Bit of a shame, then, that in 1987 it didn't support 32-bit addressing (IIRC instructions were 32 bits wide but the address bus was only 24 bits) and even if it did, it relied on a separate memory controller.
The MEMC1 in the early Archimedes models supported.... oooh, 1MB of RAM. You could upgrade the memory (no SIMM sockets then, you had to have it soldered on), you also had to upgrade the chip to a MEMC1a, which supported 4MB.
(note: much of this is a hazy recollection - constructive correction welcomed!)
There are already perfectly good emulators that run quite happily on x86, but getting hold of RISC OS is rather trickier unless you've bought and paid for a license (which is surprisingly expensive considering it's got very little modern software available, and these days is only really of any interest as an exercise in "how to design a very small OS for a 1980's version of a chip without many of the things we take for granted these days such as multi-user security or protected memory")
If your IT guys are so stupid they're running around physically pressing power switches, they're at least as technologically idiotic as people who run as Admin and run executable files linked to in email.
Hate to say it, but IME a significant number of IT guys are that stupid.
Usually, the excuse given (and I still think it's a lousy excuse) is that they're run off their feet so solidly for 8 hours a day that they literally do not have time to spend 30 seconds Googling for a way to make their life just a little easier. Myself, I think that's bullshit - they'd probably recover a couple of hours every day with that 30 seconds - but hey, what do I know? All of this is going on and I'm replying to/. rather than cleaning up a horrendous mess.
Just as a point of clarification, Outlook is actually a very good e-mail client. Outlook Express however, is not by any stretch of the imagination the same product, and is an insecure PoS, it also doesn't exist in Vista or Windows 7.
Sorry, but I'm going to have to call you out on that one.
Outlook is an outstanding Exchange client. But you mustn't think of Exchange as just email because it's a hell of a lot more than that - plain email doesn't give you shared calendars, it doesn't give you a centralised to-do list, it doesn't give you a group address book, it seldom gives you any form of advanced access control which can be managed from the client to allow, eg. the CEOs PA to send and retrieve email on his behalf without having to log in as the CEO.
If you use Outlook as a plain email client with, eg. IMAP or POP, it's actually pretty lousy.
You don't need to, you can execute a program from anywhere in most operating systems. Hell, remarkably few Linux distributions default to mounting/home and/tmp with the noexec option.
An iPhone may or may not be an appliance, but general-purpose computers and the operating systems designed for them are certainly not appliances.
Why not?
I'm deadly serious here, so don't automatically mark me down as a troll. Obviously it's not appropriate for all, but for a great many computers in organisations up and down the country, the person sat in front of the computer doesn't own it and isn't supposed to use it for non-work related stuff. Why shouldn't the computer be locked down so tight that it is more-or-less impossible to even run a non-approved application, enforced by means of TPM or something very like it?
The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them.
Going back to the original point of this entire topic, why would an application need admin privs in order to send copies of itself to every email address it can find? Bearing in mind that if "requires admin privs" is the only thing you can think of to prevent malware from executing, you're going to be in serious trouble sooner or later.
1. If, as a mail admin, you are still allowing Windows executables of any description through your system, you should be shot. Hell, Microsoft publish a list of potentially dangerous filetypes you might want to block in email, so you've really got zero excuse. Let's face it, if education was going to work it would have done so years ago.
2. If, as a desktop admin, your users are using a mail client that allows them to just randomly open Windows executables and is not/cannot be configured otherwise, you also should be shot. Outlook has gone out of its way to make it difficult to open executable attachments for some time.
3. Of those 9 years:
- 5 or 6 days has been spent teaching that "opening every attachment you see is a Bad Idea".
- 8 years, 361 days have been spent teaching that "the correct way to deal with any popup you see is to click on the first button on it that'll get rid of the thing. No point in reading it, they never say anything useful anyway."
Come on, the movie industry has clearly considered itself above the law for some time. So it's not terribly surprising.
What does surprise me is that someone who claims to have been hired for this will admit it in a public forum. That's odd. Either he's incredibly stupid or he's got an ulterior motive.
I'd be interested to see the news in a weeks' time. "Aiplex Software out of business - because their previous ISP disconnected them and they can't find another prepared to take them on", anyone?
Well, the first thing that would happen is that virtually all Windows applications would have to be rewritten because a compatibility layer (like Apple did with Classic) would break most of what they'd be trying to achieve.
The second thing that would happen is that Microsoft would be competing on a much more level playing field - the only thing keeping Windows in lots of small businesses is the applications running on Windows, if they go away then suddenly Apple and most Linux distributors would find it much easier to get taken seriously.
However those things can and will be fixed without introducing "let's loof for 'sudo rm -rf/' everywhere" approach that only exists because Windows security model is broken and unfixable.
No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.
