``And ... SRWare Iron has a proper installer - per default it installs in "C:\Program Files", which is where applications belong.
Unlike Chrome - which installs itself in "C:\Documents and Settings\\...." - argh - duh.''
Well, for the former, you need write permission on system directories. For the latter, you only need write permission on your own directory. The latter has its advantages.
``I still don't understand what's so great about biodiesel?''
What is great about it is that the CO_2 you release into the atmosphere when you burn it has first been extracted from the atmosphere while the crops you make it from were growing. In other words, biodiesel is CO_2 neutral: it does not add to the total amount of CO_2 in the atmosphere. It is often also cleaner than regular diesel in other ways, e.g. it contains no sulphur.
``I mean we burn our crops in our cars instead of using the fields to harvest food for people who are starving''
We can do that (and that certainly happens), but we can also make biodiesel from things that don't use up land that could be used for farming food crops. The crops that are best for feeding people and the crops that have the best yield for making bio fuel are not the same. Algae, for example, have very high oil yield and will grow on water, and even on desert land. If we do it right, we can produce bio fuels in addition to food.
``I run XP Pro behind a router. No AV, no anti-malware of any kind. I'm just not a fucking RETARD, hence I don't have a Conficker infection.''
It's nice to be able to point and laugh and feel superior, but keep in mind that the only kind of retard you need to be for malware to hit you is a retard who doesn't know enough about computer security. You can be such a retard and be brilliant in another field. I know I am not an expert in everything I deal with, and I am willing to bet you aren't, either.
Understanding how a computer works and how computer security works takes not only a measure of intelligence, but also the time and dedication to actually study it. Personally, I understand why people don't do so, and I don't think they should be required to do so, either.
Most people who use computers use them as tools to accomplish a task. They have better things to do than becoming computer security experts. The same goes for me and driving cars: I drive almost every day, but I wouldn't know where to begin to service the car, let alone that I would be good enough to keep the car safe. The same goes for many other drivers. Yet, we don't see many people dying or getting injured from failing cars (at least, not in my country). The reason is that (1) cars are required to live up to a certain standard of safety, and (2) cars are serviced by people who do know what they are doing.
Applying the same to computers, I think we can use the same solutions:
- Encourage software vendors to ship more secure software (whether by buying preference, by law, or holding them (partially) liable for damages, or some other means)
- Have computers serviced by knowledgeable people
For example, I could imagine a sort of lease model: pay a monthly fee and get a computer on your desk, with regular maintenance, backups, etc. performed for you.
Good points, I'd mod up your post if I could.
``Except new holes and malware will keep appearing and the process will need to be done over and over. Add it all up and it's a lot of hours. In the long run it might be cheaper to switch OSs and retrain if that new OS is generally more secure and easier to harden up front.''
And that last part is, of course, the real question.
Regardless, though, you are going to have to deal with keeping systems up to date, and you can't rely on users to do it. If you are an administrator in charge of this, it is your responsibility to keep all the machines up to date. I am not sure how much work this is on various versions of Windows compared to the alternatives.
``Linux, the OS, generally includes Apache.''
Even if true, it does not invalidate the parent's claim.
But you have a point, and it is that we should be comparing products as shipped. Compare a base install of Windows to a base install of a Linux distribution, then draw conclusions about that version of Windows and that version of that Linux distribution. You can't generalize beyond that. If Apache is included in the base install, you have to count it (though it matters if it is disabled or enabled out of the box, of course).
``Linux, the OS, generally includes Apache.''
What makes you say that? Most Linux installations I have seen don't include Apache. Do you have any numbers?
``Oh, wait, sales tax would also be 20%?''
That's almost what we pay over here in the Netherlands. We pay 19%, to be exact.
``It's not enough just to be true to spec;''
Yes, it is. That way, you get what the spec says you get.
It can even be argued that doing better than the spec is dangerous. After all, that is what got us this riot: things doing more than the spec said, people relying on that, and then getting angry when another implementation of the spec didn't have the same additional features.
