I have started watching videos at Channel 9 that explain in-depth the internals of some core Windows components, which has given me some perspective and respect for those developers. However, even from these videos it is clear that Microsoft has been in the past (and perhaps still is) ruled by a "cowboy coder" culture (revealed for example in the series on the Vista kernel in which they openly discuss their attempts at managing the "state" issue, and talk about the problems due to unscrupulous use of the registry).
I would like to think that Microsoft has finally "got the religion" about reliable code, unit testing, defensive programming, etc. (it seems that many historic decisions were made on disputable performance grounds instead of a long-term view of security implications, and now Microsoft is paying the price).
Is this the case (do you even agree with the premise) and if not, what is Microsoft's strategy for evangelizing safe and robust programming practices (as well as overall architecture) *inside* Microsoft? It seems that the best laid plans of kernel and system architects can be ruined by some guy working on the shell that is getting pressured by marketing to Hurry Up and implement that gee-whiz feature that will "impress" the customer.
(extra cheat question: Raymond Chen has recently posted about "decoy" windows and other hacks that MS has implemented to compensate for badly written application code - as a user, this does not seem to serve my interests. Instead of quietly accepting the misbehavior, I would like Microsoft to make these sorts of problems apparent in some manner to make the user aware of their software and demand better behavior from developers of the software they purchase, and also to shame software developers into behaving well. Continually accommodating intentionally bad software seems to be a bad long-term strategy. Any comment on that?)
"Get your facts straight, this is not how cross-domain scripting works."
Oh really? You see because I really thought that cross-domain scripting works by a feature that did not exist before.
The point is that cross-site scripting leaks information (or worse) from a trusted site to a non-trusted site. Of course it doesn't "work" through URL pings. Duh. But it is the same class of security problem, genius.
And you are modded 0. That is just...appropriate.
Ever heard of cross-site scripting? "ping" needs at the least to be implemented in such a fashion that only the originating site can get a ping. Any pings to non-originating site should either be blocked wholesale or at least present the user a dialog (Site A is attempting to convey information about your browsing to Site B).
There is a difference between erasing the pain and erasing the memory. I can easily imagine this being used for ill. In fact I can't imagine that it would NOT be used for ill. Any number of atrocities can be carried out if you can conveniently make people "forget" it happened. Gestapo killed your uncle? Forget that. Mr. Dictator annihilates your village with nerve gas? Erase those nagging memories of sallow dead corpses! Did you secretly perform ethnic cleansing or hide illegal weapons? Stay care free with no memory! And finally, were you covertly tortured? Quell that anxiety with a pill!
When you do bad shit or bad shit is done to you, your conscience records it. If we remove conscience we can develop legions of guiltfree zombies or unwitting victims whose clear conscience is just a pill away.
So detaining and torturing "suspects" is just fine right? Nothing needs to be proven as long as the military or some vaguely "intelligence"-related agency says that somebody is a "suspect"? I'm not so craven as to claim that I'm paying my government to "protect me" by violating human rights. In fact I don't think any of it protects me at all. Even if it did it would be craven and dishonest. I can pay my government to protect me by killing every body else. That doesn't make it right. And that shouldn't make it American (tm).
'I'm not sure how else this would be best accomplished'
If you cannot imagine any other way of protecting the country than random indeterminate detention of unnamed number of people (possibly US citizens), secret domestic wiretaps, and torture, then I posit you have a very limited imagination. It seems for the majority of our history we've been able to avoid at least 2 of those on a consistent basis (although I suppose we don't really know for sure).
Yes you can argue technicalities over whether foreign persons detained by the military fall under US due process. You can quibble over the continuum of torture. I suppose you could /attempt/ to justify secret wiretapping ordered by the executive branch against the fourth amendment. But that would be a sad day for this country, and if we haven't already lost it, we would certainly lose the moral high ground on which we consistently base our foreign policy.