What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed. You could argue this is because of history (Applications that were written in the days of '9x and have never been updated to account for a security model), because of laziness (too many software houses giving their devs admin rights) or because it's simply too complicated for its own good, but there's only one of those arguments which might reasonably be translated as meaning that the model is broken and unfixable.
Erm.... actually it wasn't. In fact, I was so concerned my point would be missed I spelled it out explicitly. Maybe putting it in bold will help.
Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root.
All an attacker has to do is persuade something to run arbitrary code. The obvious way that we all know and hate is to trick the user into double-clicking an email attachment - which in Linux doesn't work very well, particularly if the user's on a desktop with every partition they can write to mounted with noexec. But there are other ways to run arbitrary code, and they're ways we see on/. pretty regularly. Some other application (eg. web browser, PDF reader, random library that is linked into lots of applications) is exploited to run it.
I'm afraid it isn't, and a bit of reading between the lines in the article would allow you to figure this out.
The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.
The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?
Let's assume a drastic drop in Windows usage. Are the world's malware authors going to shrug their collective shoulders and say "Ah well, it was nice while it lasted"? Or are they going to say "Well, there's still lots of computers out there with lots of ill-informed people using them for things like banking, even if they're not running Windows. Wonder if there's any way to exploit them?"
I suspect it's more inertia than anything else - the technology didn't exist when it first became necessary to authenticate users, so people did the best they could think of - passwords.
Over the years, the concept has been tweaked to to make it more secure - eg. only storing hashes of passwords, demanding passwords of a particular complexity - but ATEOTD we're still polishing the same turd.
Technically speaking, it's entirely true that keypair authentication is much more secure, but there are still a lot of user interaction issues to resolve, eg:
- How come I can't insert a USB keyfob with a certificate signed by my employer's CA to log onto my PC? How come the same keyfob can't then be used with a mac? Linux? - How come I need to install certificates separately in Firefox to IE on the PC or Safari on the Mac? It's not like Microsoft (or for that matter Apple) make it impossible for third-party applications to use the keystore.
In many ways, it's probably just as well these things haven't been solved. A PC that's got a malicious keylogger on there could have all sorts of other things, and if you think the worlds' malware authors would give up overnight just because the world moved over to key/certificate based authentication, you're in a dreamworld. You think changing a few passwords is awkward, how do you think your bank will react if your account is drained by someone who presented the correct certificate?
Maybe the NYT article doesn't mention centralized login because such an obviously bad idea?
It's not quite as simple as that.
On the face of it, yes, it introduces a single point which, if compromised, has pretty bad consequences. But at the same time, if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.
Now, if something like OpenID were to support certificate-based authentication...
It will be a lawsuit against Google, and I'll tell you what Google do that Microsoft is afraid of.
It's not Google Search. It's Google for Domains.
Seriously, loads of companies are already outsourcing email anyhow - punch "Outsourced exchange" into any search engine and you'll get hundreds of hits. But Google for Domains gives you email, shared calendar, chat, documents, spreadsheets and sites for about a third to a half of what you'll typically pay per user for outsourced Exchange. And as every month goes by, a few more features are added. The current version of docs, for instance, has realtime collaborative editing built right in - that didn't exist a year ago.
Right now, it's still a poor second for many advanced features (you can't do a mailmerge, print labels or envelopes, for instance), but don't expect that to last long. The rate of development is incredible, and it probably won't be long before the entire Office suite is obsolete for most people - and unlike with OpenOffice, it's being obsoleted by a company with a name that people outside of IT know and trust. People on/. go on about "who wants to outsource such confidential information?" but you know what? Lots of businesses already do.
(I'm actually slightly concerned as a sysadmin, because a few more applications like that and for many employers my job will become little more than setting up a router to get them on the Internet, which is hardly a fulltime role - but if I wanted a career that would keep me employed until I was due to retire I shouldn't have gone into IT)
Probably because Microsoft can't handle themselves. Or at least, not without resorting to dirty tricks where any potential threat to their desktop business is concerned.
That's been the case since the very early days - remember the Hallowe'en memos? How about when Microsoft were - with one team - cosying up to IBM and working on OS/2 while another team was hard at work writing a GUI shell to run on top of DOS and then telling ISVs to code for Windows rather than OS/2?
Or how about the FUD concerning DR-DOS? ISTR that Windows wouldn't run on DR-DOS not for any technical reason, but because Microsoft had inserted code that checked to ensure Windows was running on MS-DOS rather than DR-DOS.
Slashdot Mirror
Bit of a shame, then, that in 1987 it didn't support 32-bit addressing (IIRC instructions were 32 bits wide but the address bus was only 24 bits) and even if it did, it relied on a separate memory controller.
The MEMC1 in the early Archimedes models supported.... oooh, 1MB of RAM. You could upgrade the memory (no SIMM sockets then, you had to have it soldered on), you also had to upgrade the chip to a MEMC1a, which supported 4MB.
