window managers for the mainstream users.
Oh man, I just had a great idea. What if you incorporated XDelta3 into a Reiser4 filesystem plugin? Versioning built into the filesystem would be an *awesome* feature. I'm sure it's been done before on some other OS, but it could really go mainstream on Linux with Reiser4.
Elegant, but too complex. Just keep a diff from the previous version to the current one, and if they don't have the previous version then just send them the whole file. That way you don't have to keep making and and storing tons of diffs, but the bandwidth for the most common case is still reduced substantially. You might want to keep two or three diffs around if people upgrade infrequently or the software is updated quickly, but after three versions the saved bandwidth is going to be very small compared with the overhead of maintaining this diff sequence (server disk space, processor time, complexity of associated software).
So the moon landing was "profound" and made us "think differently about ourselves", while the Internet is right now changing the face of politics, commerce, social interaction, and society in general? I agree with the grandparent post. If every single Apollo had blown up halfway to the moon, the world as a whole wouldn't be much different today. Maybe manned space travel would have been nipped in the bud, and we woudln't have the space shuttle or the ISS. Maybe we'd "think differently about ourselves". If the Internet hadn't been invented, everyday life for about 12% of the world's population (69% of US population) would be directly affected, and many of the rest would feel the effects too. And we've only gotten started harnessing the Internet's power to change the world. The Internet is a more important development in human history than manned space travel, and it will remain so until the first real colonization of another planet, or the first huge project such as the proposed orbiting solar power stations or moon/asteroid mining stations. (I'm not holding my breath; it will likely be more than a hundred years before the first of these is even attempted).
If you think this practice is new, you must not have been reading newspapers for very long. Editors have always striven for catchy headlines, sometimes sacrificing a little accuracy in the process. They did it a hundred years ago and they do it today. It's not like there's any mistake or BS in this headline anyway. All they did was use a (reasonably on-topic) buzzword to increase the story's pull. And it worked, and there's nothing at all wrong with that. I'd expect this story to maybe make Slashdot's developer section if some KDE guy submitted it, but the story on CNet with its Google headline made the front page because it caught michael's eye. This is definitely Slashdot front page material, so what are you complaining about?
The people doing the capitalizing here are the journalists, not the KDE people. Probably what happened was a KDE guy mentioned Google once in the middle of a half-hour-long interview, and the reporter then decided to use it as the hook for his article title. And it worked, didn't it? If this article hadn't used the buzzwords "google-like" it would probably never have gotten on CNet and ZDNet, and maybe not even the Slashdot front page.
There aren't links between files on a desktop machine like there are on the Internet, but there is something much better: usage data. You can know exactly which files a user is using, how long, and what they are doing with them. "Recently used files" lists are only beginning of what can be done with this kind of data.
The server load would probably be as bad as an SSL-protected server.
Hm, good point. I guess if SSL servers do it, it must be possible without too much overhead. In fact they don't need to use public key encryption at all; they can just store the AES keys in their database. Then when the game is released they will give you your AES key.
Well, nobody in my family can tell the difference. I've asked them if they can see the artifacts and they always say no. I truly believe that the average American *can't* tell the difference between an uncompressed signal and a compressed DirecTV stream, at least not without a lot of coaching. (By this I mean that if you showed them first an uncompressed signal, and then a DirecTV broacast of something different, they couldn't tell you which was compressed. They could probably tell in a side-by-side comparison). I don't begrudge them their happiness with the digital signal, and I'm not trying to insult people who don't see the artifacts. The only reason I care is that the artifacts bother *me*. If the artifacts bother me but nobody else, for whatever reason, then I won't be able to get digital broadcasts I can watch because DirecTV sure isn't going to make a special broadcast just for me. I'm just amazed that people don't see the artifacts that are obvious to me and complain when their digital broadcast is lower quality than their old analog ones. Why are we even moving to HDTV when DirecTV proves that the quality we have is already more than people really want? Oh that's right, because the government is mandating it. (I haven't seen much HDTV but I suspect it will have the same compression problems, perhaps even worse because they will compress it more).
That's my pet peeve about digital satellite/cable too. They talk about digital quality, but the compression completely kills any possible quality difference. I think DirecTV's broadcasts have been getting more compressed over the years; the compression artifacts are now quite obvious to me whenever I watch TV at my parents' house. (you can see them the most as a blocky blurriness that persists for a few frames after every jump cut, or in busy CG logo-type screens, or in large areas of color with subtle patterns such as cut grass on baseball fields). The worst part is, nobody else seems to notice them. I guess DirecTV has no incentive to keep the quality high when your average American can't tell the difference between pristine and highly compressed video.