I'm actually a lot more optimistic about security (specifically Microsoft security) these days. I used to think (probably correctly) that Microsoft was incompetent in this regard. Microsoft has apparently been ruled by the cowboy coders on one side, and the irresponsible marketeers on the other. But watching the various videos (especially the Going Deep series) on Channel 9 (http://channel9.msdn.com/) interviewing lead developers of various areas, I am more and more impressed. Microsoft employs some DAMN SMART people in Microsoft Research and even a lot of their core development areas (kernel, tools). In the Vista kernel video you can tell they are pretty embarrassed about the history of Windows, the registry, etc., finally understand there is a problem, and are actively trying to solve it (creating gigantic dependency graphs of binaries, trying to sort out the configuration (they refer to it as "state") issue). Given that a lot of this good stuff can be incorporated into a commercial product without the bastardization of the marketeers and cowboy culture, I'm optimistic. Watch the video about Avalon - what the guy is describing is essentially X11. That's not news to us, but I have to imagine it's revolutionary at Microsoft to break down, admit to themselves that the existing display/rendering technology is shit and inflexible and un-extendable, and pro-actively go about implementing a network-transparent graphics framework that mimics alarmingly technology of their arch-competitor (*nix). If they can do that, I have hope they can bury a lot of the other problems they have caused for themselves and maybe start doing the Right Thing.
;)
ok, enough </fanboy>
Well, I don't know what information you got (I'm not disputing it by the way) but when I go to the IRS website I get a fucking goddamn mountain of documents on filing quarterly payments and estimated payments and it was not at ALL clear to me under what conditions I actually have to do that (you indicate that there is some monetary limit...I was unable to determine this). The IRS documentation is so "helpful" I want to strangle myself. They have litanies of "simple" 33-step processes to just determine qualification for a simple line item. Goddamn.
.NET/CLR comes with a pretty comprehensive security model that should essentially deter those types of things. Actually I've never heard of a "Visual Basic" virus kit. Usually even virus kit writers have more respect for themselves than to use VB.
Instead of ad-hoc security sandboxes (jails, chroot, now apparmor) wouldn't it be better to just transition to a managed runtime where all apps get all of this for free? I believe Solaris (and maybe now the Linux kernel) supports some sort of kernel-level filter or instrumentation that can apply a policy on a per-application basis, but it seems like moving to a managed runtime with built-in security sandbox across the board would be a better idea.
Dude, that is where the Virtual Reality comes in. You see, these "have nots" can be supplied with a technology called (finger quoting) "Virtual Reality". They can sit home and dream they are MegaMario or PacHog or whatever those people play. Plus pot. Lots and lots of pot.
Although possibly less susceptible to the vagaries of the random interweb user's opinion, I think it would be incorrect to assume that even traditional encyclopedias were unbiased. In fact, it might be a subtle but homogeneous bias that is undetectable because it is reinforced everywhere and does not stand out.
Are you serious? Did you listen to what they are working on? It's a SHITLOAD (tm) of stuff. They have dependency analysis graphs for over 5000 system binaries, and they have several teams working in coordination to componentize and isolate both the engineering of components, and the configuration of those components, all the while attempting to maintain some semblance of backwards compatibility AND developing a design and engineering ethic so that they can continue such refactoring in the future...not to mention all the "usual" things like re-architecting the kernel and IO subsystems for reliability, recoverability, improving scheduling algorithms for application sets that require low-latency, etc. etc. etc.
I'm no MS fanboy, but damn, you ask a lot. The "Just Fix It Now" mentality is what got them in this horrible mess in the first place, with no consistent guiding principles and long term architecture.
Yeah, Ouch. Although I wouldn't put too much confidence in the PTO as a measure of economic progress, his "position" is fairly naive and inept. I'm hoping this is just some rough draft that is going to be replaced and elaborated. "floating trains" *sigh*
The comments I made about "concepts" notwithstanding, whenever I see a picture of Bjarne Stroustrup it always looks like he spent two nights without sleep trying to debug some diabolical problem or just emerged from under a gigantic pile of bricks that fell on him.
http://www.lstud.ii.uib.no/~s1099/images/Bjarne_t h .jpg (some poor guy's home page, can't find this image elsewhere on google images)
I think he needs a vacation and some sort of spa treatment.
