He let the adobe installer have admin access to his machine, and you know what? It made changes to his machine that made it hard to hack the adobe products.
Why this is a big surprise to anybody is beyond me.
This isnt MS conspiring with Adobe for special privs, this is an ignorant users who doesnt understand how the system works and is crying foul over nonsense.
Windows was NOT cooperating with any vendor to do some great evil here.
The END-USER made a choice to let the Adobe installer have full rights to his machine.
When he made that choice, the installer did some things he didnt like.
He then, insanely, blamed Microsoft for his choice to give the Adobe full admin rights to his machine, when he didnt like the changes the adobe product made.
There is never a case where you cant change files, edit them, rename them, etc. There are just ignorant users, who dont understand how the system works.
In Vista and W7 there are some folders that are locked down by default such that even admins dont (by default) have rights to change things.
But you know what? An admin can change anything in the system, so you just change the perms to allow yourself to do what you need to do.
The problem here isnt the great big evil windows coming to get you all, its that some windows users are idiots, and dont have a clue how the system works. So when something happens that they dont understand, they have a conniption and go screaming bloody murder.
This was pure PEBCAK, with some Adobe installer shittiness thrown in.
I don't use PS so I can't comment on that but in XP Pro every program that wanted firewall access got a nice popup saying "This program wants a firewall exception" and you had the choices of "Unblock/Keep Blocking/Ask Me Later" so I don't see where the problem is with XP.
I think you're missing the poster's point.
He chose to run the PS installer with an admin account, and the installer made programmatic changes to the firewall config.
Thats it. The problem is that the poster thinks this is some sort of grand conspiracy, rather than just Adobe refining/changing their installer from the XP days.
I think what you're missing is that your alleged pure technical superiority is meaningless in the real world.
Computers & OS's are just tools.
If the OS tool of windows has some other tools (software) or compatibility that you need, but the other tool (linux) doesnt, then all the alleged technical superiority in the world doesnt matter.
Just like if theoretically Betamax was a technically superior product, that means all home users should have bought betamax rather than VHS, and be damned that they couldnt rent any videos to watch on it?
Couldn't they keep releasing patches as holes were discovered and simply provide the means for their clients to decide when to install them at their discretion?
Yes, thats how it always worked, and still does.
You seem to be suggesting that at one point that Microsoft would 'force' (somehow) customers to apply the patch. This has never been the case and doesnt even make sense.
The piece you're missing is that once MS releases a patch, the black hats reverse engineer the patches, and within a few days to a week can have a working exploit in the wild.
So in the real world, exploits for a patch necessarily follow the release of that patch by a few days to a week.
In that situation (which describes the real world situation) its much better to lump them all together and do them once per month.
The exception is when there are active exploits going on in the wild already. At that point, there's no downside to releasing the patch.
Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.
It is a feature, by the definition of their customers.
MS used to release them as soon as they were complete, and their entire corporate community was in an uproar because it was non-stop.
So they moved to a monthly cycle because thats what their customers wanted.
If you were in the industry at this time and had responsibility of windows machines during this period you would know this.
There's another non-obvious phenomena here. A large portion of the exploits encountered in the wild are written exclusively by analyzing the patches.
In other words, a large number of patches dont have any circulating exploits until the patches are released, at which point it takes a few days to a week to get exploits in the wild, based on the patch diffs.
You're arguing a point that sounds reasonable when you dont have much experience with the situation, but doesnt actually work in the real world.
Remember that Microsoft does not really have any costs
Wow. Spoken like someone who has never run a business or paid salaries to reps, support staff, distribution, or sales reps.
It's not like they have a huge campus with massive infrastructure costs, or run their own health care administration or retirement plans or anything.
Go look at their SEC statements sometime, you'll see how much it costs to run their organization. Sure, they make great profits, but that doesnt negate a very real and very large cost to run the business.
Then wait for your Microsoft rep to show up and offer the incentives.
Incentives for what?
You do realize that MS pricing to higher ed is near zero, right? It's literally just token amounts, a few dollars here and there for most things.
Mandate ODF for any document that crosses the barrier between the school and the students.
And how exactly do you do that? With the magical Kender Spoon of Authority? If you worked in higher ed you would realize how effective most commands from above work on faculty (ie, the only people who accept documents like that from students).
Blackboard is a never ending cause of cross platform pain (at least it was a couple of years ago) so ditch it.
Wow, I love your business sense. It's not cross-platform, so lets just ditch it. Works real good with your customers cause now they can just go back to pen and paper, which works so well.
Or maybe you'll replace it with moodle? Have you ever actually done that?