They're upset because it automatically cuts up the recording by song, tags it with all the correct artist info from XM's broadcast, and encodes it into an MP3 ready for sharing. If it didn't produce nicely packaged song MP3s, they probably wouldn't care nearly as much (though they might still be assholes and shut this guy down for competing with their upcoming vaporware).
You may be right that they lawyers can't stop this, but they sure can sue over it. You signed some sort of subscriber agreement for your service and it probably gives them power to prohibit you from doing anything they don't want you doing. Rest assured, if the agreement didn't prohibit unauthorized recording before, it will now. Whether it gives them jurisdiction over this guy's business is questionable, but if he used any SDK of theirs in producing his software then he's probably bound by some agreement. The lawyers can use that to beat him into submission with some lawsuits (valid or not, probably doesn't matter).
I'm not worried about anybody cracking it before HL2 is released. If Valve was halfway competent with encryption, it will be pretty much uncrackable without the keys. However, once the game is released, Valve has to release the decryption keys so people can play it. I don't see how they can do this in a secure way unless they encrypt it separately with a different key for each person, which would be computationally expensive for their download servers. If they use the same key for any two people, one of them could buy the game and pass the encryption keys to the other (plus any small missing parts that Valve also delivers when the game is shipped).
I once the game is released, though, Valve probably won't be bothering with this pre-load stuff any more. Then they'll only let you download the game if you pay them first. So the window for exploiting this is small; you have to download the preload version now for free (if you can get in) and then wait and hope somebody bothers to come out with a crack for the preload version after the game is released (which may not even happen since it will be useless for non-preload versions). I guess Valve isn't that crazy in offering this option after all.
We can already build single bombs big enough to destroy entire countries at a time. Not even the craziest madman could need or want more than a hundred or so H-bombs, and that many already exist I'm sure. If the bombs get any bigger, they'll destroy both sides in any war. Everyone knows this, so what possible motive could they have for developing bigger bombs? And even if they did make bigger bombs, would we be any worse off? So they could blow up the earth a million times over instead of a thousand times like they can today. At some point it just doesn't matter any more.
The research we should really be worried about at this point is biological; engineered viruses/bacteria are really scary. I would not be surprised if sometime in the next 20-50 years we have enough knowledge to engineer a super-virus that incubates for a week while being transmitted like crazy, then kills within a day, and can be tailored to specific ethinic groups if desired. Genocide in a bottle. Imagine what Osama and friends would do with that kind of power. Our only hope against this sort of attack is a medical defense, but so far defending against viruses has proved much harder and slower work than making them. If this continues to be the case as biological research advances, any small group of people could doom the entire human race with only a small research lab. I find that power in the hands of anybody much more terrifying than hydrogen bombs in the control of a few world leaders.
Re:'Flaws' Not that big of a deal
on
Latest SP2 News
·
· Score: 1
I don't know what you believe my original argument is, but it has always been that Heise's so-called "flaws" aren't really flaws because the process of getting around the dialog box is too complex. I argued that users are more likely to follow instructions to click "yes" on the security dialog than to follow Heise's instructions, rendering the "exploit" useless. Later I argued that the "exploit" is useless for currently running viruses as well because there are better ways of running arbitrary code that can't be prevented by Windows. My argument has never been that the dialog box itself is bad; on the contrary I think it is a fine implementation of a reasonably good idea. It is unlikely to be that effective due to the propensity of users to click "yes" whenever asked, but it is a good idea nonetheless. Any improvement helps, no matter how small.
This discussion is about Windows; the things an imaginary secure operating system could do are not relevant. Microsoft cannot give up backwards compatability with older programs and this limits the security they can implement considerably. Windows does not and can not control what's executable in memory on plain x86. As for the last bit about laudability, I completely agree and have not argued otherwise. As I have explained, the dialog is a reasonably good idea.
