Slashdot Mirror


User: Keeper

Keeper's activity in the archive.

Stories: 0
Comments: 2,480

Comments · 2,480

  1. Re:Logical Error on How Can I Trust Firefox? · · Score: 1

    His logic is true if you want to make such a decision before you run the software (which, if you want a secure system, is what ought to happen before you run any software). Without the signature, you don't have any way of knowing where the software came from or if it's been modified since you last looked at it.

    How you go about creating and applying that 'signature' may vary, but the concept itself is true.

  2. Re:Trust is earned.... on How Can I Trust Firefox? · · Score: 1

    Code signing isn't about validating what your code does. It is about validating where it came from.

    The point he's trying to make is that you don't know if you're really getting Mozilla or not, not that Mozilla is "safe" to use.

  3. Re:But... on How Can I Trust Firefox? · · Score: 1

    Merely having a signature doesn't imply that the software you're using isn't going to do something you don't like. What it does is tell who created the binary. Otherwise you have no way of knowing if the binary is legit, something else entirely, has some sort of backdoor, etc.

    So while you may be getting Gator, you know you're getting Gator, and can rest at ease knowing that you aren't really getting Microsoft Bob.

    Another benefit of a signed binary is that you can (in theory; not sure if Windows allows it in this case and I'm too lazy to look it up) provide a way to treat software as "unsafe" if it has a certain signature.

  4. Re:How will it work? on Employee Stock Options Must be Treated as Expenses · · Score: 1

    This isn't so much about the value of the options as it is the cost to the company.

    It costs the company $0 when they issue the option, and some amount >0 when the option is exercised.

    If the company gave out a million options this year, it didn't cost them anything. However, if they report it cost $2 million, and 3 years later when the options are exercised it actually cost them $30 million, the reporting didn't do a damn bit of good.

    What they ought to do is show the number of outstanding options and the potential cost to the company at various price points, so you can get an idea of a company's obligation and the potential impact of the options. They should also expense options when they are exercised, as they cost the company money at that point in time.

  5. Re:Typical Microsoft on Microsoft Acquires Spyware Removal Company · · Score: 1

    The exploits I've seen depend on url parsing bugs; the exploiter must have some knowledge of the sites in the trusted zone in order to succeed. If you only place a site in the trusted zone long enough to download the control you're interested in, add it to the approved list, then remove that site from the trusted zone there shouldn't be any risk.

    The other ways to bypass the security zones involve viewing non-html file types (ex: .chm, .hta); viewing those types of files ignores any settings you may have set in IE altogether, and restricting access to a single directory does not limit the damage they can do.

    I haven't seen "dozens" of alerts about these though, nor have I seen many exploits as they are rather difficult to take advantage of. There are lots of problems where "trusted" is listed in the description which has nothing to do with zone settings (most are related to cross site scripting and spoofing).

    Of course, if I'm not looking in the right place I'd be interested in reading the information you found.

  6. Re:Typical Microsoft on Microsoft Acquires Spyware Removal Company · · Score: 2, Informative

    You can get this same set of functionality by adding 'trusted' sites (ie: sites you are willing to run ActiveX controls on) to the trusted sites zone. Modify the internet zone activex setting which turns on/off activex controls to "administrator approved". If there is an ActiveX control you know is safe and want to be viewable in the "internet zone", add the control to the list of administrator approved controls.

    With SP2 you also have the ability to disable specific ActiveX controls so that they'll never run.

  7. Re:Paying disproportionate share of taxes? on Debugging Indian Computer Programmers · · Score: 2, Insightful

    It isn't quite that bad, though it is a figure higher than 50%. Additionally, the top 5% of Americans earn more than 50% of income generated in this country (not much more, but it is more). The latter figure is not to be confused with TAXABLE income, of which the top 5% earn less than 50% of.

  8. Re:If you were a horse breeder... on IT Practice Within Microsoft · · Score: 1

    and you asked farmers in the 17th century what they wanted out of their horses, all of them would want a horse that could pull a bit bigger plough, had a bit better endurance, and ate a little less. None of them would have said "Hey, what if we could replace the horse with a tractor".

    And if you were doing your job right, you would analyze the farmer's problem. In this particular case, the farmer may be asking for specific attributes in a horse, but what they really want to do is plow more land faster at a lower cost.

    If the only way you can solve that problem is breeding a better horse, so be it. But that analysis does not prevent you from coming up with a solution that does not involve a horse.

  9. Re:How can you compare without use? on IT Practice Within Microsoft · · Score: 1

    Chicken and the egg scenario. If the competitor is better, and the only thing they did was copy your product, then how is it a superior product? They obviously did something else other than clone the competition.