After this step students should be able to use whatever the heck they want.
For the most part, students want the most expensive thing they can get for free or near-free. Hence why they all want office 2007 and CS4. Most non-CS students would rather torrent a hacked office 2007 with 90% likelihood of included spyware/trojans than just use free open office.
Wow, you wrote quite a novel based off a completely false axiom.
Students *DO NOT* obtain license for MS-Office for home/personal laptops. They officially have *TO PAY* to get the same software that everyone else is getting for free and that everyone has declared necessary. (Usually, the students actually end up pirating it).
Yeah, at most universities students have to pay somewhere between $5 and $15 for Office.
And thats the cheapest price point. Departments pay $50-100 for production use.
Academics get it for free with MSDNAA for teaching use, but not for real work.
If all you do is really light email, then Evolution or Thunderbird or whatever will work fine, despite both being horrendously buggy.
But in a professional capacity, you need scheduling, groups, single-sign-on, offline-support, and a whole host of other niceties that you get from Outlook and Exchange.
If you have never had this kind of a job, then thats fine. But dont assume that its not very very common.
For a 'road-warrior' or a 'cube-warrior' type of job, of which there are a _lot_ in higher ed and large organizations, very few things can beat Outlook + Exchange. Add in a Blackberry with BES and its just unbeatable (albeit expensive).
The OSS things out there that try to compete with Outlook and Exchange do it fairly poorly. Zimbra, Citadel, etc. They all work great if you can handle a web interface as your primary UI for Email/scheduling/pim. But for the real power users, who need something a little more powerful, they just dont compare.
I've been involved in some comparisons. They really dont.
They want a system that is secure, costs less but also works with all computers being brought into the network.
I dont understand where this misconception is that all you have to do is throw in a linux box, and everything is magically secure.
If you do any work in higher ed, you realize how often unix boxen of all size and shape are constantly being hacked. Constantly.
And you know what, its for the same reason that windows boxes get hacked. Bad sysadmins who dont lock down their machines, dont patch their machines, and dont use strong passwords.
Office 2007 Enterprise runs ~$70 per seat for a perpetual license at a large university.
To save $100,000 per year, you'd have to be buying ~1500 Office Enterprise licenses per year, every year.
Campus agreement costs are much lower.
You really cant compete with Microsoft on cost in Education, they price it nearly zero.
So then you want to spend $100,000 a year on 15-20 techs. That would mean you're paying the techs $5000 per year.
And all of the transition work, the planning, the document switching, and the training are going to be done by student workers getting paid $5000 per year?
A competent sysadmin can set up a mail server without too much effort. Unless your university is tiny and not technically oriented, I do not think asking for competent sysadmins is terribly unfair.
This stuff kills me.
I dont think there is a University small enough on the planet that its email needs could be satisfied by 'a mail server setup by a sysadmin'.
Most university email servers I've seen involve 3 or 4 racks of servers (mostly disk drives) at the primary site, very expensive, very complicated storage virtualization equipment inside them, and then a similar setup on the cold site.
And the drive failures are like a couple a week, due to the fact that there are a LOT of drives, and they are being pounded nearly 24x7.
This doesnt even get into rules processing (which can be horrifically computationally expensive), spam protection, backups, and calendering.
The reason Universities look at things like live.com or gmail for student email needs is that the volume is so very high that its hideously expensive to operate in-house. Staff, Faculty & Affiliate email & calendaring needs are simpler and more constant, and are often served by Exchange or something similar.
Students are more likely to be used to or open to using something else.
Cant agree. Students like getting non-free stuff for free or cheap.
So most (non-CS students) would rather bittorrent Vista and Office 2007 than they would use Linux.
In most schools, what you're paying for tuition is only a small fraction of what it costs to have you as a student. The rest comes from state allocations, donations, indirect cost funding from grants, etc.
Go look at the technology store, or bookstore, or whatever it is for colleges you're familiar with.
A large number of them have the departmental licensing pricing right on the website, for all the world to see.
For an example, at my alum:
Office Enterprise 2007 - $72 per seat OneNote 2007 - $9 per seat Vista Business - $53 per seat Windows 2008 Standard - $90 server license, $6 per cal Windows 2008 Enterprise - $300 server license Exchange 2007 Enterprise - $800 server license, $3 per cal Visual Studio Pro - $70 per seat
Higher Ed prices for Microsoft software is very low, and is not a big secret.
The prices are similarly low for campus agreements, with FTE-based pricing and points and re-ups and such.
Hell, I just about fell over when I discovered,installing the 'network' version of Quickbook 2008, that it sticks a file on a network share with a lockfile
Slightly off-topic from the main thread, but you need to make sure you are installing the server portion of quickbooks if you're running it that way.
