> I personally think that the software update mechanism (where the window pops > up if there are updates) is great under OS X. You would have to be really > retarded to ignore it. Maybe Windows and Linux could do with something like > this ?
Windows has this. (Well, technically it doesn't pop up a window right away, but a *really* annoying thingydoo pops up above the system tray, repeatedly, and refuses to give you any peace until you click on it, at which point the window does pop up then. The average end user can't make it 60 seconds when the thingydoo activates without screaming to the Computer Guy for help.)
Various Linux distros have various sorts of autoupdate facilities. I don't know of any that pop up a window, but it would certainly be possible. Even better IMO would be to just put the updates on a cron job (2am local time or first thing in the morning if the computer was off at 2am seems reasonable; equip it with the ability to only use maybe 25% of available bandwidth).
For security updates, why bother the user? Just *do* it. Security updates aren't supposed to have any incompatibilities or feature changes; just the fix. Unless it's a kernel bug or something like that that requires reboot, the user doesn't even need to *know*. Users who do want to know can read the logs. Users who know enough about what is going on to make their own decisions about security updates will know where to find the config file; everyone else should just receive the updates automagically.
Of course, this kind of default policy would mean you'd have to be very careful about protecting your update servers...
> Unfortunately they never seem to have realized they could avoid the problem > by doing like Opera for example... Dialog:
That would be a pointless guesture for MSIE. Any dialog box with a "Yes" or "Ok" button never gets read anymore (largely because of the many stupid idiotic warning and information messages that have been foisted on users since 1994 or so, such as the one that warns you when you use a search engine that the search terms are not encrypted (horrors)). People see dialog boxes so often, the first part they look at is the buttons; if there's a "good" button that they recognize ("Yes", "Ok",...) or if there's only one button, they just frob the button without any further thought. And, if I used MSIE I'd be tempted to do this too. It cries wolf over some of the stupidest things.
I should note that the feature is not pointless for Opera, because it caters to a different demographic, and more importantly because Opera foists fewer superfluous dialog boxes on the user. Mozilla is also working toward fewer spontaneous dialog boxes. (If the user clicks a UI element to get the dialog box, that's okay (e.g., the prefs dialog), but things like unreachable server errors and whatnot are being changed to error _pages_, that display in the actual content area, to cut down on the number of dialogs.
> The only character that could plausably display as a blank area is the > byte with the value 32
Decimal 32 is not a valid character in a URI. Never has been, never will be, unicode or no unicode. There are important technical reasons for this. If the value decimal 32 needs to be communicated (e.g., in a GET query string), it has to be encoded (usually as %20).
> and even that could show an underscore or something
No! Confusing underscore with space would be Very Bad. The representation for decimal 32 that can be used in a URI is '%20'. This should be displayed in the location bar as '%20'.
> the text "%00" in the url should not cause the rest to disappear.
Heh. Is somebody programming in C and using the lazy kind of strings? But in any case, %00 should be shown in the location bar as %00.
> Display all non-ascii characters in a different color.
If the color is hardcoded, this is a serious accessibility problem. (You *cannot* have hardcoded colors for text. Ever. It's *not* allowed, because it circumvents necessary contrast settings. Some users who don't see well need high contrast, and some whose eyes are sensitive to light need low contrast with the foreground lighter than the background.) Since most platforms do not provide a system color for this, you have basically two choices: use the link color, or add another color option to the prefs. The Evil Anti-Features Jihad will probably not allow you to add a preference based on such flimsy reasons as "it's needed to provide a security feature", at least, not without extensive usability testing, so that leaves you re-using the link color (or perhaps the visited color). Actually, though, this doesn't seem like a bad solution.
> Display as much of the URL that corresponds to a site you have visited > before in a different color.
Now, that would be a nice way to re-use the visited color. But what do you do with a non-ASCII character that's within the part you've visited before? Also, it should be noted that current browsers may need backend support for this; changes to the chrome might not cover it, really, because you need to keep the list of "visited" URIs in such a way that it's easy to look them up based on the first N characters, and they may not currently do this. (I suspect that they do not. They probably use a hash table, for reasons of efficiency. It would be possible to just the domain portion as the basis for calculating the hash and store the list of URIs at that domain in that bucket, which would be efficient enough probably, but I suspect that this is not currently how it is done. This would likely be a significant change and might break some extensions. So somebody in charge of deciding what changes get included would have to be convinced it's important. I'm thinking of Mozilla here, but I suspect other browsers would have similar considerations.)
Actually, I always spot those right away. I'd be slightly less likely to spot a transposition (e.g., slahsdot.org), though I usually notice those if they have a strong impact on pronunciation, especially by moving a consonant. The best bet is probably to transpose a dipthong (e.g., Anonymuos Coward). I *might* miss that, if I wasn't paying attention. But I would never miss e.g. s1ashdot.org, because my preprocessor would split that as s 1 ashdot before I even read it. Numbers and letters are separate categories of symbols entirely; I'd be no more likely to mistake one for the other than to mistake an analog clock for a digital one or an icon for a textual title.
Of course, it probably helps that, being a programmer, I refuse to *ever* use a font that makes different characters look like one another. When I get a new font, The first thing I do is type chars like oO0 iIl|1!: `'"; if any two of them look very similar, I throw out the font; I don't want it on my system, lest I inadvertently select it at some point for something.
> A simple solution is to render characters from a different code page > than the default in a different color in urls.
For my purposes, it would be perfectly satisfactory if the browser had an option (just an option, mind you, off by default) in the preferences to disallow "foreign" characters (i.e., any not from the user's chosen default character set in URIs, or to ask for confirmation before visiting such a URI.
I understand the value for the world in allowing URIs to contain characters from any character set, but I personally have no need to visit any URIs with non-ASCII characters in them. Some users might wish to construct a list of several charsets that URIs are allowed to come from (most likely their native charset plus ASCII (or plus Latin-1 maybe)).
Another possibility would be to use a font that simply does not render any characters outside the user's native charset, but this is undesirable for me because, being a math geek, I'd like to be able to see page content that contains, e.g., Greek letters, though the URI and most of the text on the page would be in ASCII. Really, a confirmation before visiting URIs with characters not from the user's chosen charset would be the best thing IMO.
> I believe Microsoft intentionally has a slightly broken CSS
I doubt they needed to go out of their way. Any implementation is slightly broken at first, and then (if you intend to implement the standard as written) you refine it until it's right. Sometimes things in the standard are quite inconvenient to implement because of the way in which your implementation handles certain things. Mozilla went through this, but it was mostly back in the days when Mozilla was so crashy and buggy that nobody much used it, back when their milestones were numbered with the letter M (for "milestone") and a number, before the switchover to the 0.x naming scheme. By the time 0.9 came around, the most glaring deviations had been ironed out already.
