Have you ever even used Windows? Do you even have any experience with NTFS acls or windows security models?
Or are you just joining into the mob mentality here?
The UAC prompt doesnt pop up 'every time you click something'. It pops up exactly and precisely when it should (for the home user use case at least): when you try to do something you dont have the privileges to do.
What do you suggest should happen when some random crappy 3rd party software tries to write user settings to the "Program Files" directory, or drop a dll into \windows\system32\? Should that folder tree be made world writeable to ease your pain about having to answer a popup when something is trying to elevate? Maybe MS should make a shim that allows the system to act like XP running as full privs, but really store that stuff somewhere elese. Oh wait, they did that too.
What should the system do when a piece of malware tries to load a new service into the system services? Should it just let them? Should it fail silently? Should it call you personally and ask you on a case-by-case basis?
If your answer is fail-silently, then thats a fair response. But you've got to understand, Windows goes out the door default config'd for a home user. Home users dont know how to deal with trying to install something and having just 'nothing' happen.
In corporates, where the systems are managed professionally, UAC is configured to either fail silently for non-admin accounts, or to prompt for other credentials, or to not prompt at all and 'just work' if running as admin.
Or is there some other amazing new security features in Windows Vista that I'm not aware of?
As I've said to others, you really need to do your own research before trying to sounds like you know what you're talking about, but let me toss out a few:
- Bidirectional firewall (yes, yes, not as good as many commercial ones, but light years better than XP)
- User accounts are non-admin by default (this is the biggest one)
- Whole disk encryption
- Tons of buffer overflow protections: aslr, canarys, verified exceptions, function pointer obfuscation, etc.
- Full support for NX/DEP (enforced in hardware on x64)
- Application isolation (ie, processes running in a lower-priv'd context cannot communicate with, attach to, inject DLLs into, or monitor higher priv'd processes). This and service hardening below eliminates the entire class of attack that used to be called 'shatter' attacks from way back when
- Service Hardening (Mandatory Access Controls). This should be pretty obvious, its MAC for services, so each service can, in addition to running in a low-priv'd user context, can have a whilelisted security settings just for that service.
- Kernel Patch Protection in x64. This is also huge... modifying kernel tables and data structures was used by anti-virus and malware authors alike, and is single-handedly responsible for a great deal of system destabilization in the xp and previous days.
- checksummed system binaries (though not personally sure where the chain of trust starts here, its an interesting questions)
- Sandboxed IE7. IE7 runs as guest, without even the privileges that you, as the user running IE7 have. This is huge, in theory. Unfortunately, MS had to provide a way for plugin makers like Adobe (for flash) to have a little more access. And as a result, the plugin that Adobe write just opens up a gargantuan hole in the sandbox. There's some good articles and past discussion on slashdot about this. It's another case where the OS maker is caught in a catch-22, and they actually did a number of things right.
- Many drivers moved out of the kernel into userland.
This is just the big obvious security related stuff. There's also the recompiling of all the Vista binaries with new compiler flags that does alot more overflow protection in the core system files.
Recently, an article came through about some researchers t
The biggest problem is that they don't have the equivalent of a command line "sudo", but then again, I'm one of the very few people who use a windows command line I'm sure.
The best way to handle this on Vista is to just launch one command prompt as admin, and leave it running all the time. Then you just flip over to it and type your commands, running as admin.
And because lower privilege windows cant send messages to higher priv windows, there's no repeat of the famous old shatter type attacks.
The reason that Vista has a new driver model was that Microsoft wanted to build DRM into its driver model. Unfortunately for Microsoft DRM isn't really a feature, but an anti-feature. No one *wants* a computer that tries to stop them from copying files.
Are you just making up random things that look like factoids to support a later argument?
Very little of that paragraph is factual.
The #1 reason the video drivers (at least the major portion of them) were moved to userspace was because its 'the right thing to do'. Video driver crashes are one of the top causes of XP BSODs. Your reasoning lacks support and logic.
And what Vista computer have you ever seen that stops anyone from copying files? Such a thing does not exist.
Windows Vista, on the other hand, has comparatively little to offer. In fact, in several ways Vista is a step backwards.
You really should do some research. Dont think I'm saying that Vista is perfect, but you trying to suggest that there arent massive internal and technical improvements to Vista is just ignorance. Go read up on Wikipedia or any of dozens of industry blogs & mags that documented it. I'm sick of making links to people who cant be bothered to validate their personal mythologies.
Any user of Vista who has decent drivers for it sees immediately a couple things:
1. It performs much better than XP under heavy disk load, in terms of shell responsiveness. In XP, heavy disk load would bring the desktop to a halt, often even freezing the cursor, which is quite impressive. This doesnt happen any more. The shell can still slow down a bit under heavy load, but it degrades much more gracefully.
2. It lasts much longer than XP before needing reboots, especially under a large amount of hibernates and standbys per day. XP would degrade after a couple weeks, especially under many standbys/hibernates per day, and running leaky apps like Eclipse. This degradation is massively reduced in Vista.
3. The desktop/shell is impervious to interruption. XP would freeze the desktop for any number of reasons, usually around network problems. This _never_ happens on Vista.
4. It's MUCH easier to run as non-admin, due to UAC. UAC may not be perfect, but its light years better than explicit RunAs in XP.
No one wants to pay extra for even more intrusive DRM and a User Account Control that is intrusive without really aiding in system security.
What would you suggest as an alternative to UAC? Would you prefer everyone go back to running as admin? Would you prefer that Program Files and Windows directories not be locked down to non-admins, so that UAC wouldnt be triggered as much by rogue programs?
Suggesting that UAC doesnt improve security at all is absurd. If nothing else, it means that everyone runs as non-admin by default. That right there is so hugely massive, and so long overdue in the windows world, that saying that its not an improvement is just loony.
Microsoft's hardware and software partners were only acting in their own best interest. Microsoft would have done the same thing had the roles been reversed.
This is one of the sensible things you had in your post.
Microsoft is nowadays caught in a catch-22 of sorts. It's customers are primarily Computer OEMs and Intel. It's customers really arent the end-users.
This creates some really problematic dynamics for the long term health of the company.
Apple's got nearly 15% of the U.S. computer market and a whopping 66% of the over $1000 computer market.
That is a fairly outlandish claim (the 66% part). You'll need to back that up with something before it'll get anything but laughs. Big corps dont buy 66% apples. Engineering & CAD/CAM firms dont buy 66% apples. IT folks and developers dont buy 66% apples (though developers is probably the single biggest niche demographic that apple is doing well in).
Anyone who works in this industry and sees the buying patterns sees the 66% as absurd.
Thats why I said Flex/Java|RoR OR Silverlight/.NET.
If you dont like the MS stuff, Flex against a nice foss stack works well and will run on anything.
You dont even need a particularly modern version of Flash for most of the nice Flex stuff to work.
My point was not to pimp Silverlight or Flex specifically, but to propose that type of development as a superior alternative to HTML/Javascript/Ajax/whatever.