It will run with a standard file-shared db (ie, old style) if you force it to, but the performance is pretty bad.
The standard way with quickbooks for the past few years is to install the server, which intercepts all requests and handles locking itself on the server.
I thought the criticism was that the way they are reducing the popup frequency, is by "auto-escalating" applications to higher access levels.
What you thought was incorrect.
In the default Win7 UAC mode, certain system components that are signed by Microsoft get elevated without a prompt.
Think of it this way. I install some app that accesses a file in program files. In order to do that I have to grand access privs, so it's now been escalated. Now that program has a browser component, that can be exploited. The exploit can take advantage of parent app's auto-escalation to gain access to the program files directory.
So you're saying that the installer that you escalated has escalated rights? Thats correct. If the installer has an exploit, then yes, it will get owned. Same as if apt-get had an exploit, it could get owned while you're doing sudo apt-get.
If you're trying to suggest that by escalating the installER that the installED program gets auto-escalated, then you are not understanding the system.
That is not a secure design. And it should be pointed out more often, that Unix, Linux, Mac OS X, these have all had better models for decades. MS really has no excuse for not having this fixed by now.
The 'that' which you're referring to here is not representative of anything in reality. It's your inaccurate internal model of how you think it works based on some things you read here on slashdot.
Slashdot Mirror
The story is not true, the poster is an idiot.
He let the adobe installer have admin access to his machine, and you know what? It made changes to his machine that made it hard to hack the adobe products.
Why this is a big surprise to anybody is beyond me.
This isnt MS conspiring with Adobe for special privs, this is an ignorant users who doesnt understand how the system works and is crying foul over nonsense.
Windows was NOT cooperating with any vendor to do some great evil here.
The END-USER made a choice to let the Adobe installer have full rights to his machine.
When he made that choice, the installer did some things he didnt like.
He then, insanely, blamed Microsoft for his choice to give the Adobe full admin rights to his machine, when he didnt like the changes the adobe product made.
There is never a case where you cant change files, edit them, rename them, etc. There are just ignorant users, who dont understand how the system works.
This is precisely that case.
Windows didnt "do" anything here.
The poster is an idiot.
In Vista and W7 there are some folders that are locked down by default such that even admins dont (by default) have rights to change things.
But you know what? An admin can change anything in the system, so you just change the perms to allow yourself to do what you need to do.
The problem here isnt the great big evil windows coming to get you all, its that some windows users are idiots, and dont have a clue how the system works. So when something happens that they dont understand, they have a conniption and go screaming bloody murder.
This was pure PEBCAK, with some Adobe installer shittiness thrown in.
I don't use PS so I can't comment on that but in XP Pro every program that wanted firewall access got a nice popup saying "This program wants a firewall exception" and you had the choices of "Unblock/Keep Blocking/Ask Me Later" so I don't see where the problem is with XP.
I think you're missing the poster's point.
He chose to run the PS installer with an admin account, and the installer made programmatic changes to the firewall config.
Thats it. The problem is that the poster thinks this is some sort of grand conspiracy, rather than just Adobe refining/changing their installer from the XP days.
Why would you need it? NTFS is a journalling file system, so you dont, except in very extraordinary cases, need something like chkdsk.
It's not like running on ext2 or fat, where if you crash, you need to do a disk check/fsck on next startup.
I think what you're missing is that your alleged pure technical superiority is meaningless in the real world.
Computers & OS's are just tools.
If the OS tool of windows has some other tools (software) or compatibility that you need, but the other tool (linux) doesnt, then all the alleged technical superiority in the world doesnt matter.
Just like if theoretically Betamax was a technically superior product, that means all home users should have bought betamax rather than VHS, and be damned that they couldnt rent any videos to watch on it?
Couldn't they keep releasing patches as holes were discovered and simply provide the means for their clients to decide when to install them at their discretion?
Yes, thats how it always worked, and still does.
You seem to be suggesting that at one point that Microsoft would 'force' (somehow) customers to apply the patch. This has never been the case and doesnt even make sense.
The piece you're missing is that once MS releases a patch, the black hats reverse engineer the patches, and within a few days to a week can have a working exploit in the wild.
So in the real world, exploits for a patch necessarily follow the release of that patch by a few days to a week.
In that situation (which describes the real world situation) its much better to lump them all together and do them once per month.
The exception is when there are active exploits going on in the wild already. At that point, there's no downside to releasing the patch.
Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.
It is a feature, by the definition of their customers.
MS used to release them as soon as they were complete, and their entire corporate community was in an uproar because it was non-stop.
