AS/400 is actually eServer iSeries (pSeries runs on AIX, and can run a small workload on OS/400 in an LPAR, while iSeries runs on OS/400 and can run a small workload on AIX in an LPAR -- same hardware, actually, but different licenses)
...of poorly designed technology. Of course, a device should act predictable and logical upon wakeup by returning to the same state that it had before it shut down. Everything else is considered irrational behaviour, which adds to software complexity, and therefore, increases the risk of buggy and unstable drivers. And that's basically why computers, especially the low-end ones like PCs, don't work reliably any more.
yeah, and of course, in the 4 million lines of code required to implement all the motion-tracking and image-processing there won't be any more bugs than in the 50 lines of code required to compare two text strings...
There are really lots of voodoo magicians in the HiFi scene; some even pretend that a $4,000.- DIGITAL data transfer cable sounds better than another one for $35.-... well, maybe someone should explain to them what "DIGITAL" actually means and how it works.
There is not much difference between a thick cable for $20 per meter and another thick cable for $400 per meter; get a well-shielded, thick cable with low resistance and everything is fine.
The biggest factors for sound quality are: room acoustics, the loudspeakers, the power amplifier, the preamplifier, any digital/analog converters, then the cables - in this order. Provided you already have GOOD components that fit together, if you really want to further improve the sound quality of your equipment, you have to exchange the weakest part in the chain first - and this will most probably be either the loudspeaker or the power amplifier, not your cables.
Personally, I use speakers from Infinity (the good old IRS series speakers they don't produce anymore:-/) and B&W and power amplifiers from Sunfire and Accuphase with some 6 mm and 4 mm cables, and even most high-end fanatics are surprised about how nice it sounds:-)
Anti-$SOMETHING software is the wrong approach to security, because it is only a reaction to threats that have existed before. Real security is designed to PREVENT security holes.
For example, a worms enters a computer system by exploiting a buffer overflow bug to modify a pointer, which changes the way the program works. Now look at an IBM AS/400, this machine has hardware-supported "pointer-in-memory-protection" (aka tags-active mode), so if a pointer gets overwritten with data, it can not be used anymore; this prevents a worm from entering the computer system, and so you do not need any kind of anti-worm software.
Hardware architecture should have security built-in (such as pointer-protection)
Software should be written correctly; there should be high-quality programming libraries for such simple things like string manipulation (and 99% of all buffer overflows are gone)
Operating systems should have fine-grained privileges and fine-grained access control -- or even capability-based architecture
Operating systems and even some user software should have a Trusted Path for invoking critical functions - especially webbrowsers are missing a feature like this, although it could prevent most spoofing/phishing methods, etc. The system should always make clear to the user what he/she is interacting with (part of trusted computing base, application program, content of application program such as a java applet in a browser window etc.)
If computers were designed this way, all Anti-$SOMETHING software would be unneeded...
really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher)
Negative. At least on one of MY computers (a machine which is running Sun Solaris), the so-called "trusted stripe", a gray bar on the bottom of the desktop, can not be covered by any application.
and cannot be closed by user (the wet dream of any web advertiser).
Any application can draw a system-modal window that looks like a UAC question, and ask for a password; UAC would have to ask for pressing the SAK (Ctrl-Alt-Del) before asking any questions to make it hard to spoof -- which would certainly be annoing.
For example, Trusted Solaris has the nice feature of a so-called "Trusted Stripe"; this is a region on the screen that can't be spoofed by applications (no application can draw onto the trusted stripe, and no window can be on top of it). The Trusted Stripe displays the sensitivity label of the process that has keyboard focus, and if it is a system-generated dialog (such as the logout confirmation), it will say "Trusted Path". There is also a Trusted Path Menu to ensure that security-critical operations can be started in a secure manner.
That is the way to go if you want to build secure operating systems.
The real fun will start if someone manages to let the operating system protect a malware's subjects and objects (processes, files, registry keys, etc.) by using its digital restrictions management or code signature features.
Many tube amps are also in class A and thus avoid the crossover distortion that is audible in the parts per million. Then the clipping characteristics of tubes are much better, whereas when a solid state amp clips, you get huge amounts of transient intermodulation-like effects.
With a good transistor amp (I use a Sunfire Signature Stereo Amp), I don't see a problem here, because:
*) it's a pure Class A, too, so there is no crossover distortion. Even better, it does not get hot and it does not waste power, because of Bob Carver's ingenious tracking-down-converter power-supply.