You can only assume that you get what the spec says you get. If you assume more, it's your problem if your assumptions are wrong. If you want more than the spec gives you, you either need to implement it yourself or get a new spec implemented.
``the idea is to get something that works as well, not jump through hoops to cleverly demonstrate that the spec does not protect against all possible bad outcomes.''
I don't think anyone jumped through hoops to cleverly demonstrate that the spec does not protect against all possible bad outcomes. I think they jumped through hoops to get the best possible performance, while still being conformant to the spec. If this breaks applications that rely on behavior that isn't in the spec, it's because those applications are buggy.
``It's the bad outcomes that we're trying to mitigate by having a spec in the first place!''
I agree completely. But we seem to differ in how this is supposed to work.
I say that specifications can be used to avoid bad results by specifying exactly what can be relied on. Everything that is not in the specification is unspecified and thus cannot be relied on. Knowing this helps you write better software, because you know what you can assume, and what you have to write code for.
You seem to be saying that having a specification means we want to avoid bad results, so whoever implements the specification must do their best to avoid bad results, no matter what it says in the specification. I find that completely unreasonable.
Since when is being able to use your hardware in the future an ideological reason?
``Funny how the vendor of one of the world's most insecure operating systems now considers that they're going to one-up the competition with the most secure browser / operating system?''
I wonder if Windows is still one of the world's most insecure operating systems. Microsoft have certainly been working hard to improve things, which is more than I can say for many other operating system vendors. Meanwhile, Linux users seem to be content pointing and laughing at Microsoft's efforts and pointing out that Linux is so much more secure.
I won't make any claims about which operating system is more secure than another operating system (because I think it is fundamentally impossible to measure, let alone to know), but if I see that Microsoft is introducing things like address space layout randomization and non-executable stacks, I have to wonder why those features aren't in other mainstream operating systems yet. OpenBSD has done a lot of pioneering work already, but when will we see the day that all of Debian is compiled with -fstack-protector and ships with PaX enabled?
``To be honest, the legacy requirement that you must be root to run applications on ports less than 1024 doesn't make sense in the modern security world and Linux (along with OSX, Solaris, etc.) should dump it. Unix derivatives are the ONLY OSes with such restrictions''
Don't we have capabilities and/or systrace for that nowadays?
``The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread.''
Doesn't that sound like a huge security hole right there? I don't think the problem is really with UAC...
``Isn't this exactly what modern operating systems do?''
No, not exactly. You are correct that data will be cached in RAM, so it will be available quickly. But, without doing anything further, you will still be writing to the disk a lot. I am proposing to limit disk writes, too. For example, I would be fine with writing only when I commit, and every couple of minutes.
Just to float an idea, why not do it like this:
- Build a computer with flash storage and lots of RAM
- Use RAM to store the code and data you're using for development
- Write commits to flash
- Write to flash occasionally to prevent data loss
Flash drives may be faster than disks, but RAM is still _much_ faster. An extra 4 or 8 GB of RAM doesn't cost that much, and is probably enough to hold the code and some test data for most projects. If you spend a lot of time compiling, you'll probably recover the cost of the RAM in no time, thanks to increased developer productivity.
But at least you can get off the train, right? Right?
``If I could get Konqueror without all the KDE baggage I would, for the brief time I used KDE it was always snappy and responsive.''
I run Konqueror as the sole KDE app on my machine. On Debian lenny, the disk space used is a bit larger than for Iceweasel (nee Firefox), but the lower memory usage and a couple of useful features (especially web shortcuts and access keys) make it worth it to me. I still have Iceweasel installed for a number of sites that don't work well in Konqueror, though.
As for Firefox being slower on Linux than on Windows, I wouldn't be surprised if that had something to do with latency of calls to the X server. Many X clients don't really take X's characteristics into account, and perform a lot of serial, blocking requests, causing long delays. Apps that reduce the number of requests that wait on one another (by either reducing the number of requests, or by doing them in parallel) can be really snappy on X. But, as I said, I wouldn't be surprised if Firefox weren't using X right.
