Mikko, how do you explain the quote you gave: "The only surprise here is that it came so early...It's been eight days since the beta of the operating system was out." Monad has been out for a while, and is not even in the Windows Vista beta. Yet you are obviously implying that someone took the Vista beta and started pounding away and in only eight days found a vulnerability.
I don't see how you can defend this as anything except pure sensationalism.
Right here. "Microsoft's newest operating system in beta only a week, but already leaky." Eeek!! It claims the viruses "take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code". Only problem is, Monad is not included in the Windows Vista beta code. Then it talks about how they "take advantage of security vulnerabilities in the new command shell". Like the ability to run scripts?
You would think from the way it was presented that "these virus writers found a way to gain administrative rights using Monad" but you'd be wrong. All they are, are some shell scripts. You still need to get the user to run them, they run with the same privilege the user has, etc.
This is the verbatim text of one of the five viruses:
$name_array=get-childitem *.msh foreach ($name in $name_array) { if ($name.Length -eq 249) $my_file=$name.Name } }
foreach ($victim in $name_array) { if ($name.Length -ne 249) { copy-item $my_file $name.Name } }
All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).
The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.
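An added example, not part of the original comment: because the script described above leaves every .msh file in a directory with the same bytes, a defender can spot the aftermath by grouping script files by hash. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def find_identical_scripts(root, pattern="*.msh", min_group=2):
    """Group script files under root by SHA-256 and return the sorted groups
    of relative paths whose contents are byte-for-byte identical."""
    root = Path(root)
    groups = defaultdict(list)
    for path in root.rglob(pattern):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            groups[digest].append(path.relative_to(root).as_posix())
    # Only groups with at least min_group members are worth a look:
    # an overwriting script leaves many files sharing one hash.
    return sorted(sorted(names) for names in groups.values()
                  if len(names) >= min_group)


def build_sample_dir(root):
    """Constructed sample: three scripts that already share one body
    (as they would after being overwritten) and one untouched script."""
    body = b"# constructed stand-in for an overwritten script body\n"
    for name in ("backup.msh", "deploy.msh", "report.msh"):
        (Path(root) / name).write_bytes(body)
    (Path(root) / "clean.msh").write_bytes(b"get-childitem | sort-object Length\n")


def demo(min_group=2):
    """Run the check over the constructed sample directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return find_identical_scripts(tmp, min_group=min_group)


if __name__ == "__main__":
    for group in demo():
        print("identical content:", ", ".join(group))
```

Legitimate duplicates (templates, vendored copies) will also show up, so the result is a list to review rather than a verdict.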
No, I have not, although now I am curious as to who the source was for that quote. James Wallace and Jim Erickson were (or are) Seattle Post-Intelligencer reporters, so I should be able to track them down.
That's an interesting quote which I was unaware of (and yes I did just verify in my copy, the quote is there). Especially when combined with this post lower down in this thread: http://slashdot.org/comments.pl?sid=157889&cid=13227178. So maybe there was a problem with 1-2-3 on DOS 2.0, but it's still very unclear if it was a bug in 1-2-3 or DOS, and proving intent is probably impossible now. The programmer quoted in "Hard Drive" may have heard a mangled version of events from other people (I get this inside Microsoft about events I participated in so I KNOW the story I am hearing is bogus).
The ex-Lotusers I contacted were certainly around Lotus back in the DOS 2.0 days so I would think they would remember intentional sabotage.
Lee Reiswig, the president of the IBM division that developed OS/2 Warp in the early 1990s, styled himself as the "Blue Ninja" in his battle against Microsoft. I think he actually wore a costume a few times.
Search the web for "Reiswig" and "Blue Ninja" for more.
In one sense I can't refute what you say. But I don't know why the *Lotus* people would feel compelled to deny it if it had really happened. Presumably they would have been annoyed about it and looking to vent.
I'll also point out that when I actually researched this article (sent email to the former Lotus employees) I was not working at Microsoft, so I was just a random computer user to them.
I don't claim to be an impartial critic of Microsoft, but at the same time Microsoft won't fire me for saying negative things about the company. They will however fire me (correctly) for leaking NDA information or trade secrets.
Apologies for the lack of updates. We've been heads down getting things finished up for some deadlines. We'll be dropping a new version on betaplace sometime next week. It is about 95+% language complete and interop with existing external programs has greatly improved. We'd love you (and everyone else) to give it a try and let us know what you don't like or how we can make it better. jps
Allow me to recommend a great book for any programmer: Find the Bug. The book has the source code to 50 short programs, each with one single bug hidden within; the challenge for the reader is to find that bug. This combines the problem-solving challenges of a Martin Gardner book with real training in debugging and code reading. Great stuff for propellerheads, and best of all the book provides enough information about the languages used (C, Python, Java, Perl, and assembler) that programmers of all stripes can play along, no matter what their previous experience.
Yeah, I know, it was written by me, but I really think it is a great geek gift.
Failing that, let me recommend the Demon Princes books by Jack Vance (volume 1 and volume 2). The best SF I know. "...the kind of quick, paradox-savoring intelligence -- the capacity, present even among men of power, to forget caution in the love of ironic wit and abstract thought" - Adam Gopnik.
Half-amusing, half-scary piece from kausfiles (from back in June), speculating that different groups of terrorists might favor different candidates: Quote: "The prospect ahead of us might not be just competing ad campaigns for the U.S. presidency but competing terror campaigns for the U.S. presidency, with anti-Bush bombs going off in Baghdad and pro-Bush bombs going off in New York."
Indeed. Part of the interview is interesting, but the parts about Java and Windows are just market-speak. vi is a great editor, but Joy seems to have turned into a giant tool.
I think before micropayments are discussed too much, there should be some agreement on what dollar amount constitutes a micropayment. My argument against micropayments has always been that because processing a micropayment has about the same fixed costs as a regular payment, the cut that processing companies take will be so high that micropayment systems will be doomed.
For example consider the following question about minimum credit card charges.
The retailer says that she pays Visa 3 percent of charges PLUS A FLAT 30 CENT FEE PER TRANSACTION. That's why Visa can get away with allowing one cent charges, because in fact the merchant still pays them the 30 cents (and loses 29 cents of course).
And it's not like 30 cents is what it costs Visa. It probably costs them much more than that per transaction. But they make enough money on the percentage of $1000 transactions that they can charge only 30 cents for a very small one. With micropayment systems, however, they have no big transactions to help cover the cost of the small ones.
So my argument is that micropayments can't work because of the fixed overhead. BUT, one thing is that when some people talk about micropayments they can mean some pretty big amounts. I saw one article that defined a "micropayment" as anything under $2.50. Come on, you can buy lots of actual real useful goods for $2.50 today. If you go to a store and buy a magazine for $2.50 is that a "micropayment"? I think not.
So I think there should be some discussion over the boundary line for micropayments.
To me micropayments are so small that you don't even think about them individually, and they are therefore charged a lot -- for example paying something each time you view a page on a site. The per-second charges on cell phones are like that (per-SECOND I said, that is, just pennies at a time) -- nobody really worries about talking for an extra second or not. Personally I would say the micropayment cutoff should be around one cent, certainly under five cents, but that's just me.
This was in the Guinness Book of World Records, I think. They even provided a supposed definition (thieves trying to steal something from a Welsh valley etc).
I learned to touch type back in high school, but now I type with three fingers (two on right hand, one on left). Most people are still amazed how fast I can type. But one thing is, because I learned to touch type first, I know where all the keys are. If you are really "hunting and pecking" then you will be slow. But if you know where the keys are, just use fewer fingers, I doubt it will hurt. After all how often in programming are you thinking faster than you can type?
And for what it's worth, Dave Cutler pounded out most of the NT kernel using two fingers.
I got my stylin' Thumbdrive Touch (with 21st-century-compliant biometric touchpad) just to look bitchin' on my keychain. I didn't store anything on it, what kind of propeller-head would actually do that?
Of course then the cover (the plastic part with the hole that you use to put it on a keyring, which probably costs about 40 cents wholesale) broke and now I can't even find the damn thing.
If you used a Wizard produced by a compiler licensed under the GPL...where obviously the source code that the wizard generates for you is contained *somewhere* in the GPLed source of the compiler...is the resulting code a "work based on the Program" and therefore the whole thing is covered by the GPL?
Can I use GPL-covered editors such as GNU Emacs to develop non-free programs? Can I use GPL-covered tools such as GCC to compile them?
Yes, because the copyright on the editors and tools does not cover the code you write. Using them does not place any restrictions, legally, on the license you use for your code.
Some programs copy parts of themselves into the output for technical reasons--for example, Bison copies a standard parser program into its output file. In such cases, the copied text in the output is covered by the same license that covers it in the source code. Meanwhile, the part of the output which is derived from the program's input inherits the copyright status of the input.
As it happens, Bison can also be used to develop non-free programs. This is because we decided to explicitly permit the use of the Bison standard parser program in Bison output files without restriction. We made the decision because there were other tools comparable to Bison which already permitted use for non-free programs.
This makes it pretty unclear. A Wizard is certainly "copy[ing] parts of themselves into the output for technical reasons". It sounds like Bison has an explicit exception for this case, but that's just pragmatism because other comparable tools existed.
You may be overwhelmed by the size of the task ahead of you. One way to help is to set a series of intermediate goals. So you say, "within the next hour I will have the data structures defined" or "by 9 pm I will have coded up the main input routine."
Then you can promise yourself that once that is done, you will give yourself X amount of time to goof off, surf the web, ask questions on slashdot, etc. Then it's back to the next goal. Or you can say that if you finish the goal early, then you will allow yourself to play for the unused time...if you fool around too much in the middle, you won't get the free time allowance.
This gives you a sense of accomplishment as you realize you have done *something* and you don't spend mental time stressing over your lack of results so far. Don't worry too much about trying to balance each goal to be the same amount of time, etc. just make it something that shows good forward progress.
Now of course setting goals takes time, so it will cost you some time to do this...but the overall result should be more productivity given the work habits you describe. The shorter the time period for each goal (i.e. is it half a day's work or 15 minutes' work) then the lower your "work to planning" ratio is, but for some things you may really need to do some microplanning to get going.
You also should try to identify what part of the work you find the hardest to get done. For example when I am writing code I find actually typing in the code the first time to be the hardest part...I can design the algorithm/etc OK, and then once I have the first version typed in I can get it compiling no problem, then debugging is a cool mental challenge. But the part where I just type in all the variable declarations and for loops and whatnot is the hardest to avoid procrastinating during.
So if you can figure that out, then you can focus on getting over that hump (set goals of the shortest duration during that time).
The South African proposal says "Where standards used when executing programs are made known, enabling users to develop complementary programs to provide inputs and utilise outputs, they are referred to as open standards."
This is too simplistic a view because it ignores patent and licensing issues. Is PDF open? Is Flash/SWF open? Is MP3 open? Is MPEG open? All those formats are "made known", and users can develop programs...of course they may have to pay a bit or submit to certain restrictions.
Now, ONE of the formats I listed there really is open. Do you know which one? I encourage you all to go to the Open Data Format Initiative site and join the mailing list, where we are hashing out just exactly what an open format should be for government use.
Read Lee's post or my post for more opinion.
- adam
I'll quote it for you "I only read at +2 folks":
Apologies for the lack of updates. We've been heads down getting things finished up for some deadlines. We'll be dropping a new version on betaplace sometime next week. It is about 95+% language complete and interop with existing external programs has greatly improved. We'd love you (and everyone else) to give it a try and let us know what you don't like or how we can make it better. jps
A little respect for the Monad Man, please.
- adam
For example consider this from the GPL FAQ:
Can I use GPL-covered editors such as GNU Emacs to develop non-free programs? Can I use GPL-covered tools such as GCC to compile them?
Yes, because the copyright on the editors and tools does not cover the code you write. Using them does not place any restrictions, legally, on the license you use for your code.
Some programs copy parts of themselves into the output for technical reasons--for example, Bison copies a standard parser program into its output file. In such cases, the copied text in the output is covered by the same license that covers it in the source code. Meanwhile, the part of the output which is derived from the program's input inherits the copyright status of the input.
As it happens, Bison can also be used to develop non-free programs. This is because we decided to explicitly permit the use of the Bison standard parser program in Bison output files without restriction. We made the decision because there were other tools comparable to Bison which already permitted use for non-free programs.
This makes it pretty unclear. A Wizard is certainly "copy[ing] parts of themselves into the output for technical reasons". It sounds like Bison has an explicit exception for this case, but that's just pragmatism because other comparable tools existed.
- adam
I thought you could use NULL to calculate structure offsets, so with something like
struct _x {
    int a;
    int b;
};
it was legal to say &(((struct _x *)NULL)->b)
to figure out the offset of b within the structure?
So I agree, it seems like pretty basic tips, not any sort of "best practices" thing.
- adam
Is that private screening room the recreation of Bag End in a New Zealand hillside that he talked about in the FOTR EE director's commentary?
- adam