(note: much of this is a hazy recollection - constructive correction welcomed!)
There are already perfectly good emulators that run quite happily on x86, but getting hold of RISC OS is rather trickier unless you've bought and paid for a license (which is surprisingly expensive considering it's got very little modern software available, and these days is only really of any interest as an exercise in "how to design a very small OS for a 1980's version of a chip without many of the things we take for granted these days such as multi-user security or protected memory")
If your IT guys are so stupid they're running around physically pressing power switches, they're at least as technologically idiotic as people who run as Admin and run executable files linked to in email.
Hate to say it, but IME a significant number of IT guys are that stupid.
Usually, the excuse given (and I still think it's a lousy excuse) is that they're run off their feet so solidly for 8 hours a day that they literally do not have time to spend 30 seconds Googling for a way to make their life just a little easier. Myself, I think that's bullshit - they'd probably recover a couple of hours every day with that 30 seconds - but hey, what do I know? All of this is going on and I'm replying to /. rather than cleaning up a horrendous mess.
Are you aware that there exist mail filtering programs that check any links and disarm those that look like they point at something dodgy?
Just as a point of clarification, Outlook is actually a very good e-mail client. Outlook Express however, is not by any stretch of the imagination the same product, and is an insecure PoS, it also doesn't exist in Vista or Windows 7.
Sorry, but I'm going to have to call you out on that one.
Outlook is an outstanding Exchange client. But you mustn't think of Exchange as just email because it's a hell of a lot more than that - plain email doesn't give you shared calendars, it doesn't give you a centralised to-do list, it doesn't give you a group address book, it seldom gives you any form of advanced access control which can be managed from the client to allow, eg. the CEOs PA to send and retrieve email on his behalf without having to log in as the CEO.
If you use Outlook as a plain email client with, eg. IMAP or POP, it's actually pretty lousy.
You don't need to, you can execute a program from anywhere in most operating systems. Hell, remarkably few Linux distributions default to mounting /home and /tmp with the noexec option.
Dear oh dear.
May I introduce you to MailScanner? It will also scan links and remove any that look like they link to something dodgy.
(And I don't have anything to gain from this - I'm just a very happy user).
An iPhone may or may not be an appliance, but general-purpose computers and the operating systems designed for them are certainly not appliances.
Why not?
I'm deadly serious here, so don't automatically mark me down as a troll. Obviously it's not appropriate for all, but for a great many computers in organisations up and down the country, the person sat in front of the computer doesn't own it and isn't supposed to use it for non-work related stuff. Why shouldn't the computer be locked down so tight that it is more-or-less impossible to even run a non-approved application, enforced by means of TPM or something very like it?
The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them.
Going back to the original point of this entire topic, why would an application need admin privs in order to send copies of itself to every email address it can find? Bearing in mind that if "requires admin privs" is the only thing you can think of to prevent malware from executing, you're going to be in serious trouble sooner or later.
I'd point out a few things here:
1. If, as a mail admin, you are still allowing Windows executables of any description through your system, you should be shot. Hell, Microsoft publish a list of potentially dangerous filetypes you might want to block in email, so you've really got zero excuse. Let's face it, if education was going to work it would have done so years ago.
2. If, as a desktop admin, your users are using a mail client that allows them to just randomly open Windows executables and is not/cannot be configured otherwise, you also should be shot. Outlook has gone out of its way to make it difficult to open executable attachments for some time.
3. Of those 9 years:
- 5 or 6 days has been spent teaching that "opening every attachment you see is a Bad Idea".
- 8 years, 361 days have been spent teaching that "the correct way to deal with any popup you see is to click on the first button on it that'll get rid of the thing. No point in reading it, they never say anything useful anyway."
Actually, I rather suspect it has more to do with printers running a known OS. Not that unusual with large printers.
Printers are seldom (but apparently not never) used as sources of spam.
Come on, the movie industry has clearly considered itself above the law for some time. So it's not terribly surprising.
What does surprise me is that someone who claims to have been hired for this will admit it in a public forum. That's odd. Either he's incredibly stupid or he's got an ulterior motive.
I'd be interested to see the news in a weeks' time. "Aiplex Software out of business - because their previous ISP disconnected them and they can't find another prepared to take them on", anyone?
Well, the first thing that would happen is that virtually all Windows applications would have to be rewritten because a compatibility layer (like Apple did with Classic) would break most of what they'd be trying to achieve.
The second thing that would happen is that Microsoft would be competing on a much more level playing field - the only thing keeping Windows in lots of small businesses is the applications running on Windows, if they go away then suddenly Apple and most Linux distributors would find it much easier to get taken seriously.
However those things can and will be fixed without introducing "let's loof for 'sudo rm -rf /' everywhere" approach that only exists because Windows security model is broken and unfixable.
No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.