WRT the changes over the years in Access/VBA... yes they were changes, but everything changes all the time. They werent unreasonable or terribly difficult changes, they were just changes. Thats part of the life of an app developers, is everything around you is constantly changing. This is true on any platform.
There's also good technique to writing apps that are more resilient to the changes, like encapsulating tricky stuff so that when you have to upgrade, you only have to do it in one or two places. I mean I know thats elementary software 101.
Horseshit. What Microsoft did was disingenuous. They created a new language, slapped the Visual Basic name on it, then laughed their way to the bank as millions of customers purchased Visual Studio upgrades that would no longer support their existing investments. I will not take the blame for Microsoft's poor actions just because a Microsoft fanboy thinks that they walk on water!
If Microsoft wanted to be straight with their customers, they would have sunset the Visual Basic line altogether. At least then customers would have been clear on the lack of an upgrade path. Either that or they should have made more of an effort to provide backward compatibility for Visual Basic applications. There is absolutely no reason why the.NET platform can't play host to the classic VB APIs. Except for the fact that Microsoft wanted to force their customers to upgrade.
This is part of what I mean. Your comments here imply that you didnt completely and totally understand the relationship between VB6 and VB.NET, LONG before the first VS.NET was released. That is unusual for someone who works full time as a developer (or even a full time IT person who dabbles as a developer).
If this is the case, and you were actually able to be 'tricked' into buyin the first VS.NET because you thought VB.NET was an evolutionary upgrade to VB6, then there's just no way you were doing this for a living, at least not at anything beyond a very junior level (or maybe a hobbyist or 'dabbler' level, and I dont mean these things disparagingly). And I'm not saying this to try to disparage you. What I mean is that all that stuff was VERY well published and understood and documented if this is what you did for a living.
People who did software dev (particularly if it was partially or largely for the MS platform) knew all that. It was in all the articles, all the emails, all the magazines, all the white papers.
There is just no way someone was fully immersed in this industry as a full time developer and was 'tricked' by the VB6 -> VB.NET difference. There was just so very much publicity around all of it. White papers after white papers. Magazine articles.
The way you are characterizing it makes me feel very strongly that you were looking at it from an 'outsiders' perspective, or it was a very small part of your work, such that you really didnt have time to keep up to speed with changes to the industry.
Much like doctors, researchers, lawyers, or any other profession, we have to do forever, continuous, un-ending professional development. You cannot just learn things once in this industry and expect to be able to survive in 5 years without keeping up.
Being a Microsoft fanboy, I'm sure you've read their documentation before.
Let me correct that for you:
Being a professional in my field, I read the documentation about the platforms I deploy on.
See the difference? You need to take the emotion out of your work.
Yeah, so. Screw you and your love for Microsoft. They're assholes, they're open about being assholes, we have piles of court documentation to prove that they're assholes, and yet nitwits like yourself keep kissing up to them. Go figure.
I dont understand the emotional involvement in one company's produc
The fact that you ended this post with a couple Silverlight/Flex fanboi sentences tells me that your javascript knowledge is about as deep as the half dozen library names that you threw out there.
I'm not the guy you responded to, but what you say is one of the inherent problems with app dev using html/dom/javascript. It's intrinsically much more complicated, finicky, and brittle than it needs to be.
You shouldnt have to become an expert on all the major browser's eccentricities, or obscure javascript language features to do this stuff. It's an unnecessary complication that doesnt buy you anything.
Take a flex app, for example. It's a much better user experience, its much faster/cheaper to develop, it takes less time to get to an equivalent maturity of developer experience, and Flash engine is installed on like 99% of the computers out there.
There's just no upside to the javascript/html/dom way of things, and tons of downsides.
About the only thing I can see as an upside is that there is a certain class of developer who likes things that are hard and complex because of the feeling of accomplishment (and eliteness) they get for finally figuring it out. Those folks love JavaScript (and Perl), because you can solve problems in really strange ways. And that sort of thing is fine for personal projects, but its hardly a compelling factor for a real app that has to generate revenue or business.
It's based on web standards that remain frozen once implemented.
Correction. It's based on each browser maker's unique and quirky implementation of how they read the standards.
But since there is no actual reference implementation to compare against, or official conformance tests, there's not really any such thing as a 'standards compliant' browser.
The result is that everyone does things differently.
The same page against FF3, Opera current, IE7, IE6, Safari current on windows, Safari current on Mac, all produce slightly different results. Sometimes the differences are minor, sometimes they are not.
Thats why things like Flex and Silverlight are so compelling. You can develop your front and back end in as little as 1 or 2 languages. And you can use 'real' languages for the UI (I'm being nice to Flex and AS4 here), instead of being forced to use some hodge podge of 10 years of variants of browsers, DOM implementations, and JavaScript implementations. Not to mention the dozens of popular frameworks.
Flex against a Java or RoR backend is compelling in the ISV world. Silverlight against a C#/ASP.NET backend is compelling in the intranet/corporate space. Both are light years more productive and compelling than HTML and JavaScript in the bulk of the use cases.
Microsoft is famous for incompatibly changing APIs from version to version.
A clarification is needed there.
The things you're talking about only really happened to non-professional developers who didnt follow best practices, or tried to get tricky. These are the same kind of developers who tie their java apps to a specific Minor Version or Update level (used to see a ton of these in the big-corp IT world).
It happened with Access VBA from 97->2000
I've supported VBA-intensive Access apps that were created in the 2.0 days that still work quite fine in 2007 (though they tend to be ugly, in comparison to more modern ones).
it happened to.NET
.NET has had some growth, but the API changes have been very reasonable and very minor. And if thats what you do for a living, a complete non-issue.
it happened with VB6->VB.NET
Saying MS broke compatibility between VB6 and VB.NET is just being purposefully disingenuous in an attempt to bolster your argument. Despite the fact that both have "visual" and "basic" in their names, they have very little to do with one another. Sure, as a hobbyist or non-professional looking in, it probably seems like they're related. But its not like anyone actually wanted MS to continue evolving VB6. VB6 was a dead end. It was like halfway to OO, but not quite.
Moving to.NET was the right thing to do for MS. And its not like you have to stop using it. MS has said they'll keep shipping the vb runtime until like 2015 or something. So the corporate legacy apps will work for the foreseeable future, the VB6 IDE still works (with some tweaking on Vista, mind you), and with COM Interop in.NET, you can gradually migrate your apps over, or not, as you desire.
it happens with every version of Windows.
Not really. It happens to developers who write bad software and dont bother to read about or understand the best practices and guidance for the platform they're writing on.
These are the folks who wrote user configuration in C:\Program Files\, or who explicitly checked for admin rights on startup, even if they didnt need it. Or who used hardcoded paths to user directories, rather than the SpecialFolders API.
After doing software primarily targeting the windows platform for a while, you begin to notice a pattern. The world is filled with incompetent programmers who are just barely good enough to get the core functionality up, but cant be bothered to actually figure out how to make it work on the platform. And its by choice, they just dont care, for the most part, in my experience.
It's not like it takes a super genius. Just download the damn guidance doc, read a little bit from MSDN, and follow the instructions.