All Microsoft did (and yes, they may have made the decision deliberately, based *partly* on the reasons you point out, but also partly on mere lack of desire to work hard on something that didn't matter to them) is not bother to iron out their non-compliance issues. They had (partly for the reasons you point out, and partly because end users don't know the difference) no particular motivation to work very hard at adhering to the standard.
In other words, it is unnecessary to attribute overt malice when plain old garden-variety laziness and ordinary incompetence explain things adequately.
Now, the question of whether Microsoft *would have* deliberatly sabatoged their standards-compliance if circumstances had been such that that were necessary to protect their network effect, that is another question. The answer would probably depend on which person within MS got to make the call.
> Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages > look like shit in IE. And, no I don't bother to make IE-CSS.
Yeah, but if you think they look bad in recent versions of MSIE, try them in Navigator 4.08 (which a few people are still using, especially on Mac OSes prior to X) or (shudder) IE4.
Another tip: just once, spend the time to get a page looking right in MSIE for Windows, and then try it in MSIE for Mac. Or vice versa. Whee.
Out of fairness, I should point out that there are also still serious inadequacies in the CSS support in other browsers, including those based on Gecko, *especially* in regards to printing -- just *try* to get page breaks where you want them, or even just try to keep it from breaking pages in a particularly inconvenient place such as between a header and the paragraph immediately following. *Ugh*.
> The movies, by virtue of being very good movies in this age of visual > information, will in fact become the standard telling of LOTR. The books > will become the "other, harder to absorb" telling
I doubt it. Movies have been made from Tolkein's work before and will be again, and each time the books are used as the primary source, though of course there are copious quantities of deviation, as always happens with movies. The writing in the books is of such quality that people who once read a few paragraphs have soon read the books in their entirety and are discussing finer points excitedly with anyone else they can find who has read them -- which can be contagious if there happens to be anyone else present at the time who has not.
Some tales when retold are improved; Cinderella, for example, is of such poor quality that *several* times it has been retold and the new version became the standard telling subsequently, most recently the Disney animated flick, which will certainly not be the last "standard telling", since it is of such quality (ahem) that it can still stand a large amount of enhancement. However, the retellers neither look back to the oldest *nor* to the newest retelling that they can find; they look to the *best* one. Disney retold mostly from the Perrault story (which was in written form) rather than from one of the many movie versions already extant at the time, because that version was the best version up to that time. The Disney version was embellished and made more interesting than Perrault's, not because it was a movie but because it made actual improvements to the storyline -- that is why virtually all subsequent remakes have been based on the Disney flick.
The latest LOTR movies, though fairly good and certainly better than any previous movie adaptation, are not of higher quality than the original (not, even, of comparable quality really), and so future retellers will look at the original; it's better materiel. They can then make their own modifications and adaptations and, with a lot of work, hope to produce something better than Jackson's version. It is possible that someone will put together at some point a version that does exceed the original and become the standard telling, but this isn't it, not by a longshot, though it's a good deal closer than the previous movie versions.
The figure they give is what it costs you if your IT department is totally incompetent and allows the computers to get infected in the first place. An ounce of prevention is worth a pound of cure. I have a checklist of things I do to every new computer we get at my workplace. Not all of the things are security-related (for example, I make sure all the corefonts are installed). But some of them are. Among these, uninstalling or disabling Outlook is the most important. Setting up the IP settings to go through the NAT gateway instead of sitting directly on the internet also helps. Now, this *does* take some time; by the time I do everything on the list it's 8 or 10 hours I spend with each new PC, getting it set up before it's deployed. Most of that is installing and configuring stuff, but probably 1-2 hours of it is security related. By the time you figure in what I actually make plus the various other costs of having an employee (retirement system and insurances and whatnot) that's probably $50 or more per computer that we spend on preventative maintenance, plus the overhead of maintaining the NAT gateway (which is not that much) and maybe 15 minutes a day (average) that I spend on the clock reading headlines on the web (e.g., on slashdot) to see if there are any major new security issues I should be aware of.
I'm not sure exactly what all that adds up to, but it's a heck of a lot less than $58,000 per virus that we don't catch.
> Mozilla is good. It's not the end all be all of web browsing.
No, of course not. There are at least fifty improvements I personally am wanting to see. (Just check the bugs in bugzilla that I'm on the Cc list for.)
> It has some neat features.
Neat? It has some *compelling* features, features without which many sites (including slashdot) are virtually unusable. Tabbed browsing springs to mind. Then there are other sites that are unusable without the other seriously compelling feature, capability policies.
> It doesn't work with all websites. It renders some things stupid.
This is true of all web browsers. I've virtually given up trying to make layouts look the way I want in MSIE, for example; it's layout engine is simply too lame to handle resolution-independent layouts. In 1996 when everyone was still using 640x480 you could just do a rigid inflexible page design (ultimately, one big imagemap), but with the variety of resolutions people are using these days, you can't do that anymore. You have to do layouts that scale -- and MSIE has a very hard time with these.
> It has a tendancy to ignore css pixel sizes
Pixel sizes are very 1996. Today, a pixel could be anywhere from 1/2400th to 1/640th of the browser's width or even more if the user's not maximizing (e.g., if they like to keep the icons on the left side of their desktop visible, or if they just don't understand how maximize works or don't think it matters). Basically, you have no idea how many pixels you want anything to be, because you have no idea how big a pixel is. So you size things in ems or percentages, or let the layout engine determine the correct size. About the only things I size in pixels anymore are borders.
> It is not without bugs (check bugzilla).
Yeah, but the security bugs in b.m.o are things like, a website could read a cookie set by a different website, or it is possible for a website to pop up an unrequested window by tricking the user into rolling the mouse pointer over something. The security bugs are *not* things like, the browser will show the user a harmless data-only extension such as.pdf but actually will execute the content if the user clicks "open", allowing the code to do quite literally anything it wants with the user's computer.
> I've also done work for free for some people, and they're never happy- to > the point of hassling me every time they see me because they need help with > some piece of software
I've managed thus far to avoid doing any free tech support work for people like that, by my policy of only providing free tech support for a select group of people.