*) yes, tubes have better clipping characteristics. Anyhow, if your amplifier ever clips, then what you really need is a more powerful amplifier, not better clipping characteristics.
When you need sound quality AND power, then the transistor amplifier probably wins; I have never seen tube amps that can match the quality and the power of the Sunfire transistor amps, and even if someone builds one, it will probably cost 10 times as much as the Sunfire.
Actually, when the amplifier lacks the power required to drive the speakers, the speakers will sound inaccurate and overall sound quality will be bad for this reason, despite of good sound characteristics of the amplifier; sufficient power is essential for good sound quality.
No it isn't; a secure attention key can be necessary, but it does not have to be something as stupid as Ctrl-Alt-Del.
We have an z/900 here, which has a B3 Trusted Path Feature, and we're used to pressing the SysReq (System request) key to get to the logon screen, I don't understand why anyone would choose something like Ctrl-Alt-Del. PC keyboards don't have a dedicated SysReq key, but Alt-Print is labeled as "SysReq" - still better than Ctrl-Alt-Del, and it's even labeled correctly on most keyboard.
(and by the way, I have seen some software - mostly computer games - and some other situations where Ctrl-Alt-Del failed to work, so I am not so sure, that this is really a SECURE attention key;-)
Error in slides from Ionescu's talk
on
ReactOS Revealed
·
· Score: 1
Ionescu's talk, page 8: "A secure and reliable OS, written for C2 security level certification, and updated to B1 for Vista."
I am almost sure that this is wrong, because Windows Vista only implements mandatory integrity control (a derivate of the so-called "BiBa" model), but does not implement mandatory access control / information labeling as required by TCSEC B1, therefore not being eligible for B1 evaluation/certification.
There should be multiple independent layers of complexity in software for planes - for example, even if the navigation computer crashes, it should be possible to restart it and to use some minimal setup of the system at least.
Multiple layers could be organized like... * Basic layer: Just show the pilot a map * Next layer: Show the same map, but with GPS calculated position of the plane * Next layer: Show terrain info... etc.
It could even be designed as modules (instead of hierarchical layers), so if one module fails, other modules can still be used.
That's how software can be designed to be highly available, and it really SHOULD be like that in a plane, because it is probably NOT a very fine situation to experience a total computer blackout at 10000ft @ 800mph.
BTW, not getting a timer function right SUCKS. I have written timers for controlling DAT recorders in recording studios, and there is certainly no realistic condition such a timer could ever crash (at least not until 2^64-1 milliseconds after 1996, which is roughly 500 million years from now, hehe:-)
...of how NT-based Systems are misdesigned are the security design and implementation in general.
For example, to get the current SID (Security Identifier, "user id") of the current process on NT, one must: * Open a handle to the current process * With that handle, open a handle to the process token of the current process * Call GetTokenInformation with a NULL pointer to query the length of the data it would return * Allocate memory for a buffer receiving Token Information * Call GetTokenInformation again with a pointer to that buffer * Resolve a pointer in the data received to get the SID_AND_ATTRIBUTES structure * Resolve a pointer in that structure to get the actual SID
The length of the SID is unknown, so to compare two ore more SIDs, one must use additional library functions
After using all that information, don't forget to close all the handles and to free the memory you've allocated.
NOW THE SAME THING ON UNIX: uid_t myUID = getuid();
ONE line of code. Guess on what platform you can mess that up easier.
Or another example: ===================
As a privileged user, create a file in a certain directory.
On NT, you need SeTakeOwnership, SeRestore and SeBackup privileges. You can't use existing applications, because CreateFile() / CreateFileEx() will fail, even when you have the privileges enabled. You have to write your own application, which uses the FILE_FLAG_BACKUP_SEMANTICS flag in these API calls, so the privileges will actually be used (well-designed operating systems use a unified method called privilege bracketing instead of different flags for every system call). Now you could theoretically create the file regardless of the ACL, IF THE DIRECTORY ALREADY EXISTS. If the directory does not exist, you have to create the directory first. Unfortunately, CreateFile() / CreateFileEx() can OPEN directory handles, but you can't create directories using these APIs. But the API for creating directories does not have a FILE_FLAG_BACKUP_SEMANTICS flag, so the privileges are ignored, and you can't create the directory, if you don't have access because of the ACL of the parent directory.