Re:'Flaws' Not that big of a deal
on
Latest SP2 News
·
· Score: 1
I've only been wrong about one thing in this discussion, and in a way that doesn't even affect the validity of my argument. I was mistaken when I said that users had to type arguments. I was not wrong about users having to type, or about the process Heise suggests being invoncenient and difficult for users. You, on the other hand, have been wrong about nearly everything you've said in the latter half of this discussion. You were wrong when you said I was wrong about viruses being able to bypass XP's security. You were wrong when you thought viruses had to download and execute a VNC server to press buttons. You were wrong when you intimated that I was wrong about viruses being able to remove NTFS streams. And furthermore you are wrong again about the operating system controlling what's executable and what's not. Only on the new AMD 64-bit processors with NX is this the case. On regular x86, almost everything is executable all the time. Windows can't even control what gets executed in the processes of programs that are cooperating with it; buffer overflow exploits and the like often allow arbitrary code execution despite attempts to prevent it. How could Windows possibly control the code in a malicious program if it can't even control the code of programs that cooperate?
I sincerely doubt that this "exploit" will lead to more advanced ones. If a scripting exploit has access to cmd and also can have a file downloaded to a known location with content chosen by the script (required for this "exploit"), that script already has enough power to erase the user's hard drive, send their stored personal data and passwords to Russia, or do any number of other nasty things. Executing arbitrary machine code from there is simply a matter of using a suitable buffer overflow in any program on the user's hard drive, regardless of any restrictions Windows puts on launching downloaded exe files.
Re:'Flaws' Not that big of a deal
on
Latest SP2 News
·
· Score: 1
In the start menu run dialog, you must type "cmd" and then either type enter or click run. Then after you drag the file, you must focus the command window and type enter again. Is that not typing? Thank you. It may not be a lot of typing, but you must switch from mouse to keyboard at least twice during this process. Every added step reduces the number of people who will follow the procedure, reducing the virus's efficacy dramatically.
IANAH, so to speak
Obviously YANAH. Are you even a programmer at all? Yes, a virus could click the "yes" button, that doesn't require downloading a separate VNC server. How do you think the VNC server does it? The VNC server is just another program, it calls Windows API functions to do its job. The virus can call the same functions the VNC server does, and it doesn't need to download anything to do it.
You just don't get it. Once the virus is running on your computer under your user account, it can do anything YOU can do, and anything that any program you _might_ run could do, automatically. It has COMPLETE CONTROL. It can call whatever functions it likes, run whatever programs it likes, read or write whatever files it likes, change whatever settings it likes, and control other programs as it sees fit. Windows doesn't limit the virus after you have run it, because it isn't smart enough to know the difference between a program you wanted to run and a virus you ran by accident.
That's rather the point I was making...
No, you were making the point that cmd allowed users to easily bypass the protection and run a downloaded exe, and I was refuting it by pointing out that it really wasn't so easy for users. Programs running on the computer will always be able to bypass the protection and run arbitrary code, because Windows has no direct control over what code a program executes or where that code came from. The key is stopping users from running viruses in the first place because once the virus is running you're toast. This security warning dialog is only intended to help stop users from running downloaded viruses through Windows Explorer. It does not, cannot, and was never intended to serve as a defense against running virus code.
Actually I think the dialog is a good idea and it may even be effective at reducing the number of viruses of the "user downloads and runs it manually" type. For the reasons stated in previous posts, I sincerely doubt that large numbers of users will be both willing and able to follow a multi-step procedure involving typing and command lines, simply on the advice of a random email. If a new virus proves me wrong, then MS should add the warning dialog to cmd as well. But there's nothing MS can do to prevent a running virus from downloading and executing whatever it likes.
... and other companies quickly rose to snap up the profit opportunities in the markets left underserved by the collapse of the previous companies. You make it sound as if companies going out of business is bad. It's good! Old obsolete companies going out of business makes room for the new innovative ones. Some people lose their jobs, but on average it's only because what they were doing was inefficient and capitalism is correcting the inefficiency in the only way possible (forcing them to get new jobs even though they don't want to). It's not necessarily "fair" for everyone; but on average it works out to a better result.
Yes, there are capitalist shitholes too, but communism has no US, Japan, UK, etc etc to boast of. The capitalist successes are numerous; the communist successes are nonexistant. China doesn't count; their recent economic successes are entirely due to capitalism. Their motives for becoming capitalist are irrelevant. Calling Canada a socialist state is laughable; nationalized health care does not a socialist state make. Many European countries have a lot of social programs but they are still fundamentally based in the capitalist system.
