I have a Deskpro XL right here with that plug staring right at me, and it's nothing more than a keyboard/mouse/sound in/sound out combined into a single cable. A special keyboard ('voystra?') has a built-in speaker, vol knob, and mic/line out/mouse jacks.
However, I will back up your story that we got other Compaq 'workstation' Pentium Pro machines in the 1996 timeframe that had USB ports. They were covered with little stickers explaining how software support was pending.
An operating system is "software that controls the operation of a computer and directs the processing of programs (as by assigning storage space in memory and controlling input and output functions)."
Well, you'd have to have your head in a hole to be ignorant of the more common definition of "things that come on the CD with what is formally defined as an operating system". This is the definition that's far more relevant to everyone not writing a computer science textbook.
Even the GNU GPL uses the term "operating system" in this sense (calling a compiler a "major component" of the OS) and that's the legal document that allows the whole thing to be shipped.
Personally, I think the concept of a "distribution" or "operating environment" is marketing claptrap that hinges on an obscure technical point, but is designed to obscure the incompatibilities between different Linux-based OSes. Calling the different OSes themselves "Linux" (as Linus allows) is also a little white lie.
Also -- "User selects YES to every prompt without reading it".
(I once was prompted to run an ActiveX control called "IE Destroyer" -- it was signed and everything. This was in the early 4.0 days, so I think it was targeted at 3.0's terrible policies. But I imagine that a large number of users would install and run it without hesitation.)
Yeah, if you dig around in Windows you can eventually find a device designed to control LaserDisc players.
This is legacy from the old days when a "multimedia" computer meant one that was hooked up to play synchronized audio/video from external devices. Even Apple IIs managed to serve in this role. (The only time I saw this in use was some console that they got in my high school that allowed one to select and view different college commercials from LD.)
Yeah, I neglected NS plugins. Although, I don't know if I've ever seen a 'single-purpose' plug-in. But anytime the user has to install something, you've got a potential security problem.
Why does my IE report "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.2914)" then?
Considering that ActiveX allows everything else, I don't see why it couldn't run a .NET applet. (Although applets are so unsexy at this point from a marketing standpoint, I can see why MS might downplay this facility.)
VBScript and JavaScript need to go through COM objects to do file IO because there's no built-in facility. However, when running in the browser, there's a very limited range of objects they can access that prevents anything nasty happening.
PerlScript does have Perl's built-in file IO, but by default it only runs from sites defined to be in the "Local" zone. link. But it's a good point that WSH's installable language facility could be a security risk with the wrong language runtime.
IE ships with ActiveX/COM support, which provides a language-independent mechanism to plug anything you want into your browser. The user gets code-signing and some level of download control, but ultimately there's no 'sandbox' to prevent that code from doing what it wants (deleting your home directory, e-mail bomb, etc). They've been ripped for the security implications, as anyone who reads Slashdot knows.
Netscape chose the safe route and only provided Java applet support. This relies on the Java security model to protect the user through sandboxing from anything that they might automatically download, but locks you into Java. Mozilla/NS6 may allow some sort of XPCOM application to be downloaded and installed, but it's not as seamless as ActiveX.
The important point is that you don't get 'unsafe' languages like C++ and Perl in your browser without the security implications that everyone's roasted Microsoft's ass over.
The MS .NET approach will be the hybrid. While you still have a Java-like runtime that has a security model, at least you won't be locked into a particular language.
Sorry if I was not clear: IUSR_foo is an unprivileged account. IIS needs LocalSystem so that it has the privs to switch process ownership to IUSR_foo to run scripts.
IIS runs as a user other than the administrator, and scripts under IIS run as yet-another-non-administrator user
This is wrong. IIS runs as LocalSystem, which pretty much has full rights to the local machine, and more privs than Administrator for certain things.
There's a good reason for this -- It needs system access so that it can use security impersonation and run scripts as the local user (IUSR_foo or whoever's logged in). The problem is, if someone finds a bug before the user identity is switched, they've owned the machine.
(I think IIS 5 does support non-System users, but you lose the ability to impersonate someone else.)
Re:Try be inovative instead of just replicate ? on Linux on the Desktop · Score: 1
Well, I'm not trying to overstate Microsoft's responsiveness to their customers, which I personally know is a particular form of Kafkaesque torture. But if a big Fortune 500 customer calls them and asks for a StarOffice 6 import filter or something else compatible with MS's overall goals, it will appear.
Mozilla, while a great product, is a terrible example of a user-driven project. Its unstated goal is "Do everything that Netscape Communicator did, but make it better and more standards-compliant". How did Communicator get its feature list? Same marketing weenies that you decry. It doesn't take much hanging around Bugzilla to see their attitude towards popular user enhancement requests. Some examples:
+ SMIME instead of PGP.
+ Browser is hardwired to use Mozilla mail, even though the code exists to do otherwise. Strangely, IE doesn't mind if you want to use Mozilla mail (or anything else).
Besides, lumping big Fortune 500 open source projects like Mozilla or StarOffice in with the AbiWords and KWords of the world is a mistake because the projects are managed entirely differently, and Sun and AOL certainly have their share of marketing weenies. Which brings us back to the original topic -- Linux is probably OK for the corporate desktop, assuming that you aren't tied to Win32-specific vertical or in-house software, you can manage your file formats, and if you are using big corporate-sponsored stuff like StarOffice and Mozilla.
Re:Try be inovative instead of just replicate ? on Linux on the Desktop · Score: 1
I agree that is the point, but I just don't think that the people who promote Linux (etc) as a Windows replacement get it.
If it's not a customer-driven product, customers might rightfully find it inferior to products that are highly customer-driven (like Microsoft's). You can't expect them to see the value in programmer-driven approaches (such as having 32 word processor file formats). Even the benign statement "Competition is good" is a headache for Mr. MIS Manager in many situations.
Re:Try be inovative instead of just replicate ? on Linux on the Desktop · Score: 2
OK, XML is arguably better than other formats because it's somewhat self-documenting and there's commonly available tools.
But, if these formats aren't documented, and if OSS App #1 doesn't have the code to open OSS App #2's formats (and vice versa), the XML-ness of the format means nothing in the real world.
I had to say it, but businesses care more about de facto standards than open specs. They want to hear that "If you switch to a Linux desktop, you can use Sun StarOffice (or whatever) as MS Office replacement and send documents to any other Linux user." They don't want to hear "We've got 10 incompatible and half-finished office suites! Pick any one you like and start hacking the code. But emacs and TeX rulez!".
Problem is tho in a 'free software' environment, nobody's going to pick a winner and centralize development efforts on that product. This point is where the culture of Linux runs counter to the marketing efforts of its advocates that want to see it as a Microsoft replacement (when it's not intended to be such).
FYI: Talkback was introduced by good ol' closed source Netscape at 4.5 or so. Of course, talkback itself had the nasty habit of crashing, so most disabled it.
You have no idea how small-minded many/most municipalities are in the US. There are still significant parts of the country where access to alcohol is banned or severely restricted, softcore mags like Playboy are essentially banned, and stores are ordered closed on Sundays. It's not your "best friends", it's your minister, your mayor, and all the pious guys at the Elk Club.
It's easy for TimeWarner or AT+T to ignore these yahoos. A municipal bit-pipe mostly could and would be legally censored according to "community standards".
Right -- if FedEx etc was so hot on Basic Letter service, I'm sure they'd find amiable congressmen that were willing to fully privatize the post office. What we have here is Libertarian ideology, which as usual is completely politically disconnected.
As a side note, anyone interested in postal politics should read "The Crying of Lot 49".
Late followup, but it sounds like this won't be sufficient to clean the system. Bits from NTBugTraq:
Virus sets IE5 to IE4 compatibility mode (apparently to circumvent
security) and crashes Explorer.exe when IE is launched. IExplore.exe
appears to be hacked, and there is now a hidden IExplore .exe (note the
space before the extension) in same directory.
IIS console hacked: New MMC.EXE placed in \WINNT directory, which may
override original version in \WINNT\System32.
EXE files placed into TEMP directory. Note that most/all hacked EXE
files are flagged Hidden.
NT Account "Guest" was made a member of the NT "Administrators" group!
And maybe more... looks nasty enough to warrant a reinstall.
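The indicators quoted from NTBugTraq above can be checked mechanically over a file inventory and group listing, as in this added example (not part of the original comment or the NTBugTraq post). The inventory, group data, baseline set and the `triage` function are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any platform

# Constructed inventory for illustration: (path, has_hidden_attribute).
SAMPLE_FILES = [
    (r"C:\Program Files\Internet Explorer\IExplore.exe", False),
    (r"C:\Program Files\Internet Explorer\IExplore .exe", True),
    (r"C:\WINNT\System32\MMC.EXE", False),
    (r"C:\WINNT\MMC.EXE", False),
    (r"C:\TEMP\a1b2.exe", True),
    (r"C:\WINNT\notepad.exe", False),
    (r"C:\WINNT\System32\notepad.exe", False),
]
# Constructed group listing for illustration.
SAMPLE_GROUPS = {"Administrators": ["Administrator", "Guest"]}
# Assumption: names present in both the Windows directory and System32
# on a known-good build; generate this from a clean install.
BASELINE_DUPLICATES = {"notepad.exe"}


def triage(files, groups, windir=r"C:\WINNT", baseline=BASELINE_DUPLICATES):
    """Return (indicator, subject, note) tuples for the reported symptoms."""
    findings = []
    win = windir.lower()
    sys32 = ntpath.join(win, "system32")
    present = {p.lower() for p, _ in files}
    sys32_names = {ntpath.basename(p) for p in present
                   if ntpath.dirname(p) == sys32}

    for path, hidden in files:
        folder, name = ntpath.split(path.lower())
        stem, ext = ntpath.splitext(name)
        if ext != ".exe":
            continue
        # "IExplore .exe": whitespace between the name and the extension.
        if stem != stem.rstrip():
            twin = ntpath.join(folder, stem.rstrip() + ext)
            note = ("look-alike of " + twin if twin in present
                    else "no sibling found")
            findings.append(("space-before-extension", path, note))
        # A copy in the Windows directory with the same name as a
        # System32 binary, unless the clean build also has both.
        if folder == win and name in sys32_names and name not in baseline:
            findings.append(("shadows-system32", path,
                             "same name exists in System32"))
        if hidden:
            findings.append(("hidden-exe", path, "Hidden attribute set"))
        if "temp" in folder.split("\\"):
            findings.append(("exe-in-temp", path,
                             "executable in TEMP directory"))

    admins = {m.lower() for m in groups.get("Administrators", [])}
    if "guest" in admins:
        findings.append(("guest-is-admin", "Guest",
                         "member of Administrators"))
    return findings


if __name__ == "__main__":
    for indicator, subject, note in triage(SAMPLE_FILES, SAMPLE_GROUPS):
        print(f"{indicator:24} {subject}  ({note})")
```

The baseline set matters: without it, any file that legitimately exists in both directories on a clean build would be reported as shadowing System32.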
SFP is a good idea because it's practically the only way to defeat the numerous shitty installers out there that want to install their 'special' system DLLs from 1996.
SFP is horridly implemented because as you note, it covers utilities like notepad.exe, and my favorite, certain fonts.
It also broke MS's 'Securing IIS 4.0' document which recommended that you delete OS2.DLL, POSIX.DLL (etc), and move your executable commands to a different directory.
Due to what I can only hope is a bug in IE, this type of file will *automatically* execute.
In the Windows 'Folder Options' Dialog, there's settings for each file type, including "Confirm Open After Download" -- which is a highly suspect feature that allows users to seamlessly open (possibly virus laden) Microsoft Office documents and so on.
A year or more ago, I went through and enabled this setting for pretty much everything I could find (mainly MSO types). I just double-checked and a few MSO types had reverted, but it's currently enabled for .EML and .NWS (Outlook Express types).
I'm curious what this setting is on a virgin box -- anyone want to take a look?
First of all, the current topic is a "Microsoft Internet Information Services Worm" and nobody is saying otherwise.
Second, in the SirCam threads on Slashdot, we had 200 people, including CmdrTaco, calling it a "Microsoft Outlook Virus/Worm", when in fact it was not. It was a Win32 program that was completely mail-client independent, although it would grep the Windows Address Book (used by Outlook in some configurations, but not others) and IE's cache directories. Lots of "advocates" that were discredited by not getting their facts straight.
Although, I agree with the point -- Calling something a "VBS Virus" is retarded given that there's nothing particularly special about the Visual Basic Script language that makes these viruses possible.
It is hard to disagree. However, I think last time around they were more costly because they were doing things like using SCSI across the line. Maybe next time around (if there is one!) they will try harder. Or maybe not.
If we wanted to time-travel back to a time when Apple had a chance to be the majority system, we'd be back in the late 1980s. A few thoughts on the issue:
+ Apple was making a ridiculous 60% margin on their machines back in the 80s. They did save up a bunch of cash for the rough times, but this "BMW marketing" hurt them in the long run.
+ They purposely segmented their market in the 80s by refusing to produce cheap color Macs. Instead they lied with "Apple II Forever!" and pawned a bunch of dead-end IIgs machines onto educational and home customers. (There was also the significant wasted engineering work done on the IIgs -- it had a better GUI than Windows 3, for example.)
+ Apple has always used a bunch of custom chips. The production of these chips has limited their total production capacity. They've never been able to supply more than a fraction of the market (by themselves). Even internally, they never got a standard motherboard until the Return of Steve Jobs days.
+ They turned down many offers to licence their OS in the 80s (Bill Gates, Andy Grove, HP, IBM...)
+ It took far too long to get their shit together with a 'real' OS. This goes back to an aborted merger with Sun in the 80s.
+ They refused to play nice on corporate networks - wouldn't support any protocol but AppleTalk, and so on.
+ Jean-Louis Gassee, later of Be, was the prime architect of their 1980s exclusionary strategy. Maybe that's why they weren't too keen on having him back.
Yeah, it's understandable that VA (the hardware company) was funding this because a few years down the road they might have been in the position to compete with Sun and IBM in what's left of the 'workstation' market.
There's also the more general theory that with more 3D game support, Linux would get more uses, and some of that money might trickle back to VA. (It's analogous to Microsoft and Apple investing lots of money into CD-ROM technology in the 80s. They never made much money directly, but the widescale adoption of CD-ROMs indirectly allowed them to increase their sales.)
But, it was a long-term bet, and when you are a piddly company on the edge of existence, long-term bets aren't the best idea. Kinda like how Corel thought they could do a Linux distro and 2-5 years out sell more Office Suites because of it.
The course of the discussion seems to be that Netscape/Outlook/Mozilla does NOT have built-in encryption, when in fact they all do. The problem is that it's SMIME and not PGP/GPG.
SMIME is certainly geared more towards corporate usage (with a real CA hierarchy rather than PGP's trust model), but it's real encryption and it works.
Netscape (now iPlanet) sells a 'Certificate Server' for use with SMIME mail and other things. That explains their relative lack of interest in PGP for Mozilla.
What you are thinking of is NOT a USB connector.
I posted this already, but IE reports the .NET CLR version in the User Agent string. Hmmm....
It looks like this was patched in March:
Microsoft Security Bulletin (MS01-020) Incorrect MIME Header Can Cause IE to Execute E-mail Attachment