So, what are you going to do?
One solution would be the following: * Open a handle to the parent directory * Backup the current security descriptor of the directory * Initialize a new security descriptor for the directory * Place your own SID into the security descriptor as owner (see above on how to get your SID, it's a lot of fun) * Initialize a new empty discretionary access control list * Initialize a new access control entry with your SID and a full-access permission * Place the access control entry into the discretionary access control list * Place the discretionary access control list into the security descriptor * Write the new security descriptor to the directory * Then CLOSE the handle and REOPEN the handle to the directory (with different access flags)
Now you can create the file. After you've done that, undo the operations above. If the program gets killed while you're doing that, you have messed up the ACL of the parent directory (because this method is not transaction-safe).
This is maybe the WORST API design I have ever seen.
If you want to do the exactly same thing on, for example, Solaris, you just enable file_dac_write and file_dac_search privileges (from the permitted privilege set into the effective privilege set), create the directory using mkdir() and the file using creat(). No need to write your own program, Solaris has utility programs to let you change the privileges of your shell. Even if you write your own program, privilege bracketing is much easier on Solaris than on NT, although the Solaris privilege model is much more powerful than the one of NT.
=============
There are numerous examples of that sort.
This is why I am totally convinced that NT is a poorly designed operating system. There is no unified API. One system call works c
So the best IT product is one that a) generates money for someone b) has a beautiful user interface
There are a lot of IT products that generate money by generating service requests, trouble tickets, helpdesk calls (etc....) because of their bad quality. I'm not sure whether this should be enough qualification for becoming one of the "Best IT products".
Mostly because it simply makes me ANGRY when I am forced to work with their products, and the software just doesn't work predictably. But actually, I don't hate anyone for being a bad programmer, I hate them for trying to FORCE everyone to use ONLY their products INSTEAD OF BETTER PRODUCTS.
Effectively, my impression is that Microsoft cares more about pushing all competing better products out of the market instead of making their own products better. That is what really makes me angry. They are a marketing/propaganda-based company rather than a technical company.
Why do I think that Microsoft software is bad? Just to name a few examples:
On UNIX, you have/dev/stdin and/dev/stdout. - stdin is a character special file (or a symlink to a special file), and its role is defined by a major/minor node number - stdin is exactly where it was created, commonly in/dev - if it had another filename, it would still work the same way - if it where in another directory, it would still work the same way - if you create a plain text file and call it "stdin", then you have a plain text file; not a stdin device
You can do something like:
Most utilities in Unix write to stdout anyway, but if you have one that writes to a file, you can do the following: $ myprogram_A --outfile/dev/stdout | grep pattern
Everything perfectly consistent, isn't it?
On NT, you have "con" - you can't find con anywhere in the filesystem - but at the same time con IS EVERYWHERE in the filesystem - you can not create a text file named con anywhere in the filesystem, because con is already there, you just can't see it - if con had another filename, i don't know what would happen; i don't even know whether con is actually a file - if you read from con, then it is stdin, but if you write to con, then it is stdout?? or is it stderr? - if con is not stdin, then where is stdin?
How consistent is that?
Now try on NT what you did on Unix (for example, with the registry editor): C:\> regedit/s con | grep pattern
It just doesn't work.
Other examples:
- CreateRemoteThread() - let's just create a new thread at an arbitrary address in some other process' address space. Very bad idea. - Unix's getuid() in NT: GetCurrentProcess(), OpenProcessToken(), GetTokenInformation() (to get the size of the datastructure), GetTokenInformation() again (to get the datastructure), extract SID_AND_ATTRIBUTES struct by resolving a pointer, extract SID by resolving a pointer; and then you still don't know how the size of the SID datastructure, so you need to call some other functions to do something useful with it, for example, to compare the user id of two processes: EqualSid() - NT: TerminateProcess() specifies the exit code of the process that it kills. As you might know, another application may receive this exit code as a some kind of an answer from that process; it could also throw dice, though... - While NT is booting, it can't run windows programs until csrss.exe is running
etc... there are numerous examples...
By the way, there are also a lot of other companies that are not much better (or maybe even worse) than Microsoft. Microsoft is really not the only "bad" company on this planet.