Re:'Flaws' Not that big of a deal
on
Latest SP2 News
·
· Score: 1
That "exploit" is not worded very well (to work it would have to explain more thoroughly how to run "cmd" since most users won't know you have to use the "run" start menu item), requires users to type in two places (granted, they're not typing arguments), requires users to save the executable and locate it afterwards, and requires users to correctly manage the input focus between several windows (users are likely to simply drag the file from Explorer to the cmd window, which leaves the focus on the executable's icon in Explorer, meaning that pressing Enter will display the warning dialog as usual. An extra click is required to focus cmd before pressing Enter, but this is non-obvious). Also it doesn't work with the.gif trick, so it requires a mail system that accepts executable attatchments and a mail client that allows you to save executables (unlike the last several versions of Outlook). In other words, this virus is DOA.
Also, if you think a puny dialog box is going to stop a running virus from executing whatever it likes, you must not have a very good grasp of what it means to have compromised a machine. Once a machine is compromised, the virus can do *anything it wants* that is within the capabilities of the user account it has compromised. The virus could press the "yes" button on the security dialog automatically before the user sees it. It could remove the NTFS stream that marks the executable as downloaded from the Internet. It could use the same system call "cmd" uses to run the code without the warning dialog. It could read the code directly into memory and execute it in its own process, bypassing any Windows restrictions on executable files. It could do any of a million other things to execute code.
Re:'Flaws' Not that big of a deal
on
Latest SP2 News
·
· Score: 2, Informative
Heise is! Didn't you even notice the "sample email worm" given by heise? How did this get modified informative? Stupid crack-smoking mods. Aren't you familiar with the oh-so-popular "email with executable attatched that the user must manually run to start the virus"? Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.
Slashdot Mirror
If the pixels can respond to any signal within 5 ms, that means the highest framerate that can be displayed without ghosting is 200 fps (1 / 5ms = 200 Hz). Which is more than you should ever need, and a big improvement on current LCD displays (a good consumer display has a ~20ms response time; 1 / 20ms = 50 Hz, not even 60 fps, but good enough for TV's 30 fps.)
If Nike does better, all US-based employees of Nike, from execs down to janitors, benefit. The extra money the US workers earn gets spent in the US, further benefiting other US companies and strengthening the US economy. Maybe those janitors will buy computers, benefiting the tech industry. Also, since anybody can buy shares in Nike, the average US citizen is free to benefit from Nike's success directly as a minor shareholder. You don't need to be a "significant" shareholder to benefit from Nike's success.
Well, it depends on what the purpose of the shadows is. If the purpose of the shadows is to look realistic, the shadow should only appear on the bottom and right of the window (for consistency with most UI toolkits which place the light source at top left). If the purpose of the shadow is to improve usability by making it easier to determine which window has the focus, then the shadow should appear around all edges of the window for maximum "popping off the screen" effect. It may surprise you to learn that OS X's windows have a shadow on all four sides. The left and right shadows are the same size; the top shadow is only a few pixels tall, but it is there; the bottom shadow is the largest. Also, the shadow of the topmost window is significantly larger and darker than other shadows, making it even easier to see the focused window. Apple knows their usability.
I'm looking forward to the next generation of window managers coming out on Freshmeat in the next year or so. Hopefully we'll see some real innovation that can be folded back into KDE and GNOME's next window managers for the mainstream users.
Oh man, I just had a great idea. What if you incorporated XDelta3 into a Reiser4 filesystem plugin? Versioning built into the filesystem would be an *awesome* feature. I'm sure it's been done before on some other OS, but it could really go mainstream on Linux with Reiser4.
Elegant, but too complex. Just keep a diff from the previous version to the current one, and if they don't have the previous version then just send them the whole file. That way you don't have to keep making and and storing tons of diffs, but the bandwidth for the most common case is still reduced substantially. You might want to keep two or three diffs around if people upgrade infrequently or the software is updated quickly, but after three versions the saved bandwidth is going to be very small compared with the overhead of maintaining this diff sequence (server disk space, processor time, complexity of associated software).
I wonder how many other little features Google has hidden away? Their documentation is good, but it doesn't list everything.
So the moon landing was "profound" and made us "think differently about ourselves", while the Internet is right now changing the face of politics, commerce, social interaction, and society in general? I agree with the grandparent post. If every single Apollo had blown up halfway to the moon, the world as a whole wouldn't be much different today. Maybe manned space travel would have been nipped in the bud, and we woudln't have the space shuttle or the ISS. Maybe we'd "think differently about ourselves". If the Internet hadn't been invented, everyday life for about 12% of the world's population (69% of US population) would be directly affected, and many of the rest would feel the effects too. And we've only gotten started harnessing the Internet's power to change the world. The Internet is a more important development in human history than manned space travel, and it will remain so until the first real colonization of another planet, or the first huge project such as the proposed orbiting solar power stations or moon/asteroid mining stations. (I'm not holding my breath; it will likely be more than a hundred years before the first of these is even attempted).