People who do this stuff, generally, dont have much problems with migrating their apps from version to version.
Now there are some exceptions. IHVs had to completely start from a clean slate on drivers with Vista, and with several previous versions of windows as well. But thats just a reality in that business. It's a known 'cost of doing business'....
Now, back to Silverlight... thats a very mixed bag.
Silverlight lets you write your code in C#, Ruby, Python. The alternative, Flex, lets you write in... JavaScript. Sure its a version of JavaScript that has mutated and evolved to be OO and (can be) strongly typed. But why in the heck would you ever choose to develop an application in JavaScript if you dont have to.
Unfortunately, the tradeoff is, as you say, risk of platform restriction.
Silverlight is, in many, many ways, the superior product, technically. Flash/Flex suffers from too many limitations due to its origins as a movie/animation maker. And JavaScript sucks, although their AS4 is leaps and bounds better than the common 'browser based' javascript. But silverlight is very young, and you might get screwed if the desktop OS demographics change significantly in the next 5 years.
The #1 primary thing for myself and most folks is data integrity.
End-to-end checksumming and automatic recovery. It's so huge it just blows by most people.
Most current systems (at least in the mainstream x86/x64 world) have ridiculously high error rates and data corruption rates.
The systems have evolved over the years with this a known factor, and so systems are reasonably robust to that decay, at least at the lower level. But its a real problems.
System busses introduce errors. Network cards (particularly TOE) introduce errors. Disk controllers, cables, and drives introduce errors. Non ecc memory introduces huge amounts of errors.
(When I say 'high' and 'huge' I mean at volume. When you've got machines constantly thrashing a large disk pool 24 hours a day, 7 days a week, 52 weeks a year, for the lifetime of the system, even 1 error in a trillian ops becomes quite significant.)
Now mind you, many high end SAN systems give you nice snapshotting, mirroring, etc features. But with ZFS you get the data integrity goodness, PLUS snapshotting, mirroring, pooling, etc, for free and open source, without having to pay 6-figures USD for SAN equipment.
Except that microsoft ended up certifying a whole bunch of hardware 'vista ready' that clearly was not.
More or less. To be more accurate, MS caved to some of the computer manufacturers and hardware suppliers (Intel) to lower the specs on what a 'Vista Capable' machine was. MS doesnt actually certify the hardware, they just publish specs and (I believe) certify the company to be authorized to use those stickers and that language.
The OEMs then added fuel to the fire by taking these marginal machines, loading them up with completely un-ready and unstable drivers, and adding a bunch of trialware. All of which served to really destabilize an already marginal system.
Compare that to buying high end corporate/engineering equipment (like much of the HP Compaq lines intended for engineering use) with Vista, that ships with a full set of x86 and x64 drivers. These machines run Vista quite well, albeit requiring more hardware than XP did.
Just goes to show how a company can produce an adequate product from a technical standpoint* but still completely destroy themselves on packaging, marketing, and distribution. If MS could have (without running afould of US or EU anti-trust issues) demanded that OEMs only ship clean machines with written-for-vista drivers, and would have set the 'Vista Capable' at an appropriate level, this would have gone completely differently.
Thanks for adding such an informed, educated, and insightful post to the discussion.
How about instead of making random uninformed comments, go read up on wikipedia and see what's actually been done.
That doesnt mean you have to like Vista or Microsoft, but at least be informed as to the fact that Vista is a completely different beast from XP. There are many, many, many under the hood changes in Vista that we (ISVs and IT support businesses) have been asking for, for the better part of a decade.
Yes, MS did a shitty job with the marketing, distribution, and packaging of Vista. But dont ignore the very real (and so long overdue) improvements they did make to the core of Windows.
Let me be more specific, so that you dont get too caught up on my 'halfway to vista' comment, and use that (rather than the obvious point) to comment on:
Completely re-writing the desktop imaging/management system on XP to support a compositing system like Vista uses, including pulling the bulk of the video drivers out, is major, major surgery on XP. If you actually did that to XP, it would result in a system that would need all new types of drivers for video cards.
Not to mention changes to the kernel to support some sort of mini-driver (to do all the kernel level calls that the video driver themselves used to do, and are no longer able to do since they run in user-space.)
If you do that, you've got something that is fundamentally not XP, is not driver or image or kernel compatible.
If Saab made a car that could only run on some super high-test gasoline that is not sold in gas stations, would you say that "the gasoline was not ready for it" or that "it was a stupid design and poor business decision to release it"?
How could you possibly suggest that what you've written is a valid parallel.
You're suggesting that hardware didnt exist that would run Vista decently. This is obviously and trivially not the case.
A better analogy was to say that Saab release a vehicle that claimed it ran fine on 87 octane gas, but in actually, it ran like crap all the time, unless you used 92 octane gas. (ie, a parallel on the Vista Ready campaign).
Make sure you check out the AC posting reply to yours with the Raymond Chen blog link.
Very very fascinating (new info to me) and explains why some people dont see it (myself) and some do (you). It's likely a function of the hardware you tend to buy.
Some manufacturers do a better job with things like the USB serial numbers than others. And in fact, I'm not surprised, as I tend to buy Microsoft keyboards & mice (which work flawlessly, regardless of usb port, and the natural line of keyboards are the kings), and only higher end, corporate-class stuff (ie, stuff that we know works well in a managed IT environment).
I pretty much never deal with anything but this kind of equipment, and never with white-box stuff.
So this resonates with what I've seen... I figured it was quality vs. non-quality drivers, but it looks like its the serial numbers mostly on the device itself.
Anyway, good discussion and I'm glad the AC chimed in with that Raymond Chen link.
It also explains why it seems to happen more often with low end equipment, than higher end corporate class or name brand equipment.
For example, it explains why I never see it (havent for years, other than in low-end printers), as a function of the type and quality of hardware I buy.
Thanks again for the incredibly informative post. You deserve a +5 informative on that.
Either I didnt do a good job explaining myself or you didnt read closely.
My point was that the resource locations for configuration is non-obvious, non-intuitive on all the platforms, until you get experienced on them.
The registry stuff, or Windows C:\users\... (C:\Documents and Settings\ on XP) is non-obvious, but there is a consistency, once you get some experience.
Likewise, on a Unix-alike, the locations of things are very non-obvious, but once you get used to it, there is consistency, at least across similar distros.
This was in response to the GP saying that Unix config locations was obvious and intuitive (like anyone could know that ip config stuff was in/etc/hosts from first principles). My point was that on both sides, nothign is intuitive or obvious until you know the system.
But also in both cases, once you know the system, its very consistent and predictable.
Unfortunately, what you find on/. so much is people that have spent so much time in Unix world, that they think everyone is born knowing about unix stuff, and Windows seems alien. When the reality is that its all alien, until you get used to it.
Yes, the paths and typical locations of things in the windows registry isnt exactly intuitive, and you have to be experienced. Once you are, everything has a predictable place, and its all relatively straightforward.