> All in all, refusing to deal with Windows has saved me countless hours
I support Windows for 1: my employer (while I am on the clock), 2: my parents, 3: my pastor, and 4: one other family I'm close to. At work, I also have the luxury of helping anyone who can bring their problem in to me. (I work at a public library, so helping patrons is part of my job.) But I don't make house calls, except for the people listed above. (Actually, I have made exceptions for two additional people in isolated situations, but not on an ongoing basis.)
I have discovered that most of the problems people have and want my help with turn out not to be such a big emergency if you ask them to bring their PC to you for help. The thing that was such a big deal they really wanted me to come to their house turns out not to be worth their trouble to unplug a couple of cords and bring the computer to me. I now understand why doctors no longer make house calls as a general rule.
MacOS 9 and earlier I support at work *only*.
As for Linux, or any Unix (well, only including OS X if the user's problem is related to the Unix underpinnings), I'd really like to get a users' group started here in Galion, and in that capacity would be pleased to try to help someone, if I could only find anybody else in town that uses *nix. The linuxcounter claims there's another person in Galion, but they don't wish to be listed, so I don't know who they are:-(
As far as people just asking me questions, I don't mind that, especially if the questions are fairly sensible or have fairly straightforward answers.
Sometimes I get questions that I'm not able to answer in the way the person hoped, though. The two most common of these are which ISP is best and which brand of computer is best. Perhaps my least favorite question like this, though, is whether some figure is a "good price" for a computer. (Me: "Well, it depends on the computer..." Them: "It's a [some brand that comes in 512 different models]" Me: "Yeah, but whether it's a good price depends on the technical details like how much RAM it has and what video card chipset it uses and so on..." Them: "It's a [brand name]". Me: "I don't know.") I get this question a lot, and I hate it, because there's no decent answer. It's like asking whether $14,699 is a good price for a vehicle and when asked for more details about the vehicle saying, "It's a General Motors."
Re:We've gotta do something about Russia
on
More MyDoom Gloom
·
· Score: 1
> doesent east asia account for 99.985% of all viruses?
Dunno, but they account for roughly that percentage of all the spam I get. Heck, a full third of the spam I get is in Asian character sets; then there's the spam that's UTF8 but uses ideographic characters. Then there's the English-language spam that comes from the same Asian mailservers...
Most of the spam I get that's *not* from Asia is 419 stuff.
Re:We've gotta do something about Russia
on
More MyDoom Gloom
·
· Score: 1
> but the line between organized crime and government power seems blurriest > in Russia at the moment.
Um, the *really* corrupt governments are mostly in the third world. Nigeria, Columbia, and other small podunk bribe-oriented countries are in a league of their own, corruption-wise. Russia has nothing on them. (Yes, bribery is a problem in most countries, if not all. But it's a much BIGGER problem in the third world.)
You take the machine code executable and disassemble it into crude, low-level assembly language. (There is a one-to-one correspondance between individual low-level assembly instructions and machine code.) Now, you still have a mess because you don't know right away what's code and what's data. (The disassembly process pretends it's all code but puts the actual numerical value of the instruction as a comment in case it's data.) So now you step through execution either with a debugger or by hand (the latter is called "desk checking" and takes a while), starting at the beginning, going step by step. Whenever the code pulls data from a certain location, you mark that location as definitely data; when it jumps to or otherwise executes an instruction, you mark that location as definitely code. (Unless the thing was written by Mel, the Real Programmer, no location is likely to be both.) Gradually you puzzle out what the thing is doing. (It's not easy.)
> How does it help determine country of origin?
That's another kind of fornesics, wherein you pick some places that got the thing and figure out where they got it from. If you trace a number of infections from well-separated places around the internet back several steps each and most of them got it from the same general area, it's likely that the thing came from somewhere near there -- though it's hard to be sure.
> How can that lead to finding the writer?
That's harder, but the basic idea is to trace back until you find where the thing was originally introduced into the wild.
> Do virus writers have their own signatures?
Some may; others may not.
> And are they not smart enough to just not include that in the virus that > they distribute?
I suspect that in some cases the virus gets loose into the wild before the writer intends to release it, while they're still testing/revising it.
> in order for worm/spammers to profit from spam, they have to put some > link back to themselves in the spam, don't they?
To themselves? Directly? No. They have to put something in there that has to do with whatever they're selling, but that likely can be traced to a *customer*. A customer who can deny having anything to do with it or any prior knowledge. ("Yeah, *someone* has been sending out this mail that mentions us; we got some of it too. But it wasn't us that sent it.) It in theory is possible to get enough information out of one of these customers to trace it back to the spammer, but then you still have to prove it. There's also of course the approach of using packet logging to watch an infected system and see where the control messages that result in the spam's being sent are coming from. However, they're probably coming from another compromised system. Ultimately they come from the spammer/cracker/loser, but tracing it back can be hard.
I'm not saying they can't be tracked down, only that it's probably not as easy as you make it sound.
> please take note, and block egress port 25 traffic. Otherwise, you are > part of the problem.
I don't block port 25 traffic from my network, and my network is *not* part of the problem. (Of course, I don't allow Outlook on my network either...)
Re:Not to condone writing worms....
on
More MyDoom Gloom
·
· Score: 1
> Wouldn't it be ironic if a worm were to DDoS slashdot.
No, ironic would be if a worm locked down various security holes in the OS, installed a firewall, disabled known-vulnerable software (e.g., Outlook), and so on and so forth.
> It is very interesting that Darl & Co haven't yet mentioned this new worm. > Why? Perhaps Darl & Co put it out there in the first place to make SCO look > even more like a victim
I very much doubt this. It's not that I think they'd have an ethical objection, so much as that I really don't think they're that clever. Much more likely it was created by one of the same losers who created the last six Outlook viruses. The author is obviously *aware* of the SCO lawsuits, but it's probably a cover as has been suggested for the worm's real activities and the author's identity.
If a member of the Linux community were to take the trouble to create an Outlook virus, it would do something more spectacular, such as masquerade as a "Microsoft Security Control Panel" or whatnot and warn the user about various vulnerabilities of their system periodically. "WARNING: Your computer has Windows Messaging service enabled. This service is intended only for use behind a firewall and is not needed for most users, but could provide a point of entry for an attacker to take control of your system. It also allows advertisers to pop up messages on your screen at any time, which could be an invasion of your privacy. Would you like to disable this service? [Disable Messenger Service] [Keep Enabled] [Ask Again Later]".