Maybe somebody's created automated tools to exploit the 1GB of space to post porn or warez or something for download.
If you think this practice is new, you must not have been reading newspapers for very long. Editors have always striven for catchy headlines, sometimes sacrificing a little accuracy in the process. They did it a hundred years ago and they do it today. It's not like there's any mistake or BS in this headline anyway. All they did was use a (reasonably on-topic) buzzword to increase the story's pull. And it worked, and there's nothing at all wrong with that. I'd expect this story to maybe make Slashdot's developer section if some KDE guy submitted it, but the story on CNet with its Google headline made the front page because it caught michael's eye. This is definitely Slashdot front page material, so what are you complaining about?
The people doing the capitalizing here are the journalists, not the KDE people. Probably what happened was a KDE guy mentioned Google once in the middle of a half-hour-long interview, and the reporter then decided to use it as the hook for his article title. And it worked, didn't it? If this article hadn't used the buzzwords "google-like" it would probably never have gotten on CNet and ZDNet, and maybe not even the Slashdot front page.
There aren't links between files on a desktop machine like there are on the Internet, but there is something much better: usage data. You can know exactly which files a user is using, how long, and what they are doing with them. "Recently used files" lists are only beginning of what can be done with this kind of data.
Hm, good point. I guess if SSL servers do it, it must be possible without too much overhead. In fact they don't need to use public key encryption at all; they can just store the AES keys in their database. Then when the game is released they will give you your AES key.
Well, nobody in my family can tell the difference. I've asked them if they can see the artifacts and they always say no. I truly believe that the average American *can't* tell the difference between an uncompressed signal and a compressed DirecTV stream, at least not without a lot of coaching. (By this I mean that if you showed them first an uncompressed signal, and then a DirecTV broacast of something different, they couldn't tell you which was compressed. They could probably tell in a side-by-side comparison). I don't begrudge them their happiness with the digital signal, and I'm not trying to insult people who don't see the artifacts. The only reason I care is that the artifacts bother *me*. If the artifacts bother me but nobody else, for whatever reason, then I won't be able to get digital broadcasts I can watch because DirecTV sure isn't going to make a special broadcast just for me. I'm just amazed that people don't see the artifacts that are obvious to me and complain when their digital broadcast is lower quality than their old analog ones. Why are we even moving to HDTV when DirecTV proves that the quality we have is already more than people really want? Oh that's right, because the government is mandating it. (I haven't seen much HDTV but I suspect it will have the same compression problems, perhaps even worse because they will compress it more).
Well maybe you didn't use a pen to write your name on a piece of paper for them, but I'm sure you're bound by some sort of subscriber agreement.
That's my pet peeve about digital satellite/cable too. They talk about digital quality, but the compression completely kills any possible quality difference. I think DirecTV's broadcasts have been getting more compressed over the years; the compression artifacts are now quite obvious to me whenever I watch TV at my parents' house. (you can see them the most as a blocky blurriness that persists for a few frames after every jump cut, or in busy CG logo-type screens, or in large areas of color with subtle patterns such as cut grass on baseball fields). The worst part is, nobody else seems to notice them. I guess DirecTV has no incentive to keep the quality high when your average American can't tell the difference between pristine and highly compressed video.
You may be right that they lawyers can't stop this, but they sure can sue over it. You signed some sort of subscriber agreement for your service and it probably gives them power to prohibit you from doing anything they don't want you doing. Rest assured, if the agreement didn't prohibit unauthorized recording before, it will now. Whether it gives them jurisdiction over this guy's business is questionable, but if he used any SDK of theirs in producing his software then he's probably bound by some agreement. The lawyers can use that to beat him into submission with some lawsuits (valid or not, probably doesn't matter).
I once the game is released, though, Valve probably won't be bothering with this pre-load stuff any more. Then they'll only let you download the game if you pay them first. So the window for exploiting this is small; you have to download the preload version now for free (if you can get in) and then wait and hope somebody bothers to come out with a crack for the preload version after the game is released (which may not even happen since it will be useless for non-preload versions). I guess Valve isn't that crazy in offering this option after all.
