AV-Comparatives recently released their May 2009 Corporate AV Report, which sounds like it may be right up your alley.
It's fairly large, but reviews a large number of AV products with a corporate focus, contains lots of screenshots, and even grades them on their appropriateness for Small, Medium and Large networks. Sounds like it would definitely be worth a look in your case.
Since the first FF 3.0 point release of 2009 (3.0.6), I count:
* A dozen critical security vulnerabilities
* Six high security vulnerabilities
* 32 vulnerabilities in total patched this year
I'm a Firefox user, and have been for years, but I'm not going to pretend that it's the Fort Knox of web-browsers just so I can have some false sense of security superiority over rival browsers, or worse, pretend it is highly secure and be ignorant of the actual realities. I'm guessing you're one of those people who don't read the security advisories for Firefox point releases, you really should; it might deflate your reality distortion bubble.
At this point, Mozilla's advantage isn't so much in secure code but fast patch response times.
Are you confusing open standards with open implementations?
I fully support open standards and think they are the way forward, _especially_ on the Internet where interoperability and platform agnosticism is the very essence of a healthy and vibrant network. But, that doesn't mean the code that implements the standards has to be open by extension. It's fine if it is, go for it, but I see no problem with it being proprietary code either. Of course, if the code doesn't properly implement the standard, then that IS a problem, but open-source software can be guilty of this as well; although, admittedly, closed-source seems to have a much larger black mark against it.
It seems to me that your post is just a knee-jerk reaction against mine purely because I dared suggest that a given _implementation_ doesn't have to be open, I in no way suggested that closed and proprietary software that doesn't conform to open standards is a good thing.
Your argument subtly implies that Firefox's implementation is more secure, without providing any proof of your own assertion. Bluntly, Firefox's security record has been far from top-notch for quite some time now, and while their patch response times tend to be excellent, this doesn't change the fact that security vulnerabilities of varying severity are still frequently occuring; and we're all familiar with Microsoft's security record. I can't conclude which implementation is likely more secure.
Which is irrelevant anyway, as you've missed the point of the GP's post in the first place (did you listen?). His argument was that if the OS supports decoding the video format, which it will if it's a modern consumer OS, why should every browser then implement its own media stack to provide a service that the OS already provides? You just end up with a proliferation of software that all does exactly the same thing. Thus, you end up with more security issues (as each implementation will almost certainly have security flaws throughout its lifetime) and more bloat (code duplication, and increase in code size for each respective browser implementing its own media stack).
You can be surgical here and note that this doesn't necessarily translate to greater exploitation, just more security issues. Lots of different media stacks means different exploits, meaning different exploit code, and incompatibility is high. So, any given exploit might only be able to target a small subdomain of the overall browser market, but this is really just a security through obscurity argument, and good security practices (e.g. sandboxing) should mitigate such concerns, and all browsers should have either implemented such technologies or have it on their roadmap.
I understand the value in having a variety of different options, but implementing a solution for no express reason than to offer an alternative, is inherently pointless. It has to have an advantage (and no, being open-source isn't an advantage for most), so if the OS implementation is up to snuff, then the GP does have a valid point.
Having re-read the entirety of your post, I realise it'd take me several pages to correct the absurdity of everything you say, so instead, I'll just recommend a book for you and anyone else who is interested:
Let us not merely condemn the Iranian government. We must condemn Iranian culture. Its product is the authoritarian state.
Except, the Iranian progressives who are demonstrating/rioting over the likely rigged election result are themselves Iranians and the product of Iranian culture. I can guarantee you they strongly identify with numerous aspects of Iranian culture, and certainly aspects of the broader middle-eastern culture. Do you think all those demonstrating are Harvard educated Iranians who were largely brought up in Western countries, assimilating purely Western ideals, values and culture? Don't be absurd.
It's blanket statements like yours that not only reveal an enormous ignorance of foreign cultures, but were also a trademark of Bush era foreign policy; stupid and ignorant statements that simplify entire countries into nothing more than an undeniable "Axis of Evil". I wonder, how much do you know about Iranian culture? Could you write a brief essay on Iranian culture? A page? A post-it note?