Does anyone want to start a "Why do you hate Symantec" thread now?;-)
DoD TCSEC B1 Security has absolutely NOTHING to do with signing drivers oder other files. B1 Security is about information labeling, aka Mandatory Access Controls. B1 security subsystems place sensitivity labels and compartment labels on every subject and object, and these labels will be maintained and enforced by the system automatically. Users can't change these labels, but administrators (security officers) can; B1 is NOT about digital rights management, encryption or signing, it's not about locking out administrators from their own machines, it's about automatically enforcing confidentiality of data. Administrators can, of course, override this sort of protection (for example, on Solaris, with file_mac_read, file_mac_write and similar privileges)
Simply signing drivers does not establish a B1 compliant security policy.
You are right with most of your arguments. I think, they are trying to secure computers against the computer's security officer (administrator), which is a concept that is broken by design.
Either the so-called computer will not be able to work like a computer any more (computer = free programmable device), or the "security" (or rather, obscurity) model will not be able to protect the data reliably.
You know that no foreign agent or enemy can break in and send info to you or anyone else in the system, pretending to be someone you trust.
If the software is buggy, then you can, no matter whether you use the TPM or not.
If the software is absolutely correct, then you can't, not matter whether you use the TPM or not.
The TPM can be used for encryption, but we already have strong enough encryption without the TPM.
There is also a major risk: If somebody manages to take control of the TPM chip inside an army laptop, the TPM chip can be used by the hacker to protect viruses, worms, trojan horses or other malware from access by army administrators, and the attack may then remain unnoticed.
Here in the north-east of lower austria, we have most of our wiring systems underground (power grid, phone/isdn/dsl, etc.), and we are quite happy about that. Probably, the only disadvantage is the higher installation and maintenance costs, which includes additional cost for patching streets after installation of cables that cross streets or run parallel to streets and similar things. However, our general experience is, that underground power lines are extremely reliable compared to overhead power lines. For example, they also never get torn down and never get hit by lightning strokes...
There may be many IT jobs, but most of them are totally uninteresting. In most companies I see a few hundred people troubleshooting PC problems, reconnecting network drives, reconnecting printers, reinstalling drivers, correcting Word/Excel macros that where broken by the last Office update, reinstalling the same software over and over again all the time, while some 8 people manage the 4 or 5 Unix-, Mainframe-, AS/400- (or whatever-) boxes that actually run the business, and some 15 programmers design, implement and test the software for those machines...
1. [...] open source as 'more likely to break applications' [...]
2. [...] SAP's management primarily views open source as a threat to its business [...]
Perfectly consistent, if they think that 1.) is true, then 2.) is only a logical consequence, because until now it has always been SAP's job to break things...
Processor sets allow binding processes to a set of processors (for example, if you have 10 processors, and you want a process to run only on CPUs 2, 5, 6, 8, you can create a pset of these CPUs and bind the process to the pset rather than to a single processor, so if the process has multiple threads, these threads can spread to multiple CPUs inside the pset, but not all CPUs in the entire system).
However, I don't see what this has to do with hyperthreading. I don't know if there is a hyperthreading-specific feature in Solaris, but there is at least a cache-affinity feature, that tries to dispatch a process to same CPU always. On Hyperthreading-CPUs, it would at least try to keep the process on the same hyperthread (because it sees each hyperthread as one CPU), and an hyperthreading-specific extension would be to keep the process on the same CPU, but possibly on a different hyperthread (because that does not matter, as two hyperthreads on the same CPUs share the same cache memory, and that's what FreeBSD does).
You can even see how cache affinity works, provided you've got an SMP box. Just start a process with no more than a single compute-intensive thread, and you will see one CPU running at 100% for some time, while the others are idle (only every few seconds, the process will probably jump to another CPU). If there where no cache affinity, you would see all n CPUs running at approximately (100 / n) percent of load, because the process would be dispatched to any free CPU, regardless of where it had been dispatched previously (and as you are monitoring CPU load in steps of one second or so, and the process' time slice is only about 60 ms, you will see some load on all CPUs where the process had been running in the last second).
(Note: you can monitor CPU load per CPU using 'mpstat', as most GUI performance meter only show total system load, but not load per CPU)
Slashdot Mirror
AS/400 is actually eServer iSeries (pSeries runs on AIX, and can run a small workload on OS/400 in an LPAR, while iSeries runs on OS/400 and can run a small workload on AIX in an LPAR -- same hardware, actually, but different licenses)
...of poorly designed technology. Of course, a device should act predictable and logical upon wakeup by returning to the same state that it had before it shut down. Everything else is considered irrational behaviour, which adds to software complexity, and therefore, increases the risk of buggy and unstable drivers.