It could pop up a warning like that every couple of days for several months, warning the user to disable IIS or lock it down a bit, replace Outlook with a safe mailreader, turn off unneeded CIFS and related services, turn on the builtin firewall (if the user has WinXP), et cetera, ad infinitum, ad nauseaum. Or perhaps it would install Mozilla and make it the default browser. Or maybe it would rotate the user's signature through a repertoire of a couple hundred anti-microsoft comments. Or change the homepage to point to OSDN. There are a virtually unlimited number of interesting, creative, mostly-harmless things that could be done. If a member of the OSS community were to write a virus, this is the sort of thing it would do. If we wanted to DDOS SCO, there are easier ways to do that, but what would be the point? It's not as if SCO's ability to advertise or support their products on their website is in any way important to their business model at this point.
That's because you're only bouncing the text parts. I don't mind that quite so much (though it still annoys me, getting hundreds of bounces for messages that I didn't send, just because a bunch of idiots who think it's a good idea to use Outlook have me in their address book). The real problem is the AV packages that bounce the entire message, including the attachment. That adds up to quite a lot of bandwidth. During the last big Outlook virus outbreak I found that my dialup connection was barely able to keep up with retrieving my mail as fast as it was arriving, due to all the huge attachments. (I'm apparently in quite a lot of Outlook users' address books, for some reason.) At least a third of that consisted of bounced copies.
I long for the days when I used to explain to people why it was impossible to get a virus by email. Okay, so a lot of the software we had back then sucked; the browsers sucked quite badly -- but oh, email was better then.
There's no reason to do either. Just drop it into the bit bucket. You don't save any bandwidth by rejecting it, since by the time you've detected the virus you have already incurred the bandwidth burden. So just route it direct to the dustbin.
> For now, I'd settle for enforcing strict compliance with RFCs
Indeed. I'd pay money to get my ISP to block messages that don't have a valid Subject: header.
> helo must be a FQDN that can be forward and reverse dns matched with the > connecting IP would be an excellent start
I've considered merely rejecting mail from sending servers whose IP address has no PTR record whatsoever. The only problem with this is that it blocks approximately 110% of the continent of Asia from sending you mail. (Then again, I'm of two minds about whether that would be bad...)
> I run a mail server with 13000 users! Getting every bounce of these things to > postmaster no matter who sent it would make me route postmaster to/dev/null
Dude, why don't you just route the "Warning: someone forging your address in the From field sent us a virus!" messages to/dev/null? Nobody wants them.
> The original story appears to come from a professional windows admin. By the > nature of ths OS, that is an easier job to be competent at than a UNIX admin.
Actually, I'd say it's much harder to be a *competent* Windows admin. I have more experience with Windows than with *nix (though not as *much* more as I used to have), but I'm definitely more competent with *nix.
> If you need to setup an email / groupware server then go and install MS > Exchange on a Windows 2000 server. I've done it. Click, Click, Click and > you're done.
Heh. Rose-tinted glasses you're wearing. More like Click, click, click, (most of those clicks are on "Next" BTW) and then you're just getting started, because next week you're going to be googling for some obscure error message trying to figure out what the heck it means. (Granted, this happens with Linux too, but less often -- and when it does happen on Linux, it's usually when you were making changes (e.g., installing a new version), not out of the blue. Unless you have a hard drive start to quietly go bad, in which case all *sorts* of weird things happen, as I know from experience.)
> For your clients you can install MS Outlook
Sure, and then your whole network goes down for two days at a time once or twice per quarter. See, that's what I'm talking about; it's easy enough to be a novice Windows admin, but competence is harder; you have to learn things the hard way. For Windows desktops, you install Pegasus Mail for email, or at least Eudora, or Agent, or *something*. No competent admin would install Outlook for a fresh deployment unless directly ordered to do so by management, because Outlook is virtually impossible to keep running smoothly over the medium term. But you don't find that out (unless you're the kind who does research on every piece of software before you deploy it) until you've been running it for a few weeks/months, and by then your users have invested time in learning it that you don't want to take away from them, so you're stuck between a rock and a hard place. So you scour the internet for tips on securing Outlook and Exchange. Now you have to learn five or ten times as much (as you would have needed to learn if you installed a different option), because you have to filter all the mail traffic, removing not only certain content types, but also *any* content-type with certain filename extensions, and you need to block outgoing connections to port 110 and 143 and 220 and maybe 993. So you need to set up a firewall that all of your network's traffic goes through... Now you've branched out into content-filtering *and* firewalls, two relatively technical subjects, just to keep email working properly. This is typical with Windows administration.
> Try and do the same thing on UNIX.
It takes longer to be "done" on *nix, yes, but when you're done your actually mostly done. Say for example you install Postfix. (This is really hard: in rpmdrake you click on the checkbox for postfix and hit the "Install" button.) Now, granted, before you're "done" you have to configure it, because otherwise nothing's going to work. So you fire up a text editor and read through the config file (which is well commented, as virtually all config files are on the major distros these days) and change the options you need to change. Now, this *does* take longer than installing Exchange, *and* it requires more technical knowledge, such as how to use a text editor.
However, once you're done you can hire a chimpanzee to administer it, provided you tie up the chimp so he can't touch anything. Security is mostly a matter of scanning the slashdot headlines once a day just in case there's a big exploit (in which case, you fire up the "update" utility, look for a Postfix update, click its checkbox, and hit "install".)
> What about a web server. Add Remove programs, Windo
I was greatly disappointed when Duke Nukem got redone as 3D but Commander Keen didn't. Keen was a much better game than Nukem in almost every respect and had a lot more vertical action, which would have made for a lot of interesting possibilities in a 3D version -- platforms up above your head and all that would make the game play like more than just another Doom clone, as you'd have to be alert to things going on above (and below) you. Plus, the light, cartooney spirit of Keen is something the FPS world could really use; I mean, aren't you tired of seeing skulls and blood all the time? Wouldn't it be nice to see some weird slugs and neon green slime for a change?
Plus, it would probably be the first FPS to include a pogo stick with exaggerated bounce. Bonus points if you also get to fly the Beans-with-Bacon rocketship.
I don't buy a lot of games, but I think I'd buy Keen3D, if it were done well.
> I personally think that the software update mechanism (where the window pops
> up if there are updates) is great under OS X. You would have to be really
> retarded to ignore it. Maybe Windows and Linux could do with something like
> this ?
Windows has this. (Well, technically it doesn't pop up a window right away,
but a *really* annoying thingydoo pops up above the system tray, repeatedly,
and refuses to give you any peace until you click on it, at which point the
window does pop up then. The average end user can't make it 60 seconds when
the thingydoo activates without screaming to the Computer Guy for help.)