I understand that I'm coming off as aggressive here, but these kinds of statements just give me the shits. You wonder why the West has so much trouble constructively engaging with Arab nations and getting concrete results? Well, look no further than the quote above. Not all countries need to share Western ideals and culture to be decent, moral and prosperous, and countries like Iran have millennia long rich histories of cultural and spiritual development. It's ironic that in many ways where the Western world has progressed, the Muslim would has declined, but it is worth remembering that while what is now the West was going through its medieval dark ages with the Church having complete control of the state, many of these countries were highly inclusive and even academically oriented nations that were in their prime. Much of what enabled them to do so is still thoroughly embedded in their culture, and it's these beliefs that have arguably empowered the demonstrators to rise up against their present government.
Perhaps the ultimate irony is that your statement is exactly what empowers those like Ahmadinejad to continue their anti-Western tirade, and further, exactly what compels Iranians and other Arabs to vote for such political candidates and ideologies.
Functionality wise my understanding is that they are effectively equivalent. My only reason for preferencing IDMU was that my experience has been it is better integrated into the overall OS, and possibly as a result, its installation and configuration was smoother.
Last time I used SFU was many years ago, but effectively I had some serious trouble installing it on a Windows Server 2003 box that was only setup weeks ago and was for all good and intent vanilla. It culminated in having to do several modifications to the AD LDAP through ADSI Edit, by adding/tweaking numerous attributes, in order to get things moving. I did find some useful KB articles to MS's credit, but some forum trawling was required, and it overall resulted in probably about a day of what should have been very unnecessary fiddling to get it to work. Some other times I've had to install and configure SFU I've also run into minor configuration oddities of less significance. That, and having IDMU as a base component of the OS is convenient, it's readily available for installation at any given time and also patched if required alongside any other OS component with Windows Update.
I've never had any such issues with IDMU, it's all worked a dream for me since initial installations, but then again, it's entirely possible that my SFU experiences were just some bad luck, and this is all anecdotal. Overall, I think they are both good products, and my IDMU preference is primarily just from a slightly smoother experience of its usage.
It's monopoly abuse. Windows has a desktop monopoly. What Ubuntu or Apple does is not that important, they don't have a monopoly.
Completely disagree. To me, the term "monopoly" (which seems to be bandied about far more than it should be these days) is just code for "your company/product is exceptionally popular and dominates the market". What matters is if 'x' company did something illegal to attain that position, but at this point, the whole monopoly aspect is irrelevant. _ALL_ individuals and companies should be penalized if they break the law, their status as a monopoly is irrelevant. If Microsoft breaks the law, take them to court, but further, apply the same standard to Apple and Ubuntu. Microsoft _DID_ do some pretty dodgy stuff to attain its position, and consequently, has been penalized for it, several times, in several countries; completely fine. But I can not rationalise as fair the notion that a completely different standard should be applied to an entity for no express reason other than its popularity.
If you do want to talk about the situation of Ubuntu and comparing it to Windows. Windows comes with IE and only IE or now maybe no browser at all (even less choice). Ubuntu comes with several terminal programs on the CD/DVD and you can install an other just and just as easily remove the one that was default.
This comparison is in my view invalid. The philosophy behind Ubuntu is completely different to that of Windows and many other proprietary operating systems. Comparisons and debates about superiority/inferiority aside, neither side is fundamentally "wrong", but just different ways of doing things. In Microsoft's case, they develop a product wholly on their own, and as such, wish to distribute it as such without 3rd-party products. I see no problem with this. Further, I can just as easily install another application on a Windows system as a Ubuntu system; what differs is how I do this and the mechanism in place to accomplish it. An Ubuntu user might apt-get it or use Synaptic, a Windows user might browse to the products web-site, download and run the executable. But I have Firefox/Opera/Chrome installed on my Windows box alongside IE, with Firefox as the default browser, and I've yet to find any instance of Windows trying to stop me or inhibit these applications from running to their full capacity. Further, many Linux distributions only install one graphical web-browser, and as such, are in many respects no different to Windows in what they offer out of the box at the GUI level. If you wish to install a different one, go for it, Ubuntu nor Windows will try and stop you.
Yes, IE (until now) can't entirely be removed in full, I'll grant you that. And the original bundling of the browser with the OS is debateably unsound and quite likely illegal as well, depending on your perspective, I'll grant you that as well. Consequently, MS was slapped with fines and various additional oversight requirements. But, the present reality is that there are technical issues with removing IE as a result of the course of history, primarily todo with 3rd-party application compatibility, in the form of programs expecting the IE rendering engine to be present. This being the case, there are considerations involved, and while it can be removed, things will break, and I can guarantee you will witness this in the EU IE-less addition.
It's worth noting that Microsoft also has Services for Unix (applicable for Windows 2000 through Windows Server 2003) and Identity Management for Unix (applicable for Windows Vista through Windows Server 2008).