And that's basically why computers, especially the low-end ones like PCs, don't work reliably any more.
yeah, and of course, in the 4 million lines of code required to implement all the motion-tracking and image-processing there won't be any more bugs than in the 50 lines of code required to compare two text strings...
There are really lots of voodoo magicians in the HiFi scene; some even pretend that a $4,000.- DIGITAL data transfer cable sounds better than another one for $35.- ... well, maybe someone should explain to them what "DIGITAL" actually means and how it works.
:-/) and B&W and power amplifiers from Sunfire and Accuphase with some 6 mm and 4 mm cables, and even most high-end fanatics are surprised about how nice it sounds :-)
There is not much difference between a thick cable for $20 per meter and another thick cable for $400 per meter; get a well-shielded, thick cable with low resistance and everything is fine.
The biggest factors for sound quality are: room acoustics, the loudspeakers, the power amplifier, the preamplifier, any digital/analog converters, then the cables - in this order. Provided you already have GOOD components that fit together, if you really want to further improve the sound quality of your equipment, you have to exchange the weakest part in the chain first - and this will most probably be either the loudspeaker or the power amplifier, not your cables.
Personally, I use speakers from Infinity (the good old IRS series speakers they don't produce anymore
Anti-$SOMETHING software is the wrong approach to security, because it is only a reaction to threats that have existed before. Real security is designed to PREVENT security holes.
For example, a worms enters a computer system by exploiting a buffer overflow bug to modify a pointer, which changes the way the program works. Now look at an IBM AS/400, this machine has hardware-supported "pointer-in-memory-protection" (aka tags-active mode), so if a pointer gets overwritten with data, it can not be used anymore; this prevents a worm from entering the computer system, and so you do not need any kind of anti-worm software.
Hardware architecture should have security built-in (such as pointer-protection)
Software should be written correctly; there should be high-quality programming libraries for such simple things like string manipulation (and 99% of all buffer overflows are gone)
Operating systems should have fine-grained privileges and fine-grained access control -- or even capability-based architecture
Operating systems and even some user software should have a Trusted Path for invoking critical functions - especially webbrowsers are missing a feature like this, although it could prevent most spoofing/phishing methods, etc.
The system should always make clear to the user what he/she is interacting with (part of trusted computing base, application program, content of application program such as a java applet in a browser window etc.)
If computers were designed this way, all Anti-$SOMETHING software would be unneeded...
really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher)
Negative. At least on one of MY computers (a machine which is running Sun Solaris), the so-called "trusted stripe", a gray bar on the bottom of the desktop, can not be covered by any application.
and cannot be closed by user (the wet dream of any web advertiser).
"kill -9" will assuredly close it.
Any application can draw a system-modal window that looks like a UAC question, and ask for a password; UAC would have to ask for pressing the SAK (Ctrl-Alt-Del) before asking any questions to make it hard to spoof -- which would certainly be annoing.
For example, Trusted Solaris has the nice feature of a so-called "Trusted Stripe"; this is a region on the screen that can't be spoofed by applications (no application can draw onto the trusted stripe, and no window can be on top of it). The Trusted Stripe displays the sensitivity label of the process that has keyboard focus, and if it is a system-generated dialog (such as the logout confirmation), it will say "Trusted Path". There is also a Trusted Path Menu to ensure that security-critical operations can be started in a secure manner.
That is the way to go if you want to build secure operating systems.
The real fun will start if someone manages to let the operating system protect a malware's subjects and objects (processes, files, registry keys, etc.) by using its digital restrictions management or code signature features.
[...cut...]
true
Many tube amps are also in class A and thus avoid the crossover distortion that is audible in the parts per million. Then the clipping characteristics of tubes are much better, whereas when a solid state amp clips, you get huge amounts of transient intermodulation-like effects.
With a good transistor amp (I use a Sunfire Signature Stereo Amp), I don't see a problem here, because:
*) it's a pure Class A, too, so there is no crossover distortion. Even better, it does not get hot and it does not waste power, because of Bob Carver's ingenious tracking-down-converter power-supply.