Lets compare it to Linux. The paths and typical location of configuration files arent exactly intuitive (why would configuration go into an etcetera folder???, wouldnt a config folder make more sense?), and you have to be experienced. Once you are, everything has a predictable place (at least within similar distros) and its all relatively straightforward.
The two systems are about equally complex and non-intuitive, until you get used to them.
You know, I've seen someone else in this thread comment on that.
Are you sure that isnt something you saw waaaaay back in the windows 2000 days and just assumed it never changed?
I ask because thats something I never see either... havent for years.
I've NEVER seen that happen with mice, keyboards, or mass storage on XP or Vista.
I have seen that happen with those craptastical fargo ID card printers on XP.
And come to think of it, I have seen that with some very low end printers on XP.
In fact, the only place I've ever seen it happen on XP or newer was with printers, and only very very crappy low end ones (or specialty ones with poorly designed drivers). The vast, vast majority of printers dont display that behavior, in my experience. Of course, the vast majority of printers I deal with, both in-house and with clients, are network printers, so my sample size of USB locally connected printers the past few years isnt very big.
My guess is that its something that most device manufacturers can choose to solve at the driver level, and some are just too lazy....
Just as a test, I just moved my wireless keyboard/mouse usb plug to a port I'm positive it never has been in before (on the other side of the laptop, in an inconvenient location) and within ~1 second it effortlessly just continued working.
Maybe its just something thats a polish level of feature on the drivers, and some manufacturers just dont bother.
When was the last time you had to install special Linux drivers for a thumb drive or a digital camera?
Never... but then again, havent seen that in Windows since Windows 2000 either, so not sure why you would bring that up as a comparison.
I've _never_ seen that for windows xp or vista. Some older cameras dont present themselves as mass storage devices on their USB connections, but that was their developer choice, not a windows thing.
Other than that, dont confuse the camera manufacturer WANTING you to install their 200MB pile of crap software to actually needing to do anything other than plug in the USB connector (or pull the memory card out and plugging that into the memory stick drive).
Maybe I'm picking here.... but this really doesnt make sense.
An 'economy' in the sense you're speaking of is just the emergent behaviors of aggregates of individual choices and interactions (ie, where do I spend my scarce energy, etc).
It doesnt have to use currency as the medium of exchange to be an economy. Heck, governments are in the business of being monopolies in the economy of violence. It's not possible to not participate in that.
I dont think you have a realistic view of the software world.
Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday.
Because in most cases, this causes more problems than it solves. Huge huge numbers of people blindly apply (or fast-track minimal testing) of critical security patches. If they make 'stop-gap' patches, they will have a high failure rate (since they're rushed).
So as the software vendor, you're faced with a cost-benefit judgement call. How serious is the exploit? How active is active exploits occurring in the wild? Compare that against the cost and bad press if something goes wrong with a stop-gap (ie, rushed) patch.
Most of the time, the perceived cost-benefit goes towards waiting, and releasing a well-tested patch.
With some exceptions, most critical security patches arent being widely used before they're publicly known. But the second you release a patch, it only takes a couple days (at most) to reverse engineer the patch and produce a new exploit tool.
But this is why, every once in a while, MS DOES release a patch out of cycle. It basically is when the active exploits occurring in the wild look bad enough that its worth the risk to release a rushed patch (which has its own risk of problems).
You're trying to make something appear simple, while in reality it is a horribly complex guessing game of cost/benefit and risk/reward. And its made worse because no one ever has all the information as to actual use of a zero-day exploit.
All this does is shift the blame for a bad fix to the security vendor who has a much smaller understanding of the problem's cause and potential effects.
Not really. What it does (at least if done intelligently) is to give the security vendors enough information to create signatures. It wont be perfect, but it'll be far, far better than nothing.
I am so tired of shoddy software from the richest company in the world, there is absolutely no excuse for it!
Cash != software quality. Thats not how it works. You get good software quality by hiring top notch people and having good leadership. MS DOES hire some of the brightest people in the world, but not too many of them work on Windows. The problem is really good people can command great salaries AND interesting work. And not too many people are interested in userland windows dev.
With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee a neigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.
Medical Equipment software is GROSSLY badly developed quite often. But its not equivalent. A large percentage of it runs on equipment with no network connections, or semi-private network connections.
Medical Equipment also gets the perceived perception because it has such a horrendous beaureacratic process to make ANY change, so it tends to not change (which creates its own security problems).
Lastly, Medical Equipment software has a massively narrowed range of devices it has to run on, and things it has to do (ie, support). An operating system like Windows, on the other hand, has to be able to run on nearly anything, support nearly any amount of add-on hardware, and be hugely friendly to 3rd party app developers.
You're not comparing apples to apples. You're comparing apples to cardboard.
Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalisim, security management costs etc... Almost all of which could have been prevented using the resources available to them.
Compared to what? You cant compare total dollar impact, but have to use dollar impact per unit deployed. You're acting like any other software in wide use hasnt had massive security problems before. They all have. The impact is much
I still, throughout my entire life, have never been able to get any form of Linux running on a laptop I've owned (either personally or through job).
Not once. And these are all high end corporate class machines from Dell and HP. Like the ones that hundreds of millions of other corporate types are using and buying daily.
Ubuntu 8.04 LiveCD wont even run on this laptop. The standard install disc NEVER works on any machine I've ever seen, apparently because the 'splash' screen is a problem. The first step after install from the alternate disc is always to edit grub to disable the splash. Otherwise you never get a screen, and cannot even pull up a terminal. How could the splash option in grub boot result in a terminal not being available? This is not something I understand.
I mean what the hell. Didnt these guys ever hear of a generic software VGA driver, like every other OS on the planet has to fall back on?
And wireless never works. Ever. On any laptop I've ever used.
Even when I recruit the local Linux expert, he spends many hours, and then just shakes his head and gives up. And on the current laptop, thats with the Intel 4965agn, which has a freaking open source driver from Intel. It still doesnt work. And the approach taken to saving WPA keys, where you are expected to enter them in every time you connect? Thats just terrible.
On the flip side, I've had huge success with using Linux running as a guest in VMWare to serve some specific services. Works pretty darn flawlessly, actually. I've had a copy of Kubuntu running on VMWare server on my windows laptop host for years, for various purposes, and it works great. But on real-world hardware? Never.
At the moment Linux and other Unices are purely for deep specialists. And this doesnt mean the millions of rabid 'I use linux' people out there, who rant and rave about how awesome Linux is and how bad Windows is, but then have no freaking idea how to do simple things like switch a linux box from static to dhcp. I mean its just sad.
So it certainly has its place, and 'its place' is growing yearly. But its nothing even remotely like what you're suggesting, at least in my experience.
Slashdot Mirror
Have you ever even used Windows? Do you even have any experience with NTFS acls or windows security models?
Or are you just joining into the mob mentality here?
The UAC prompt doesnt pop up 'every time you click something'. It pops up exactly and precisely when it should (for the home user use case at least): when you try to do something you dont have the privileges to do.