While Unix boxes can authenticate to an Active Directory domain through the use of Samba and derivatives, the advantage of these services is that they can extend the LDAP schema with NIS attributes to provide native NIS authentication, and also, extend SMB sharing with NFS support to provide native NFS sharing. In both cases, the NIS/NFS support is fully integrated with the native Windows support, and data shared between the two; that is, Windows AD objects can be immediately used with NIS and NFS, they co-exist. I've personally found this a huge convenience as most Unix/Linux distros can authenticate to the domain out-of-the-box and with an absolute minimal amount of configuration, often during the initial installation without even having to dive into configuration files to get the basics done. With some extra work, you can also enable password synchronization in the Unix -> NIS direction and/or the Windows -> NIS direction through the use of a (closed-source) PAM module (the reason for this being that as far as the Unix boxes are concerned they are using NIS, but behind the scenes, it is fundamentally AD with a NIS front-end, and the intricacies of password management and the updating of are very different.)
As admittedly distasteful as it is that Microsoft has an inherent competitive advantage here in that much of their implementation is proprietary and their competitors is not, leaving them free to support NIS/NFS but not necessarily the other way around, my experience is that they have done their implementation quite well. Word to the wise: I've had a FAR better experience with IDMU on Server 2008 than SFU for Server 2003. The former requires a separate download for SFU while the latter has IDMU included as part of the OS and can be installed at any time as an optional component alongside AD/SMB, either at initial installation of those components or as a future addition post-installation. The result is a tighter coupling of the respective services: it feels like communication between the Unix support division and the Windows tech division was far better for Server 2008; I had to spend many hours getting NIS/NFS to work on 2003, but had it up and working perfectly in under an hour on 2008. That being said, both can be made to work fine and will get the job done well, my experience is purely limited to ease of setup and initial impression on the polish and integration of each, functionality wise, they are both almost identical.
Both are free of charge, provided of course you have a Windows licence, with IDMU effectively being a renamed and improved SFU.
I'm not sure it was a mistake, at least not in Microsoft's view, once you consider the reason why it was implemented and the (probable) reason why they've removed the limitation.
The reason why it was implemented according to various sources was to limit the damage of all those infected Windows machines spamming networks looking for new vulnerable hosts to infect, and also, slow down the rate at which they would cause bedlam. By enforcing such a limit, the aim was to impede an infected machines ability to propogate the infection; of course, we're primarily talking the nasty to catastrophic Windows worms we've seen in the past from gaping truck-sized security holes in critical system components.
However, if you look at Vista, you'll note that contrary to what some people would like you to believe, the exploitability of the OS has gone down drastically versus XP, in particular, with regards to worms. This is of course due to several reasons: better OS security architecture, defence-in-depth (DEP/ASLR/etc...), properly enforced user permissions, the list goes on. Take the most recent Conficker worm as an example. Vista infections will almost certainly be a lot lower, for one, the exploit path that uses the MS08-067 vulnerability that forms its primary exploit vector can not be exploited anonymously on Vista and newer machines. The vulnerable code is still present unless patched, but it requires valid user credentials.
At a guess, I'd say Microsoft came to the conclusion that the TCP limit was no longer necessary on Vista, as the improved security of the OS made the need for such connection limitations redundant. On the other hand, I'll be surprised if they ever remove it on XP, because no matter how much you patch it, it is fundamentally more insecure by its architecture than Vista. And if they don't remove the limitation on XP, I'd argue that's quite telling as to the motivation and reasoning behind removing it on Vista only.
If we push aside the whole copyright question temporarily, as just a question as it is, there's an even more disturbing element I find to the argument this person and so many others associated with the large media companies, enforcers and copyright lobbyists espouse.
As the internet has developed and evolved, I'd wager all of us Slashdot readers have witnessed and recognised its potential to revolutionise countless aspects of humanity. The Internet provides unique and fundamentally different ways to provide information in all kinds of forms to individuals, often at incredibly rapid speeds, for little to no cost, with a very high degree of accessibility that is only going to improve as Internet connections permeate all aspects of society everywhere around the globe, and consequently, costs further decrease as it becomes even more of a basic and fundamental commodity. The result being that human knowledge and culture is now more readily available and in vaster quantities than at any time in our history.