  10. Re:However on IT Practice Within Microsoft · · Score: 2, Informative

    Obviously you don't spend 5 minutes with a customer and ask a customer, "hey, what do you want to do" and then go off and do exactly that. You figure out what problem it is they're trying to solve, and get an understanding of the core issues at play. Then you talk to more customers and repeat the process. From there you can organize that information to get an idea of how much need there is for a certain set of functionality. If one customer wants one feature, but 800 want another one, you start working on the solution to the problem 800 of your customers want.

    This is customer oriented/focused development.

    If you just go out and solve random problems that nobody has a need for, you risk losing focus on what really matters -- the people who buy your software. Nobody upgrades because a package does something new they don't care about -- they upgrade because it solves a problem they're having.

    This kind of development isn't "catchup" -- it isn't "bug fixing". It's identifying what people need, and then coming up with a solution for them that solves the problem they're having; this doesn't mean that it solves only that narrowly defined problem. The thing is, when you do this kind of work, you ARE solving problems people have before they encounter them (in addition to solving problems some of your customers already have).

    There is plenty of innovation that can occur by doing this, and I personally think you get a lot more useful innovation following this process. You'll certainly do better than copying the features in competing products.

  11. Re:Better to anticipate though on IT Practice Within Microsoft · · Score: 1

    Given a choice between problems your customers currently have, and problems that you think your customers might have in the future, it is generally better to solve the former. And believe me, there is never a shortage of problems your customers want you to solve.

  12. Re:Well, they're lying for a start. on IT Practice Within Microsoft · · Score: 1

    Microsoft is well-known to have labs that run Linux. There was a story, albeit a while ago, of a Linux webserver running on someone's desktop at Microsoft. They are also believed to be the mysterious bulk-purchaser of a large number of Red Hat 9 CD-ROMs in that specific part of Redmond.

    How much do you want to bet those labs are not run/managed by their IT department?

    Microsoft owns Hotmail, and although some Hotmail machines are Windows, they also use FreeBSD.

    Hotmail isn't run by their IT department.

    There have been Unix and Linux versions of Windows products, in the past, though they never got much past beta. What did they write these on? Tin foil?

    Product development groups are not run by their IT department.

    What about the Microsoft Office suite for Apple? MacOS ain't Windows, either.

    The Mac BU isn't run by the IT department.

    Netcraft reports that a LARGE number of .MSN.COM machines run an "unknown OS", which certainly isn't Windows.

    MSN is not run by the IT department.

  13. Re:Who came up with this strategy? on IT Practice Within Microsoft · · Score: 1

    Using a product and finding what doesn't work or what it doesn't do is the easiest way to improve it. When was the last time you compared two pieces of software side by side? I'd be willing to bet that you used one piece of software, got frustrated at something it didn't do that you wanted to do, THEN tried the other piece of software.

    Besides, this is the IT department for crying out loud; ie: not a product development group. If their IT department can't use the software they create, they can't very well go out and tell other companies that it'll solve their problems now can they?

  14. Re:No *nix? on IT Practice Within Microsoft · · Score: 1

    100% Windows? Wow, that must make the Macintosh BU's development efforts pretty hard.

    Just because the IT infrastructure is all Microsoft all the time, it doesn't mean that his comments translate to every other department in the company.

  15. Re:We don't run Unix. We don't run Linux. on IT Practice Within Microsoft · · Score: 2, Funny

    For their SFU (Services for Unix) product. I'm sure the irony of the acronym wasn't lost on the person who came up with the name...

  16. Re:How can you compare without use? on IT Practice Within Microsoft · · Score: 1

    You don't have to compare your offering side by side with your competitors if you listen to what your customers want.

  17. Re:Depth of Field, Quality etc. on Guide to your Perfect Digital Camera · · Score: 1

    2) No digital preview. This seems to me a horrible and unnecessary flaw in digital SLRs. With a good non-SLR camera I can preview motion blur in my photographs and manually adjust exposure settings for time exposures while seeing the results in real time.

    There are two reasons for this:

    1) Typically there is a mirror blocking the sensor

    2) Doing this would increase the response time between when you hit the shutter button and when the camera could actually take a picture. When you go to take a picture, the camera would have to finish shifting data off of the CCD before resetting it to take a new picture. This is a non-trivial amount of time. This is also why the response time of most P&S cameras blow and why P&S cameras typically have better response times with the live preview turned off.

    When you get right down to it, the viewfinder on DSLRs display all of the information necessary to determine if you're going to get a good exposure or not. It just takes some time to learn what it means.

  18. Re:Funny on Guide to your Perfect Digital Camera · · Score: 1

    For a single 8x10 print you should be able to find a price for $2 with $5 s&h. If you only want to print one photo, printing it yourself is the better deal. Anything more than a single print and you're better off finding a place online to do it. I'd recommend checking out mpix.com -- they do an excellent job of packaging the prints and their color calibration/quality is excellent.