The research we should really be worried about at this point is biological; engineered viruses/bacteria are really scary. I would not be surprised if sometime in the next 20-50 years we have enough knowledge to engineer a super-virus that incubates for a week while being transmitted like crazy, then kills within a day, and can be tailored to specific ethinic groups if desired. Genocide in a bottle. Imagine what Osama and friends would do with that kind of power. Our only hope against this sort of attack is a medical defense, but so far defending against viruses has proved much harder and slower work than making them. If this continues to be the case as biological research advances, any small group of people could doom the entire human race with only a small research lab. I find that power in the hands of anybody much more terrifying than hydrogen bombs in the control of a few world leaders.
This discussion is about Windows; the things an imaginary secure operating system could do are not relevant. Microsoft cannot give up backwards compatability with older programs and this limits the security they can implement considerably. Windows does not and can not control what's executable in memory on plain x86. As for the last bit about laudability, I completely agree and have not argued otherwise. As I have explained, the dialog is a reasonably good idea.
I sincerely doubt that this "exploit" will lead to more advanced ones. If a scripting exploit has access to cmd and also can have a file downloaded to a known location with content chosen by the script (required for this "exploit"), that script already has enough power to erase the user's hard drive, send their stored personal data and passwords to Russia, or do any number of other nasty things. Executing arbitrary machine code from there is simply a matter of using a suitable buffer overflow in any program on the user's hard drive, regardless of any restrictions Windows puts on launching downloaded exe files.
IANAH, so to speak
Obviously YANAH. Are you even a programmer at all? Yes, a virus could click the "yes" button, that doesn't require downloading a separate VNC server. How do you think the VNC server does it? The VNC server is just another program, it calls Windows API functions to do its job. The virus can call the same functions the VNC server does, and it doesn't need to download anything to do it.
You just don't get it. Once the virus is running on your computer under your user account, it can do anything YOU can do, and anything that any program you _might_ run could do, automatically. It has COMPLETE CONTROL. It can call whatever functions it likes, run whatever programs it likes, read or write whatever files it likes, change whatever settings it likes, and control other programs as it sees fit. Windows doesn't limit the virus after you have run it, because it isn't smart enough to know the difference between a program you wanted to run and a virus you ran by accident.
That's rather the point I was making...
No, you were making the point that cmd allowed users to easily bypass the protection and run a downloaded exe, and I was refuting it by pointing out that it really wasn't so easy for users. Programs running on the computer will always be able to bypass the protection and run arbitrary code, because Windows has no direct control over what code a program executes or where that code came from. The key is stopping users from running viruses in the first place because once the virus is running you're toast. This security warning dialog is only intended to help stop users from running downloaded viruses through Windows Explorer. It does not, cannot, and was never intended to serve as a defense against running virus code.
Actually I think the dialog is a good idea and it may even be effective at reducing the number of viruses of the "user downloads and runs it manually" type. For the reasons stated in previous posts, I sincerely doubt that large numbers of users will be both willing and able to follow a multi-step procedure involving typing and command lines, simply on the advice of a random email. If a new virus proves me wrong, then MS should add the warning dialog to cmd as well. But there's nothing MS can do to prevent a running virus from downloading and executing whatever it likes.
Yes, there are capitalist shitholes too, but communism has no US, Japan, UK, etc etc to boast of. The capitalist successes are numerous; the communist successes are nonexistant. China doesn't count; their recent economic successes are entirely due to capitalism. Their motives for becoming capitalist are irrelevant. Calling Canada a socialist state is laughable; nationalized health care does not a socialist state make. Many European countries have a lot of social programs but they are still fundamentally based in the capitalist system.
Also, if you think a puny dialog box is going to stop a running virus from executing whatever it likes, you must not have a very good grasp of what it means to have compromised a machine. Once a machine is compromised, the virus can do *anything it wants* that is within the capabilities of the user account it has compromised. The virus could press the "yes" button on the security dialog automatically before the user sees it. It could remove the NTFS stream that marks the executable as downloaded from the Internet. It could use the same system call "cmd" uses to run the code without the warning dialog. It could read the code directly into memory and execute it in its own process, bypassing any Windows restrictions on executable files. It could do any of a million other things to execute code.
Heise is! Didn't you even notice the "sample email worm" given by heise? How did this get modified informative? Stupid crack-smoking mods. Aren't you familiar with the oh-so-popular "email with executable attatched that the user must manually run to start the virus"? Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.