The extreme copyright and intellectual property protectionism that these people espouse, and the ideas to realise and enforce them that they inevitably generate, if ever implemented, I think would fundamentally alter the way the Internet functions and significantly damage its potential to enrich mankind and further develop. The results of implementing such ideas would turn the Internet in some ways into nothing more than an evolution of TV/Radio/other forms of "content delivery" that the media companies are so familiar with, and so easily able to control. The result would be disastrous for the continuing development of the internet, and devastating in terms of negating the benefits, both short-term and long term, that it currently is and is likely to further provide in the future. The copyright lobby may purely be interested in keeping their pockets lined, but if their ideas were used, they'd have far-reaching consequences across the Internet that would likely spread outside the domain of standard media. The copyright agenda is just how this could happen, but the result would be far greater than the sum of its parts.
I know this post likely comes across as dramatic, but I've grown up on the Internet and witnessed from a young age its potential, and the concepts thrown-about and in some cases being used right now (see: France, etc..) terrify me in their potential ramifications.
Workaround #1: Turn off WebDAV
Turning off WebDAV might be a good option if you are not using it or can live without out until we have a security update available. You can find instructions at http://support.microsoft.com/kb/241520.
Funny. It sounded like "use software with open standards and secure implementations" to me.
I personally use Apache for my web-facing server, but that being said, IIS 6 (Windows Server 2003) has had a very good security track record. Secunia tracks 6 advisories since its release back in 2003 and only one of those is unpatched, that being the vulnerability this story is about.
In contrast, Apache 2.2 was released in late 2005 and has 10 exploits listed, with 2 unpatched and 2 with partial fixes. The exploits seem to be on average less severe, but there's more of them, and some aren't patched.
My point being, you might not want to jump to conclusions;) IIS 5.x and earlier was absolutely shocking for security, but IIS 6.x and above does have significant improvements. It's no coincidence that IIS 6 is not vulnerable to this exploit out of the box while IIS 5 is.
Worth noting that this only affects IIS 5.x and 6.x, which admittedly, accounts for the huge majority of IIS webservers, but IIS 7.x (Windows Server 2008 and above) are not affected.
Next question asked is WHY has Microsoft have to invent one when there are others available already?
I'd suggest several major reasons:
1. Integration with the.NET Environment.
2. Integration with the Visual Studio IDE.
3. Maximise control of the style of the language, featureset and its future direction.
If you check the wikipedia page the parent linked to, there are already stacks of concurrent programming languages available, it's not like there's some universal standard concurrency language out there Microsoft is trying to displace. That, and the above points, particularly with respect to.NET, does give it a unique feature that distinguishes it from other concurrent languages (even if you loathe.NET, it still separates it from the rest).
Probably the answer is "Because they can" and they see a business in locking in people into their environment.
Yes and no. You can take the whole lock-in argument (not entirely unreasonably), but you can also take the argument that for those who don't actually have a need to develop something for multiple platforms, a language fundamentally focused on a Windows-centric design with related tools is probably a huge positive. Why code in a language with a crap toolset/IDE (assuming there is one) and various other potential problems when MS offers one that plugs into.NET, VS, and is guaranteed to work great on Windows out of the box? That, and if you're already familiar with the above, the migration path I suspect is quite easy.
Of course, this being.NET based, Mono may or may not support some of this stuff. No idea.
"Microsoft is effectively giving away Windows 7 free for a year with the launch of the Release Candidate.
It's only free if you don't value bug fixes, security updates, product support and potentially all manner of issues installing software that will be released for Windows 7 RTM on a pre-release version no-one will have done significant product testing on and won't care to help you with if you run into problems.
Keeping all this in mind, and the fact this is pre-release development code, it's not hard to see why this release is free. I do find it odd that it's got such a generous expiration date, but approaching this as a free (time-limited) lunch is probably a fairly bad idea for all the reasons above.
If you like it, but don't want to pay for it, just pirate it. You'll be better off, and so may many others when they don't have to worry about your compromised box congesting their network, because it was exploited by a flaw MS has no intention of fixing in pre-release code.
Normally I'm opposed to Microsoft pushing out feature updates as compulsory (versus security fixes and bug patches), however, in this particular case I'd have to say this is a good move. The benefits are many and the negatives few.
IE might have a bad reputation, and not at all unfairly much of the time, but no matter how much you hate IE, IE8 brings a lot to the table; even if what it brings is long overdue. Improved security, much better standards support, and even some genuine innovative features.
The debate can rage on about the ethics and legality of bundling the browser with and integrating it into the OS, but the reality is this is the case, and the security benefits alone make the upgrade sensible in my view.