Various Linux distros have various sorts of autoupdate facilities. I don't
know of any that pop up a window, but it would certainly be possible. Even
better IMO would be to just put the updates on a cron job (2am local time or
first thing in the morning if the computer was off at 2am seems reasonable;
equip it with the ability to only use maybe 25% of available bandwidth).
For security updates, why bother the user? Just *do* it. Security updates
aren't supposed to have any incompatibilities or feature changes; just the
fix. Unless it's a kernel bug or something like that that requires reboot,
the user doesn't even need to *know*. Users who do want to know can read the
logs. Users who know enough about what is going on to make their own
decisions about security updates will know where to find the config file;
everyone else should just receive the updates automagically.
Of course, this kind of default policy would mean you'd have to be very
careful about protecting your update servers...
> Unfortunately they never seem to have realized they could avoid the problem
...) or if there's only one button,
> by doing like Opera for example... Dialog:
That would be a pointless guesture for MSIE. Any dialog box with a "Yes" or
"Ok" button never gets read anymore (largely because of the many stupid
idiotic warning and information messages that have been foisted on users
since 1994 or so, such as the one that warns you when you use a search engine
that the search terms are not encrypted (horrors)). People see dialog boxes
so often, the first part they look at is the buttons; if there's a "good"
button that they recognize ("Yes", "Ok",
they just frob the button without any further thought. And, if I used MSIE
I'd be tempted to do this too. It cries wolf over some of the stupidest things.
I should note that the feature is not pointless for Opera, because it caters
to a different demographic, and more importantly because Opera foists fewer
superfluous dialog boxes on the user. Mozilla is also working toward fewer
spontaneous dialog boxes. (If the user clicks a UI element to get the dialog
box, that's okay (e.g., the prefs dialog), but things like unreachable server
errors and whatnot are being changed to error _pages_, that display in the
actual content area, to cut down on the number of dialogs.
> The only character that could plausably display as a blank area is the
> byte with the value 32
Decimal 32 is not a valid character in a URI. Never has been, never will be,
unicode or no unicode. There are important technical reasons for this. If the
value decimal 32 needs to be communicated (e.g., in a GET query string), it has
to be encoded (usually as %20).
> and even that could show an underscore or something
No! Confusing underscore with space would be Very Bad. The representation
for decimal 32 that can be used in a URI is '%20'. This should be displayed
in the location bar as '%20'.
> the text "%00" in the url should not cause the rest to disappear.
Heh. Is somebody programming in C and using the lazy kind of strings?
But in any case, %00 should be shown in the location bar as %00.
> Display all non-ascii characters in a different color.
If the color is hardcoded, this is a serious accessibility problem. (You
*cannot* have hardcoded colors for text. Ever. It's *not* allowed, because
it circumvents necessary contrast settings. Some users who don't see well
need high contrast, and some whose eyes are sensitive to light need low
contrast with the foreground lighter than the background.) Since most
platforms do not provide a system color for this, you have basically two
choices: use the link color, or add another color option to the prefs. The
Evil Anti-Features Jihad will probably not allow you to add a preference
based on such flimsy reasons as "it's needed to provide a security feature",
at least, not without extensive usability testing, so that leaves you
re-using the link color (or perhaps the visited color). Actually, though,
this doesn't seem like a bad solution.
> Display as much of the URL that corresponds to a site you have visited
> before in a different color.
Now, that would be a nice way to re-use the visited color. But what do you
do with a non-ASCII character that's within the part you've visited before?
Also, it should be noted that current browsers may need backend support
for this; changes to the chrome might not cover it, really, because you need
to keep the list of "visited" URIs in such a way that it's easy to look them
up based on the first N characters, and they may not currently do this.
(I suspect that they do not. They probably use a hash table, for reasons
of efficiency. It would be possible to just the domain portion as the basis
for calculating the hash and store the list of URIs at that domain in that
bucket, which would be efficient enough probably, but I suspect that this is
not currently how it is done. This would likely be a significant change and
might break some extensions. So somebody in charge of deciding what changes
get included would have to be convinced it's important. I'm thinking of
Mozilla here, but I suspect other browsers would have similar considerations.)
Actually, I always spot those right away. I'd be slightly less likely to spot
a transposition (e.g., slahsdot.org), though I usually notice those if they
have a strong impact on pronunciation, especially by moving a consonant. The
best bet is probably to transpose a dipthong (e.g., Anonymuos Coward). I
*might* miss that, if I wasn't paying attention. But I would never miss
e.g. s1ashdot.org, because my preprocessor would split that as s 1 ashdot
before I even read it. Numbers and letters are separate categories of
symbols entirely; I'd be no more likely to mistake one for the other than
to mistake an analog clock for a digital one or an icon for a textual title.
Of course, it probably helps that, being a programmer, I refuse to *ever*
use a font that makes different characters look like one another. When I
get a new font, The first thing I do is type chars like oO0 iIl|1!: `'"; if
any two of them look very similar, I throw out the font; I don't want it on
my system, lest I inadvertently select it at some point for something.
> A simple solution is to render characters from a different code page
> than the default in a different color in urls.
For my purposes, it would be perfectly satisfactory if the browser had an
option (just an option, mind you, off by default) in the preferences to
disallow "foreign" characters (i.e., any not from the user's chosen default
character set in URIs, or to ask for confirmation before visiting such a URI.
I understand the value for the world in allowing URIs to contain characters
from any character set, but I personally have no need to visit any URIs with
non-ASCII characters in them. Some users might wish to construct a list of
several charsets that URIs are allowed to come from (most likely their
native charset plus ASCII (or plus Latin-1 maybe)).
Another possibility would be to use a font that simply does not render any
characters outside the user's native charset, but this is undesirable for
me because, being a math geek, I'd like to be able to see page content that
contains, e.g., Greek letters, though the URI and most of the text on the
page would be in ASCII. Really, a confirmation before visiting URIs with
characters not from the user's chosen charset would be the best thing IMO.
> I believe Microsoft intentionally has a slightly broken CSS
I doubt they needed to go out of their way. Any implementation is slightly
broken at first, and then (if you intend to implement the standard as written)
you refine it until it's right. Sometimes things in the standard are quite
inconvenient to implement because of the way in which your implementation
handles certain things. Mozilla went through this, but it was mostly back
in the days when Mozilla was so crashy and buggy that nobody much used it,
back when their milestones were numbered with the letter M (for "milestone")
and a number, before the switchover to the 0.x naming scheme. By the time
0.9 came around, the most glaring deviations had been ironed out already.