*) yes, tubes have better clipping characteristics. Anyhow, if your amplifier ever clips, then what you really need is a more powerful amplifier, not better clipping characteristics.
When you need sound quality AND power, then the transistor amplifier probably wins; I have never seen tube amps that can match the quality and the power of the Sunfire transistor amps, and even if someone builds one, it will probably cost 10 times as much as the Sunfire.
Actually, when the amplifier lacks the power required to drive the speakers, the speakers will sound inaccurate and overall sound quality will be bad for this reason, despite of good sound characteristics of the amplifier; sufficient power is essential for good sound quality.
Now I know why all these other guys are driving around like braindead morons in their cars. Maybe I should stop using INDICATOR LIGHTS...
ROFL
No it isn't; a secure attention key can be necessary, but it does not have to be something as stupid as Ctrl-Alt-Del.
;-)
We have an z/900 here, which has a B3 Trusted Path Feature, and we're used to pressing the SysReq (System request) key to get to the logon screen, I don't understand why anyone would choose something like Ctrl-Alt-Del. PC keyboards don't have a dedicated SysReq key, but Alt-Print is labeled as "SysReq" - still better than Ctrl-Alt-Del, and it's even labeled correctly on most keyboard.
(and by the way, I have seen some software - mostly computer games - and some other situations where Ctrl-Alt-Del failed to work, so I am not so sure, that this is really a SECURE attention key
Ionescu's talk, page 8:
"A secure and reliable OS, written for C2 security level certification, and updated to B1 for Vista."
I am almost sure that this is wrong, because Windows Vista only implements mandatory integrity control (a derivate of the so-called "BiBa" model), but does not implement mandatory access control / information labeling as required by TCSEC B1, therefore not being eligible for B1 evaluation/certification.
1) How do you make something like a really big gun that can shoot things in second life? ;-)
2) Where is the microsoft headquarters in second life?
There should be multiple independent layers of complexity in software for planes - for example, even if the navigation computer crashes, it should be possible to restart it and to use some minimal setup of the system at least.
:-)
Multiple layers could be organized like...
* Basic layer: Just show the pilot a map
* Next layer: Show the same map, but with GPS calculated position of the plane
* Next layer: Show terrain info... etc.
It could even be designed as modules (instead of hierarchical layers), so if one module fails, other modules can still be used.
That's how software can be designed to be highly available, and it really SHOULD be like that in a plane, because it is probably NOT a very fine situation to experience a total computer blackout at 10000ft @ 800mph.
BTW, not getting a timer function right SUCKS. I have written timers for controlling DAT recorders in recording studios, and there is certainly no realistic condition such a timer could ever crash (at least not until 2^64-1 milliseconds after 1996, which is roughly 500 million years from now, hehe
...of how NT-based Systems are misdesigned are the security design and implementation in general.
For example, to get the current SID (Security Identifier, "user id") of the current process on NT, one must:
* Open a handle to the current process
* With that handle, open a handle to the process token of the current process
* Call GetTokenInformation with a NULL pointer to query the length of the data it would return
* Allocate memory for a buffer receiving Token Information
* Call GetTokenInformation again with a pointer to that buffer
* Resolve a pointer in the data received to get the SID_AND_ATTRIBUTES structure
* Resolve a pointer in that structure to get the actual SID
The length of the SID is unknown, so to compare two ore more SIDs, one must use additional library functions
After using all that information, don't forget to close all the handles and to free the memory you've allocated.
NOW THE SAME THING ON UNIX:
uid_t myUID = getuid();
ONE line of code. Guess on what platform you can mess that up easier.
Or another example:
===================
As a privileged user, create a file in a certain directory.
On NT, you need SeTakeOwnership, SeRestore and SeBackup privileges.
You can't use existing applications, because CreateFile() / CreateFileEx() will fail, even when you have the privileges enabled. You have to write your own application, which uses the FILE_FLAG_BACKUP_SEMANTICS flag in these API calls, so the privileges will actually be used (well-designed operating systems use a unified method called privilege bracketing instead of different flags for every system call).
Now you could theoretically create the file regardless of the ACL, IF THE DIRECTORY ALREADY EXISTS.
If the directory does not exist, you have to create the directory first.
Unfortunately, CreateFile() / CreateFileEx() can OPEN directory handles, but you can't create directories using these APIs. But the API for creating directories does not have a FILE_FLAG_BACKUP_SEMANTICS flag, so the privileges are ignored, and you can't create the directory, if you don't have access because of the ACL of the parent directory.
