Slashdot Mirror


User: benjymouse

benjymouse's activity in the archive.

Stories: 0
Comments: 739

Comments · 739

  1. To be in control of their own future on Microsoft Office 2007 to Support ODF - But Not OOXML · · Score: 3, Interesting

    I know that the common perception on slashdot is that ODF is the only format we need because of its OO heritage. That is frankly a naïve position. The format was backed by IBM, Oracle and Sun for a reason. Right now MS' selling point for Office is features. Some would call it bloated - but MS Office still has more features than OO. That may not be that important to the vast majority of users, but it is a selling point nonetheless.

    Imagine a situation where MS could not leverage the feature advantage, because the standard persistence format could not represent the advanced feature set. Ink comes to mind; it's actually part of OXML but there's nothing like it in ODF. Representatives for Microsoft's competitors could fight any extension (invoking the "err on the side of caution" argument) of the format until OO/StarOffice was prepared to implement the feature as well. But that would actually stifle innovation and hurt the customers who could actually realize a productivity gain from new features.

    By creating a situation where we have two formats and already a situation where one is larger and with more features specified, Microsoft has got a situation where they can let the "conservatives" drive (or not) ODF, and Microsoft can be the primary driver of OXML, although they can now only make suggestions and requests. In short they have a situation where they stand a better chance at exposing the hidden agendas of their competitors' representatives should they ever try to hold back Microsoft innovation in Office for competitive reasons.

    I don't believe for a second that the motives of IBM, Oracle and Sun were always free of hidden agendas. Of course they saw their involvement (and influence through merits) in ODF as a way to gain some control over the future of MS Office. Office has always been one of MS' best cash cows.

    You can argue that we don't need any more innovation in the office productivity area. But that would be an opinion and not something you should base a standard upon.

  2. Re:Irresponsible disclosure on IE 7.0/8.0b Code Execution 0-Day Released · · Score: 3, Insightful

    In a word? Yes. Ask Mozilla.

  3. Irresponsible disclosure on IE 7.0/8.0b Code Execution 0-Day Released · · Score: 4, Interesting

    The vuln. is probably real, but Aviv Raff notified Microsoft the day before he went public with a "treasure hunt" for this bug (celebrating Israel's 60th birthday); thus the fact that it's a 0day vuln. is entirely his doing. Way to go.

  4. Re:If it's all about your data... on Coding Around UAC's Security Limitations · · Score: 1

    Actually, you could make a case that Vista is in fact better protected than Linux and OS/X in this case. That's because Vista also has this concept of integrity. A normal process will run with "normal" or "user" integrity. It can access files, data etc. that the user would normally have access to. But restricted resources like e.g. registry keys, files in the \program files or in \windows directories are off-limits, even if your ACLs grant you access.

    That's why you can run as an administrator and have UAC "prompt" you for elevated rights. UAC prompts you to increase the integrity level of the process to "high".

    Now, there is also another level, low integrity, which is presently used for IE *and* any executable tagged as having been downloaded from the Internet. A low integrity process has very, very restricted rights. Basically it can only write files in a specially designated (and deeply buried) cache, the registry is off-limits, it has severe quota limits etc. So, the low integrity actually allows you to run programs under your own account and still deny reading/writing your personal data.

    As IE itself runs under these restrictions, it *also* has to use the "hack" (which is actually a best practice) of factoring functionality requiring elevated rights into a separate service/broker process. That's what the ieuser.exe process is that sometimes shows up in task manager. If IE didn't do this you would not be able to upload/download files using IE. This is effectively a sandbox.

    Flash uses a broker process to escape the sandbox as well (don't know why they couldn't just use ieuser.exe). It was a bug in the Flash broker process (i.e. outside the sandbox) that allowed the hacker at the CanSecWest contest to "pwn" the Vista machine.

  5. Re:How ironic on Red Hat Avoids Desktop Linux, Says Too Tough · · Score: 1

    kudos! I just fear that there's not a whole lot of users like you.

  6. Re:How ironic on Red Hat Avoids Desktop Linux, Says Too Tough · · Score: 1

    Yeah, well. How much revenue have they received from you during those 10 years? Exactly! That's why it's hard.

  7. Re:Ubuntu and OS/X also vulnerable to Flash exploi on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    Wrong. It is the other way around. Flash runs in a less privileged space on Vista. Please check your facts instead of just assuming. On Vista, IE and all plugins (ActiveX) run as a low privileged user account which does not have access to write anywhere except for a secluded cache. On Ubuntu FF and all of its plugins run under the user account which launched Firefox; which means *you*. If anything, Ubuntu is *less* secure in this regard. If you read the article I linked to at The Register you will note that the winner said that he would have been able to pull this off on any of the operating systems. Neither Ubuntu nor OS/X is in any way immune to this attack. Now, how did he pull it off? Because Adobe/Macromedia in their wisdom decided they needed escalated privileges (I really don't know for what reason) for some tasks. Because the plugin cannot break out by itself they designed a "broker process" which runs as the currently logged on user. This process talks to the browser plugin and performs privileged tasks on behalf of the plugin. The vuln this guy found was in this broker process. Adobe is the culprit here. Flash is a POS, security-wise. Check Secunia, virtually *all* of the vulns have been "critical" and virtually *all* of them have been multi-platform.

  8. Ubuntu and OS/X also vulnerable to Flash exploit on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    According to Dan Goodin of The Register, reporting from Vancouver: http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/

    But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux.


    Macaulay was the guy who took home the Vista laptop.

    So, he confirms that it was not a specific Vista vuln, but a generic Flash vuln. To bypass the extra security of IE7 on Vista (protected mode) the vuln has to be in the broker process (a.k.a. the flash "helper" process).

  9. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 5, Interesting

    I just wanted to add this: On my Vista x64 I have a service called "FlashUtil9e.exe - Adobe Flash Player Helper 9.0 r115". That's the broker process.

    It is running as *me*, with my rights. Not for long now, though. Bye Flash.

    Oh, and there's also an "Acrotray.exe" - from the same company. Guess what that does?

  10. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 4, Informative

    Read the exchanges on the ieblog here: http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx. It also contains links to documentation.

  11. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 3, Informative

    And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was the Linux laptop still standing then at the end of the day?

    The rules specifically say that 1) if the exploit was cross platform the same exploit could not be used for another platform and 2) the same person cannot win 2 prizes.

  12. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 5, Informative

    Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

    You are right that plugins by default run under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

    And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this broker process and thus breaks out of the sandbox.

    The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way, I believe it is probable that the exploit was somehow connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

    Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* then yet another level of security had been broken (UAC). But at this time we can't really determine.
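Comments 4 and 12 above describe Vista's integrity levels, the Low-integrity cache that a Protected Mode plugin may write to, and the Medium-integrity broker process that performs writes on its behalf. The Python model below is an added example, not code from the original comments or from Microsoft or Adobe: it implements the No-Write-Up rule over objects with constructed labels and paths, and contrasts a broker that validates the requested path against an allowlist with one that forwards any request, which is what a broker bug amounts to from the sandbox's point of view. Only the mandatory-label RIDs (S-1-16-4096 for Low, 8192 Medium, 12288 High, 16384 System) are real; process names, paths and the allowlist are constructed.

```python
"""Toy model of Vista's Mandatory Integrity Control (MIC) and the broker pattern.
Added example: constructed processes, paths and policy; only the RIDs are real."""
from dataclasses import dataclass, field

# Mandatory-label RIDs, the last component of S-1-16-<rid>.
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
LEVEL_NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High", SYSTEM: "System"}


def integrity_from_sid(sid: str) -> int:
    """Return the integrity level encoded in a mandatory-label SID, e.g. S-1-16-8192."""
    prefix = "S-1-16-"
    if not sid.startswith(prefix):
        raise ValueError(f"not a mandatory-label SID: {sid}")
    rid = int(sid[len(prefix):])
    if rid not in LEVEL_NAMES:
        raise ValueError(f"unknown integrity RID: {rid}")
    return rid


@dataclass
class Securable:
    """A file or registry key. Objects carrying no explicit label count as Medium."""
    path: str
    label: int = MEDIUM
    contents: list = field(default_factory=list)


class Process:
    def __init__(self, name: str, level: int):
        self.name, self.level = name, level

    def write(self, obj: Securable, data: str) -> bool:
        """No-Write-Up: a write to an object labelled above the process's own level
        is refused even when the discretionary ACL would grant it."""
        if obj.label > self.level:
            return False
        obj.contents.append((self.name, data))
        return True


class Broker(Process):
    """Medium-integrity helper that writes on behalf of a Low process.
    The path allowlist is what makes it a boundary; allowed_prefixes=None models
    a broker that forwards anything, which hands every caller Medium-level writes."""
    def __init__(self, name: str, allowed_prefixes=None):
        super().__init__(name, MEDIUM)
        self.allowed = None if allowed_prefixes is None else tuple(allowed_prefixes)
        self.log = []  # (caller, path, granted): what a defender would want to audit

    def request_write(self, caller: Process, obj: Securable, data: str) -> bool:
        # The policy check runs outside the sandbox, so it is the only thing
        # standing between the Low process and the user's Medium-labelled data.
        granted = (self.allowed is None or obj.path.startswith(self.allowed)) \
            and self.write(obj, data)
        self.log.append((caller.name, obj.path, granted))
        return granted


def demo() -> dict:
    """Constructed scenario: an Internet-zone plugin at Low, the user's profile at
    Medium, and two brokers that differ only in whether they check the path."""
    cache = Securable("C:\\Users\\alice\\AppData\\LocalLow\\cache.tmp", label=LOW)
    documents = Securable("C:\\Users\\alice\\Documents\\secret.txt")   # Medium by default
    downloads = Securable("C:\\Users\\alice\\Downloads\\file.bin")     # Medium by default

    plugin = Process("plugin", integrity_from_sid("S-1-16-4096"))      # Low
    strict = Broker("helper-strict", ["C:\\Users\\alice\\Downloads\\"])
    permissive = Broker("helper-permissive")                           # no path policy

    return {
        "low_writes_cache": plugin.write(cache, "temp data"),
        "low_writes_documents": plugin.write(documents, "tampered"),
        "broker_allowlisted": strict.request_write(plugin, downloads, "saved file"),
        "broker_denied": strict.request_write(plugin, documents, "tampered"),
        "permissive_broker_writes_documents": permissive.request_write(plugin, documents, "tampered"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

The last entry is the one that matters: the plugin never gains a higher integrity level, yet a broker without a path policy lets it reach Medium-labelled files anyway, so the broker's input validation, not the sandbox, is where the boundary actually lives. The real check is performed by the kernel's access check on the object's mandatory label; this model only reproduces the No-Write-Up rule for files and keys.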

  13. Re:Software Isolated Processes on Microsoft Singularity Now "Open" Source · · Score: 2, Informative

    SIPs are actually already represented in .NET where they are called AppDomains. It is leveraged in both desktop and ASP.NET applications. In the latter an application pool is a pool of processes+threads shared by web applications. Multiple applications can share a process and its threads. When the server handles a request it does so in the context of the AppDomain. So, even though different sites/apps share a process (and thus memory space) the managed .NET execution environment ensures the isolation (which is why pointers are disallowed).

  14. Re:Inevitable, and very welcome on Sun Hires Two Key Python Developers · · Score: 5, Informative

    Yes, and Microsoft's strong focus on multiple languages from the onset also gives the CLR/DLR some clear advantages over the JVM.

    The CLR was built around the notion of a Common Type System (CTS) which means that different languages can share actual objects without having to wrap them. Wrapping costs performance (wrapping and unwrapping when passing between languages). But wrapping is also inherently language-pair oriented, i.e. between 2 pairs of languages such as Java and Jython. Other dynamic languages cannot inherently use Jython objects but must also wrap the "canonical" java objects. It is not that it is impossible to achieve on the JVM platform, it's just that Microsoft has a much more mature VM and type system for this kind of job.

    Take Java generics. The JVM type system has no notion of "template" or "generics", hence the generics in Java are implemented through the dreaded type erasure. But that means that no other language (e.g. Scala) can share generic types with Java. Contrast that with the CLR where generics are 1st class type citizens, both in their generic form and when all type parameters have been fully bound.

    Interestingly, the CLR/CTS seems to have been developed separately from (but coordinated with) C#. The CLR type system can actually represent types which you cannot describe using C# or VB.NET. The CTS is "bigger" and more generalized if you will. The Java VM was always just aimed at serving the Java bytecode. This is something that is going to haunt the JVM now when they are going all multi-language and dynamic.

  15. Re:Quite possibly on OpenID Foundation Embraced by Big Players · · Score: 2, Informative

    So, you want to see an actual example of a site with a seemingly perfectly valid SSL certificate but still sporting an exploit? Look no further than here: http://news.netcraft.com/archives/2008/01/08/italian_banks_xss_opportunity_seized_by_fraudsters.html. This is just a recent example.

    This one example totally defeats all of your "security checks". And it is in the wild. You will of course claim that this particular attack was made possible by two factors: an XSS vuln at the bank's website and users clicking on a link in an email sent to them. But the domain of that link was the bank's domain. The XSS script was obfuscated. Once you arrived at the page everything seemed OK: There's an https:// at the front of the url, and the domain name is in fact the bank's own domain name. Is the bank to blame? Yes! Should anyone follow a link sent to them in an email? No! Did it succeed in having users give up their details? You bet!

    Incidentally you don't "throw up a deceptive IFRAME". Iframes are embedded into the actual html. You can't tell it is there. Your address bar only tells you about the "parent" page. If the actual form lives inside an iframe - possibly generated by an XSS vulnerability like in this example, validating the URI means s***.

    I really don't know which articles you've read on CardSpace. Do you only read the headlines and when CardSpace and Passport are mentioned together you assume that they are one and the same or that they are intrinsically linked?

    Instead of FUDing (referring to "articles" without any concrete references) maybe you would like to point out what the problem with CardSpace is? I mean, apart from the fact that it originated from Microsoft which obviously is very disturbing to you.

    Let me summarize CardSpace for you:

    1. CardSpace is a de-centralized, open protocol based on XML. This is totally opposite Passport (although some Passport driven sites now allow you to use CardSpace as well).
    2. CardSpace does not mandate any specific credential store. Not AD, not LDAP or anything. It is a protocol. If you have evidence to the contrary, please share it.
    3. The client need not use AD or Windows or any other MS technology. IE on XP with .NET Framework 3.0 and on Vista already sports an AD free CardSpace card store.
    4. The server/site (relying party) need not use AD or Windows or any other MS technology. There is even a proposal for inclusion of CardSpace support into Zend Framework for PHP: http://framework.zend.com/wiki/display/ZFPROP/Zend_CardSpace. Google for more projects.
    5. The (if one is used) issuing party need not use AD or Windows or any other MS technology.
    6. Microsoft does not have a central authority. Microsoft is never in on the authentication (unless you authorize at a Microsoft site, of course).
    7. I can make any number of "self-issued" cards, in which case there will be only two parties involved in the authentication; unlike OpenID, I may add.
    8. Even if I use the same card against multiple sites, they don't get an identifier with which to compare my behavior across the sites. Unless of course my card includes something personally identifiable such as a unique email addy. But they don't need my email and I may question the site why they assert that claim.
    9. CardSpace cards contain "claims", such as email addresses, names, etc. Some cards you can issue yourself. But the relying party can demand that some cards are signed by a mutually trusted authority, like a bank or credit card company. This could potentially spell the end (good thing) of handing out CC numbers on the 'net. The relying party can assert a (signed) claim that the bank accepts a withdrawal of a certain amount of $$ for a transaction. The shop never "sees" the CC#, merely a "signed"

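Comment 15 above makes the point that the address bar vouches for the parent document only, while a form injected via XSS (for instance inside an iframe) can submit anywhere. As an added example that is not part of the original comment, the Python below parses a constructed copy of such a page, resolves every form action and iframe source against the page URL, and flags targets whose origin differs from the one shown in the address bar or that drop to plain http. The bank domain, the phishing host and the HTML are all constructed.

```python
"""Audit where a page's forms submit and where its iframes load from.
Added example with constructed input; nothing here is from the original comment."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased: the unit the address bar actually vouches for."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class TargetCollector(HTMLParser):
    """Records (tag, resolved URL) for every <form> and every <iframe src>."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form with no action attribute submits back to the current document.
            self.targets.append(("form", urljoin(self.page_url, attrs.get("action") or "")))
        elif tag == "iframe" and attrs.get("src"):
            self.targets.append(("iframe", urljoin(self.page_url, attrs["src"])))


def audit_page(page_url: str, html: str) -> list:
    """One finding per form/iframe target, marking cross-origin and non-https targets."""
    collector = TargetCollector(page_url)
    collector.feed(html)
    page_origin = origin(page_url)
    findings = []
    for tag, url in collector.targets:
        findings.append({
            "tag": tag,
            "url": url,
            "cross_origin": origin(url) != page_origin,
            "downgraded": urlsplit(url).scheme != "https",
        })
    return findings


def suspicious(findings: list) -> list:
    """Targets a reviewer should look at: anything cross-origin or not over https."""
    return [f["url"] for f in findings if f["cross_origin"] or f["downgraded"]]


# Constructed sample: the address bar shows the bank's own https URL and the page's
# real login form posts to the bank, but injected markup loads a second form from
# elsewhere, and a legacy form submits over plain http.
SAMPLE_URL = "https://bank.example/login?lang=it"
SAMPLE_HTML = """
<html><body>
  <form action="/auth" method="post"><input name="user"><input name="pin"></form>
  <div id="news">
    <!-- injected via the XSS hole: zero-size frame hosting a look-alike login form -->
    <iframe src="https://phish.example.invalid/login" width="0" height="0"></iframe>
  </div>
  <form action="http://bank.example/feedback" method="post"><input name="msg"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_URL, SAMPLE_HTML):
        flag = "CHECK" if f["cross_origin"] or f["downgraded"] else "ok"
        print(f"{flag:5} {f['tag']:6} {f['url']}")
```

The check is deliberately origin-based rather than hostname-based: a form that posts to the same host over http is as much of a finding as one that posts to another host, because the scheme is part of what the padlock is vouching for. Note that the same approach cannot see into a frame's own document without fetching it, which is exactly why the user looking at the address bar cannot either.
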
  16. Re:Quite possibly on OpenID Foundation Embraced by Big Players · · Score: 3, Insightful

    Talking about FUD, it seems you are the guilty one here. Here are some facts for you: 1) Passport has nothing to do with CardSpace. 2) CardSpace does not rely on Active Directory. Totally false FUD. CardSpace (as implemented in IE) insists on using a separate "desktop" to avoid potential spoofing when you decide which card to "hand over". The "cards" are NOT kept in AD. Plugins exist for FF as well. 3) CardSpace is a totally open protocol which - unlike OpenID - ensures your anonymity across websites. 4) CardSpace is compatible with OpenID. It is not a competing technology; they complement each other. In other words your CardSpace card can be OpenID based; it's all about the "claims" part. Kim Cameron actually wrote the "laws of identity". Before being hired by Microsoft. Have you read them? Do you disagree with any of them? Do you feel they are incomplete? Part of spreading FUD is playing on uncertainty by not being concrete in criticism. That way you can avoid rebuttals. What is your problem with that #7 item here? Please?
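Items 7 to 9 of comment 15 and the "claims" remark in comment 16 describe the shape of a claims-based exchange: a relying party asks for specific claims, an issuer signs only those, the relying party never sees the underlying secret (the card number), and no identifier is shared across sites. The Python below is an added example and not CardSpace's actual protocol or any Microsoft code: the token is JSON signed with an HMAC as a stand-in for the real XML signature, audience and expiry fields stand in for the token's real binding to one relying party, and the per-site identifier follows the pairwise idea. Keys, parties, account data and amounts are constructed.

```python
"""Claims-based token exchange modelled on the pattern the comments describe.
Added example with constructed keys and parties; HMAC stands in for the real signature."""
import hashlib
import hmac
import json

BANK_KEY = b"constructed-issuer-key"        # in this toy, shared with the relying parties
CARD_SECRET = b"constructed-card-secret"    # never leaves the card holder's own store
RELEASABLE = {"payment_approved", "amount", "currency", "display_name"}  # issuer policy


def sign_token(issuer_key: bytes, claims: dict, audience: str, issued_at: int, ttl: int = 300) -> dict:
    """Issuer: sign exactly these claims, bound to one relying party and a short lifetime."""
    body = {"claims": claims, "aud": audience, "exp": issued_at + ttl}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(issuer_key: bytes, token: dict, audience: str, now: int):
    """Relying party: check signature, audience and expiry; return the claims or None."""
    expected = hmac.new(issuer_key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    body = json.loads(token["payload"])
    if body["aud"] != audience or body["exp"] <= now:
        return None
    return body["claims"]


def pairwise_id(card_secret: bytes, relying_party: str) -> str:
    """Per-site identifier: stable for one site, unlinkable across sites."""
    return hmac.new(card_secret, relying_party.encode(), hashlib.sha256).hexdigest()[:32]


def issue_claims(bank_key: bytes, account: dict, transaction: dict,
                 requested: list, audience: str, now: int) -> dict:
    """Issuer side: release only requested claims that policy allows to leave the bank.
    The card number is in `account` but never in RELEASABLE, so asking for it is futile."""
    available = {**account, **transaction}
    released = {name: available[name] for name in requested
                if name in RELEASABLE and name in available}
    return sign_token(bank_key, released, audience, now)


def demo() -> dict:
    """Constructed exchange between a bank (issuer), a card holder and two shops."""
    now = 1_700_000_000
    account = {"card_number": "4111-constructed-0000", "display_name": "A. Holder"}
    transaction = {"payment_approved": True, "amount": "42.00", "currency": "EUR"}
    shop, other_shop = "https://shop.example", "https://other.example"

    # The shop asks for the card number as well; issuer policy strips it.
    token = issue_claims(BANK_KEY, account, transaction,
                         ["payment_approved", "amount", "currency", "card_number"], shop, now)
    claims = verify_token(BANK_KEY, token, shop, now + 10)
    tampered = dict(token, payload=token["payload"].replace("42.00", "1.00"))

    return {
        "shop_accepts": claims is not None,
        "shop_sees_card_number": claims is not None and "card_number" in claims,
        "approved_amount": claims["amount"] if claims else None,
        "other_shop_accepts": verify_token(BANK_KEY, token, other_shop, now + 10) is not None,
        "expired_accepted": verify_token(BANK_KEY, token, shop, now + 3600) is not None,
        "tampered_accepted": verify_token(BANK_KEY, tampered, shop, now + 10) is not None,
        "pairwise_ids_differ": pairwise_id(CARD_SECRET, shop) != pairwise_id(CARD_SECRET, other_shop),
        "pairwise_id_stable": pairwise_id(CARD_SECRET, shop) == pairwise_id(CARD_SECRET, shop),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

One deliberate simplification matters for anyone adapting this: with a shared HMAC key every relying party could mint its own tokens, which is why a real issuer signs with an asymmetric key and relying parties hold only the public part. The audience and expiry checks are what stop a token issued for one shop from being replayed at another, and the pairwise identifier is what keeps the two shops from correlating the same card holder.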

  17. Re:If Just A Simple Buffer Overflow on Firefox Susceptible To QuickTime Security Flaw · · Score: 1

    If NX is hardware supplied there is apparently no significant overhead. In that case the concern would be compatibility. However on architectures where NX is not hardware supported it is emulated, which as I understand, can have considerable overhead.

  18. Re:If Just A Simple Buffer Overflow on Firefox Susceptible To QuickTime Security Flaw · · Score: 1

    The NX flag is set on a per-process basis. The application launching the process has to set the flag for it to be effective. Not all processes running in XP SP2 or Vista run with NX for compatibility and/or performance reasons. IE seems to set this flag (or simulate it using stack canaries), while FF apparently does not.

  19. Re:Yeah, but they have overlooked Photosynth on Microsoft Plans Flickr Competitor · · Score: 1

    Photosynth analyses a set of pictures. It uses some sophisticated algorithms to identify interesting "features" which are largely insensitive to resolution, lighting conditions, color correction, sharpness etc. It then pushes all these features into an index from where it can match up the photos. Not only that, it can extrapolate the 3D position relative to each other from where each photo was shot. Photosynth then builds a 3D space where the photos are represented as transient "frames". You can then navigate this world using the mouse/arrow keys. E.g. "turning left" will navigate to the photo closest to your left in the 3D space. You can walk in/out and turn up/down/left/right. Imagine having someone walking around you 360 degrees and shooting, say, 12 photos. Photosynth can then take those photos, match them up and place them in the 3D position from where they were shot. Anyone viewing your "synth" can then take the "virtual tour" around you. Say you create a synth of your home. You may have a special Chinese vase. Photosynth will be able to locate other synths which somewhere contain that same vase. Hell, maybe the CIA's going to buy the lot and classify it. It has tremendous potential.

  20. Yeah, but they have overlooked Photosynth on Microsoft Plans Flickr Competitor · · Score: 2, Interesting

    Microsoft sits on this rather impressive technology called Photosynth. I'm sure most of you have seen/tried the demo. If not, go there now (sorry guys, Windows only). MS has now optimized the algorithms sufficiently to allow home users to generate synths at their own machine. A "no comments" comment also hinted that MS is working on a video version of PhotoSynth. If they integrate PhotoSynth into a Flickr competitor they will have a *huge* appeal. It is all about appearance. This way you can allow guests to take virtual tours of your house, car, neighbourhood.

  21. Re:Interesting on Netcraft Says IIS Gaining on Apache · · Score: 1

    I submitted the article. It is a quote from Netcraft. It is not a ./ quote, nor is it mine. RTFA.

  22. Re:I was looking at netcraft... on Netcraft Says IIS Gaining on Apache · · Score: 2, Insightful

    One explanation may be ASP.NET 2.0 which was released in Nov. 2005. The 2.0 release was a major upgrade to ASP.NET and saw productivity improvements across the board. If you had projects start at that time they would take a few months before finishing.

    It is true that godaddy switched parked domains to IIS. Netcraft has noted so in their survey. But that doesn't explain the apparently sustained growth of IIS.

    And an XP box with an IIS on it will not make it on the Netcraft stats, unless it hosts a *site*. On top of that XP does not by default install IIS.

    Note also that the same trend is visible when looking at the "active sites".

  23. Re:Ironic, but MS is right on Microsoft Slaps Its Most Valuable Professional · · Score: 1

    "...you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways... You may not work around any technical limitations in the software."

    I believe that is the relevant clause. The standard, professional and team editions all have a published and enabled API for loading Addins, macros etc. An addin may change the menus, hook into the editors, register new commands etc.

    The express edition, however, has explicitly *no* add-in manager. This particular developer found a way to work around this (through custom editors in the properties panel which *is* available for express editions), worm up the hierarchy to find the menus etc and change these to mimic the behaviour of a plugin of the for-pay editions.

    Oh, and TestDriven.NET is not free or open source. He *also* has a "free" entry version, but it is crippled in functionality. To have full functionality you pay $$ for the professional version. Sounds familiar? It is very much a commercially driven product.

    But this guy must be the good guy, right? I mean, he's up against Microsoft, so clearly MS is at fault?

  24. Re:MS will make it all moot on Microsoft Slaps Its Most Valuable Professional · · Score: 1

    I hope not. The hole that he used to worm in his "extension" is a very cool feature on which many open source and commercial components (which also work for Express) rely. It supports the "design time experience" of custom or 3rd party controls. .NET comes with a number of built-in "editors" for properties in the property panel: Simple text editing, date/time picker (through a dropdown calendar), color picker etc. Say, you developed this cool control for ASP.NET which draws diagrams, but you want the users to be able to select line styles. An editor which previews the line styles would be a really cool design time feature when you use that control. Thus, you need a custom editor. Essentially you can develop a class which is invoked by the IDE when someone uses your control. This developer chose to use this opportunity (having code executed by the IDE) to navigate through the internals of the IDE up to the menus, commands, text editors etc, and modify these. These contained hooks for customization because they are the same components as in the standard, prof. and team editions.

  25. Re:But is it illegal? on Microsoft Vs. TestDriven.NET · · Score: 3, Informative

    If you read the MS response you would realize that the Express line of products have been stripped of Macros, Addins, extensions etc. MS has in fact not only *disabled* this functionality; they stripped it from the Express products entirely.

    What was done here was to leverage a feature of the properties panel as an attack vector to worm in functionality. The property panel supports "custom editors". That's a feature open to any .NET developer: If you develop your own class/control/component you can leverage the built-in editors for properties of your class, or you can develop your own editors.

    TestDriven.NET used this feature to have his own code run in the context of the Visual Studio Express process. When that happens he hijacks the internals of the application to inject his own menus, commands etc. That is clearly circumventing a restriction explicitly imposed on the Express line. It is also violating the copyright on the product b/c you are now changing the product in ways it was not designed to be changed and to which you have not been granted rights.