All Microsoft did (and yes, they may have made the decision deliberately,
based *partly* on the reasons you point out, but also partly on mere lack of
desire to work hard on something that didn't matter to them) is not bother to
iron out their non-compliance issues. They had (partly for the reasons you
point out, and partly because end users don't know the difference) no
particular motivation to work very hard at adhering to the standard.
In other words, it is unnecessary to attribute overt malice when plain old
garden-variety laziness and ordinary incompetence explain things adequately.
Now, the question of whether Microsoft *would have* deliberatly sabatoged
their standards-compliance if circumstances had been such that that were
necessary to protect their network effect, that is another question. The
answer would probably depend on which person within MS got to make the call.
> Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages
> look like shit in IE. And, no I don't bother to make IE-CSS.
Yeah, but if you think they look bad in recent versions of MSIE, try them in
Navigator 4.08 (which a few people are still using, especially on Mac OSes
prior to X) or (shudder) IE4.
Another tip: just once, spend the time to get a page looking right in MSIE
for Windows, and then try it in MSIE for Mac. Or vice versa. Whee.
Out of fairness, I should point out that there are also still serious
inadequacies in the CSS support in other browsers, including those based
on Gecko, *especially* in regards to printing -- just *try* to get page
breaks where you want them, or even just try to keep it from breaking
pages in a particularly inconvenient place such as between a header and
the paragraph immediately following. *Ugh*.
> The movies, by virtue of being very good movies in this age of visual
> information, will in fact become the standard telling of LOTR. The books
> will become the "other, harder to absorb" telling
I doubt it. Movies have been made from Tolkein's work before and will be again,
and each time the books are used as the primary source, though of course there
are copious quantities of deviation, as always happens with movies. The writing
in the books is of such quality that people who once read a few paragraphs have
soon read the books in their entirety and are discussing finer points excitedly
with anyone else they can find who has read them -- which can be contagious if
there happens to be anyone else present at the time who has not.
Some tales when retold are improved; Cinderella, for example, is of such poor
quality that *several* times it has been retold and the new version became the
standard telling subsequently, most recently the Disney animated flick, which
will certainly not be the last "standard telling", since it is of such quality
(ahem) that it can still stand a large amount of enhancement. However, the
retellers neither look back to the oldest *nor* to the newest retelling that
they can find; they look to the *best* one. Disney retold mostly from the
Perrault story (which was in written form) rather than from one of the many
movie versions already extant at the time, because that version was the best
version up to that time. The Disney version was embellished and made more
interesting than Perrault's, not because it was a movie but because it made
actual improvements to the storyline -- that is why virtually all subsequent
remakes have been based on the Disney flick.
The latest LOTR movies, though fairly good and certainly better than any
previous movie adaptation, are not of higher quality than the original (not,
even, of comparable quality really), and so future retellers will look at the
original; it's better materiel. They can then make their own modifications
and adaptations and, with a lot of work, hope to produce something better
than Jackson's version. It is possible that someone will put together at
some point a version that does exceed the original and become the standard
telling, but this isn't it, not by a longshot, though it's a good deal
closer than the previous movie versions.
The figure they give is what it costs you if your IT department is totally
incompetent and allows the computers to get infected in the first place. An
ounce of prevention is worth a pound of cure. I have a checklist of things
I do to every new computer we get at my workplace. Not all of the things are
security-related (for example, I make sure all the corefonts are installed).
But some of them are. Among these, uninstalling or disabling Outlook is the
most important. Setting up the IP settings to go through the NAT gateway
instead of sitting directly on the internet also helps. Now, this *does*
take some time; by the time I do everything on the list it's 8 or 10 hours
I spend with each new PC, getting it set up before it's deployed. Most of
that is installing and configuring stuff, but probably 1-2 hours of it is
security related. By the time you figure in what I actually make plus the
various other costs of having an employee (retirement system and insurances
and whatnot) that's probably $50 or more per computer that we spend on
preventative maintenance, plus the overhead of maintaining the NAT gateway
(which is not that much) and maybe 15 minutes a day (average) that I spend
on the clock reading headlines on the web (e.g., on slashdot) to see if there
are any major new security issues I should be aware of.
I'm not sure exactly what all that adds up to, but it's a heck of a lot
less than $58,000 per virus that we don't catch.
> Mozilla is good. It's not the end all be all of web browsing.
.pdf but actually will
No, of course not. There are at least fifty improvements I personally am
wanting to see. (Just check the bugs in bugzilla that I'm on the Cc list for.)
> It has some neat features.
Neat? It has some *compelling* features, features without which many sites
(including slashdot) are virtually unusable. Tabbed browsing springs to mind.
Then there are other sites that are unusable without the other seriously
compelling feature, capability policies.
> It doesn't work with all websites. It renders some things stupid.
This is true of all web browsers. I've virtually given up trying to make
layouts look the way I want in MSIE, for example; it's layout engine is
simply too lame to handle resolution-independent layouts. In 1996 when
everyone was still using 640x480 you could just do a rigid inflexible page
design (ultimately, one big imagemap), but with the variety of resolutions
people are using these days, you can't do that anymore. You have to do
layouts that scale -- and MSIE has a very hard time with these.
> It has a tendancy to ignore css pixel sizes
Pixel sizes are very 1996. Today, a pixel could be anywhere from 1/2400th
to 1/640th of the browser's width or even more if the user's not maximizing
(e.g., if they like to keep the icons on the left side of their desktop
visible, or if they just don't understand how maximize works or don't think
it matters). Basically, you have no idea how many pixels you want anything
to be, because you have no idea how big a pixel is. So you size things in
ems or percentages, or let the layout engine determine the correct size.
About the only things I size in pixels anymore are borders.
> It is not without bugs (check bugzilla).
Yeah, but the security bugs in b.m.o are things like, a website could read a
cookie set by a different website, or it is possible for a website to pop up
an unrequested window by tricking the user into rolling the mouse pointer
over something. The security bugs are *not* things like, the browser will
show the user a harmless data-only extension such as
execute the content if the user clicks "open", allowing the code to do quite
literally anything it wants with the user's computer.
> I've also done work for free for some people, and they're never happy- to
:-(
> the point of hassling me every time they see me because they need help with
> some piece of software
I've managed thus far to avoid doing any free tech support work for people like
that, by my policy of only providing free tech support for a select group of
people.