So they moved to a monthly cycle because thats what their customers wanted.
If you were in the industry at this time and had responsibility of windows machines during this period you would know this.
There's another non-obvious phenomena here. A large portion of the exploits encountered in the wild are written exclusively by analyzing the patches.
In other words, a large number of patches dont have any circulating exploits until the patches are released, at which point it takes a few days to a week to get exploits in the wild, based on the patch diffs.
You're arguing a point that sounds reasonable when you dont have much experience with the situation, but doesnt actually work in the real world.
Remember that Microsoft does not really have any costs
Wow. Spoken like someone who has never run a business or paid salaries to reps, support staff, distribution, or sales reps.
It's not like they have a huge campus with massive infrastructure costs, or run their own health care administration or retirement plans or anything.
Go look at their SEC statements sometime, you'll see how much it costs to run their organization. Sure, they make great profits, but that doesnt negate a very real and very large cost to run the business.
Then wait for your Microsoft rep to show up and offer the incentives.
Incentives for what?
You do realize that MS pricing to higher ed is near zero, right? It's literally just token amounts, a few dollars here and there for most things.
Mandate ODF for any document that crosses the barrier between the school and the students.
And how exactly do you do that? With the magical Kender Spoon of Authority? If you worked in higher ed you would realize how effective most commands from above work on faculty (ie, the only people who accept documents like that from students).
Blackboard is a never ending cause of cross platform pain (at least it was a couple of years ago) so ditch it.
Wow, I love your business sense. It's not cross-platform, so lets just ditch it. Works real good with your customers cause now they can just go back to pen and paper, which works so well.
Or maybe you'll replace it with moodle? Have you ever actually done that?
After this step students should be able to use whatever the heck they want.
For the most part, students want the most expensive thing they can get for free or near-free. Hence why they all want office 2007 and CS4. Most non-CS students would rather torrent a hacked office 2007 with 90% likelihood of included spyware/trojans than just use free open office.
You do realize that what you describe is in no way how it works in the real world, right?
At least for state/public schools, the tuition cost has nothing to do with financing or grants available.
The way tuition & fees are set isnt always sane, but its nothing like you are suggesting.
You've obviously never worked in higher ed.
Microsoft offers extremely low cost on all their software for education.
It's so cheap its hard for even free to compete with it, due to switching costs and retraining and user complaining and the like.
But it has nothing to do with back room deals and under the table payments.
It's just how MS sells software to higher ed, and its universal. You dont have to do anything special as a university to get it.
MSDNAA does NOT in any way, shape, or form cover Microsoft products for staff/faculty use. It also doesnt include Office in any way, for anyone.
MSDNAA is PURELY for student use and teaching use.
Universities are specifically prohibited from using MSDNAA for actual production work on the organization, only for teaching in a classroom.
Most universities that have a relationship with Microsoft can offer Office to students for very cheap, anwhere from $5-15 to $75 at the higher end.
You've obviously seen bits and pieces of how this works at higher ed, without getting the whole picture.
Wow, you wrote quite a novel based off a completely false axiom.
Students *DO NOT* obtain license for MS-Office for home/personal laptops. They officially have *TO PAY* to get the same software that everyone else is getting for free and that everyone has declared necessary. (Usually, the students actually end up pirating it).
Yeah, at most universities students have to pay somewhere between $5 and $15 for Office.
And thats the cheapest price point. Departments pay $50-100 for production use.
Academics get it for free with MSDNAA for teaching use, but not for real work.
If all you do is really light email, then Evolution or Thunderbird or whatever will work fine, despite both being horrendously buggy.
But in a professional capacity, you need scheduling, groups, single-sign-on, offline-support, and a whole host of other niceties that you get from Outlook and Exchange.
If you have never had this kind of a job, then thats fine. But dont assume that its not very very common.
For a 'road-warrior' or a 'cube-warrior' type of job, of which there are a _lot_ in higher ed and large organizations, very few things can beat Outlook + Exchange. Add in a Blackberry with BES and its just unbeatable (albeit expensive).
The OSS things out there that try to compete with Outlook and Exchange do it fairly poorly. Zimbra, Citadel, etc. They all work great if you can handle a web interface as your primary UI for Email/scheduling/pim. But for the real power users, who need something a little more powerful, they just dont compare.
I've been involved in some comparisons. They really dont.
They want a system that is secure, costs less but also works with all computers being brought into the network.
I dont understand where this misconception is that all you have to do is throw in a linux box, and everything is magically secure.
If you do any work in higher ed, you realize how often unix boxen of all size and shape are constantly being hacked. Constantly.
