Since Vista, you can't even USE a browser -at all- to use Windows Update (that is, the actual Windows Update service. Obviously you can download the updates through the website if you want, but it's not the automated stuff).
The browser version of Windows Update's last supported version is XP.
Then please tell me what it was designed for, since a large portion of the default features involve pure document management.
Manipulating the SQL backend is a pretty bad idea. It's not quite -THAT- straightforward, since a lot of the elements end up crunched in one table as XML, so you have to be careful with that. Things are pretty duplicated and it's not supported, plus it changes drastically between versions, making migrations difficult.
WebDAV, however, is indeed the way to go (for documents), especially since Vista lets you map a WebDAV folder as a drive (letter), and Linux has tools to mount them like any other volume, too. Good stuff.
Big fat enterprise software aside (like the server versions of Windows, SQL Server, Dynamics, etc.), when purchased as single licenses, very few Microsoft products end up being that expensive when bought correctly.
There's always a way. MSDN subscriptions can be obtained for as low as 30% of retail price if bought through the proper (legal!!) channels, Exchange licenses can drop to almost free when in bulk, Office can be obtained for near free as I described, etc. etc. etc.
There's always a (legal!) way with MS products. Heck, it's not limited to them. Never buy Photoshop full price (assuming you're not a pirate anyway =P). Get a cheap Wacom tablet (except for the plain Bamboo. Though Bamboo Fun works!), register the bundled software, and get Photoshop (legit, full Photoshop CS4) as a half-price upgrade. Then resell the Wacom.
Retail pricing of big-name software companies really means absolutely nothing.
$150 for 3 licenses for personal use
Less than that at work for the full thing, thanks to volume licensing, including a free copy for home use there too via the professional home usage program that Microsoft offers. Oh, and another "free" (to some extent) license of all Office client products from the MSDN subscription.
You've never tried implementing a W3C spec, I think. HELLOOOOO SWISS CHEESE!
Are you seriously that clueless? Most relational database APIs have had parameterized query support since before what I'd think is the majority of Slashdot had goddamn computers. The only mainstream programming language that has lagged in its adoption (they were there, just not as visible as they could be until the later versions) is PHP, and even then it was there and robust for years. On top of that, ORMs (which are all built on top of parameterized queries) are mainstream in pretty much all "mainstream in the enterprise" languages aside from the Microsoft-produced ones (where parameterized queries have been the norm since like VB4...).
So, the frameworks that support parameters are literally omnipresent and are already used by all serious programmers. Just script kiddies with a computer science degree who think they know everything because they know Big O notation screw this up, as this is 10000 times easier to avoid than buffer overflows are in unmanaged languages.
-Especially- since parameterized queries are a requirement to tap into the performance-enhancing query caching features of all mainstream RDBMSs.
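The side-by-side the comment above argues for, as an added example (not code from the thread): the same lookup with data concatenated into the statement text and with a bound parameter, plus a count of distinct statement texts, which is what a statement/plan cache is keyed on. The table, rows and probe input are constructed; sqlite3 stands in for any RDBMS.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for any RDBMS-backed store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_concat(conn, name):
    """The anti-pattern: data embedded directly in the statement text.
    Whatever `name` contains becomes part of the SQL the engine parses."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Parameterized: the statement text is fixed; the value is bound separately
    and can only ever be compared as a string, never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def statement_texts(names, parameterized):
    """Number of distinct statement texts the server sees for these lookups.
    A statement cache is keyed on the text, so concatenation misses every time."""
    texts = set()
    for n in names:
        texts.add("SELECT name, role FROM users WHERE name = ?" if parameterized
                  else "SELECT name, role FROM users WHERE name = '" + n + "'")
    return len(texts)


if __name__ == "__main__":
    db = make_db()
    probe = "bob' OR '1'='1"   # constructed input that becomes valid SQL when concatenated
    print(find_user_concat(db, probe))   # every row: the quote closed the literal early
    print(find_user_param(db, probe))    # []: nobody is literally named that
    print(statement_texts(["alice", "bob", "carol"], False),
          statement_texts(["alice", "bob", "carol"], True))
```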
Funnier is something that happened here a while ago. A very large telecom company that everyone here has heard of opened an employee center after being given a ridiculous amount of benefits, tax deductions, paid lease, etc. for a few years.
They did hire as many people as they said they would. Then came the day when the deductions and all the free stuff ran out, as per the contract. On that very day, they announced they were closing all operations in that area and fired everyone.
Fun stuff.
C is compiled once, in a long, slow compile that can implement lots of optimisations that your JIT cannot
Those are recognised and embedded in the bytecode at compile time. Java and .NET compilers are quite aggressive in that regard, too. And the overzealous locking dates from older versions of the managed languages. Some does remain (so static variables can actually be useful in a multithreaded environment!), but as a whole it's done much better. Yes, it's a seriously difficult task, but it has been solved.
Don't get me wrong, I'm not blind: I wouldn't write a full-featured word processor in Java. Some tasks are just better done in lower-level code. But managed languages really perform well now, and for highly dynamic tasks in an ever-changing environment, they definitely can do at least similarly, and sometimes better. Even more so in .NET, where you can drop to the bytecode and do pointer arithmetic as needed, so C loses these advantages.
The main difference is that C is, and always will be, optimized at compile time. Virtual machine languages can dynamically optimize themselves at runtime. Some of the later iterations of the Java and .NET runtimes can notice patterns at runtime (which is an initial performance hit, obviously), then make assumptions about further calls, and just make sure that they're not messing up (my understanding is that lately Java has made leaps and bounds in that direction).
Then when the pattern "breaks", it reoptimizes the piece of code without the assumption. Depending on the system, that can make tremendous performance improvements. As long as things are optimized at compile time only, you won't be able to go that far. Other examples include system-wide memory compacting, doing away with useless locks at runtime, etc.
Holy cow. This is making Vista look good for a bit there.
So, I gave my girlfriend a Wacom tablet a few years back, and she noticed they have a deal to get a half-price upgrade from Photoshop Elements to full Photoshop CS4 by using her bundled serial number. That sounds like a good deal, Photoshop CS4 for $300...
So, we go through the registration process, download Photoshop from the site, and it asks for the serial of the software we're upgrading from. Doesn't work. After going back and forth with support (who keep saying we don't qualify for the upgrade even though we do), they finally give us the "workaround".
You have to hit a bunch of keys at the same time to make a code pop up on the screen, give the code to the support agent, who then gives you another code, which you input in the "secret" box, which activates Photoshop. And that will have to be done every damn time we reinstall, even though we have a legitimate copy we purchased. Oh yeah, great copy protection you have there, Mr. Adobe.
Makes me want to pirate the damn thing...
It kinda still matters. If I'm at the office and stick my password on my box... well, yeah, everyone has physical access to my machine... but SOMEONE will notice when the receptionist is taking a screwdriver to my workstation. They won't notice her picking a post-it note from it.
Well, like pretty much all current operating systems, really. Unless I did something without realising it, if I type the wrong login name in Windows, it doesn't tell me instantly.
Some systems will intentionally "lag" you on a failed password attempt, or wait some time before the next guess. So you can't even MAKE 64 guesses a minute.
Others will lock you out after 3-5 attempts.
Kind of stops this flat, hmm?
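The two defences the comment above lists, as an added example (not code from the thread): a per-account throttle that doubles the wait after each failed password, locks the account after the fifth failure, treats unknown usernames exactly like known ones so neither the answer nor the timing says which names exist, and a simulation of how many guesses per minute that leaves. The usernames, passwords, salt and timings are constructed; the clock is injected so nothing actually sleeps.

```python
import hashlib
import hmac

_SALT = b"constructed-demo-salt"


def _digest(password: str) -> bytes:
    # Slow KDF for the stored verifier; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed user store: username -> password verifier.
USERS = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}
_DUMMY = _digest("")   # compared against for unknown users so timing does not differ


class LoginThrottle:
    """Per-account throttle: wait doubles after each failure, lockout after `lock_after`."""

    def __init__(self, now, lock_after=5, base_delay=1.0, max_delay=32.0, lockout=900.0):
        self.now = now                  # callable returning the current time in seconds
        self.lock_after = lock_after
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout = lockout
        self.state = {}                 # username -> {"failures": n, "not_before": t}

    def attempt(self, user, password):
        """Return 'ok', 'fail', 'wait' or 'locked'. Known and unknown usernames take
        the same path, including the KDF, so the caller learns nothing about names."""
        e = self.state.setdefault(user, {"failures": 0, "not_before": 0.0})
        t = self.now()
        if t < e["not_before"]:
            return "locked" if e["failures"] >= self.lock_after else "wait"
        if e["failures"] >= self.lock_after:
            e["failures"] = 0           # lockout has been served; start counting again
        match = hmac.compare_digest(USERS.get(user, _DUMMY), _digest(password))
        if match and user in USERS:
            self.state.pop(user, None)
            return "ok"
        e["failures"] += 1
        if e["failures"] >= self.lock_after:
            e["not_before"] = t + self.lockout
        else:
            e["not_before"] = t + min(self.base_delay * 2 ** (e["failures"] - 1), self.max_delay)
        return "fail"


def guesses_in_window(seconds=60.0, lock_after=5, base_delay=1.0, max_delay=32.0, lockout=900.0):
    """Wrong guesses one account accepts within `seconds` when the caller retries the
    instant the throttle allows. Runs on a simulated clock."""
    clock = [0.0]
    th = LoginThrottle(lambda: clock[0], lock_after, base_delay, max_delay, lockout)
    accepted = 0
    while clock[0] < seconds:
        if th.attempt("alice", "wrong") == "fail":
            accepted += 1
        clock[0] = max(clock[0] + 0.001, th.state["alice"]["not_before"])
    return accepted


if __name__ == "__main__":
    print("doubling delay + lockout after 5:", guesses_in_window())      # 5
    print("doubling delay only:", guesses_in_window(lock_after=10**9))   # 6
```

Against the 64 guesses a minute mentioned above, the delay alone allows 6 and the lockout caps it at 5 before the account is closed for 15 minutes.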
Again -> Microsoft isn't saying that a netbook cannot ever be more powerful and still get the "Microsoft" sticker. Just that the cheaper version of Windows can't be sold with them. There are -already- netbooks sold with Vista -Premium- (you know, the OS that supposedly needs a freakin' supercomputer to run?), and they work well. Sony makes 'em for North America, and in Asia there's a ton of different models. You think that will stop because of this? A lot of people want a full computer in a netbook form factor. They'll make 'em, they just will cost more than $299.99 if they come with Windows.
You're right. No one would make a netbook too good for the slimmed-down version of Windows, right?
It will, if poorly, though that depends on your definition of a netbook. It probably runs OK on a Sony P Series, but do you consider that a netbook? That's a bit borderline.
And they're not: they're just saying that after a certain size, IF, and only IF, you still want to use Windows, you need to pay more for the software. You know, like how databases and server software cost more once you hit a certain amount of RAM or sockets (including some open source software support contracts!). If it's small and low-powered, Windows is cheap. If it's big, Windows is the same price as it is on a desktop. If you use Linux, it doesn't matter.
I asked in other posts, but I ask again: what's the problem? That some OEMs will push for lower power consumption and smaller devices? Geez, you guys make it sound like it's a bad thing. God forbid we save electricity. Plus, it's not like someone else can't decide on different specs. If Apple came out with netbooks and did the same thing, they could decide the line is drawn at 12 inches. Or no line at all (like for Linux)! And there's nothing Microsoft can do about it.
All they're doing is saying "The cheap version of Windows 7 goes with computers that are small and have low power consumption. Beyond that you have to use the same version of Windows as any other computer, that is, if you're gonna use Windows at all."
How is that different exactly from all the products that are, let's say, licensed per socket (which even some well-respected open source companies use)?
If the machine is larger and uses more power, then the price of -Windows- (and nothing else) goes up. So on bigger netbooks, Linux ends up more competitive. So what's wrong exactly?
10 inch is already pushing it on netbooks to make them useful for what they're supposed to be, IMO. 12 is just too big.
Of course, assuming we're talking about SharePoint Services and not Office SharePoint Server, "bringing in SharePoint" in Windows Server 2003 is -> Add/Remove Programs -> Windows Components -> SharePoint -> click OK, wait a bit, run the wizard, you're done. (In 2008 you have to download it, so you can't be as lazy.) And assuming the Windows servers are already there, it doesn't cost you anything.
NTLM is the basic form of Windows authentication, which is used when integrated authentication is needed but Kerberos would be overkill. So it's basically how you log in to a Windows box. Internet Explorer and some (but not all... though Firefox can) other browsers will let you use it for website authentication, but the fact remains that it's a form of network authentication that is not optimized for public networks (it is most commonly used to authenticate users on an intranet so they don't have to enter their password again, just passing their Windows tokens).
On the web, usually people will use form-based authentication (the Windows world's way of saying "username and password backed by a custom system"). In the Unix world (though it can be used in Windows too), some form of single sign-on framework (like SiteMinder) is often used too.
So basically, exposing NTLM over the public internet would mean your web site will work in most, but not all, browsers, and people will be asked to enter a Windows login name and password (as in an Active Directory or machine user). That is very infrequent.
The only times this is really done is for SharePoint and Exchange, and those use a custom security mechanism which is not vulnerable to this exploit (because they serve "virtual" directories, such as files from a content management system or an email database, as opposed to a real file system).
And as if all that wasn't enough, exposing NTLM over the net is confusing to users (sometimes they have to type in the domain name, depending on configuration... talk about ewww) and doesn't integrate well in web pages (it will pop up that ugly gray login box instead of being integrated in the site), which is why even braindead sysadmins won't make the mistake, because users bitch and moan.
If a university got hacked through this, when even our straight-out-of-associate's junior MCSE didn't make the mistake, they really need to rethink their IT department.
How do you know this? Is IIS shipped by default with this 'safe' configuration?
More so than that: not only is the feature not activated by default, it's not even installed. And NTLM on a public-facing web site means someone made the conscious decision of disabling anonymous and form authentication (as those would always kick in first, thus almost closing down NTLM access in the first place). If you have a firewall, the appropriate port may need to be opened, too, in some cases.
It is not the default by any stretch of the imagination, and you actually need to sorta know what you're doing. At work we have dozens of distinct IIS setups and configurations, stretching from very common to extremely obscure, and we looked at all of them one by one, only to find out that exactly zero had the correct setup for this vulnerability, and no one actually tried to lock down NTLM + WebDAV. It's just that the only time you'd go through the trouble of making it available is for Exchange, SharePoint, etc., and those setups are not vulnerable.
But Exchange and SharePoint exposed through WebDAV are not vulnerable to this exploit, only file systems are, and it's a different ballpark altogether. As soon as there's some form of indirect authentication layer in between, instead of straight NTLM, it doesn't work anymore.
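An added audit check (not code from the thread) for the "one by one" review described above: it reads a site's web.config and reports whether Windows (NTLM) authentication is the only enabled scheme and whether WebDAV authoring is on. Assumptions: the IIS 7 configuration element names as I know them, and server-level defaults of anonymous on, Windows auth off and WebDAV off when the file is silent (the effective setting can also come from applicationHost.config, which this does not read). Both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed effective values when web.config says nothing: anonymous auth on,
# Windows auth not installed, WebDAV not installed (server-level defaults).
DEFAULTS = {"anonymous": True, "windows": False, "webdav": False}

PATHS = {
    "anonymous": "./system.webServer/security/authentication/anonymousAuthentication",
    "windows":   "./system.webServer/security/authentication/windowsAuthentication",
    "webdav":    "./system.webServer/webdav/authoring",
}


def _enabled(root, path, default):
    """Boolean value of an element's enabled="..." attribute, or the default if absent."""
    el = root.find(path)
    if el is None or el.get("enabled") is None:
        return default
    return el.get("enabled").strip().lower() == "true"


def audit_webconfig(xml_text):
    """Return the effective auth/WebDAV settings for one site plus a list of findings."""
    root = ET.fromstring(xml_text)
    s = {k: _enabled(root, p, DEFAULTS[k]) for k, p in PATHS.items()}
    auth = root.find("./system.web/authentication")            # ASP.NET Forms auth lives here
    s["forms"] = auth is not None and auth.get("mode", "").lower() == "forms"
    findings = []
    ntlm_only = s["windows"] and not s["anonymous"] and not s["forms"]
    if ntlm_only:
        findings.append("Windows (NTLM) auth is the only enabled scheme: "
                        "anonymous and Forms auth are both off")
    if s["webdav"]:
        findings.append("WebDAV authoring is enabled")
    if ntlm_only and s["webdav"]:
        findings.append("NTLM-only plus WebDAV over the file system: "
                        "the combination this thread is about")
    s["findings"] = findings
    return s


# Constructed samples: a freshly created site, and the deliberately
# configured combination the thread describes.
DEFAULT_SITE = """<configuration>
  <system.webServer>
    <security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security>
  </system.webServer>
</configuration>"""

NTLM_WEBDAV_SITE = """<configuration>
  <system.web><authentication mode="Windows" /></system.web>
  <system.webServer>
    <security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security>
    <webdav><authoring enabled="true" /></webdav>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("default site", DEFAULT_SITE), ("ntlm+webdav site", NTLM_WEBDAV_SITE)):
        print(name, "->", audit_webconfig(cfg)["findings"] or ["nothing flagged"])
```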