What do you suggest should happen when some random crappy 3rd party software tries to write user settings to the "Program Files" directory, or drop a dll into \windows\system32\? Should that folder tree be made world writeable to ease your pain about having to answer a popup when something is trying to elevate? Maybe MS should make a shim that allows the system to act like XP running as full privs, but really store that stuff somewhere elese. Oh wait, they did that too.
What should the system do when a piece of malware tries to load a new service into the system services? Should it just let them? Should it fail silently? Should it call you personally and ask you on a case-by-case basis?
If your answer is fail-silently, then thats a fair response. But you've got to understand, Windows goes out the door default config'd for a home user. Home users dont know how to deal with trying to install something and having just 'nothing' happen.
In corporates, where the systems are managed professionally, UAC is configured to either fail silently for non-admin accounts, or to prompt for other credentials, or to not prompt at all and 'just work' if running as admin.
Or is there some other amazing new security features in Windows Vista that I'm not aware of?
As I've said to others, you really need to do your own research before trying to sounds like you know what you're talking about, but let me toss out a few:
- Bidirectional firewall (yes, yes, not as good as many commercial ones, but light years better than XP)
- User accounts are non-admin by default (this is the biggest one)
- Whole disk encryption
- Tons of buffer overflow protections: aslr, canarys, verified exceptions, function pointer obfuscation, etc.
- Full support for NX/DEP (enforced in hardware on x64)
- Application isolation (ie, processes running in a lower-priv'd context cannot communicate with, attach to, inject DLLs into, or monitor higher priv'd processes). This and service hardening below eliminates the entire class of attack that used to be called 'shatter' attacks from way back when
- Service Hardening (Mandatory Access Controls). This should be pretty obvious, its MAC for services, so each service can, in addition to running in a low-priv'd user context, can have a whilelisted security settings just for that service.
- Kernel Patch Protection in x64. This is also huge ... modifying kernel tables and data structures was used by anti-virus and malware authors alike, and is single-handedly responsible for a great deal of system destabilization in the xp and previous days.
- checksummed system binaries (though not personally sure where the chain of trust starts here, its an interesting questions)
- Sandboxed IE7. IE7 runs as guest, without even the privileges that you, as the user running IE7 have. This is huge, in theory. Unfortunately, MS had to provide a way for plugin makers like Adobe (for flash) to have a little more access. And as a result, the plugin that Adobe write just opens up a gargantuan hole in the sandbox. There's some good articles and past discussion on slashdot about this. It's another case where the OS maker is caught in a catch-22, and they actually did a number of things right.
- Many drivers moved out of the kernel into userland.
This is just the big obvious security related stuff. There's also the recompiling of all the Vista binaries with new compiler flags that does alot more overflow protection in the core system files.
Recently, an article came through about some researchers t
The biggest problem is that they don't have the equivalent of a command line "sudo", but then again, I'm one of the very few people who use a windows command line I'm sure.
The best way to handle this on Vista is to just launch one command prompt as admin, and leave it running all the time. Then you just flip over to it and type your commands, running as admin.
And because lower privilege windows cant send messages to higher priv windows, there's no repeat of the famous old shatter type attacks.
Seriously man, you should stop.
You made up some random claims (probably just parroting Gutmann without any personal experience), and you got called on them.
Man up and let it go.
Microsoft and Vista have plenty of legitimate challenges you can complain about without making random crap up to better fit in with the /. crowd.
The reason that Vista has a new driver model was that Microsoft wanted to build DRM into its driver model. Unfortunately for Microsoft DRM isn't really a feature, but an anti-feature. No one *wants* a computer that tries to stop them from copying files.
Are you just making up random things that look like factoids to support a later argument?
Very little of that paragraph is factual.
The #1 reason the video drivers (at least the major portion of them) were moved to userspace was because its 'the right thing to do'. Video driver crashes are one of the top causes of XP BSODs. Your reasoning lacks support and logic.
And what Vista computer have you ever seen that stops anyone from copying files? Such a thing does not exist.
Windows Vista, on the other hand, has comparatively little to offer. In fact, in several ways Vista is a step backwards.
You really should do some research. Dont think I'm saying that Vista is perfect, but you trying to suggest that there arent massive internal and technical improvements to Vista is just ignorance. Go read up on Wikipedia or any of dozens of industry blogs & mags that documented it. I'm sick of making links to people who cant be bothered to validate their personal mythologies.
Any user of Vista who has decent drivers for it sees immediately a couple things:
1. It performs much better than XP under heavy disk load, in terms of shell responsiveness. In XP, heavy disk load would bring the desktop to a halt, often even freezing the cursor, which is quite impressive. This doesnt happen any more. The shell can still slow down a bit under heavy load, but it degrades much more gracefully.
2. It lasts much longer than XP before needing reboots, especially under a large amount of hibernates and standbys per day. XP would degrade after a couple weeks, especially under many standbys/hibernates per day, and running leaky apps like Eclipse. This degradation is massively reduced in Vista.
3. The desktop/shell is impervious to interruption. XP would freeze the desktop for any number of reasons, usually around network problems. This _never_ happens on Vista.
4. It's MUCH easier to run as non-admin, due to UAC. UAC may not be perfect, but its light years better than explicit RunAs in XP.
No one wants to pay extra for even more intrusive DRM and a User Account Control that is intrusive without really aiding in system security.
What would you suggest as an alternative to UAC? Would you prefer everyone go back to running as admin? Would you prefer that Program Files and Windows directories not be locked down to non-admins, so that UAC wouldnt be triggered as much by rogue programs?
Suggesting that UAC doesnt improve security at all is absurd. If nothing else, it means that everyone runs as non-admin by default. That right there is so hugely massive, and so long overdue in the windows world, that saying that its not an improvement is just loony.
Microsoft's hardware and software partners were only acting in their own best interest. Microsoft would have done the same thing had the roles been reversed.
This is one of the sensible things you had in your post.
Microsoft is nowadays caught in a catch-22 of sorts. It's customers are primarily Computer OEMs and Intel. It's customers really arent the end-users.
This creates some really problematic dynamics for the long term health of the company.
Apple's got nearly 15% of the U.S. computer market and a whopping 66% of the over $1000 computer market.
That is a fairly outlandish claim (the 66% part). You'll need to back that up with something before it'll get anything but laughs. Big corps dont buy 66% apples. Engineering & CAD/CAM firms dont buy 66% apples. IT folks and developers dont buy 66% apples (though developers is probably the single biggest niche demographic that apple is doing well in).
Anyone who works in this industry and sees the buying patterns sees the 66% as absurd.
Thats why I said Flex/Java|RoR OR Silverlight/.NET.
If you dont like the MS stuff, Flex against a nice foss stack works well and will run on anything.
You dont even need a particularly modern version of Flash for most of the nice Flex stuff to work.
My point was not to pimp Silverlight or Flex specifically, but to propose that type of development as a superior alternative to HTML/Javascript/Ajax/whatever.
That is awesome.
I guess infinity is a better answer than an exception. :)
Wow, your rant was even longer than mine.
I'll try to respond to some high points.