However, the upgrade should be done in the background and in no way alter any preferences. Provided no configuration settings the user has set are changed (in particular, default browser), then the background benefits are gained, and the user can check out IE8 at their leisure if they wish, or ignore it completely.
Oh, and finally, this helps to kill off IE6, which really does need to FOAD.
I don't think it's the issue of Windows being more secure, rather of Linux exposing more of underlying hardware.
I'm not sure this is strictly true, but rather, the mechanism with which the OS exposes the underlying hardware.
Whereas Linux often exposes technical hardware functionality and information in user-mode and quite possibly through the file-system, Windows is more likely to expose it through things like the Object Manager (think/dev) and WMI (think/proc) in user-mode, while some functionality that can be accessed through user-mode as root in Linux can only be accessed via kernel mode (quite probably more secure, but also quite possibly at the cost of usability, pissing off people who have a legitimate reason to need to access such functionality easily from user-mode).
Even the most powerful features exposed in the Linux filesystem can generally be found somewhere on Windows. A dual example: there is a NT equivalent of/dev/kmem, you can find it in the Object Manager under \Device\PhysicalMemory. In (some?) x86 versions of Windows, you could actually modify its permissions to enable direct read/write to a region of Physical Memory, though it can now only be accessed via kernel mode in x64 Windows. Both more obscure and in this case probably more secure.
I guess what I'm getting at is the difference in how the functionality is exposed, with Linux tending to be more "up-front" and expose the functionality out in the open, while much of it in Windows is hidden away, where you can only find it if you know what you're looking for.
The House of Representatives uses the preferential voting system, which tends to favour major parties.
The Senate uses the proportional representation system, which as you indicated, is far more friendly to minor parties.
The result being the Senate tends to have a more diverse selection of political parties than the HoR.
It is a shame the US's electoral system isn't more friendly to minor parties; I think having a broader variety of views represented in parliament tends to ultimately benefit all.
You don't need to get into government to affect the political process; rather, you need enough seats to be able to have a significant impact on the likelihood of legislation getting through the parliament. I suspect this is what they are aiming for. I'm not sure what the composition is of the American parliament, for instance, but many countries have minor parties with significant representation.
For example, here in Australia the Greens have several seats in the Senate, enough in fact, that the Government can't pass legislation without their support (assuming they don't have the support of the opposition). This usually isn't a problem, as the Greens will generally go along with most of the government legislation. But, for certain pieces, for example, the government is forced to make concessions to appease the Greens if they wish to get the legislation through.
The point being, if you need the support of a party in order to get more controversial legislation through, you may well find you need to make concessions to other parties in areas that aren't core to your political ideology in order to advance your main cause. I suspect this is what The Pirate Party would like to achieve. No real aspirations for government, just enough representation to change the law in the areas they really care about.
I think you don't properly understand how SuperFetch works. It caches in RAM frequently used program data by pre-emptively loading commonly used applications and program data into unused RAM in anticipation of the user intending to run these applications. If he/she does, load times can be greatly reduced.
However, note that the SuperFetch service runs at a very low priority, and will yield system resources to effectively any other process that requests system resources. Further, in the event of a program requesting memory that isn't available, SuperFetch will just dump from its cache a large enough portion of memory to accomodate the program. By your own admission, and correctly, RAM is _FAST_. The process of re-allocating a segment of memory from SuperFetch to your new program is negligible. SuperFetch will also never page to disk memory in use by an actually running program in order to fill the cache. I'm not saying that running programs won't be cached to disk, but it isn't SuperFetch that is the culprit. There are many other mechanisms in place that can result in this occuring, and SuperFetch isn't the only code on the system that plays around with the cache.
Suffice to say, if you dislike SuperFetch, it's easy to disable it. Just go into Windows Services and change the SuperFetch service startup from Automatic to Disabled, and stop the service. You've now disabled the aggressive pre-caching, no harder than any other tweak for any other operating system.
You'll note that Conficker primarily targets NT 5.x operating systems: 2000, XP and 2003. While the vulnerable code is present in Vista and 2008 (and has been patched), the exploit requirements differ, in that it can only be exploited by an authenticated user, whereas on NT 5.x it can be exploited anonymously.
Obviously, exploiting it anonymously without valid crendentials is ridiculously easy and makes for a great worm, but doing so with valid credentials makes exploitation much more difficult. I'd wager the vast majority of Conficker infections are not Vista systems, and the ones that are are unlikely to have been infected via the exploit path, but more likely USB key transmission or another vector.