And you know what, its for the same reason that windows boxes get hacked. Bad sysadmins who dont lock down their machines, dont patch their machines, and dont use strong passwords.
A ton of Universities already are using Microsoft live or gmail for student email.
But its very difficult to move away from something with real calendaring & resource scheduling for staff & faculty in higher ed.
Thats why you see so many large universities with their students on gmail, but still have a big fat Exchange server for the staff & faculty.
I see you've never worked in higher ed before. :)
Your numbers make no sense.
Office 2007 Enterprise runs ~$70 per seat for a perpetual license at a large university.
To save $100,000 per year, you'd have to be buying ~1500 Office Enterprise licenses per year, every year.
Campus agreement costs are much lower.
You really cant compete with Microsoft on cost in Education, they price it nearly zero.
So then you want to spend $100,000 a year on 15-20 techs. That would mean you're paying the techs $5000 per year.
And all of the transition work, the planning, the document switching, and the training are going to be done by student workers getting paid $5000 per year?
A competent sysadmin can set up a mail server without too much effort. Unless your university is tiny and not technically oriented, I do not think asking for competent sysadmins is terribly unfair.
This stuff kills me.
I dont think there is a University small enough on the planet that its email needs could be satisfied by 'a mail server setup by a sysadmin'.
Most university email servers I've seen involve 3 or 4 racks of servers (mostly disk drives) at the primary site, very expensive, very complicated storage virtualization equipment inside them, and then a similar setup on the cold site.
And the drive failures are like a couple a week, due to the fact that there are a LOT of drives, and they are being pounded nearly 24x7.
This doesnt even get into rules processing (which can be horrifically computationally expensive), spam protection, backups, and calendering.
The reason Universities look at things like live.com or gmail for student email needs is that the volume is so very high that its hideously expensive to operate in-house. Staff, Faculty & Affiliate email & calendaring needs are simpler and more constant, and are often served by Exchange or something similar.
Students are more likely to be used to or open to using something else.
Cant agree. Students like getting non-free stuff for free or cheap.
So most (non-CS students) would rather bittorrent Vista and Office 2007 than they would use Linux.
In most schools, what you're paying for tuition is only a small fraction of what it costs to have you as a student. The rest comes from state allocations, donations, indirect cost funding from grants, etc.
Now thats just not true at all.
Go look at the technology store, or bookstore, or whatever it is for colleges you're familiar with.
A large number of them have the departmental licensing pricing right on the website, for all the world to see.
For an example, at my alum:
Office Enterprise 2007 - $72 per seat
OneNote 2007 - $9 per seat
Vista Business - $53 per seat
Windows 2008 Standard - $90 server license, $6 per cal
Windows 2008 Enterprise - $300 server license
Exchange 2007 Enterprise - $800 server license, $3 per cal
Visual Studio Pro - $70 per seat
Higher Ed prices for Microsoft software is very low, and is not a big secret.
The prices are similarly low for campus agreements, with FTE-based pricing and points and re-ups and such.
You dont have to be an admin to do debugging.
You just have to be part of the group that is setup when you install VS that has those rights.
Hell, I just about fell over when I discovered,installing the 'network' version of Quickbook 2008, that it sticks a file on a network share with a lockfile
Slightly off-topic from the main thread, but you need to make sure you are installing the server portion of quickbooks if you're running it that way.
It will run with a standard file-shared db (ie, old style) if you force it to, but the performance is pretty bad.
The standard way with quickbooks for the past few years is to install the server, which intercepts all requests and handles locking itself on the server.
I thought the criticism was that the way they are reducing the popup frequency, is by "auto-escalating" applications to higher access levels.
What you thought was incorrect.
In the default Win7 UAC mode, certain system components that are signed by Microsoft get elevated without a prompt.
Think of it this way. I install some app that accesses a file in program files. In order to do that I have to grand access privs, so it's now been escalated. Now that program has a browser component, that can be exploited. The exploit can take advantage of parent app's auto-escalation to gain access to the program files directory.
So you're saying that the installer that you escalated has escalated rights? Thats correct. If the installer has an exploit, then yes, it will get owned. Same as if apt-get had an exploit, it could get owned while you're doing sudo apt-get.
If you're trying to suggest that by escalating the installER that the installED program gets auto-escalated, then you are not understanding the system.
That is not a secure design. And it should be pointed out more often, that Unix, Linux, Mac OS X, these have all had better models for decades. MS really has no excuse for not having this fixed by now.
The 'that' which you're referring to here is not representative of anything in reality. It's your inaccurate internal model of how you think it works based on some things you read here on slashdot.