Working for a small ISP back in '96 or '97... User calls in, has the typical "I can't connect" problem. Go through the paces with him to make sure the software's installed (Windows 3.1 I think), etc. etc. Nothing working. Finally ask the guy, "Is your modem plugged into the phone jack?"
User: "Modem? What the hell is a modem? I don't need one of those. The Internet is supposed to be on these two floppy disks you mailed me."
Good times.
The site is so slow and half the fucking features broken so often that it's practically impossible for regular users to find people, let alone predators. Seriously, I'm embarrassed for the folks that run that thing... It seems to me that the same 13 year-olds that make up the majority of the user base are also the ones responsible for maintaining the site. You'd think with as much cash as they probably have on hand now they'd be able to get their act together.
I think that it may be a bit of a mischaracterization to say that admins are "avoiding" SP2 -- at least in larger, more security-conscious enterprises. The reality of the matter is that big roll-outs like SP2 take a while to lay the groundwork for.
Only the laziest and most incompetent of system administrators would just blast SP2 out into their environment without testing it first on their systems. That QA process needs to involve all of the environment's different system types and software. For a small shop, that might take a few days or weeks. But for a large organization with potentially dozens of hardware variations and hundreds of pieces of software to QA, that process takes much longer. That's not to mention the fact that any issues with critical software have to be dealt with before the roll-out can begin en masse.
According to the folks I've talked to in other large enterprises, it also seems that organizations are tending to combine their SP2 roll-out with other standardization efforts that would also need their own QA-retrodevelopment cycle. At my shop, for example, we're combining our SP2 roll-out with a project removing local users from the "Local Administrators" group on their PCs, leaving them with Power User rights only (combined with SP2, bye-bye spyware). As you might imagine in a 22,000+ client environment with more than 300 apps to QA, it takes a while. Other people I've talked to are combining SP2 with roll-outs of other updates (anti-virus, etc.), too, so that probably helps explain the lag also.
I guess my point is that, yeah, it's been released for quite some time, but there are most likely reasons beyond "Oh no! It might bluescreen my boxes!" that administrators haven't applied it yet.
Amen! I've posted my criticisms of MySQL here before, only to be taken to task by the unwashed masses of MySQL "admins".
The reality of the matter (that you articulated quite eloquently) is that MySQL has never been a true RDBMS due to its lack of features. The aspect you mentioned of MySQL encouraging poor development habits is one that I hadn't thought to mention, though I deal with it on a daily basis.
Far too often, I find myself assigned to clean up after several developers in another department here who create disasters of database-driven crapplications on MySQL without following the most basic tenets of database design (referential integrity, normalization, etc... If I had a dollar for every time I've come across one of these guys' big, honking, 74-column tables, followed by someone asking me "Why are there so many 'dupes' in this table?"...<deep breath>).
For the longest time, I couldn't figure it out. Were they lazy? No, I had personally witnessed their work-ethic -- which was solid -- and they always got their deliverables in on time, spending lots of extra time in the office (there's a reason for that, of course...). Were they incompetent or unskilled or just dumb? No... All three of them always wrote very stable, elegant (albeit copious) application code. Although, with the shitty DBs they created, I guess they had to write a lot of application code -- lots and lots and lots of it -- to just make their stuff work. Anyway...
Eventually, a position in my department opened up, and my one-table friends decided to apply. In my interviews with them, I discovered that before working here (where they're occasionally exposed to Oracle, Sybase, and SQL Server), they had experience with only one database platform. Take a guess what it was. Think hard...
Needless to say, they didn't get the job (although I now have two of them writing application code ONLY... and they're pretty f'ing good, interestingly enough). Obviously, they're an extreme example, and I can't fairly attribute their shortcomings solely to using MySQL. But it certainly didn't help (I mean why bother creating a normalized schema when you can't ensure referential integrity at the DB level anyway, right?). Sure, they could have found a way to learn the skills somehow or they could have been more curious or driven to learn, and maybe they just aren't interested in DB stuff and maybe they shouldn't be being asked to do it, I dunno. But after seeing their resumes, I haven't hired one person -- not a single one -- who doesn't have database experience outside of MySQL. I just can't see a MySQL-only person fitting into an Oracle or Sybase or, heck, SQL Server world (yet, I guess).
Anyway, rambling aside, I think the moral of the story is that using robust tools lends itself to building robust skills, particularly in the realm of RDBMSs. MySQL isn't evil and it isn't a bad little database platform for happy little applications, and I'm sure a ton of now very-skilled DBAs and developers might have gotten started using it. But a true RDBMS it has not been, for ten freakin' years. And more importantly, MySQL skills do not real DBAs make.
Anyway, if it is in fact now a competitive product, I guess my colleagues and I will have to stop jokingly calling it "Access for Programmers". But if it stacks up and (FINALLY) does what a lot of us need a DB to do, with the speed and stability it's already known for, I'll throw it behind one of my apps tomorrow. I've got my fingers crossed, but after 10 years of persistent let-downs, don't blame me for not holding my breath.
Again you seem more interested in poking semantic holes in what I said than you are in examining or speaking to my actual point, or Martin's.
Since you asked, my point is that your post was entirely trite, ignorant, and had little -- if any -- relevance to the topic at hand... "Nobody outside of Microsoft 'knows' Windows blah blah blah" has no productive value whatsoever to speak of, and has absolutely nothing to do with the meaning of the quote that you pasted in yourself. Instead of debating the merits of what Martin had to say or offering your own views on the topics being discussed, or saying anything of any value whatsoever, you chose to sophomorically twist a particular sentence to take a shot at commercial software by using a simple semantic device (with a single monosyllabic word). Real good job. With that kind of probing insight, the Slashdot community is lucky to have you.
You or I cannot fix security related bugs in Microsoft Windows within hours after they become publically (sic) known...
And I think that proves what I'm saying. You're missing the entire point (Martin was talking about the number of people available to make things using Windows; you're talking about the number of people available to alter Windows... two very different things indeed). Again. So contrary to what I said above, maybe you're not childish; perhaps you're just ignorant. I can't really be sure. Regardless, just like your first post, that statement demonstrates the same misunderstanding of the topic that you, yourself, brought up.
Oh, and since you seem to enjoy semantics so very very much:
Your claim that I'm having a conversation with myself would be a lot more convincing if you had not replied to what I said.
I merely said you were welcome to have a conversation specifically about "a reasonable definition of knowledge", and that topic is so pointless and irrelevant that you'd be having it with yourself. For someone so eager to make arguments based solely on language, you should probably pay a little closer attention.
Yeah, you're right. As a non-Microsoft employee, I'm entirely incapable of designing, developing, and implementing, say, an enterprise-wide solution based on Windows for a large user population because I haven't seen Windows' source-code. Riiiiiiight...
From a practical standpoint, you or I or any other skilled person can accomplish just about any goal set in front of us using Windows or OSS or whatever as our "tool". The reality that Martin's talking about -- and this extends beyond just Microsoft people -- is that there are a lot more people out there that just get houses built, and don't waste their time dealing with knowing specifically how the concrete in the foundation was made -- only whether it'll support their building or not.
While that's not a perfect metaphor, Martin isn't talking about some abstract theory or guiding philosophy there; he's talking about real people on the street, able to make real things for other real people to pay for (or heck, not pay for).
I think one of the biggest things to take away from Martin's comments is that all this silly Anti-MS vitriol is a pretty big waste of time. It's tired, it's boring, and it's pointless (same as MS's laughable anti-OSS FUD). So you can play the semantics game all day, and sit here and have a conversation with yourself about a "reasonable definition of knowledge" if you want to. In the meantime, I'll be making things using the best tools for the job, and not worrying about things that are -- for most of us -- pointless trivialities.
Without any specific details on the failure or what exactly happened, it seems like this is a huge admin error. My guess is they're using something like Altiris to do their builds, and if an admin were to accidentally "drop" the package meant for the test group on to the production group, wham-o... every PC starts installing a build that probably isn't meant for them, and won't work. And you can imagine how that would go.
As much as I'm sure the zealots among us would like to make this seem like a Windows failure, it looks like it's more of an example of how outsourcing leads to disconnected, incompetent, and unmotivated IT staff. And that, of course, leads to mishaps like this.
Either way, if you work for a company that brings EDS in house in any way, drop your shit and run. And don't look back. The flash could be blinding.
The scenario above is true. But I have news for you: SQL injection attacks work with more than ASP.NET. Even <gasp> PHP. Anyone who's dumb or lazy enough to dynamically build queries based on user input and still doesn't -- at least -- execute some serious validation of the input should be fired. Period. And it's not hard. A simple regular expression can prevent injection attacks. Also, using parameterized stored procedures (which is quite easy with ASP/ADO.NET) adds a second layer of protection that avoids the vulnerability altogether.
Also, the threat is a lot more serious than you describe. You can do a whole lot more than gain access to a protected site. There's nothing to stop anyone from doing something like
' go drop table tbl_whatever go --
If the account used to connect to the DB has sufficient permissions, bye bye table (obviously you'd have to know the name or iterate through them in sysobjects).
Ultimately though, this has ZERO to do with ASP.NET, but has everything to do with the person who developed the specific app. If you have an unchecked input that winds up being executed against the DB, you're screwed no matter what language you write it in. And I'd really like to know where exactly you got the 1 in 3 figure. I'm guessing somewhere near the end of your digestive system.
So, if you are a site administrator whose app is vulnerable (be it written in ASP.NET, ASP, PHP, whatever), rewriting your app in a different language isn't indeed a necessary solution. You can ignore the FUD above and simply hire a real developer to add some simple input validation and make the DB access a little smarter, and you're set.
Premium customers generally include very large organizations with large userbases (think 10,000+). My understanding is that you don't necessarily pay "extra" to be a Premium customer, so much as it's negotiated as a part of your entire enterprise-level agreement with MS.
The poster clearly doesn't know what s/he's talking about, and is obviously just looking for something to cry about. Same old /. FUD.
The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.
And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.
Most of the anti-MS FUD on /. is at least informed and grounded in reality. This is totally reactionary, underinformed cry-babyism.
These idiots should be more like responsible, Republican activists and get involved. By, say for example, manipulating the system and disingenuously signing petitions to enable a third-party nobody to steal votes from their candidate's opponent. Now that's responsible politics.
UnsaltedButterRules writes: "Somebody's-blog-somewhere-has-gotta have a great article discussing how plain, unsalted butter sold at stores such as Piggly-Wiggly, and the growth of unsalted butter consumption has made unsalted butter a 'key business risk' for our friends in the salted butter industry. The story notes that unsalted butter's market share for bread-buttering alone has already surpassed soy spread's. Says the Unsalted Butter Initiative's H.E. Pennypacker, 'The sinister plan for a buttery -- but altogether saltless! -- world is right on schedule.' All right!"
If nobody's written that article, could someone get on it please? It wouldn't be quite -- quite -- as interesting as this one, but at least it'd be NEW. I'd much rather read that article than "This Week's 2374th Some-People-Bought-Some-Linux-Stuff-Somewhere-So-Let's-Jump-To-Some-Conclusions Article".
And don't ask why I used un/salted butter above. I'm really not sure... <scared>
Re: a few extra notes from someone using OSS (on "Evaluating Open Source") · Score: 4, Insightful
While I would say "B", as I'm assuming you would, I don't know that you're right for the reasons you might think you are.
While I'd agree that a Python/Debian/Postgre/Apache developer is probably more adept, I don't think it has to do with the language. It has to do with the fact that (generally speaking, of course) OSS people are more heavily self-taught amateurs-turned-pros. To me, that displays a passion for the craft that others might not have (though to be fair, many MS-based developers are self-taught too, albeit on systems that are much less in-your-face from a learning perspective... OSS developers have to spend a fair bit of time learning the systems first, before the development skills, while MS'ers don't necessarily). Add to that my opinion that autodidacts have skills that are generally more flexible and adaptive, and "B" is definitely preferable.
But the differentiator is not the language. In reality, while B is better than A, a developer that can excel at both A and B is better than either an A or B; a truly gifted developer isn't limited by language. Overall, B is more desirable to me because I know a B has likely invested more time and passion in learning and honing their skills, not because they know <insert language here>.
I'm no expert either, but I would guess that life in prison has its own deterrent effect. Perhaps sentencing a murderer to life in prison prevents, say, 6 (or maybe 14, if you go the other way) murders. Note that the statistic in the article doesn't compare capital punishment to life in prison; it's only meant to quantitatively demonstrate the deterrent effect of capital punishment in and of itself.
I think it's bull too, to a degree. But that's how economists work... Crazy bastards. ;-)
One thing I want to preface my full answer with is that I think people toss a lot of things under the heading "usability", without really knowing what it means. I, not really knowing what "usability" means (I have friends with Masters Degrees in Human-Computer Interaction, and there's no way I'd claim to know as much as them), I'll define it for the purposes of answering the question: "Usability" is the concept of making an application, OS, or other piece of software easier and more efficient to use through employing an intelligent and consistent graphical interface design. While I'm sure it entails more than that, I'll just talk about that much.
There.
Now for my answer: Usability has nothing at all to do in any way with the basic, underlying security of a piece of software, with one exception.
Although the issue gets more difficult to deal with as the complexity of a particular application grows, if we use the definition of "usability" above, it's pretty simple. An interface design shouldn't really ever be able to make an application less secure (now obviously if the interface application itself has underlying vulnerabilities, that's a different story). How you navigate, manipulate, and "use" an application or OS doesn't affect how secure or insecure the underlying code is. Except in one way...
The one way in which striving for better "usability" could make an OS or application less secure has to do with the interface used to administer security in that OS or application. If the interface design for that piece of the software is not as "usable" as it could or should be, the security of the application or OS could be compromised.
Other than that, "usability" as a discipline isn't to blame for vulnerabilities. Microsoft does play the usability game really well. While a lot of it is subjective, it generally does a good job at making the interface consistent, efficient, and intuitive. Windows is also insecure. But that has only to do with more underlying, structural problems with the OS. Let's not confuse things like the Administrator rights requirement, for example, with "usability" issues; things like that are software design flaws, not interface design flaws, and I think acknowledging the difference helps in attacking the problems.
Better usability != less security. At least not always. If anything, it's my opinion that improved usability makes software more secure, in that it can make it easier to make software more secure with improved interface design. But that's just me.
Why has Microsoft's marketing team picked the name of an animal that was proven in the marketplace to be 1. difficult to transport (picture horns sticking out of cattle cars or OS boxes sticking out of Fed Ex trucks) 2. difficult to maneuver without being gored?
While I know your post is meant to be funny, I thought I'd point out that MS's recent projects have been named after skiing destinations: Blackcomb, Longhorn, Yukon, Whidbey(not sure about that one), etc... Though it's definitely not as funny as the image of somebody getting run down and gored by a software box, I just thought I'd point that out as an FYI.
I agree. I'd say that this agreement is one of just a few small steps to bringing Linux to the masses.
The two big things I still hold against Linux aren't huge hurdles, but they're big enough to keep it out of the mass-market. One you mentioned: driver support. The HP agreement should make for a big step forward in that area, in that -- as you said -- when HP ships the system, it'll have to work when the customer opens the box (in as much as any other HP PC does ;-). That means that customers that purchase an HP system with Linux generally won't encounter driver issues. That's a big plus in the perception arena. I'm sure many people get turned off by Linux the first time they experience the lack of a driver for a key component -- and it's probably the last time they give Linux a chance. This deal should at least help to change all that.
The other thing is something you touched on a part of: Usability (not to be confused with functionality... usability in the design/psychology sense). You mentioned software installation, which is very true, but that's just one specific example of how Linux generally falls short compared to Windows and OS X in the area of usability. Things like interface consistency, standardized package installation, and practical aesthetics are key, and Microsoft and Apple spend lots of time and money on making their products more "usable", from an interface design perspective. And so far they've succeeded -- comparatively, anyway.
So the HP deal is the first step in jumping the first hurdle. I'm sure that coming releases and the community in general will address the second, and that you're right: the days of lock-in are numbered. And thankfully so.
It seems to me to be a bit foolish to rely on such an outdated infrastructure to supply broadband service. While the telco infrastructure isn't much better, I've experienced fewer instances of losing dialtone than I have power in the last few years. And not only that, the power infrastructure is much more prone to wide-spread, catastrophic failure than is the phone infrastructure (Hello, east coast outage last fall?).
IMHO, wireless seems to be the answer from both consumer and business perspectives. While the consumer enjoys the added flexibility wireless broadband affords them, providers enjoy a cheaper, easier to support infrastructure. I guess I could sum it up by saying, "Wired broadband is soooo 1990's." ;-)
Great, so there's foreign key constraints. My bad! Column, named, and table will "follow shortly". I'll take three-outta-four. How about triggers? What about the backticks? What about the case-sensitivity? Any answers there, kid? Am I WRONG about those issues?
And yeah, they ARE talking about PL/SQL stored procedures. So am I! The point is that real, commercial-grade RDBMSs ALL support PL/SQL SPs. Are you not reading what I'm writing? Or have they just not covered that in CompSci I yet?
INNODB tables... blah blah blah
I can't believe you're still missing the point.
InnoDB Hot Backup is a non-free additional tool
I don't see "mySQL" in that product's name. Do you? It's an "additional tool". Maybe I'll look at mySQL when, oh, I dunno, they have integrated online backups like every other real, commercial-grade RDBMS that don't require an "additional tool".
This link says it all when it comes to whatever delusions you have about mySQL being commercial-grade and/or standards-compliant.
And for the last time, I'm not talking about SQL Server specifically. I'm talking about it and every single other major commercial-grade RDBMS. If you're not rational and intelligent enough to not let your Microsoft hatred blind you into believing mySQL is something it just plain isn't, I can't help you.
And finally, if your basis for determining one product's superiority over another is the number of links on Google (and no, I'm not going to click that link, smarty), I don't think I have to say much more. Once again, leave the real DBAs to talking about and dealing with these issues, kid. Stick with other kid stuff like trying to sneak the hackneyed old Google/goatse.cx trick into your posts. Because that really goes to show what children like you know about database administration.
Either way, if you work for a company that brings EDS in house in any way, drop your shit and run. And don't look back. The flash could be blinding.
The scenario above is true. But I have news for you: SQL injection attacks work with more than ASP.NET. Even <gasp> PHP. Anyone who's dumb or lazy enough to dynamically build queries based on user input and still doesn't -- at least -- execute some serious validation of the input should be fired. Period. And it's not hard. A simple regular expression can prevent injection attacks. Also, using parameterized stored procedures (which is quite easy with ASP/ADO.NET) adds a second layer of protection that avoids the vulnerability altogether.
Also, the threat is a lot more serious than you describe. You can do a whole lot more than gain access to a protected site. There's nothing to stop anyone from doing like If the account used to connect to the DB has sufficient permissions, bye bye table (obviously you'd have to know the name or iterate through them in sysobjects).
Ultimately though, this has ZERO to do with ASP.NET, but has everything to do with the person who developed the specific app. If you have an unchecked input that winds up being executed against the DB, you're screwed no matter what language you write it in. And I'd really like to know where exactly you got the 1 in 3 figure. I'm guessing somewhere near the end of your digestive system.
So, if you are a site administrator whose app is vulnerable (be it written in ASP.NET, ASP, PHP, whatever), rewriting your app in a different language isn't indeed a necessary solution. You can ignore the FUD above and simply hire a real developer to add some simple input validation and make the DB access a little smarter, and you're set.
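As an added example (not code from the original post), here is the same login check written the two ways the post contrasts, in Python with an in-memory sqlite3 table standing in for whatever DB the app talks to: the string-built query beside the parameterized one, plus an allow-list regex as the validation layer the post describes. The table, user and password are constructed sample data.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table behind a "protected site".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    # The pattern the post is complaining about: user input is pasted straight
    # into the query text, so a quote in the input becomes SQL syntax.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, pw):
    # Values are bound separately from the statement; the driver never lets
    # them be parsed as SQL, whatever characters they contain.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


# Allow-list for a field whose shape is known. A password has no such shape,
# so it is protected by binding alone, not by filtering.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def login_defended(conn, name, pw):
    # Both layers from the post: reject input that is not a plausible
    # username, then bind whatever survives as a parameter.
    if not valid_username(name):
        return False
    return login_parameterized(conn, name, pw)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic tautology in the password field
    print("vulnerable  :", login_vulnerable(db, "alice", probe))     # True
    print("parameterized:", login_parameterized(db, "alice", probe))  # False
    print("defended    :", login_defended(db, "alice", "s3cret"))    # True
```

The vulnerable version returns True for the bogus password because the query text becomes `... AND pw = 'x' OR '1'='1'`, while the bound version compares the whole string against the stored password and fails.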
Yeah. Windows XP caused your hard drive to physically fail.
That's like saying the radio station you were listening to in your car caused your tire to go flat.
You better be careful with VS.NET... You might write something that causes your neighbor's house to catch fire.
Idiot.
Premium customers generally include very large organizations with large userbases (think 10,000+). My understanding is that you don't necessarily pay "extra" to be a Premium customer, so much as it's negotiated as a part of your entire enterprise-level agreement with MS.
The poster clearly doesn't know what s/he's talking about, and is obviously just looking for something to cry about. Same old /. FUD.
Most of the anti-MS FUD on /. is at least informed and grounded in reality. This is totally reactionary, underinformed cry-babyism.
The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.
And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.
These idiots should be more like responsible, Republican activists and get involved. By, say for example, manipulating the system and disingenuously signing petitions to enable a third-party nobody to steal votes from their candidate's opponent. Now that's responsible politics.
UnsaltedButterRules writes: "Somebody's-blog-somewhere-has-gotta have a great article discussing how plain, unsalted butter sold at stores such as Piggly-Wiggly, and the growth of unsalted butter consumption has made unsalted butter a 'key business risk' for our friends in the salted butter industry. The story notes that unsalted butter's market share for bread-buttering alone has already surpassed soy spread's. Says the Unsalted Butter Initiative's H.E. Pennypacker, 'The sinister plan for a buttery -- but altogether saltless! -- world is right on schedule.' All right!"
If nobody's written that article, could someone get on it please? It wouldn't be quite -- quite -- as interesting as this one, but at least it'd be NEW. I'd much rather read that article than "This Week's 2374th Some-People-Bought-Some-Linux-Stuff-Somewhere-So-Let's-Jump-To-Some-Conclusions Article".
And don't ask why I used un/salted butter above. I'm really not sure... <scared>
While I would say "B", as I'm assuming you would, I don't know that you're right for the reasons you might think you are.
While I'd agree that a Python/Debian/Postgre/Apache developer is probably more adept, I don't think it has to do with the language. It has to do with the fact that (generally speaking, of course) OSS people are more heavily self-taught amateurs-turned-pros. To me, that displays a passion for the craft that others might not have (though to be fair, many MS-based developers are self-taught too, albeit on systems that are much less in-your-face from a learning perspective... OSS developers have to spend a fair bit of time learning the systems first, before the development skills, while MS'ers don't necessarily). Add to that my opinion that autodidacts have skills that are generally more flexible and adaptive, and "B" is definitely preferable.
But the differentiator is not the language. In reality, while B is better than A, a developer that can excel at both A and B is better than either an A or B; a truly gifted developer isn't limited by language. Overall, B is more desirable to me because I know a B has likely invested more time and passion in learning and honing their skills, not because they know <insert language here>.
I'm no expert either, but I would guess that life in prison has its own deterrent effect. Perhaps sentencing a murderer to life in prison prevents, say, 6 (or maybe 14, if you go the other way) murders. Note that the statistic in the article doesn't compare capital punishment to life in prison; it's only meant to quantitatively demonstrate the deterrent effect of capital punishment in and of itself.
;-)
I think it's bull too, to a degree. But that's how economists work... Crazy bastards.
It was released two weeks ago, rated "critical". From the 10th line of your link: "Maximum Severity Rating: Critical"
How you didn't see that is beyond me.
... but my answer is: it shouldn't.
One thing I want to preface my full answer with is that I think people toss a lot of things under the heading "usability", without really knowing what it means. Not really knowing what "usability" means myself (I have friends with Masters Degrees in Human-Computer Interaction, and there's no way I'd claim to know as much as them), I'll define it for the purposes of answering the question: "Usability" is the concept of making an application, OS, or other piece of software easier and more efficient to use through employing an intelligent and consistent graphical interface design. While I'm sure it entails more than that, I'll just talk about that much.
There.
Now for my answer: Usability has nothing at all to do in any way with the basic, underlying security of a piece of software, with one exception.
Although the issue gets more difficult to deal with as the complexity of a particular application increases, if we use the definition of "usability" above, it's pretty simple. An interface design shouldn't really ever be able to make an application less secure (now obviously if the interface application itself has underlying vulnerabilities, that's a different story). How you navigate, manipulate, and "use" an application or OS doesn't affect how secure or insecure the underlying code is. Except in one way...
The one way in which striving for better "usability" could make an OS or application less secure has to do with the interface used to administer security in that OS or application. If the interface design for that piece of the software is not as "usable" as it could or should be, the security of the application or OS could be compromised.
Other than that, "usability" as a discipline isn't to blame for vulnerabilities. Microsoft does play the usability game really well. While a lot of it is subjective, it generally does a good job at making the interface consistent, efficient, and intuitive. Windows is also insecure. But that has only to do with more underlying, structural problems with the OS. Let's not confuse things like the Administrator rights requirement, for example, with "usability" issues; things like that are software design flaws, not interface design flaws, and I think acknowledging the difference helps in attacking the problems.
Better usability != less security. At least not always. If anything, it's my opinion that improved usability makes software more secure, in that it can make it easier to make software more secure with improved interface design. But that's just me.
Why has Microsoft's marketing team picked the name of an animal that was proven in the marketplace to be 1. difficult to transport (picture horns sticking out of cattle cars or OS boxes sticking out of Fed Ex trucks) 2. difficult to maneuver without being gored?
While I know your post is meant to be funny, I thought I'd point out that MS's recent projects have been named after skiing destinations: Blackcomb, Longhorn, Yukon, Whidbey (not sure about that one), etc... Though it's definitely not as funny as the image of somebody getting run down and gored by a software box, I just thought I'd point that out as an FYI.
I agree. I'd say that this agreement is one of just a few small steps to bringing Linux to the masses.
;-). That means that customers that purchase an HP system with Linux generally won't encounter driver issues. That's a big plus in the perception arena. I'm sure many people get turned off by Linux the first time they experience the lack of a driver for a key component -- and it's probably the last time they give Linux a chance. This deal should at least help to change all that.
The two big things I still hold against Linux aren't huge hurdles, but they're big enough to keep it out of the mass-market. One you mentioned: driver support. The HP agreement should make for a big step forward in that area, in that -- as you said -- when HP ships the system, it'll have to work when the customer opens the box (in as much as any other HP PC does
The other thing is something you touched on a part of: Usability (not to be confused with functionality... usability in the design/psychology sense). You mentioned software installation, which is very true, but that's just one specific example of how Linux generally falls short compared to Windows and OS X in the area of usability. Things like interface consistency, standardized package installation, and practical aesthetics are key, and Microsoft and Apple spend lots of time and money on making their products more "usable", from an interface design perspective. And so far they've succeeded -- comparatively, anyway.
So the HP deal is the first step in jumping the first hurdle. I'm sure that coming releases and the community in general will address the second, and that you're right: the days of lock-in are numbered. And thankfully so.
Oh yeah? How do they know? Maybe I got 2.5TB of RAM in my PC too... Yeah.
It seems to me to be a bit foolish to rely on such an outdated infrastructure to supply broadband service. While the telco infrastructure isn't much better, I've experienced fewer instances of losing dialtone than I have power in the last few years. And not only that, the power infrastructure is much more prone to wide-spread, catastrophic failure than is the phone infrastructure (Hello, east coast outage last fall?).
;-)
IMHO, wireless seems to be the answer from both consumer and business perspectives. While the consumer enjoys the added flexibility wireless broadband affords them, providers enjoy a cheaper, easier to support infrastructure. I guess I could sum it up by saying, "Wired broadband is soooo 1990's."
Clever name.
No... This one isn't quite as ridiculous as the "IIS Has More Market Share" study, but it's still junk. A shitty study is a shitty study, period.
Great, so there's foreign key constraints. My bad! Column, named, and table will "follow shortly". I'll take three-outta-four. How about triggers? What about the backticks? What about the case-sensitivity? Any answers there, kid? Am I WRONG about those issues?
And yeah, they ARE talking about PL/SQL stored procedures. So am I! The point is that real, commercial-grade RDBMSs ALL support PL/SQL SPs. Are you not reading what I'm writing? Or have they just not covered that in CompSci I yet?
INNODB tables... blah blah blah
I can't believe you're still missing the point.
I don't see "mySQL" in that product's name. Do you? It's an "additional tool". Maybe I'll look at mySQL when, oh, I dunno, they have integrated online backups like every other real, commercial-grade RDBMS that doesn't require an "additional tool".
This link says it all when it comes to whatever delusions you have about mySQL being commercial-grade and/or standards-compliant.
And for the last time, I'm not talking about SQL Server specifically. I'm talking about it and every single other major commercial-grade RDBMS. If you're not rational and intelligent enough to not let your Microsoft hatred blind you into believing mySQL is something it just plain isn't, I can't help you.
And finally, if your basis for determining one product's superiority over another is the number of links on Google (and no, I'm not going to click that link, smarty), I don't think I have to say much more. Once again, leave the real DBAs to talking about and dealing with these issues, kid. Stick with other kid stuff like trying to sneak the hackneyed old Google/goatse.cx trick into your posts. Because that really goes to show what children like you know about database administration.
Your definition of "commercial-grade database" is blatantly incorrect.
Okay. My general point still stands.