Re:YouTube has a lot possibilities on Ballmer Sounds Off · Score: 2, Funny
> Does it sound like a business model? Yep, I think so.
> Is it highly overpriced? Up to Google,
> Is it good? For them, for a while, for sure.
When did you get a Slashdot account, Secretary Rumsfeld?
Patch turnaround time doesn't matter all that much.
What really matters is probably something like the mean time to patch install on vulnerable systems as measured from the time of vulnerability disclosure, or the % of patched hosts after a given fixed time period. Think about it: if you turn out a patch in 30 minutes, but it takes on average six months for the patch to get installed, how much did that marvelous engineering feat really matter?
It might matter a lot to a few people, but by assumption (6 month average patch rate) it didn't mean much to the average user.
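The two metrics the comment above proposes (mean time from disclosure to patch install, and the share of hosts patched within a fixed window) are easy to compute badly. The following is an added example, not code from the page or from any vendor, using constructed sample data: one vulnerability, a 30-minute vendor turnaround, and five hosts of which two are still unpatched when the data is collected. The names `DISCLOSED`, `COLLECTED` and `INSTALL_TIMES` are assumptions for the illustration. It contrasts the optimistic "patched hosts only" mean with one that keeps the unpatched hosts in the denominator, which is the version that actually reflects the average user's exposure.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): one vulnerability, five hosts.
# A value of None means the host was still unpatched when the data was collected.
DISCLOSED = datetime(2007, 3, 1)
PATCH_RELEASED = datetime(2007, 3, 1, 0, 30)   # a 30-minute vendor turnaround
COLLECTED = datetime(2007, 9, 1)               # when the install data was pulled
INSTALL_TIMES = {
    "host-a": datetime(2007, 3, 2),
    "host-b": datetime(2007, 3, 15),
    "host-c": datetime(2007, 6, 1),
    "host-d": None,
    "host-e": None,
}


def vendor_turnaround(disclosed, released):
    """Time from disclosure to patch availability: the number vendors advertise."""
    return released - disclosed


def _mean(deltas):
    return sum(deltas, timedelta()) / len(deltas)


def mean_time_to_install_patched_only(disclosed, installs):
    """The optimistic version: averages only hosts that did patch, so the
    unpatched population (the one that gets exploited) vanishes from the metric."""
    return _mean([t - disclosed for t in installs.values() if t is not None])


def mean_time_to_install(disclosed, installs, collected):
    """Mean exposure since disclosure across all hosts. A host that is still
    unpatched is counted as exposed up to the collection time, which is a lower
    bound on its real exposure, so this figure can only be too kind, not too harsh."""
    exposures = [(t if t is not None else collected) - disclosed
                 for t in installs.values()]
    return _mean(exposures)


def fraction_patched_within(disclosed, installs, window):
    """Share of hosts patched within `window` of disclosure (the fixed-period metric)."""
    deadline = disclosed + window
    patched = sum(1 for t in installs.values() if t is not None and t <= deadline)
    return patched / len(installs)


if __name__ == "__main__":
    print("vendor turnaround:", vendor_turnaround(DISCLOSED, PATCH_RELEASED))
    print("mean time to install (patched hosts only):",
          mean_time_to_install_patched_only(DISCLOSED, INSTALL_TIMES))
    print("mean exposure, all hosts:",
          mean_time_to_install(DISCLOSED, INSTALL_TIMES, COLLECTED))
    for days in (30, 90, 180):
        print(f"patched within {days} days:",
              fraction_patched_within(DISCLOSED, INSTALL_TIMES, timedelta(days=days)))
```

On this sample the vendor's 30-minute turnaround sits next to a mean exposure of 95 days once the unpatched hosts are counted, versus about 36 days if they are quietly dropped; that gap is the point of the comment.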
I have no idea why people who wouldn't buy a television that was designed, built, or sold by an advertising company so commonly choose to use a web browser that was designed, built, and given away for free by an advertising company.
He's got a point. Building computers is simply not a terrifically difficult business.
I was in St. Petersburg (Putin's hometown) a few months ago visiting in-laws, and I helped them pick out their first computer from a local vendor. What they got was a pretty nice machine for the money. The selection was good. A fine consumer experience, overall.
Do they need a foreign corporation in that market locally? Would they benefit immensely from that? Not really.
I suspect it's probably more about TV than music.
Gyms often have the audio for their TVs pumped out over short-range radio. Zunes have radio. iPods don't.
Advertising-based company undermines user privacy to make money. Film at 11.
Seriously... this is why I'm staying away from Chrome. If Google gets big enough in the browser to start dictating de-facto standards, my privacy will suffer.
Yeah. Exactly. I don't trust Chrome, because Google is a company that makes all of its money off of advertising. Advertising revenue is inversely proportional to user privacy. We rely on our browsers to protect our privacy via mechanisms like the same origin policy. In the future, as the web evolves, we can expect to need new browser features to protect our privacy.
MS also wants to be heavy into ad revenue, but for now, MS makes its money off of other things, so there isn't as big a conflict for the team picking which features make it into IE. In fact, MS is so focused on crushing Google, I could see them championing user privacy and hurting their own ad revenue numbers just to undermine Google.
But of course, Firefox has the least financial interest in undermining privacy. In that department: Firefox > IE >> Chrome.
I wouldn't trust that as much. The smaller hosts simply don't have the software/hardware engineering resources that the big boys do. They can't sink nearly as much up-front into automated diagnostics and repair, and they can't operate on tiny margins, so they're either going to offer less reliable solutions, or more expensive ones.
If you can afford it, I'd recommend a utility computing platform, like Amazon S3 or whatever Google's offering in that space. Verify that they're built out for long-term, fault-tolerant storage (i.e. replication + automated verification and repair).
I wouldn't trust that 100%, though, so keep them locally as well.
He's trying to find an opportunity to bash Microsoft!
Thank you. This is pure Goodness.
Hallelujah, brother!
What bugs the snot out of me is that a lot of that stuff is documented really well, but only on developers' blogs. What the hell kind of insulting documentation non-strategy is that? And of course, there's no cross-referencing between MSDN and "the blogosphere." So you get to churn away at a search engine until you find a blog entry that's kind of addressing what you want to know.
That said, I do like a lot of stuff about C#. Delegates, for example, rank high on that list. And C# 3.5 offers some pretty cool new stuff as well. I likey the lambda expressions, inferred typing, and LINQ.
But the documentation does make me cry at night, sometimes. Sometimes.
Five years.
> There is no safe way to run complex sandboxed code on a user's PC and no safe way to allow sandboxed code access to the network. Either you trust the source of the program and let it do what it needs to do, or you don't trust it and don't allow it to run on your PC at all. How many of these vulnerabilities are we going to run through before we finally figure that out?
I'm not as much a pessimist as you are on this. The fact that so much of attackers' energy goes into circumventing the same origin policy speaks to the theoretical efficacy of the policy. The problem in this case is that the identity of the origin is security-critical, and defined in terms of DNS --a horribly insecure protocol.
If the "origin" the policy speaks to had some intransient relationship to where packets were actually being routed, then the issue in the article wouldn't be a problem. Combine that with solid implementations of the policy, and stop the proliferation of sandboxes that ALL have to be correct (perhaps by replacing JavaScript, Java, Flash, ActiveX, et cetera with a unified client-side web programming standard) and browser sandboxing could work okay. A tall order, yes, but a feasible five-to-ten year scenario.
Then you'd still have to worry about XSS, but I think that's a separate problem from sandboxing.
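The weakness the comment above describes, an origin whose identity rests on DNS, is exactly what DNS rebinding exploits: a name first resolves to the attacker's server, then, after a short TTL, to an address inside the victim's network, and the browser still treats both as the same origin. The following is an added example, not code from the page, from the article it discusses, or from any browser, and the hostnames and allowlist in it are constructed for illustration. It shows the two practical mitigations: on the server, refusing requests whose Host header is not one of the service's own names (a rebound request still carries the attacker's hostname in Host:), and on the client, pinning the first address resolved for a name for the session and refusing a later answer that moves it into internal address space.

```python
import ipaddress

# Constructed configuration (assumed, not from the page): the names an internal
# service is legitimately reached under, and the address ranges we treat as internal.
ALLOWED_HOSTS = {"intranet.example.internal", "localhost"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip):
    """True if the address lies in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_header_ok(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Server-side defence. A rebound request is routed to us, but the browser
    still fills in Host: with the name the script used (the attacker's), so a
    service that refuses unknown Host values breaks the attack whatever DNS says."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # [v6-literal]:port
        end = host.find("]")
        if end < 0:
            return False
        host = host[:end + 1]
    elif host.count(":") == 1:               # name:port
        host = host.split(":", 1)[0]
    return host in allowed_hosts


class DnsPinner:
    """Client-side defence. The first address resolved for a name is pinned for
    the session; a later answer that moves the name into internal address space
    (the rebinding step) is refused instead of being treated as the same origin."""

    def __init__(self):
        self._pins = {}

    def resolve(self, name, answer):
        name = name.lower()
        pinned = self._pins.setdefault(name, answer)
        if answer != pinned and is_internal(answer) and not is_internal(pinned):
            raise PermissionError(f"rebinding attempt: {name} moved {pinned} -> {answer}")
        return pinned                        # benign re-resolution keeps the pin


def simulate_rebinding():
    """Walk through the attack step by step and report which defence fires."""
    pinner = DnsPinner()
    pinner.resolve("attacker.example", "203.0.113.10")      # attacker's server, short TTL
    try:
        pinner.resolve("attacker.example", "192.168.1.1")   # TTL expired; name now points at the victim's router
        client_blocked = False
    except PermissionError:
        client_blocked = True
    # Without pinning, the script's request still carries Host: attacker.example.
    server_blocked = not host_header_ok("attacker.example")
    return client_blocked, server_blocked


if __name__ == "__main__":
    client_blocked, server_blocked = simulate_rebinding()
    print("client pin blocked:", client_blocked, "server Host check blocked:", server_blocked)
```

The server-side check is the one to rely on: it needs no cooperation from the browser, and it is the reason the attack fails even against clients that re-resolve freely. The pinner deliberately allows a public-to-public change of address (ordinary load balancing) and only objects to the move into internal space that rebinding depends on.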
Awesome explanation. The story didn't make any sense to me until I read your explanation of evolving Cre into something useful for this purpose. Thank you. This is the most nerdly thing I've read all day.
But I have to say that I disagree about needing to be careful about the number of infections in the host cell. HIV infects differentiated cells that do not naturally reproduce, so mutagenesis leading to cancer is unlikely, and killing infected cells is very nearly as useful as curing them. The body can/will always make more.
You can dump on Microsoft Office, security, stability, robustness, manageability, PR, Vista, business tactics, business ethics, or just about anything else.
But the health plan doesn't leave much room for ridicule. It does, in fact, cover flying chairs --with no co-pay.
Unless the chair knocks your teeth out, or impacts your eyesight --the dental and vision plans kinda suck.
I've actually read a couple of Mr. Ippolito's posts on this topic, and found them to be more entertaining than demystifying. My read is that he's making a stink of this to soothe a bruised ego. He has clearly taken that paper personally, and is responding to it as a personal attack rather than as a technical issue.
Some choice quotes from his comments:
> NOTHING MochiKit can do is insecure (in this way). Whatever the client sends or decodes is irrelevant. It's a 100% server-side issue. I added comment stripping support so that people would shut up, not because it's useful in theory or practice.
> Brian, are you literate? It certainly doesn't seem like you actually read the post. I'm well aware of what secure code is and how it's done and that's not what bothers me about you, your paper, and the reaction to it. (emphasis added)
While I have added features to make my customers happy, I have never in my professional life told them to their faces that I was only doing something to "make them shut up."
This debate is not technical for this guy. It's personal. Can the attack be modified to work in IE? Can it be generalized to arbitrary objects instead of just arrays? I don't know. I'm more of a server-side guy. But I sure as hell wouldn't take this guy's word for it if he's saying it can't.
Curious. With JavaScript hijacking attacks just discovered a few weeks ago, security was not a consideration in the evaluation at all.
I'm a bit disappointed.
Excellent question.
I think I'm going to start tagging stories with "googleisgood" or "googleisevil" depending on how I think it reflects on the company. If that catches on, we should be able to gather up-to-the-minute data on whether Google is good or evil.
God bless Web 2.0.
I believe MS already defers some of the income from Windows sales by considering the product partially delivered and feeds that into the support teams over time. The practice would predate Enron though, and was probably started to keep the stock price stable. I.e.: they can show a more steady income stream on paper despite long product cycles.
:)
If only Apple were so savvy!
*ducks*
I wouldn't call it funny: in my (albeit limited) experience, the work generated at home can far exceed the 40 hours of work taken offshore. I've had offshoring go so poorly that it was cheaper to redo all the work than it was to *sort through* it to salvage what was usable. Seriously.
We paid off the tab, fired the offshoring firm, and automated better at home. We wound up reducing our on-shore costs by about the same amount we were hoping to with the offshoring, only we didn't have to pay the offshoring firm.
This was back when offshoring was a new and hot idea --I doubt a competent manager with offshoring experience could preside over a cluster-f*** like that today. But I think my experience does illustrate a worst-case scenario.
Right. Only they're not in trouble.
Well, genetic coding is pretty cheap in eukaryotes (most of our genetic code doesn't actually *do* anything as far as we can tell) and we aren't designed, so I don't think I buy your theory.
I posit that regeneration is not a selective advantage for most vertebrates. If a "feature" does not have the net result of fostering [more] progeny, then it is not a selective advantage. If a proto-chicken loses a wing or a leg in the wild, it's gonna die *long* before it grows back and benefits from the regrowth. Hence, no selective advantage.
Ironically, being able to grow back something that you *really* need doesn't help you that much because you need it too bad to be able to grow it back.
Lizards and salamanders are an exception. They have this dangly-part that's more likely to get lopped off by predators than the rest and doesn't serve much useful function otherwise. Growing it back means they might evade another predator with the second one, and go on to reproduce again.
Larger vertebrates wouldn't find that feature as useful: a gazelle can't squeeze into a crack to escape a cheetah, and a mouse's tail isn't as large compared to its body.
Genes that don't provide significant selective advantages tend to mutate away after several generations of inutility. Something like ten or so in E. coli, IIRC. Not sure about other organisms.
No, that's not all they added. I'm running RC1 at home now, and I have to say that the wireless-targeted TCP improvements alone are worth an upgrade to me.
I really like the fact that a lot of my hardware drivers are running with reduced privileges over (under?) XP. I think this is why my machine is crashing less now --my sound card is a POS and the drivers used to routinely crash XP. Now it's more stable with beta Vista drivers than it ever was with the "stable" ones.
I'm also stoked that the OS benchmarks the hardware so users can target their upgrades at their weakest links more easily. I'm pretty technical, and I usually find myself making what are pretty much educated guesses, so I plan to make use of this feature.
Finally, I'm going to like it when my family is on it and they call me up and ask me to fix their computers, because Vista tracks some performance and stability heuristics, and has a tool that graphs these metrics alongside software installation/update events. Because, you know: my parents never do *anything* to make their machine slow down or destabilize. Never.
So, yeah. There are plenty of crunchy bits in addition to the UI improvements. Here's a pretty good list:
http://en.wikipedia.org/wiki/Features_new_to_Wind
There are some things I don't like, but I like it enough that I plan on building a new box for it when it ships.
Where in the world you want to work is flexible at either company. I turned down my MS job offer primarily because I didn't want to move to Seattle, and would have much preferred moving back to the Bay Area where I could reconnect with the friends and family I left behind when I went to college.
My MS recruiter called me back a few weeks after I turned them down with an offer to interview with Hotmail at the MS campus in Mountain View, which is just a few blocks from Google's main campus. (It's the campus to which most of the Silicon Valley companies MS buys wind up moving.)
Both MS and Google have offices all over the world. Though I would imagine MS has more.