So, what are you going to do?
One solution would be the following:
* Open a handle to the parent directory
* Backup the current security descriptor of the directory
* Initialize a new security descriptor for the directory
* Place your own SID into the security descriptor as owner (see above on how to get your SID, it's a lot of fun)
* Initialize a new empty discretionary access control list
* Initialize a new access control entry with your SID and a full-access permission
* Place the access control entry into the discretionary access control list
* Place the discretionary access control list into the security descriptor
* Write the new security descriptor to the directory
* Then CLOSE the handle and REOPEN the handle to the directory (with different access flags)
Now you can create the file. After you've done that, undo the operations above. If the program gets killed while you're doing that, you have messed up the ACL of the parent directory (because this method is not transaction-safe).
This is maybe the WORST API design I have ever seen.
If you want to do the exactly same thing on, for example, Solaris, you just enable file_dac_write and file_dac_search privileges (from the permitted privilege set into the effective privilege set), create the directory using mkdir() and the file using creat().
No need to write your own program, Solaris has utility programs to let you change the privileges of your shell. Even if you write your own program, privilege bracketing is much easier on Solaris than on NT, although the Solaris privilege model is much more powerful than the one of NT.
=============
There are numerous examples of that sort.
This is why I am totally convinced that NT is a poorly designed operating system. There is no unified API. One system call works c
counter-argument: if they were intelligent, they would never have started using active-x
So the best IT product is one that
...) because of their bad quality. I'm not sure whether this should be enough qualification for becoming one of the "Best IT products".
a) generates money for someone
b) has a beautiful user interface
There are a lot of IT products that generate money by generating service requests, trouble tickets, helpdesk calls (etc.
Mostly because it simply makes me ANGRY when I am forced to work with their products, and the software just doesn't work predictably. But actually, I don't hate anyone for being a bad programmer, I hate them for trying to FORCE everyone to use ONLY their products INSTEAD OF BETTER PRODUCTS.
/dev/stdin and /dev/stdout. /dev
/dev/stdout | grep pattern
/s con | grep pattern
;-)
Effectively, my impression is that Microsoft cares more about pushing all competing better products out of the market instead of making their own products better. That is what really makes me angry. They are a marketing/propaganda-based company rather than a technical company.
Why do I think that Microsoft software is bad?
Just to name a few examples:
On UNIX, you have
- stdin is a character special file (or a symlink to a special file), and its role is defined by a major/minor node number
- stdin is exactly where it was created, commonly in
- if it had another filename, it would still work the same way
- if it where in another directory, it would still work the same way
- if you create a plain text file and call it "stdin", then you have a plain text file; not a stdin device
You can do something like:
Most utilities in Unix write to stdout anyway, but if you have one that writes to a file, you can do the following:
$ myprogram_A --outfile
Everything perfectly consistent, isn't it?
On NT, you have "con"
- you can't find con anywhere in the filesystem
- but at the same time con IS EVERYWHERE in the filesystem
- you can not create a text file named con anywhere in the filesystem, because con is already there, you just can't see it
- if con had another filename, i don't know what would happen; i don't even know whether con is actually a file
- if you read from con, then it is stdin, but if you write to con, then it is stdout?? or is it stderr?
- if con is not stdin, then where is stdin?
How consistent is that?
Now try on NT what you did on Unix (for example, with the registry editor):
C:\> regedit
It just doesn't work.
Other examples:
- CreateRemoteThread() - let's just create a new thread at an arbitrary address in some other process' address space. Very bad idea.
- Unix's getuid() in NT: GetCurrentProcess(), OpenProcessToken(), GetTokenInformation() (to get the size of the datastructure), GetTokenInformation() again (to get the datastructure), extract SID_AND_ATTRIBUTES struct by resolving a pointer, extract SID by resolving a pointer; and then you still don't know how the size of the SID datastructure, so you need to call some other functions to do something useful with it, for example, to compare the user id of two processes: EqualSid()
- NT: TerminateProcess() specifies the exit code of the process that it kills. As you might know, another application may receive this exit code as a some kind of an answer from that process; it could also throw dice, though...
- While NT is booting, it can't run windows programs until csrss.exe is running
etc... there are numerous examples...