WRT the changes over the years in Access/VBA ... yes they were changes, but everything changes all the time. They werent unreasonable or terribly difficult changes, they were just changes. Thats part of the life of an app developers, is everything around you is constantly changing. This is true on any platform.
There's also good technique to writing apps that are more resilient to the changes, like encapsulating tricky stuff so that when you have to upgrade, you only have to do it in one or two places. I mean I know thats elementary software 101.
Horseshit. What Microsoft did was disingenuous. They created a new language, slapped the Visual Basic name on it, then laughed their way to the bank as millions of customers purchased Visual Studio upgrades that would no longer support their existing investments. I will not take the blame for Microsoft's poor actions just because a Microsoft fanboy thinks that they walk on water!
If Microsoft wanted to be straight with their customers, they would have sunset the Visual Basic line altogether. At least then customers would have been clear on the lack of an upgrade path. Either that or they should have made more of an effort to provide backward compatibility for Visual Basic applications. There is absolutely no reason why the .NET platform can't play host to the classic VB APIs. Except for the fact that Microsoft wanted to force their customers to upgrade.
This is part of what I mean. Your comments here imply that you didnt completely and totally understand the relationship between VB6 and VB.NET, LONG before the first VS.NET was released. That is unusual for someone who works full time as a developer (or even a full time IT person who dabbles as a developer).
If this is the case, and you were actually able to be 'tricked' into buyin the first VS.NET because you thought VB.NET was an evolutionary upgrade to VB6, then there's just no way you were doing this for a living, at least not at anything beyond a very junior level (or maybe a hobbyist or 'dabbler' level, and I dont mean these things disparagingly). And I'm not saying this to try to disparage you. What I mean is that all that stuff was VERY well published and understood and documented if this is what you did for a living.
People who did software dev (particularly if it was partially or largely for the MS platform) knew all that. It was in all the articles, all the emails, all the magazines, all the white papers.
There is just no way someone was fully immersed in this industry as a full time developer and was 'tricked' by the VB6 -> VB.NET difference. There was just so very much publicity around all of it. White papers after white papers. Magazine articles.
The way you are characterizing it makes me feel very strongly that you were looking at it from an 'outsiders' perspective, or it was a very small part of your work, such that you really didnt have time to keep up to speed with changes to the industry.
Much like doctors, researchers, lawyers, or any other profession, we have to do forever, continuous, un-ending professional development. You cannot just learn things once in this industry and expect to be able to survive in 5 years without keeping up.
Being a Microsoft fanboy, I'm sure you've read their documentation before.
Let me correct that for you:
Being a professional in my field, I read the documentation about the platforms I deploy on.
See the difference? You need to take the emotion out of your work.
Yeah, so. Screw you and your love for Microsoft. They're assholes, they're open about being assholes, we have piles of court documentation to prove that they're assholes, and yet nitwits like yourself keep kissing up to them. Go figure.
I dont understand the emotional involvement in one company's produc
The fact that you ended this post with a couple Silverlight/Flex fanboi sentences tells me that your javascript knowledge is about as deep as the half dozen library names that you threw out there.
I'm not the guy you responded to, but what you say is one of the inherent problems with app dev using html/dom/javascript. It's intrinsically much more complicated, finicky, and brittle than it needs to be.
You shouldnt have to become an expert on all the major browser's eccentricities, or obscure javascript language features to do this stuff. It's an unnecessary complication that doesnt buy you anything.
Take a flex app, for example. It's a much better user experience, its much faster/cheaper to develop, it takes less time to get to an equivalent maturity of developer experience, and Flash engine is installed on like 99% of the computers out there.
There's just no upside to the javascript/html/dom way of things, and tons of downsides.
About the only thing I can see as an upside is that there is a certain class of developer who likes things that are hard and complex because of the feeling of accomplishment (and eliteness) they get for finally figuring it out. Those folks love JavaScript (and Perl), because you can solve problems in really strange ways. And that sort of thing is fine for personal projects, but its hardly a compelling factor for a real app that has to generate revenue or business.
It's based on web standards that remain frozen once implemented.
Correction. It's based on each browser maker's unique and quirky implementation of how they read the standards.
But since there is no actual reference implementation to compare against, or official conformance tests, there's not really any such thing as a 'standards compliant' browser.
The result is that everyone does things differently.
The same page against FF3, Opera current, IE7, IE6, Safari current on windows, Safari current on Mac, all produce slightly different results. Sometimes the differences are minor, sometimes they are not.
Thats why things like Flex and Silverlight are so compelling. You can develop your front and back end in as little as 1 or 2 languages. And you can use 'real' languages for the UI (I'm being nice to Flex and AS4 here), instead of being forced to use some hodge podge of 10 years of variants of browsers, DOM implementations, and JavaScript implementations. Not to mention the dozens of popular frameworks.
Flex against a Java or RoR backend is compelling in the ISV world. Silverlight against a C#/ASP.NET backend is compelling in the intranet/corporate space. Both are light years more productive and compelling than HTML and JavaScript in the bulk of the use cases.
Microsoft is famous for incompatibly changing APIs from version to version.
A clarification is needed there.
The things you're talking about only really happened to non-professional developers who didnt follow best practices, or tried to get tricky. These are the same kind of developers who tie their java apps to a specific Minor Version or Update level (used to see a ton of these in the big-corp IT world).
It happened with Access VBA from 97->2000
I've supported VBA-intensive Access apps that were created in the 2.0 days that still work quite fine in 2007 (though they tend to be ugly, in comparison to more modern ones).
it happened to .NET
.NET has had some growth, but the API changes have been very reasonable and very minor. And if thats what you do for a living, a complete non-issue.
it happened with VB6->VB.NET
Saying MS broke compatibility between VB6 and VB.NET is just being purposefully disingenuous in an attempt to bolster your argument. Despite the fact that both have "visual" and "basic" in their names, they have very little to do with one another. Sure, as a hobbyist or non-professional looking in, it probably seems like they're related. But its not like anyone actually wanted MS to continue evolving VB6. VB6 was a dead end. It was like halfway to OO, but not quite.
Moving to .NET was the right thing to do for MS. And its not like you have to stop using it. MS has said they'll keep shipping the vb runtime until like 2015 or something. So the corporate legacy apps will work for the foreseeable future, the VB6 IDE still works (with some tweaking on Vista, mind you), and with COM Interop in .NET, you can gradually migrate your apps over, or not, as you desire.
it happens with every version of Windows.
Not really. It happens to developers who write bad software and dont bother to read about or understand the best practices and guidance for the platform they're writing on.
These are the folks who wrote user configuration in C:\Program Files\, or who explicitly checked for admin rights on startup, even if they didnt need it. Or who used hardcoded paths to user directories, rather than the SpecialFolders API.
After doing software primarily targeting the windows platform for a while, you begin to notice a pattern. The world is filled with incompetent programmers who are just barely good enough to get the core functionality up, but cant be bothered to actually figure out how to make it work on the platform. And its by choice, they just dont care, for the most part, in my experience.
It's not like it takes a super genius. Just download the damn guidance doc, read a little bit from MSDN, and follow the instructions.