What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed. You could argue this is because of history (Applications that were written in the days of '9x and have never been updated to account for a security model), because of laziness (too many software houses giving their devs admin rights) or because it's simply too complicated for its own good, but there's only one of those arguments which might reasonably be translated as meaning that the model is broken and unfixable.
Not if the customers react by taking their business elsewhere.
They haven't yet.
Erm.... actually it wasn't. In fact, I was so concerned my point would be missed I spelled it out explicitly. Maybe putting it in bold will help.
Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root.
All an attacker has to do is persuade something to run arbitrary code. The obvious way that we all know and hate is to trick the user into double-clicking an email attachment - which in Linux doesn't work very well, particularly if the user's on a desktop with every partition they can write to mounted with noexec. But there are other ways to run arbitrary code, and they're ways we see on /. pretty regularly. Some other application (eg. web browser, PDF reader, random library that is linked into lots of applications) is exploited to run it.
I'm afraid it isn't, and a bit of reading between the lines in the article would allow you to figure this out.
The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.
The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?
Let's assume a drastic drop in Windows usage. Are the world's malware authors going to shrug their collective shoulders and say "Ah well, it was nice while it lasted"? Or are they going to say "Well, there's still lots of computers out there with lots of ill-informed people using them for things like banking, even if they're not running Windows. Wonder if there's any way to exploit them?"
I suspect it's more inertia than anything else - the technology didn't exist when it first became necessary to authenticate users, so people did the best they could think of - passwords.
Over the years, the concept has been tweaked to to make it more secure - eg. only storing hashes of passwords, demanding passwords of a particular complexity - but ATEOTD we're still polishing the same turd.
Technically speaking, it's entirely true that keypair authentication is much more secure, but there are still a lot of user interaction issues to resolve, eg:
- How come I can't insert a USB keyfob with a certificate signed by my employer's CA to log onto my PC? How come the same keyfob can't then be used with a mac? Linux?
- How come I need to install certificates separately in Firefox to IE on the PC or Safari on the Mac? It's not like Microsoft (or for that matter Apple) make it impossible for third-party applications to use the keystore.
In many ways, it's probably just as well these things haven't been solved. A PC that's got a malicious keylogger on there could have all sorts of other things, and if you think the worlds' malware authors would give up overnight just because the world moved over to key/certificate based authentication, you're in a dreamworld. You think changing a few passwords is awkward, how do you think your bank will react if your account is drained by someone who presented the correct certificate?
Maybe the NYT article doesn't mention centralized login because such an obviously bad idea?
It's not quite as simple as that.
On the face of it, yes, it introduces a single point which, if compromised, has pretty bad consequences. But at the same time, if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.
Now, if something like OpenID were to support certificate-based authentication...
It will be a lawsuit against Google, and I'll tell you what Google do that Microsoft is afraid of.
It's not Google Search. It's Google for Domains.
Seriously, loads of companies are already outsourcing email anyhow - punch "Outsourced exchange" into any search engine and you'll get hundreds of hits. But Google for Domains gives you email, shared calendar, chat, documents, spreadsheets and sites for about a third to a half of what you'll typically pay per user for outsourced Exchange. And as every month goes by, a few more features are added. The current version of docs, for instance, has realtime collaborative editing built right in - that didn't exist a year ago.
Right now, it's still a poor second for many advanced features (you can't do a mailmerge, print labels or envelopes, for instance), but don't expect that to last long. The rate of development is incredible, and it probably won't be long before the entire Office suite is obsolete for most people - and unlike with OpenOffice, it's being obsoleted by a company with a name that people outside of IT know and trust. People on /. go on about "who wants to outsource such confidential information?" but you know what? Lots of businesses already do.
(I'm actually slightly concerned as a sysadmin, because a few more applications like that and for many employers my job will become little more than setting up a router to get them on the Internet, which is hardly a fulltime role - but if I wanted a career that would keep me employed until I was due to retire I shouldn't have gone into IT)
Probably because Microsoft can't handle themselves. Or at least, not without resorting to dirty tricks where any potential threat to their desktop business is concerned.
That's been the case since the very early days - remember the Hallowe'en memos? How about when Microsoft were - with one team - cosying up to IBM and working on OS/2 while another team was hard at work writing a GUI shell to run on top of DOS and then telling ISVs to code for Windows rather than OS/2?
Or how about the FUD concerning DR-DOS? ISTR that Windows wouldn't run on DR-DOS not for any technical reason, but because Microsoft had inserted code that checked to ensure Windows was running on MS-DOS rather than DR-DOS.
Last time I checked, "Waah!! It's hard!" wasn't sufficient grounds to demand your competition be taken down a peg or two by legal means.
IIRC Ryanair have a fleet where all the aircraft are identical, or as near as dammit - I think they're Boeing 737-800s.
Neither of which is served by Ryanair.