By the way, there are also a lot of other companies that are not much better (or maybe even worse) than Microsoft. Microsoft is really not the only "bad" company on this planet.
Does anyone want to start a "Why do you hate Symantec" thread now?
DoD TCSEC B1 Security has absolutely NOTHING to do with signing drivers oder other files. B1 Security is about information labeling, aka Mandatory Access Controls. B1 security subsystems place sensitivity labels and compartment labels on every subject and object, and these labels will be maintained and enforced by the system automatically.
Users can't change these labels, but administrators (security officers) can; B1 is NOT about digital rights management, encryption or signing, it's not about locking out administrators from their own machines, it's about automatically enforcing confidentiality of data. Administrators can, of course, override this sort of protection (for example, on Solaris, with file_mac_read, file_mac_write and similar privileges)
Simply signing drivers does not establish a B1 compliant security policy.
You are right with most of your arguments. I think, they are trying to secure computers against the computer's security officer (administrator), which is a concept that is broken by design.
Either the so-called computer will not be able to work like a computer any more (computer = free programmable device), or the "security" (or rather, obscurity) model will not be able to protect the data reliably.
You know that no foreign agent or enemy can break in and send info to you or anyone else in the system, pretending to be someone you trust.
If the software is buggy, then you can, no matter whether you use the TPM or not.
If the software is absolutely correct, then you can't, not matter whether you use the TPM or not.
The TPM can be used for encryption, but we already have strong enough encryption without the TPM.
There is also a major risk: If somebody manages to take control of the TPM chip inside an army laptop, the TPM chip can be used by the hacker to protect viruses, worms, trojan horses or other malware from access by army administrators, and the attack may then remain unnoticed.
Here in the north-east of lower austria, we have most of our wiring systems underground (power grid, phone/isdn/dsl, etc.), and we are quite happy about that. Probably, the only disadvantage is the higher installation and maintenance costs, which includes additional cost for patching streets after installation of cables that cross streets or run parallel to streets and similar things.
However, our general experience is, that underground power lines are extremely reliable compared to overhead power lines. For example, they also never get torn down and never get hit by lightning strokes...
There may be many IT jobs, but most of them are totally uninteresting. In most companies I see a few hundred people troubleshooting PC problems, reconnecting network drives, reconnecting printers, reinstalling drivers, correcting Word/Excel macros that where broken by the last Office update, reinstalling the same software over and over again all the time, while some 8 people manage the 4 or 5 Unix-, Mainframe-, AS/400- (or whatever-) boxes that actually run the business, and some 15 programmers design, implement and test the software for those machines...
1. [...] open source as 'more likely to break applications' [...]
;-)
2. [...] SAP's management primarily views open source as a threat to its business [...]
Perfectly consistent, if they think that 1.) is true, then 2.) is only a logical consequence, because until now it has always been SAP's job to break things...
Processor sets allow binding processes to a set of processors (for example, if you have 10 processors, and you want a process to run only on CPUs 2, 5, 6, 8, you can create a pset of these CPUs and bind the process to the pset rather than to a single processor, so if the process has multiple threads, these threads can spread to multiple CPUs inside the pset, but not all CPUs in the entire system).
However, I don't see what this has to do with hyperthreading. I don't know if there is a hyperthreading-specific feature in Solaris, but there is at least a cache-affinity feature, that tries to dispatch a process to same CPU always. On Hyperthreading-CPUs, it would at least try to keep the process on the same hyperthread (because it sees each hyperthread as one CPU), and an hyperthreading-specific extension would be to keep the process on the same CPU, but possibly on a different hyperthread (because that does not matter, as two hyperthreads on the same CPUs share the same cache memory, and that's what FreeBSD does).
You can even see how cache affinity works, provided you've got an SMP box. Just start a process with no more than a single compute-intensive thread, and you will see one CPU running at 100% for some time, while the others are idle (only every few seconds, the process will probably jump to another CPU). If there where no cache affinity, you would see all n CPUs running at approximately (100 / n) percent of load, because the process would be dispatched to any free CPU, regardless of where it had been dispatched previously (and as you are monitoring CPU load in steps of one second or so, and the process' time slice is only about 60 ms, you will see some load on all CPUs where the process had been running in the last second).
(Note: you can monitor CPU load per CPU using 'mpstat', as most GUI performance meter only show total system load, but not load per CPU)