People who do this stuff, generally, dont have much problems with migrating their apps from version to version.
Now there are some exceptions. IHVs had to completely start from a clean slate on drivers with Vista, and with several previous versions of windows as well. But thats just a reality in that business. It's a known 'cost of doing business'. ...
Now, back to Silverlight ... thats a very mixed bag.
Silverlight lets you write your code in C#, Ruby, Python. The alternative, Flex, lets you write in ... JavaScript. Sure its a version of JavaScript that has mutated and evolved to be OO and (can be) strongly typed. But why in the heck would you ever choose to develop an application in JavaScript if you dont have to.
Unfortunately, the tradeoff is, as you say, risk of platform restriction.
Silverlight is, in many, many ways, the superior product, technically. Flash/Flex suffers from too many limitations due to its origins as a movie/animation maker. And JavaScript sucks, although their AS4 is leaps and bounds better than the common 'browser based' javascript. But silverlight is very young, and you might get screwed if the desktop OS demographics change significantly in the next 5 years.
The #1 primary thing for myself and most folks is data integrity.
End-to-end checksumming and automatic recovery. It's so huge it just blows by most people.
Most current systems (at least in the mainstream x86/x64 world) have ridiculously high error rates and data corruption rates.
The systems have evolved over the years with this a known factor, and so systems are reasonably robust to that decay, at least at the lower level. But its a real problems.
System busses introduce errors. Network cards (particularly TOE) introduce errors. Disk controllers, cables, and drives introduce errors. Non ecc memory introduces huge amounts of errors.
(When I say 'high' and 'huge' I mean at volume. When you've got machines constantly thrashing a large disk pool 24 hours a day, 7 days a week, 52 weeks a year, for the lifetime of the system, even 1 error in a trillian ops becomes quite significant.)
Now mind you, many high end SAN systems give you nice snapshotting, mirroring, etc features. But with ZFS you get the data integrity goodness, PLUS snapshotting, mirroring, pooling, etc, for free and open source, without having to pay 6-figures USD for SAN equipment.
Except that microsoft ended up certifying a whole bunch of hardware 'vista ready' that clearly was not.
More or less. To be more accurate, MS caved to some of the computer manufacturers and hardware suppliers (Intel) to lower the specs on what a 'Vista Capable' machine was. MS doesnt actually certify the hardware, they just publish specs and (I believe) certify the company to be authorized to use those stickers and that language.
The OEMs then added fuel to the fire by taking these marginal machines, loading them up with completely un-ready and unstable drivers, and adding a bunch of trialware. All of which served to really destabilize an already marginal system.
Compare that to buying high end corporate/engineering equipment (like much of the HP Compaq lines intended for engineering use) with Vista, that ships with a full set of x86 and x64 drivers. These machines run Vista quite well, albeit requiring more hardware than XP did.
Just goes to show how a company can produce an adequate product from a technical standpoint* but still completely destroy themselves on packaging, marketing, and distribution. If MS could have (without running afould of US or EU anti-trust issues) demanded that OEMs only ship clean machines with written-for-vista drivers, and would have set the 'Vista Capable' at an appropriate level, this would have gone completely differently.
Thanks for adding such an informed, educated, and insightful post to the discussion.
How about instead of making random uninformed comments, go read up on wikipedia and see what's actually been done.
That doesnt mean you have to like Vista or Microsoft, but at least be informed as to the fact that Vista is a completely different beast from XP. There are many, many, many under the hood changes in Vista that we (ISVs and IT support businesses) have been asking for, for the better part of a decade.
Yes, MS did a shitty job with the marketing, distribution, and packaging of Vista. But dont ignore the very real (and so long overdue) improvements they did make to the core of Windows.
*sigh*
Let me be more specific, so that you dont get too caught up on my 'halfway to vista' comment, and use that (rather than the obvious point) to comment on:
Completely re-writing the desktop imaging/management system on XP to support a compositing system like Vista uses, including pulling the bulk of the video drivers out, is major, major surgery on XP. If you actually did that to XP, it would result in a system that would need all new types of drivers for video cards.
Not to mention changes to the kernel to support some sort of mini-driver (to do all the kernel level calls that the video driver themselves used to do, and are no longer able to do since they run in user-space.)
If you do that, you've got something that is fundamentally not XP, is not driver or image or kernel compatible.
If Saab made a car that could only run on some super high-test gasoline that is not sold in gas stations, would you say that "the gasoline was not ready for it" or that "it was a stupid design and poor business decision to release it"?
How could you possibly suggest that what you've written is a valid parallel.
You're suggesting that hardware didnt exist that would run Vista decently. This is obviously and trivially not the case.
A better analogy was to say that Saab release a vehicle that claimed it ran fine on 87 octane gas, but in actually, it ran like crap all the time, unless you used 92 octane gas. (ie, a parallel on the Vista Ready campaign).
You really should consider reading up a little bit on Aero and the compositing window manager in Vista.
Just 'slapping' it on XP is not as simple as you seem to be suggesting.
If nothing else, it would force a bunch of changes to the core, to pull out the video drivers to userspace (like it is in Vista).
And then you're halfway to re-inventing Vista anyway.
Make sure you check out the AC posting reply to yours with the Raymond Chen blog link.
Very very fascinating (new info to me) and explains why some people dont see it (myself) and some do (you). It's likely a function of the hardware you tend to buy.
Some manufacturers do a better job with things like the USB serial numbers than others. And in fact, I'm not surprised, as I tend to buy Microsoft keyboards & mice (which work flawlessly, regardless of usb port, and the natural line of keyboards are the kings), and only higher end, corporate-class stuff (ie, stuff that we know works well in a managed IT environment).
I pretty much never deal with anything but this kind of equipment, and never with white-box stuff.
So this resonates with what I've seen ... I figured it was quality vs. non-quality drivers, but it looks like its the serial numbers mostly on the device itself.
Anyway, good discussion and I'm glad the AC chimed in with that Raymond Chen link.
Wish I could give you big props, but you're AC.
This was an excellent find, and good to know.
It also explains why it seems to happen more often with low end equipment, than higher end corporate class or name brand equipment.
For example, it explains why I never see it (havent for years, other than in low-end printers), as a function of the type and quality of hardware I buy.
Thanks again for the incredibly informative post. You deserve a +5 informative on that.
Either I didnt do a good job explaining myself or you didnt read closely.
My point was that the resource locations for configuration is non-obvious, non-intuitive on all the platforms, until you get experienced on them.
The registry stuff, or Windows C:\users\... (C:\Documents and Settings\ on XP) is non-obvious, but there is a consistency, once you get some experience.
Likewise, on a Unix-alike, the locations of things are very non-obvious, but once you get used to it, there is consistency, at least across similar distros.
This was in response to the GP saying that Unix config locations was obvious and intuitive (like anyone could know that ip config stuff was in /etc/hosts from first principles). My point was that on both sides, nothign is intuitive or obvious until you know the system.
But also in both cases, once you know the system, its very consistent and predictable.