I agree, web standards are painfully difficult to implement. Just think about what it would take. It starts with 3 languages (HTML, CSS and JavaScript) that all have different syntax. Even if you'd pull that off, you'd end up with an unusable browser, because it wouldn't be compatible with all the broken HTML out there. And then you need plugins, or the kids won't be able to use their dear Youtube. By the time you have all that done, the standards will have evolved. Meanwhile, meticulously implementing the standards gains you very little, because actual web pages don't use them, or only use them to a very limited extent. The reason? Many people who make web pages don't know any better. Or the tools they use don't know any better. And even those who do are limited by what Microsoft Internet Explorer supports.
In the face of all that, I'm happy to see that we're still _trying_ to be standards-compliant and pushing for others to do the same. Standards are the only way to interoperability. Interoperability is what gives us freedom to use the software we prefer.
Does Windows seriously not come with any way to automate things? I mean, besides batch scripts, which, unless I'm mistaken, allow you to do some of the things you could do under DOS, but that don't actually interface to what you would normally work with under Windows much.
The question, though, is why C# or Java "programming" is so different from "scripting" that you'd expect a sysadmin to know the latter, but not the former.
The parent comment was modded funny, but I think Greenspun's Tenth is still relevant today. And, applied to Unix, it's definitely true. Imagine what Unix would be like if there only were C. But there isn't only C, there is also the shell and various scripting languages. The shell's most important feature is that it's interactive, like Lisp's read-eval-print loop. Today's popular scripting languages on Unix (say, Perl and Python) implement many of the other features of Lisp, allowing programs to be expressed a lot more succinctly and conveniently than in C. But all these are part of the same universe: the shell works mostly by running other programs, and the scripting languages do some of their tasks by going through the shell or C libraries. So, with everything together, you end up with something vaguely like what Lisp offers in a single package.
Of course, the world hasn't stood still, and the Unix universe now offers many features that aren't really present, or at least not standardized, in the Lisp universe.
And, in the meantime, Java has come along, re-inventing and re-implementing tons of features from Lisp and Unix.
The difference between you and Microsoft is that you are not a convicted monopolist effectively dictating part of the actions of a large number of individuals and organizations.
I'm all for you controlling things you've created. I'm also all for you being punished if you have done wrong. I don't see why losing some control over some of the things you have created that you use to wrong the world would be inappropriate. In fact, if you abuse your powers, taking them away sounds very sensible to me.
``I make a competing calculator (hypothetically). I want an icon on the desktop for the Windows Calculator, Maxima, Octave and Mathematica.
I also (again, hypothetically) make a notepad replacement. I want my product, Notepad++, Wordpad, Microsoft Word, and a half dozen scintilla-based knockoffs.
I also hypothetically make an alternative desktop shell. Because Microsoft FORCES you to use theirs, before you even get to see all of the five BILLION other fucking icons, I want a screen to pop up with only a mouse, and a choice of shells. Mine, which doesn't support UAC, separation of privileges, explorer shells (which will confuse the heck out of people,) explorer extensions (bye-bye TortoiseSVN, TortoiseHG, etc,) or other features. Also included should be shells that barely work.
And finally, after booting into Windows becomes a clusterfuck of choosing about eighteen trillion defaults, I as a developer expect my users to have a relatively stable and ubiquitous set of APIs available.''
I think you just described a Linux distro with all packages installed.
Reading your descriptions of the claims, I'm definitely interested.
I guess it doesn't run on Linux, though. Right?
``the vast majority of Web sites are still written to work correctly with previous, non-standards-compliant versions of IE.''
Which wouldn't be a Bad Thing if the sites were also standards compliant. However, it seems that I have been part of a very small minority of people who have cared to make them that way in the past decade. Even today, the prevalent attitude seems to be that you "support" one or two browsers, instead of keeping to standards and having your site Just Work in every decent browser.