  19. Re:Funny on Guide to your Perfect Digital Camera · · Score: 1

    It is definitely a surprising realization to most people.

    The only thing I've found where you can typically get a lower cost per print than sending it off someplace else is on an 8x10 dyesub. And while dyesubs are nice, it just isn't the same as getting something back on real photo paper.

    I typically send most of my prints through mpix.com.

  20. Re:The eyes' depth of field on Guide to your Perfect Digital Camera · · Score: 1

    The primary reason why you won't ever see a DSLR with a preview LCD is response time. One of the biggest advantages you get with a DSLR is the response time -- the time between when you hit the shutter button to when the picture is taken.

    If you had an LCD preview, you would add to that response time -- basically the camera would have to be able to reset the sensor and prepare it to take an image with the settings required for the exposure. This includes the amount of time to finish reading off the current image (due to the way CCDs work, it typically isn't possible to "flush" the remaining data off; at least not on any sensor I've ever used).

    This is why point and shoot cameras typically don't have instant response times, and why some P&S cameras have much better response times with the LCD display turned off, in case anyone was wondering.

    Having a live preview would add anywhere from 0-250ms to the response time. The bigger the sensor, the worse it gets. And DSLRs typically have huge sensors compared to what you'll find in point and shoot cameras. 150ms is typically the threshold where people start to notice a lag.

  21. Re:Another flawed biased study on Australian TCO Study: Linux Wins Again · · Score: 1

    In case anyone is wondering about the state of moderation on Slashdot today (I found it to be quite amusing):

    Another flawed biased study, posted to Australian TCO Study: Linux Wins Again,
    has been moderated Insightful (+1)
    has been moderated Interesting (+1)
    has been moderated Overrated (-1)
    has been moderated Troll (-1)
    has been moderated Overrated (-1)
    has been moderated Interesting (+1)

    It is currently scored Interesting (1).

  22. Re:The point at which you stop taking them serious on Australian TCO Study: Linux Wins Again · · Score: 1

    Pot. Kettle. Black.

  23. Re:Biased in MS Favour on Australian TCO Study: Linux Wins Again · · Score: 1

    They used $45k for Windows and $135k for Linux.

    Where did you see that at?

    "Specialist Consultancy Services

    Most organisations need specialist IT consultancy services and for our example organisation, we will allocate the same set cost to both the Windows and Linux models to cover this service provision. Total Cost of Specialist Consultancy Services = $25,000"

  24. Re:Biased in MS Favour on Australian TCO Study: Linux Wins Again · · Score: 1

    The model was not modified to reflect research by the Robert Frances Group which showed that Linux needed 82 percent fewer staff resources.

    Primarily because it isn't possible to have 0.5 people filling 3 roles.

    The costs of malware - viruses, spyware, worms, keyloggers, adware - were not taken into account. Zymaris said every research point found had suggested that this cost was essentially and predominantly a Windows platform cost, resulting in billions lost by business every year.

    Except they did factor in some costs related to these items.

    Costs which arose when systems need to be pre-emptively rebooted or crashed, resulting in unscheduled downtime, were not taken into account. "All our research indicates that Linux rarely if ever suffers such problems and open source platforms on the whole are extremely robust," Zymaris said.

    Which is good, because if you have UNSCHEDULED downtime your admins aren't doing their jobs.

    "Finally, because Microsoft has claimed that introducing Linux into an environment will lead to increased reliance on external consultants, we have tripled the amount budgeted for such requirements on the Linux models," he said.

    Except they didn't. In fact, they used the exact same figure for both. It wouldn't matter even if they did though, because their cost numbers for external consultants are a work of pure fiction.

  25. Another flawed biased study on Australian TCO Study: Linux Wins Again · · Score: 1, Interesting

    In this particular study, the biggest flaw is that they decided that they had to pay full retail for the software installed on the machines (as opposed to getting a site license, which would cut costs dramatically; but as the study will later show, all they did was do a few searches on the internet to compile their information before they spent the 10 minutes it took to write this up). Not to mention that they absolutely must have the most expensive version of each package. Especially considering that they don't say what KIND of business it is they are trying to model. It also appears that every person in the company requires direct access to the database. Riight...

    A secondary flaw is their costing of employees. They don't factor in differences between contracting and hires, benefits, etc. Nor do they mention any cost of living factors for the study. Apparently they did some dumbass search on Dice.com to arrive at this figure. Then they do some handwaving and say that anything that can't be handled by the staff will be handled by consultants.

    And those consultants, boy howdy, will be used equally for both operating systems and cost exactly the same. No justification, no research.

    I could keep going, but it would just be a waste of time.