CTOs are more cautious. They now know the wisdom of not being monotheistic in their practices. I thought we were talking about the SMB space? Most small and medium businesses don't have CTOs.
So again when Microsoft does things like this that 'LOOK' shady (whether they are or not), they will always be interpreted in the most negative light due to their past practices and due to their past relationships they have established with their customers. I'm confused about that statement. What is shady here? Other than idiots like the cnet article author, no reasonable human being would read that blog and think anything shady is going on. Most would just fall asleep because it's a blog posting for a very highly specialized audience who work in that specific area.
MS is just creating another licensing option for the SMB space. Do more choices there = teh evil?
And if people feel they may want something like that but not feel comfortable with the pricing scheme, they will evaluate other products from competitors. Or just keep buying the way they've always been buying.
Other than folks who were already techies before starting a business, small business owners just flat don't sit around thinking about software production philosophies or the relative merits of the cathedral vs. the bazaar. It's just not in their world.
I just keep running into this wall of, well, product X from MS works better/best if you also buy product Y from MS. Yeah, that's what MS does best. In most cases, it's not technically required to use their highly compatible other products, but it sure is easy.
They create a situation where it's often easier and cheaper to just get farther into the MS pocket. It's not immoral, but it does rub some people the wrong way.
But like it or not, you have to admit that it's worked, at least from a business perspective. You have huge segments of the business population that are pure homogenous MS because of this, it's just easy. And any other solution requires technical knowledge and integration work.
I was looking at share point for a solution, however, I would have to buy a SQL server license and an MS Windows server license. Just as a heads up, that's not strictly true. If you already own a win2003 server, then you already own sharepoint. And you can use SQL Server 2005 Express (free, no cals) as the backing db store. This only fails if you have a very high traffic sharepoint site or if any one db gets rather large.
So if you already have a win2003 server with extra capacity, then sharepoint is a zero cost thing for you.
There's also hosted Sharepoint from various companies.... which you can get for like $25 per month for 10 accounts and plenty of space.
I didn't think it was that global, but I could be wrong. Could be one of the recent changes due to the demand given how bad Vista is on many low-end machines sold.
But even that doesn't apply everywhere. Large companies are on custom contracts with MS, and I know of at least one that was told by MS that they would not be given downgrade rights on the desktop OS, unless they bought SA.
In any case, the point is that these subscription programs generally give the company the right to use any extant version of the software that they want across all the covered products.
I must add a "but" though - MS has been known for deviously naming its products before, so it is only normal to doubt their motivations Absolutely they have, no question. They've had some of the best (ie, most effective) marketing teams in the software business for most of their history. They're very good at playing with words.
Kind of off the record, but at present I'm dealing with a "business software" company whose practices (lock-in, DRM, pricing) make MS look like saints. Yeah, there are definitely worse companies. And there are better companies. MS used to be on the loose side of things, compared to most companies, now with activation and WGA, they've flopped over to the irritating side of things.
But yeah, most high-value, low-volume software out there comes with activation or some equivalent. Our software does as well. Our high value software shuts off after the customer stops paying. It sounds nasty, but that's the deal well understood up front, and the nature of that software space (ie, that's what everyone does in that space, and the businesses are prepared to and able to pay). It's not mainstream software by a long shot.
But our other more mainstream software also does activation, but degrades gracefully. If they stop paying, they just stop getting updates and phone support. But the software works forever.
I think you mean, as long as MS' customers stay on the subscription program, they might not be threatened by the BSA. Correct. I thought that was implicit, so didn't state it.
Also, blaming small business IT for not having the resources to manage the completely unmanageable tangle of Microsoft licensing is unfair. Slow down there. I wasn't 'blaming' anyone for anything. I was simply stating what I consider a fact based on a decade plus of experience. Small businesses do not do IT management, or license management well. They also don't do accounting well. That's not blaming them, that's just a reality of small businesses.
can you tell me off the top of your head how many client access licenses (CALs) can be transferred from a Windows 2000 server to the new Windows Server 2008? Off the top of my head? My first thought is that the windows server 2008 licensing docs probably aren't published yet, so the answer may not be 'out there' yet.
If it is, then it depends hugely on the type of volume licensing program the people are on, and what type of CALs they had, and whether they had SA (or the pre-SA equivalent).
In a medium or big business, they've probably got Core CALs as part of an enterprise subscription, so they don't have to even think about things like that. It's just automatically covered.
In a small business, where all CALs were bought with OEM versions of windows 2000? They're probably screwed and need to re-buy CALs with their 2008 purchase. But if they bought SA or Upgrade Advantage and kept it current, then it's a non-issue. They're just automatically covered.
Did you know that Microsoft can't even keep its server certificates up to date? Look a little closer. The cert isn't expired. It was just issued by a CA that isn't in the chain of trust on Firefox or Opera (or probably any browser but IE). Not nearly as stupid, but still pretty stupid.
Read all the licenses, and get back to me about the CALs. Until then, STFU about ignorance. Wow, way to get unnecessarily nasty for no reason. The question about getting your data out of Exchange was silly, you've got to admit. If you're up to speed on exchange, then you know better. If you're not up to speed on it, then you're ranting about something that you're ignorant about, and you should know better. In either case, it was a pretty silly semi-rhetorical question.
Yeah, it's not simple. I'm the only vista box in my company so that I can figure out all the breakages and pain, and prepare the rest of our staff to support it. And to make sure our software works on Vista. (it does, and did so without any modification. but we make boring (but profitable) business software.)
Can't speak to Hyperion. It's not a product we use or support.
It's a real shame too, because there were many a software company that used an embedded IE for a large chunk of their app UI on windows systems for rich client apps (*cough* quickbooks *cough*). This looked promising a while ago, but is a major disaster now. A number of companies got burned by that when IE started getting all locked down and not very useful any more.
However, the only thing I'm worried about is what conditions might come with the license... will Microsoft attempt to force organizations to upgrade in order to renew their subscriptions? No. In fact, the reality is often the opposite.
In large businesses, MS has taken to using the following tactic: If the org doesn't buy an enterprise subscription with SA, they get no downgrade rights.
What this effectively means is that, for businesses who aren't ready to migrate to Vista, they are often forced to get into these subscription programs, because it's the only program that gives you open downgrade rights.
Buying retail, for example, doesn't give you downgrade rights. OEM software (for the most part, the recent Vista and XP business notwithstanding) generally doesn't give you downgrading rights.
These licensing programs, while offensive to some people, are actually very nice for the operational side of IT in a business. You don't worry about whether a specific machine is licensed. Your whole org is just automatically licensed based on headcount. And you can install any version of the software you want. And you get lots of free support from MS, etc.
Okay, while I don't think you said anything particularly ridiculous, this shouldn't have been modded up to 5 insightful.
The problem is that the submitter and the author of the original article are both techno-dweebs. They therefore assume that everyone is clairvoyant, knows everything that they know and are capable of reading their minds. This article is a small business licensing blog on msdn. It's targeted primarily to ms partners and other businesses who service the smb market with ms software.
In other words, this is a HIGHLY focused article, for a very narrow and highly specialized audience.
For those of us who work in this space, the article was crystal clear, and absolutely unambiguous.
If you don't understand it, then the article was not written for you. This is not me trying to bash or criticize you, just that it's a highly specialized area that you're not part of.
Just like if I was reading a blog for AI researchers, where I wouldn't understand some of the terms. But I'm not going to complain that they're being unreasonable. I'm just not that specialized.
In a perfect world, Slashdot would've rejected the submission for failing to clarify what "SMB" means. This kind of thing shouldn't be making it to slashdot at all. Unfortunately, anything with MS in it fosters huge quantities of ignorant posting by people with a crusade to fight. And that drives ad revenue.
From the rather short article. Allow me to quote:
At the end of the initial term, clients have the options to continue the subscription, buy out the subscription to own the licenses, or to end the subscription. So you can run as eternal subscriptions, which is like a lease. You can own it, which is not like a lease. Or you can 'lease' it for a while then walk away from it.
Under this program, you CAN choose to treat it like a lease, but you can also choose to own the software.
Consumers (especially in SMB) are not that dumb and they are seeing added expense in this day and age as something their wallets cannot endure. The more you tack on an expense, the more they wonder why they shouldn't get this for free and begin to look for an alternative. You've got this backwards.
Businesses in the SMB space, and the MS partners and IT servicing businesses in that space, have been clamoring for this, or something like it, for years.
SMBs are die-hard MS buyers, but historically terrible at proper license management.
This makes it easy. This creates predictable fixed costs that can be budgeted out 3 years into the future, rather than be hit by unexpected purchases.
This is 'a good thing' because it's what the market wants and has been demanding for years.
The level of ignorant ranting on posts just goes through the roof when it involves MS, doesn't it?
Don't forget that autos and houses get reposessed, but you get to keep the belongings you have inside them. Can the same be said for the information that is stored on an Exchange server? Yes. What a silly question.
The APIs are well documented. There are tremendous tools for importing and exporting, both from Microsoft and the ecosystem.
Microsoft's new licensing program will give the BSA a ready made target list. You've got it backwards.
The reason the BSA succeeds so often is because SMBs are historically terrible at IT management, including the subset of that which is licensing management.
This new program, since it's an all-encompassing subscription program, is done per-FTE. This means, if a small business is on it, it's nearly impossible for them to be out of compliance.
Compare that to the more typical situation for the small business, where they buy all their software with hardware, and then 'reuse' installation discs and product keys.
If every one of MS' customers went on a subscription program, the BSA would be nearly put out of business, at least for enforcement of MS software.
*sigh*
I still think we can count on MS's choice of that word as an attempt to tap into the present-day "common" definition of "open" and (because of) open-source's good reputation. No.
First, this is only 'common' usage within a small subset of the IT industry.
This licensing program is focused on the SMB market, and the MS Partners that service that market with IT services.
Small business owners and managers have never heard of open source, it doesn't mean to them what it does to you.
MS Partners have heard of open source, but they have this concept of words meaning different things in different contexts. See, the use of the words 'Open' and 'Value' in the Microsoft licensing programs go back a long ways, at least a decade. They're just re-using and re-combining parts and pieces of their extant terms.
It is a common business tactic to try to convince a customer even through subtle means that his product has "similarities" with a better-reputed one - even if it doesn't. Words mean everything to many. You're right. But this is not that case. This communication was targeted at IT within SMB or the IT servicing businesses (many of which are MS partners). For those folks (who obviously don't include you), this is clear and precise.
It's a variation on the very old Microsoft Open License program, for SMBs. In this case, Open means not open source, but Open as-in no-contract. Open licensing is where you buy if you're too big to buy retail or all OEM, but too small to buy on Select or enterprise subscriptions.
If this was an article on the deep innards of Oracle licensing, and one word somewhere in there was the word 'open', would we be having this conversation?
Good Lord the ignorance in slashdot is astonishing sometimes.
The word 'open' is not copyrighted by the open source community. It has other meanings beyond your tiny limited world.
Please, tell me how this is "open"? After all, that is a marketing term MS used to describe this. You know, "open". So as an "SMB", I get "value" from this being a new "open" option? Open is a term that has been used in Microsoft licensing programs for more than a decade.
It doesn't mean what you think it does.
What 'open' refers to here is an alternative to Select or other contractual-based pricing. Any business who needs to buy in small volume can buy on the Open program without having to sign a contract with microsoft.
That's why it's called open.
There is (theoretically) a value here because SMBs struggle with licensing.
Set aside your religion for a moment. Realize that, despite your personal evangelical beliefs, most SMBs will buy Microsoft software. So that's a given.
In that situation, they struggle. The smaller end buys all their MS software with hardware. This is basically bringing the subscription model that big companies have to the SMB sector.
For those companies who would like to operate that way, this is an advantage. For them, they select a basket of products, which has a per-fte cost per year. They then pay per-fte at that cost, then re-up each year as their FTE changes.
It gives these groups a new ability to not worry about license management, and just install what they need.
It's not a conspiracy to rule the world, or to rape your momma. It's just responding to a long-term demand from this sector, for simpler licensing in the MS world.
but I've read somewhere that you can max. utilize something like 1.7 gb (eg. in Photoshop)? Without PAE, processes running on 32-bit windows can only use a max of 2GB per process.
Using PAE, it can go arbitrarily large until you hit (64GB - system usage).
However, at least as I understand it, apps must be written to use PAE, they don't just get it for free. The memory allocation & mgmt stuff has to be done a bit differently. But that's at the edge of my knowledge on this stuff, I don't do C/C++ stuff at this level.
Here you are a 100 % wrong - at least in DK. I did NOT get ANY choice between 32/64 bits install. That does suck.
I don't understand why the behavior is so different between models and classes even within the same company.
I guess we've been lucky, the HP kit we've looked at since Vista time is all specced for 32 or 64 bit, with full support for both on HP. Maybe some lines they just don't have the drivers certified for 64-bit, and the hardware makers won't help.
There are some levels of 'works with Vista' certification that requires IHVs to release both 32-bit and 64-bit drivers to get the certification. But maybe that's not true with system OEMs or something.
I know the retail versions of the OS have both... but I don't know anyone who buys these things off the retail shelf.
Good luck. I can't wait for a few more years to go by and we leave all this 32-bit/64-bit crap behind us, and the world just migrates to 64-bit goodness.
Umm, what?
I think you need to re-read the article.
Your post which so snidely seems to imply that this was a result of non-ansi sql, or some vulnerability in an MS product, is woefully off base.
That's pretty unusual, in my experience. Standard practice is to either pass .inc through the asp interpreter or make all your inc files .asp.
In addition, I've never seen nor heard of a site that embedded user/pass for the db in an inc file. The standard practice in that world is to make them application level variables in global.asa.
Yeah, little places like bn.com, microsoft.com, msnbc.com, nasdaq.com, etc.
Seriously though, yeah, MS SQL is widely used for corporate built web apps exposed to the world.
LOL are you serious?
Google for phpBB and "sql injection".
g phpbb "sql injection"
"Results 1 - 10 of about 226,000"
Or just google for any php app and "sql injection" and you get the same sort of thing.
PHP in particular seems designed to explicitly make it really easy to be pwned by the world.
In addition to Kalriath's response, it's been many years since it was a default configuration of MS SQL server to install as SYSTEM.
No, it doesn't.
It uses a SQL Injection exploit to send commands to the DB server. This is an exploit and a vulnerability at the app layer.
Then they don't even TRY to do anything interesting or powerful like own the box at the db layer, since there's no vulnerability to exploit there. They just use common information-schema or other reflective features available in all dbs to find other tables with CLOB columns and modify the data there.
The only thing MS SQL server had to do with this was that the code they wrote to access the information-schema metadata was written such that it would only work on ms sql server.
That's not to say that an exploit was hit or used, just that the code was not platform agnostic.
The script that was injected into the CLOB fields (assuming that at least some would get presented dynamically on some websites) then attempted to hijack the IE browser by exploiting an 18-month-old-patched MDAC flaw on the desktop/IE.
In other words, there's no reason this wasn't done against MySQL or Oracle, they just chose not to. Since there's no exploit being targeted. They just chose not to write code that was db-platform-neutral.
Huh? This had nothing to do with windows, other than they chose an attack implementation that would only work on ms sql server. But there's no exploit at the db layer.
Every DB server allows programmatic views and reflection of structures. They just chose to target sql server and write code that would only work there, rather than generic code, or code that would only work on mysql or oracle.
The app devs allowed arbitrary database commands to be passed to the database. Once thats happened, on any platform, you're exposed.
Good configuration and practices can heavily mitigate even this kind of thing. But the vector they chose, to write tags into CLOB fields, that targeted an ancient MDAC vulnerability in IE web browsers, wouldn't have been stopped by almost any mitigation strategy, other than possibly XSS scrubbing on the other end.
How do you scrub this:
select * from users where 1=1; drop table users;
The only significant thing that could be picked out there is 1=1, but that's just an easy way to do it, it's not required.
The problem isn't in the database at all. The database just gets two commands, where the app programmer intended to send one.
The single most important thing is just for app developers to use prepared statements.
In other words, this is BAD:
sql = "select * from users where userid = '" & request.forms("userid") & "' and passwd = '" & request.forms("passwd") & "'; "
execute sql
but this is good:
sql = "select * from users where userid = ? and passwd = ?; "
execute sql with parm1 = request.forms("userid"), parm2 = request.forms("passwd")
In the first case, you just pick your username, and enter:
' or 1=1
for the password, and you've logged in. In the second case, you get nothing, because the password wasn't ' or 1=1.
But there ARE many things that can be done to mitigate the damage, even if you're vulnerable to sql injection.
1. Configure DB such that the account the app uses to access doesn't have dba/dbo rights on the database, or sa rights on the db system. That account should just be a regular non-privileged user account. No drop table users allowed.
2. Make sure any 'system hooks' that the db has to the underlying system are disabled. In other words, many databases have some function that allows you to call command line or shell commands. This functionality should be turned off.
3. Make sure the db itself is running as a non-privileged user. Back in the bad old days on windows, everyone ran their MS SQL server as SYSTEM. So that meant that if anyone could run arbitrary commands against the db server, they could effectively run arbitrary commands against the underlying OS. If the sql server runs as a non-priv'd user, then it just gives them the power to hose the sql server data, not the database itself or the underlying system.
There are other things that can be done I'm sure as well, that's just a quick, off the top of my head dump.
But you'll notice that none of these things are things in the db server itself, except maybe #2. Most modern db's have this turned off for non-sa users by default though.
The rest is all in your app devs, and your system programmers (ie, installation & configuration).
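The concatenated and parameterised logins compared in the comment above, plus its first mitigation, as an added example that is not part of the original comment. Python's sqlite3 stands in for ASP and SQL Server; the table, accounts, quote-balanced input, executescript batch and authorizer callback are all assumptions made for illustration.

```python
import sqlite3

PAGE_INPUT = "' or 1=1"             # the password string quoted in the comment
BALANCED = "' or '1'='1"            # constructed: same idea with balanced quotes
STACKED = "x'; drop table users; --"  # constructed: a second statement in the input


def deny_schema_changes(action, arg1, arg2, dbname, source):
    """Stand-in for mitigation 1: an app account without dba/dbo rights."""
    if action in (sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE,
                  sqlite3.SQLITE_CREATE_TABLE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def make_db(restricted=False):
    """Constructed sample data; plaintext passwords only mirror the comment."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (userid text primary key, passwd text)")
    db.executemany("insert into users values (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    db.commit()
    if restricted:
        db.set_authorizer(deny_schema_changes)
    return db


def login_concat(db, userid, passwd):
    """BAD: user input becomes part of the SQL text."""
    sql = ("select * from users where userid = '" + userid +
           "' and passwd = '" + passwd + "'")
    return db.execute(sql).fetchall()


def login_prepared(db, userid, passwd):
    """GOOD: the SQL text is fixed; input is bound as data only."""
    sql = "select * from users where userid = ? and passwd = ?"
    return db.execute(sql, (userid, passwd)).fetchall()


def try_login(login_fn, db, userid, passwd):
    """Classify the outcome; a syntax error means input reached the SQL parser."""
    try:
        rows = login_fn(db, userid, passwd)
    except sqlite3.OperationalError:
        return "sql-error"
    return "logged-in" if rows else "rejected"


def batch_concat(db, userid):
    """executescript stands in for a driver that accepts multi-statement batches."""
    sql = "select * from users where userid = '" + userid + "';"
    try:
        db.executescript(sql)
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)
    return "executed"


def users_table_exists(db):
    row = db.execute("select count(*) from sqlite_master "
                     "where type = 'table' and name = 'users'").fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    for fn in (login_concat, login_prepared):
        for pw in ("correct horse", PAGE_INPUT, BALANCED):
            print(fn.__name__, repr(pw), "->", try_login(fn, db, "alice", pw))
    for restricted in (False, True):
        db = make_db(restricted)
        print("restricted" if restricted else "unrestricted",
              batch_concat(db, STACKED), "table present:", users_table_exists(db))
```

A burst of SQL syntax errors coming from a login form is itself worth alerting on, since it means request data is being parsed as SQL.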
First, this isn't a vulnerability in sql server. It's a sql injection attack. They just happen to have the infection vector assume sql server table structures if they are able to exploit the site.
Second, Sybase and MSSQL shared a code base back in SQL Server 5 days, right after MS bought it from them. They've diverged quite significantly since then.
Are you being serious?
SQL Injections have nothing to do with IIS or LAMP. It's just bad programmers.
There's a reason why nearly every PHP app in existence is plagued with constant ownership. Its name is sql injection (and misconfiguration by allowing global variable modification).
You're barking up the wrong tree here.
MS is just creating another licensing option for the SMB space. Do more choices there = teh evil? And if people feel they may want something like that but not feel comfortable with the pricing scheme, the will evaluate other products from competitors. Or just keep buying the way they've always been buying.
Other than folks who were already techies before starting a business, small business owners just flat dont sit around thinking about software production philosophies or the relative merits of the cathedral vs. the bazaar. It's just not in their world.
They create a situation where its often easier and cheaper to just get farther into the MS pocket. It's not immoral, but it does rub some people the wrong way.
But like it or not, you have to admit that its worked, at least from a business perspective. You have huge segments of the business population that is pure homogenous MS because of this, its just easy. And any other solution requires technical knowledge and integration work. I was looking at share point for a solution, however, I would have to buy a SQL server license and an MS Windows server license. Just as a heads up, thats not strictly true. If you already own a win2003 server, then you already own sharepoint. And you can use SQL Server 2005 Express (free, no cals) as the backing db store. This only fails if you have a very high traffic sharepoint site or if any one db gets rather large.
So if you already have a win2003 server with extra capacity, then sharepoint is a zero cost thing for you.
There's also hosted Sharepoint from various companies
I didnt think it was that global, but I could be wrong. Could be one of the recent chnages due to the demand given how bad Vista is on many low-end machines sold.
But even that doesnt apply everywhere. Large companies are on custom contracts with MS, and I know of at least one that was told by MS that they would not be given downgrade rights on the desktop OS, unless they bought SA.
In any case, the point is that these subscription programs generally give the company the right to use any extent version of the software that they want across all the covered products.
But yeah, most high-value, low-volume software out there comes with activation or some equivalent. Our software does as well. Our high value software shuts off after the customer stops paying. It sounds nasty, but thats the deal well understood up front, and the nature of that software space (ie, thats what everyone does in that space, and the businesses are prepared to and able to pay). It's not mainstream software by a long shot.
But our other more mainstream software also does activation, but degrades gracefully. If they stop paying, they just stop getting updates and phone support. But the software works forever.
If it is, then it depends hugely on the type of volume licensing program the people are on, and what type of CALs they had, and whether they had SA (or the pre-SA equivalent).
In a medium or big business, they've probably got Core CALs as part of an enterprise subscription, so they don't have to even think about things like that. It's just automatically covered.
In a small business, where all CALs were bought with OEM versions of Windows 2000? They're probably screwed and need to re-buy CALs with their 2008 purchase. But if they bought SA or Upgrade Advantage and kept it current, then it's a non-issue. They're just automatically covered.
Did you know that Microsoft can't even keep its server certificates up to date?
Look a little closer. The cert isn't expired. It was just issued by a CA that isn't in the chain of trust on Firefox or Opera (or probably any browser but IE). Not nearly as stupid, but still pretty stupid.
Read all the licenses, and get back to me about the CALs. Until then, STFU about ignorance.
Wow, way to get unnecessarily nasty for no reason. The question about getting your data out of Exchange was silly, you've got to admit. If you're up to speed on Exchange, then you know better. If you're not up to speed on it, then you're ranting about something that you're ignorant about, and you should know better. In either case, it was a pretty silly semi-rhetorical question.
Yeah, it's not simple. I'm the only Vista box in my company so that I can figure out all the breakages and pain, and prepare the rest of our staff to support it. And to make sure our software works on Vista. (It does, and did so without any modification. But we make boring (but profitable) business software.)
Can't speak to Hyperion. It's not a product we use or support.
It's a real shame too, because there were many a software company that used an embedded IE for a large chunk of their app UI on windows systems for rich client apps (*cough* quickbooks *cough*). This looked promising a while ago, but is a major disaster now. A number of companies got burned by that when IE started getting all locked down and not very useful any more.
In large businesses, MS has taken to using the following tactic: If the org doesn't buy an enterprise subscription with SA, they get no downgrade rights.
What this effectively means is that, for businesses who aren't ready to migrate to Vista, they are often forced to get into these subscription programs, because it's the only program that gives you open downgrade rights.
Buying retail, for example, doesn't give you downgrade rights. OEM software (for the most part, the recent Vista and XP business notwithstanding) generally doesn't give you downgrading rights.
These licensing programs, while offensive to some people, are actually very nice for the operational side of IT in a business. You don't worry about whether a specific machine is licensed. Your whole org is just automatically licensed based on headcount. And you can install any version of the software you want. And you get lots of free support from MS, etc.
In other words, this is a HIGHLY focused article, for a very narrow and highly specialized audience.
For those of us who work in this space, the article was crystal clear, and absolutely unambiguous.
If you don't understand it, then the article was not written for you. This is not me trying to bash or criticize you, just that it's a highly specialized area that you're not part of.
Just like if I was reading a blog for AI researchers, where I wouldn't understand some of the terms. But I'm not going to complain that they're being unreasonable. I'm just not that specialized.
In a perfect world, Slashdot would've rejected the submission for failing to clarify what "SMB" means.
This kind of thing shouldn't be making it to Slashdot at all. Unfortunately, anything with MS in it fosters huge quantities of ignorant posting by people with a crusade to fight. And that drives ad revenue.
Therefore the articles get posted.
Under this program, you CAN choose to treat it like a lease, but you can also choose to own the software.
Could you not even be bothered to read the article? It was short.
Under this program, businesses can:
1. Do eternal subscriptions. Under this format, businesses can claim the software as business expenses, which are pre-tax.
2. Buy the software after the initial period. This makes it a depreciable asset (in some cases).
3. Do #1 for a while and then walk away.
Businesses in the SMB space, and the MS partners and IT servicing businesses in that space, have been clamoring for this, or something like it, for years.
SMBs are die-hard MS buyers, but historically terrible at proper license management.
This makes it easy. This creates predictable fixed costs that can be budgeted out 3 years into the future, rather than be hit by unexpected purchases.
This is 'a good thing' because it's what the market wants and has been demanding for years.
It's just data stored in an ESE database.
The APIs are well documented. There are tremendous tools for importing and exporting, but from Microsoft and the ecosystem.
Microsoft's new licensing program will give the BSA a ready made target list.
You've got it backwards.
The reason the BSA succeeds so often is because SMBs are historically terrible at IT management, including the subset of that which is licensing management.
This new program, since it's an all-encompassing subscription program, is done per-FTE. This means, if a small business is on it, it's nearly impossible for them to be out of compliance.
Compare that to the more typical situation for the small business, where they buy all their software with hardware, and then 'reuse' installation discs and product keys.
If every one of MS' customers went on a subscription program, the BSA would be nearly put out of business, at least for enforcement of MS software.
First, this is only 'common' usage within a small subset of the IT industry.
This licensing program is focused on the SMB market, and the MS Partners that service that market with IT services.
Small business owners and managers have never heard of open source, it doesn't mean to them what it does to you.
MS Partners have heard of open source, but they have this concept of words meaning different things in different contexts. See, the use of the words 'Open' and 'Value' in the Microsoft licensing programs go back a long ways, at least a decade. They're just re-using and re-combining parts and pieces of their extant terms.
It is a common business tactic to try to convince a customer even through subtle means that his product has "similarities" with a better-reputed one - even if it doesn't. Words mean everything to many.
You're right. But this is not that case. This communication was targeted at IT within SMB or the IT servicing businesses (many of which are MS partners). For those folks (who obviously doesn't include you), this is clear and precise.
It's a variation on the very old Microsoft Open License program, for SMBs. In this case, Open means not open source, but Open as-in no-contract. Open licensing is where you buy if you're too big to buy retail or all OEM, but too small to buy on Select or enterprise subscriptions.
If this was an article on the deep innards of Oracle licensing, and one word somewhere in there was the word 'open', would we be having this conversation?
The word 'open' is not copyrighted by the open source community. It has other meanings beyond your tiny limited world.
Please, tell me how this is "open"? After all, that is a marketing term MS used to describe this. You know, "open". So as an "SMB", I get "value" from this being a new "open" option?
Open is a term that has been used in Microsoft licensing programs for more than a decade.
It doesn't mean what you think it does.
What 'open' refers to here is an alternative to Select or other contractual-based pricing. Any business who needs to buy in small volume can buy on the Open program without having to sign a contract with Microsoft.
That's why it's called open.
There is (theoretically) a value here because SMBs struggle with licensing.
Set aside your religion for a moment. Realize that, despite your personal evangelical beliefs, most SMBs will buy Microsoft software. So that's a given.
In that situation, they struggle. The smaller end buys all their MS software with hardware. This is basically bringing the subscription model that big companies have to the SMB sector.
For those companies who would like to operate that way, this is an advantage. For them, they select a basket of products, which has a per-fte cost per year. They then pay per-fte at that cost, then re-up each year as their FTE changes.
It gives these groups a new ability to not worry about license management, and just install what they need.
It's not a conspiracy to rule the world, or to rape your momma. It's just responding to a long-term demand from this sector, for simpler licensing in the MS world.
Using PAE, it can go arbitrarily large until you hit (64GB - system usage).
However, at least as I understand it, apps must be written to use PAE, they don't just get it for free. The memory allocation & mgmt stuff has to be done a bit differently. But that's at the edge of my knowledge on this stuff, I don't do C/C++ stuff at this level.
Here you are a 100 % wrong - at least in DK. I did NOT get ANY choice between 32/64 bits install.
That does suck.
I don't understand why the behavior is so different between models and classes even within the same company.
I guess we've been lucky, the HP kit we've looked at since Vista time is all specced for 32 or 64 bit, with full support for both on HP. Maybe some lines they just don't have the drivers certified for 64-bit, and the hardware makers won't help.
There are some levels of 'works with Vista' certification that require IHVs to release both 32-bit and 64-bit drivers to get the certification. But maybe that's not true with system OEMs or something.
I know the retail versions of the OS have both
Good luck. I can't wait for a few more years to go by and we leave all this 32-bit/64-bit crap behind us, and the world just migrates to 64-bit goodness.