Well, a lot of the improvements seem like simple, natural, extensions whose time has come (and passed)...but as far as "concepts" are concerned..WTF? So not only is there a type system, and a meta-type system (generics) but now we have an additional layer on top of that which is "concepts"? The only clue as to the utility of concepts is the passing mention that it would be "rigid" to impose an interface on code that wants to call a certain generic function/method. Um, HELLO - isn't this the exact philosophy behind the entire OOP type system to begin with?? I mean, exactly how hard a burden is this, given that c++ *already* supports multiple inheritance. It would seem trivial to simply define a "Container" abstract base class (interface) which all STL containers implement, instead of adding this bizarre and arcane new syntax which will be confusing to everybody except maybe a few black magic template developers who will have wet dreams over it. I mean, all type information is already determined STATICALLY by the compiler, so it's not as if you are adding any new convenience for users, because their class will still have to compile statically against the headers of the library that are going to require that their class have a certain "concept". Ugh.
All that, and we still don't have a standard file system or socket API. Come On. For a language whose designers continually go on and on about Real World Applicability (tm) can we for the love of god have a standard library for file system and socket APIs that have been around for 30 years!?
Rant off. Other than that, the updates seem good, and I really hope some progress is made in standardizing libraries. Until then C++ is a language without a platform, a gigantic gilded frigate that has to float in a little puddle due to scarcity of standard libraries.
"So don't worry about that."
That's sort of hard in this alphabet soup of acronyms for myriad projects and libraries.
I really really hope, and hope somebody can confirm this, that at the end of the day there is a STRONG inclination to:
* develop a SINGLE (SINGLE! (SINGLE!! (i mean it))) X server binary which can either render through hardware acceleration OR software, which can be determined dynamically at startup (through configuration or auto-detection), as well as the slew of other acronyms. A separate standalone OpenGL-only X server would be a configuration, maintenance and end-user documentation nightmare.
All this stuff sounds really really cool, but it all appears very fragmented, with each fragment dependent on some other alpha-quality fragment that has not yet been merged into anything other than a nice dream.
So I really hope all these exciting fragments get unified under a consistent X server and set of modules/libraries, instead of remaining really enticing fragments forever.
"left-wingers on this site would have blamed the US."
What does left-winged-ness have to do with anything? If anything I'd expect it would be "right-wingers" which would be more reticent to hand sovereignty over to an ostensibly corrupt or non-free nation (I know nothing about Kazakhstan...I'm using this inferred assumption by the original post for the purposes of argument), based on the rhetoric and bravado (not to mention explicitly static out-right goals) of the last few years.
In any case how is ICANN culpable (for all its ills) for any of this? It's not ICANN's problem that these governments suck. ICANN isn't (or at least should not be) a political body. If the rest of the world has a problem with these countries then by all means they should raise those issues at a political level. If there are serious concerns about Kazakhstan's government, then I think ICANN would be one of the least relevant of all places to raise the issue. ("Global leaders sanction Kazakhstan's government by prohibiting the World Hopscotch League from playing there")
Andy Warhol's corpse has risen and is rampaging through the streets.
Which is really beside the point which is that command shells have had tab autocompletion for a LONG freaking time now.
I don't think this was a scientific decision. The question is whether non-science is taught in science classrooms. Who gets to decide what science and non-science is? Well, *scientists*. If you want to learn fantasy be my guest and attend (at your own expense, on your own time) a parochial school. But it doesn't belong in the nation's classroom. School is for education not indoctrination.
Whuffie is much better. You don't have to keep it climate controlled, it never gets rotten and has no weight!
Choose: happiness, or truth
There are 11 kinds of people in the world, those who understand binary and those who don't and those who make jokes about it.
What? Of course C++ can make guarantees about object types. You have to use the C++ dynamic casts to use these guarantees if you want to cast, which in general should be avoided if possible.
I'm a Java developer and have to agree somewhat.
"designed with a theoretical basis in mind."
Huh? It was re-marketed after it wasn't successful as "Oak", a TV set-top-box language!