Unfortunately, what you find on /. so much is people that have spent so much time in Unix world, that they think everyone is born knowing about unix stuff, and Windows seems alien. When the reality is that its all alien, until you get used to it.
You're being disingenuous.
Yes, the paths and typical locations of things in the windows registry isnt exactly intuitive, and you have to be experienced. Once you are, everything has a predictable place, and its all relatively straightforward.
Lets compare it to Linux. The paths and typical location of configuration files arent exactly intuitive (why would configuration go into an etcetera folder???, wouldnt a config folder make more sense?), and you have to be experienced. Once you are, everything has a predictable place (at least within similar distros) and its all relatively straightforward.
The two systems are about equally complex and non-intuitive, until you get used to them.
You know, I've seen someone else in this thread comment on that.
Are you sure that isnt something you saw waaaaay back in the windows 2000 days and just assumed it never changed?
I ask because thats something I never see either ... havent for years.
I've NEVER seen that happen with mice, keyboards, or mass storage on XP or Vista.
I have seen that happen with those craptastical fargo ID card printers on XP.
And come to think of it, I have seen that with some very low end printers on XP.
In fact, the only place I've ever seen it happen on XP or newer was with printers, and only very very crappy low end ones (or specialty ones with poorly designed drivers). The vast, vast majority of printers dont display that behavior, in my experience. Of course, the vast majority of printers I deal with, both in-house and with clients, are network printers, so my sample size of USB locally connected printers the past few years isnt very big.
My guess is that its something that most device manufacturers can choose to solve at the driver level, and some are just too lazy. ...
Just as a test, I just moved my wireless keyboard/mouse usb plug to a port I'm positive it never has been in before (on the other side of the laptop, in an inconvenient location) and within ~1 second it effortlessly just continued working.
Maybe its just something thats a polish level of feature on the drivers, and some manufacturers just dont bother.
When was the last time you had to install special Linux drivers for a thumb drive or a digital camera?
Never ... but then again, havent seen that in Windows since Windows 2000 either, so not sure why you would bring that up as a comparison.
I've _never_ seen that for windows xp or vista. Some older cameras dont present themselves as mass storage devices on their USB connections, but that was their developer choice, not a windows thing.
Other than that, dont confuse the camera manufacturer WANTING you to install their 200MB pile of crap software to actually needing to do anything other than plug in the USB connector (or pull the memory card out and plugging that into the memory stick drive).
I don't trust economies
Maybe I'm picking here .... but this really doesnt make sense.
An 'economy' in the sense you're speaking of is just the emergent behaviors of aggregates of individual choices and interactions (ie, where do I spend my scarce energy, etc).
It doesnt have to use currency as the medium of exchange to be an economy. Heck, governments are in the business of being monopolies in the economy of violence. It's not possible to not participate in that.
I dont think you have a realistic view of the software world.
Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday.
Because in most cases, this causes more problems than it solves. Huge huge numbers of people blindly apply (or fast-track minimal testing) of critical security patches. If they make 'stop-gap' patches, they will have a high failure rate (since they're rushed).
So as the software vendor, you're faced with a cost-benefit judgement call. How serious is the exploit? How active is active exploits occurring in the wild? Compare that against the cost and bad press if something goes wrong with a stop-gap (ie, rushed) patch.
Most of the time, the perceived cost-benefit goes towards waiting, and releasing a well-tested patch.
With some exceptions, most critical security patches arent being widely used before they're publicly known. But the second you release a patch, it only takes a couple days (at most) to reverse engineer the patch and produce a new exploit tool.
But this is why, every once in a while, MS DOES release a patch out of cycle. It basically is when the active exploits occurring in the wild look bad enough that its worth the risk to release a rushed patch (which has its own risk of problems).
You're trying to make something appear simple, while in reality it is a horribly complex guessing game of cost/benefit and risk/reward. And its made worse because no one ever has all the information as to actual use of a zero-day exploit.
All this does is shift the blame for a bad fix to the security vendor who has a much smaller understanding of the problem's cause and potential effects.
Not really. What it does (at least if done intelligently) is to give the security vendors enough information to create signatures. It wont be perfect, but it'll be far, far better than nothing.
I am so tired of shoddy software from the richest company in the world, there is absolutely no excuse for it!
Cash != software quality. Thats not how it works. You get good software quality by hiring top notch people and having good leadership. MS DOES hire some of the brightest people in the world, but not too many of them work on Windows. The problem is really good people can command great salaries AND interesting work. And not too many people are interested in userland windows dev.
With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee a neigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.
Medical Equipment software is GROSSLY badly developed quite often. But its not equivalent. A large percentage of it runs on equipment with no network connections, or semi-private network connections.
Medical Equipment also gets the perceived perception because it has such a horrendous beaureacratic process to make ANY change, so it tends to not change (which creates its own security problems).
Lastly, Medical Equipment software has a massively narrowed range of devices it has to run on, and things it has to do (ie, support). An operating system like Windows, on the other hand, has to be able to run on nearly anything, support nearly any amount of add-on hardware, and be hugely friendly to 3rd party app developers.
You're not comparing apples to apples. You're comparing apples to cardboard.
Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalisim, security management costs etc... Almost all of which could have been prevented using the resources available to them.
Compared to what? You cant compare total dollar impact, but have to use dollar impact per unit deployed. You're acting like any other software in wide use hasnt had massive security problems before. They all have. The impact is much
Cant speak for the_mink, but I have.
I still, throughout my entire life, have never been able to get any form of Linux running on a laptop I've owned (either personally or through job).
Not once. And these are all high end corporate class machines from Dell and HP. Like the ones that hundreds of millions of other corporate types are using and buying daily.
Ubuntu 8.04 LiveCD wont even run on this laptop. The standard install disc NEVER works on any machine I've ever seen, apparently because the 'splash' screen is a problem. The first step after install from the alternate disc is always to edit grub to disable the splash. Otherwise you never get a screen, and cannot even pull up a terminal. How could the splash option in grub boot result in a terminal not being available? This is not something I understand.
I mean what the hell. Didnt these guys ever hear of a generic software VGA driver, like every other OS on the planet has to fall back on?
And wireless never works. Ever. On any laptop I've ever used.
Even when I recruit the local Linux expert, he spends many hours, and then just shakes his head and gives up. And on the current laptop, thats with the Intel 4965agn, which has a freaking open source driver from Intel. It still doesnt work. And the approach taken to saving WPA keys, where you are expected to enter them in every time you connect? Thats just terrible.
On the flip side, I've had huge success with using Linux running as a guest in VMWare to serve some specific services. Works pretty darn flawlessly, actually. I've had a copy of Kubuntu running on VMWare server on my windows laptop host for years, for various purposes, and it works great. But on real-world hardware? Never.
At the moment Linux and other Unices are purely for deep specialists. And this doesnt mean the millions of rabid 'I use linux' people out there, who rant and rave about how awesome Linux is and how bad Windows is, but then have no freaking idea how to do simple things like switch a linux box from static to dhcp. I mean its just sad.
So it certainly has its place, and 'its place' is growing yearly. But its nothing even remotely like what you're suggesting, at least in my experience.