> All in all, refusing to deal with Windows has saved me countless hours
I support Windows for 1: my employer (while I am on the clock), 2: my parents,
3: my pastor, and 4: one other family I'm close to. At work, I also have the
luxury of helping anyone who can bring their problem in to me. (I work at a
public library, so helping patrons is part of my job.) But I don't make house
calls, except for the people listed above. (Actually, I have made exceptions
for two additional people in isolated situations, but not on an ongoing basis.)
I have discovered that most of the problems people have and want my help with
turn out not to be such a big emergency if you ask them to bring their PC to
you for help. The thing that was such a big deal they really wanted me to
come to their house turns out not to be worth their trouble to unplug a couple
of cords and bring the computer to me. I now understand why doctors no longer
make house calls as a general rule.
MacOS 9 and earlier I support at work *only*.
As for Linux, or any Unix (well, only including OS X if the user's problem is
related to the Unix underpinnings), I'd really like to get a users' group
started here in Galion, and in that capacity would be pleased to try to help
someone, if I could only find anybody else in town that uses *nix. The
linuxcounter claims there's another person in Galion, but they don't wish to
be listed, so I don't know who they are
As far as people just asking me questions, I don't mind that, especially if
the questions are fairly sensible or have fairly straightforward answers.
Sometimes I get questions that I'm not able to answer in the way the person
hoped, though. The two most common of these are which ISP is best and which
brand of computer is best. Perhaps my least favorite question like this,
though, is whether some figure is a "good price" for a computer. (Me:
"Well, it depends on the computer..." Them: "It's a [some brand that comes
in 512 different models]" Me: "Yeah, but whether it's a good price depends
on the technical details like how much RAM it has and what video card chipset
it uses and so on..." Them: "It's a [brand name]". Me: "I don't know.")
I get this question a lot, and I hate it, because there's no decent answer.
It's like asking whether $14,699 is a good price for a vehicle and when
asked for more details about the vehicle saying, "It's a General Motors."
> doesent east asia account for 99.985% of all viruses?
Dunno, but they account for roughly that percentage of all the spam I get.
Heck, a full third of the spam I get is in Asian character sets; then there's
the spam that's UTF8 but uses ideographic characters. Then there's the
English-language spam that comes from the same Asian mailservers...
Most of the spam I get that's *not* from Asia is 419 stuff.
> but the line between organized crime and government power seems blurriest
> in Russia at the moment.
Um, the *really* corrupt governments are mostly in the third world. Nigeria,
Columbia, and other small podunk bribe-oriented countries are in a league of
their own, corruption-wise. Russia has nothing on them. (Yes, bribery is a
problem in most countries, if not all. But it's a much BIGGER problem in the
third world.)
> How do they dissect the virus code?
You take the machine code executable and disassemble it into crude, low-level
assembly language. (There is a one-to-one correspondance between individual
low-level assembly instructions and machine code.) Now, you still have a
mess because you don't know right away what's code and what's data. (The
disassembly process pretends it's all code but puts the actual numerical
value of the instruction as a comment in case it's data.) So now you step
through execution either with a debugger or by hand (the latter is called
"desk checking" and takes a while), starting at the beginning, going step
by step. Whenever the code pulls data from a certain location, you mark
that location as definitely data; when it jumps to or otherwise executes an
instruction, you mark that location as definitely code. (Unless the thing
was written by Mel, the Real Programmer, no location is likely to be both.)
Gradually you puzzle out what the thing is doing. (It's not easy.)
> How does it help determine country of origin?
That's another kind of fornesics, wherein you pick some places that got the
thing and figure out where they got it from. If you trace a number of
infections from well-separated places around the internet back several steps
each and most of them got it from the same general area, it's likely that
the thing came from somewhere near there -- though it's hard to be sure.
> How can that lead to finding the writer?
That's harder, but the basic idea is to trace back until you find where the
thing was originally introduced into the wild.
> Do virus writers have their own signatures?
Some may; others may not.
> And are they not smart enough to just not include that in the virus that
> they distribute?
I suspect that in some cases the virus gets loose into the wild before the
writer intends to release it, while they're still testing/revising it.
> in order for worm/spammers to profit from spam, they have to put some
> link back to themselves in the spam, don't they?
To themselves? Directly? No. They have to put something in there that has
to do with whatever they're selling, but that likely can be traced to a
*customer*. A customer who can deny having anything to do with it or any
prior knowledge. ("Yeah, *someone* has been sending out this mail that
mentions us; we got some of it too. But it wasn't us that sent it.) It in
theory is possible to get enough information out of one of these customers
to trace it back to the spammer, but then you still have to prove it.
There's also of course the approach of using packet logging to watch an
infected system and see where the control messages that result in the spam's
being sent are coming from. However, they're probably coming from another
compromised system. Ultimately they come from the spammer/cracker/loser,
but tracing it back can be hard.
I'm not saying they can't be tracked down, only that it's probably not as
easy as you make it sound.
> please take note, and block egress port 25 traffic. Otherwise, you are
> part of the problem.
I don't block port 25 traffic from my network, and my network is *not* part
of the problem. (Of course, I don't allow Outlook on my network either...)
> Wouldn't it be ironic if a worm were to DDoS slashdot.
No, ironic would be if a worm locked down various security holes in the OS,
installed a firewall, disabled known-vulnerable software (e.g., Outlook),
and so on and so forth.
> It is very interesting that Darl & Co haven't yet mentioned this new worm.
> Why? Perhaps Darl & Co put it out there in the first place to make SCO look
> even more like a victim
I very much doubt this. It's not that I think they'd have an ethical objection,
so much as that I really don't think they're that clever. Much more likely it
was created by one of the same losers who created the last six Outlook viruses.
The author is obviously *aware* of the SCO lawsuits, but it's probably a cover
as has been suggested for the worm's real activities and the author's identity.
If a member of the Linux community were to take the trouble to create an
Outlook virus, it would do something more spectacular, such as masquerade as
a "Microsoft Security Control Panel" or whatnot and warn the user about various
vulnerabilities of their system periodically. "WARNING: Your computer has
Windows Messaging service enabled. This service is intended only for use
behind a firewall and is not needed for most users, but could provide a point
of entry for an attacker to take control of your system. It also allows
advertisers to pop up messages on your screen at any time, which could be an
invasion of your privacy. Would you like to disable this service?
[Disable Messenger Service] [Keep Enabled] [Ask Again Later]".
It could pop up a warning like that every couple of days for several months,
warning the user to disable IIS or lock it down a bit, replace Outlook with
a safe mailreader, turn off unneeded CIFS and related services, turn on the
builtin firewall (if the user has WinXP), et cetera, ad infinitum, ad nauseaum.
Or perhaps it would install Mozilla and make it the default browser. Or maybe
it would rotate the user's signature through a repertoire of a couple hundred
anti-microsoft comments. Or change the homepage to point to OSDN. There are
a virtually unlimited number of interesting, creative, mostly-harmless things
that could be done. If a member of the OSS community were to write a virus,
this is the sort of thing it would do. If we wanted to DDOS SCO, there are
easier ways to do that, but what would be the point? It's not as if SCO's
ability to advertise or support their products on their website is in any way
important to their business model at this point.
> I'm not (very) worried about bandwidth
That's because you're only bouncing the text parts. I don't mind that quite
so much (though it still annoys me, getting hundreds of bounces for messages
that I didn't send, just because a bunch of idiots who think it's a good
idea to use Outlook have me in their address book). The real problem is
the AV packages that bounce the entire message, including the attachment.
That adds up to quite a lot of bandwidth. During the last big Outlook virus
outbreak I found that my dialup connection was barely able to keep up with
retrieving my mail as fast as it was arriving, due to all the huge attachments.
(I'm apparently in quite a lot of Outlook users' address books, for some
reason.) At least a third of that consisted of bounced copies.
I long for the days when I used to explain to people why it was impossible to
get a virus by email. Okay, so a lot of the software we had back then sucked;
the browsers sucked quite badly -- but oh, email was better then.
> What is worse, bouncing it, or accepting it?
There's no reason to do either. Just drop it into the bit bucket. You don't
save any bandwidth by rejecting it, since by the time you've detected the
virus you have already incurred the bandwidth burden. So just route it
direct to the dustbin.
> For now, I'd settle for enforcing strict compliance with RFCs
Indeed. I'd pay money to get my ISP to block messages that don't have a
valid Subject: header.
> helo must be a FQDN that can be forward and reverse dns matched with the
> connecting IP would be an excellent start
I've considered merely rejecting mail from sending servers whose IP address
has no PTR record whatsoever. The only problem with this is that it blocks
approximately 110% of the continent of Asia from sending you mail. (Then
again, I'm of two minds about whether that would be bad...)
> I run a mail server with 13000 users! Getting every bounce of these things to /dev/null
/dev/null? Nobody wants them.
> postmaster no matter who sent it would make me route postmaster to
Dude, why don't you just route the "Warning: someone forging your address in
the From field sent us a virus!" messages to
> The original story appears to come from a professional windows admin. By the
> nature of ths OS, that is an easier job to be competent at than a UNIX admin.
Actually, I'd say it's much harder to be a *competent* Windows admin. I have
more experience with Windows than with *nix (though not as *much* more as I
used to have), but I'm definitely more competent with *nix.
> If you need to setup an email / groupware server then go and install MS
> Exchange on a Windows 2000 server. I've done it. Click, Click, Click and
> you're done.
Heh. Rose-tinted glasses you're wearing. More like Click, click, click,
(most of those clicks are on "Next" BTW) and then you're just getting
started, because next week you're going to be googling for some obscure
error message trying to figure out what the heck it means. (Granted, this
happens with Linux too, but less often -- and when it does happen on Linux,
it's usually when you were making changes (e.g., installing a new version),
not out of the blue. Unless you have a hard drive start to quietly go bad,
in which case all *sorts* of weird things happen, as I know from experience.)
> For your clients you can install MS Outlook
Sure, and then your whole network goes down for two days at a time once or
twice per quarter. See, that's what I'm talking about; it's easy enough to
be a novice Windows admin, but competence is harder; you have to learn things
the hard way. For Windows desktops, you install Pegasus Mail for email, or
at least Eudora, or Agent, or *something*. No competent admin would install
Outlook for a fresh deployment unless directly ordered to do so by management,
because Outlook is virtually impossible to keep running smoothly over the
medium term. But you don't find that out (unless you're the kind who does
research on every piece of software before you deploy it) until you've been
running it for a few weeks/months, and by then your users have invested time
in learning it that you don't want to take away from them, so you're stuck
between a rock and a hard place. So you scour the internet for tips on
securing Outlook and Exchange. Now you have to learn five or ten times as
much (as you would have needed to learn if you installed a different option),
because you have to filter all the mail traffic, removing not only certain
content types, but also *any* content-type with certain filename extensions,
and you need to block outgoing connections to port 110 and 143 and 220 and
maybe 993. So you need to set up a firewall that all of your network's
traffic goes through... Now you've branched out into content-filtering
*and* firewalls, two relatively technical subjects, just to keep email
working properly. This is typical with Windows administration.
> Try and do the same thing on UNIX.
It takes longer to be "done" on *nix, yes, but when you're done your
actually mostly done. Say for example you install Postfix. (This is
really hard: in rpmdrake you click on the checkbox for postfix and hit
the "Install" button.) Now, granted, before you're "done" you have to
configure it, because otherwise nothing's going to work. So you fire up
a text editor and read through the config file (which is well commented,
as virtually all config files are on the major distros these days) and
change the options you need to change. Now, this *does* take longer than
installing Exchange, *and* it requires more technical knowledge, such as
how to use a text editor.
However, once you're done you can hire a chimpanzee to administer it, provided
you tie up the chimp so he can't touch anything. Security is mostly a matter
of scanning the slashdot headlines once a day just in case there's a big
exploit (in which case, you fire up the "update" utility, look for a Postfix
update, click its checkbox, and hit "install".)
> What about a web server. Add Remove programs, Windo
> stringing together awk | sed | cut | sort | grep to do things
Ew. I sometimes string together grep and sort with ls, ps, or whatnot, but
when you get the urge to use awk or sed, it's time for a Perl one-liner.
I was greatly disappointed when Duke Nukem got redone as 3D but Commander Keen
didn't. Keen was a much better game than Nukem in almost every respect and
had a lot more vertical action, which would have made for a lot of interesting
possibilities in a 3D version -- platforms up above your head and all that
would make the game play like more than just another Doom clone, as you'd
have to be alert to things going on above (and below) you. Plus, the light,
cartooney spirit of Keen is something the FPS world could really use; I mean,
aren't you tired of seeing skulls and blood all the time? Wouldn't it be nice
to see some weird slugs and neon green slime for a change?
Plus, it would probably be the first FPS to include a pogo stick with
exaggerated bounce. Bonus points if you also get to fly the Beans-with-Bacon
rocketship.
I don't buy a lot of games, but I think I'd buy Keen3D, if it were done well.