Seeing as how this article addresses Vista and not XP, I think your comment is invalid.
You're correct, but the distinction is that this is frequently not possible on Windows platforms due to the software ecosystem.
What with the vast majority of Linux software being open-source, Red Hat has the capability to pull up the code for pretty much anything on their distro, even if it isn't their software, get their engineers to go through the code, and fix it.
Windows software tends to be the reverse, with the vast majority being closed-source. That being the case, the best you can do is notify the developer that the program has a problem and provide them with some data of varying quality and detail that may help to expedite a fix.
Microsoft does do these things by the way, and frequently, but when it's neither your product nor do you have access to the code, the ball really is completely out of your court, and it all comes down to whether the developer can be bothered to fix it and how quickly he wishes to do so.
The Million Dollar question will be whether the fact that XP upgrades to Windows 7 requires a clean install will prove to be Microsoft's undoing.
Seriously, how many businesses upgrade Windows installations over an existing previous installed version of Windows? Businesses don't do in-place upgrades of OS's, they re-image the entire machine.
It's faster, more reliable, and gives you a much higher degree of certainty of both what is on the machine and that it's going to work. Upgrading over an existing Windows installation is messy at the best of times, with mess generally being proportional to how many revisions behind the OS you are upgrading to. In the case of 7, that's one major revision and one minor revision. A huge amount changed in Vista between XP, and 7 only widens the gap.
I can only conclude the poster has no idea about how OS upgrades are performed in businesses of any reasonable size. Because only small businesses would even consider an OS upgrade over an existing install if they give a damn about reliability. The time spent ironing out the issues post upgrade will often be less than the time it takes to just reinstall from scratch.
If by secure you mean has a proper security model in place, defence-in-depth (DEP/ASLR/etc...), automatic enablement of operating system updates, firewall, malware protection and reasonable defaults; then yes, I'd say Windows 7 is secure.
If you mean secure against your 13 year old daughter with Admin rights downloading a random program, running it, ignoring the UAC prompts, and installing some malware deep into your system, then no, probably not secure. But, the most secure operating system in the world can't protect against abject stupidity.
If you talk to a Windows user who knows what they are doing, much like a Linux user who knows what they're doing, you'll find they almost certainly have no security problems. I certainly haven't.
Slashdot Mirror
AV-Comparatives recently released their May 2009 Corporate AV Report, which sounds like it may be right up your alley.
It's fairly large, but reviews a large number of AV products with a corporate focus, contains lots of screenshots, and even grades them on their appropriateness for Small, Medium and Large networks. Sounds like it would definitely be worth a look in your case.
Proof?
Since the first FF 3.0 point release of 2009 (3.0.6), I count:
* A dozen critical security vulnerabilities
* Six high security vulnerabilities
* 32 vulnerabilities in total patched this year
I'm a Firefox user, and have been for years, but I'm not going to pretend that it's the Fort Knox of web-browsers just so I can have some false sense of security superiority over rival browsers, or worse, pretend it is highly secure and be ignorant of the actual realities. I'm guessing you're one of those people who don't read the security advisories for Firefox point releases, you really should; it might deflate your reality distortion bubble.
At this point, Mozilla's advantage isn't so much in secure code but fast patch response times.
Are you confusing open standards with open implementations?
I fully support open standards and think they are the way forward, _especially_ on the Internet where interoperability and platform agnosticism is the very essence of a healthy and vibrant network. But, that doesn't mean the code that implements the standards has to be open by extension. It's fine if it is, go for it, but I see no problem with it being proprietary code either. Of course, if the code doesn't properly implement the standard, then that IS a problem, but open-source software can be guilty of this as well; although, admittedly, closed-source seems to have a much larger black mark against it.
It seems to me that your post is just a knee-jerk reaction against mine purely because I dared suggest that a given _implementation_ doesn't have to be open, I in no way suggested that closed and proprietary software that doesn't conform to open standards is a good thing.
Your argument subtly implies that Firefox's implementation is more secure, without providing any proof of your own assertion. Bluntly, Firefox's security record has been far from top-notch for quite some time now, and while their patch response times tend to be excellent, this doesn't change the fact that security vulnerabilities of varying severity are still frequently occuring; and we're all familiar with Microsoft's security record. I can't conclude which implementation is likely more secure.
Which is irrelevant anyway, as you've missed the point of the GP's post in the first place (did you listen?). His argument was that if the OS supports decoding the video format, which it will if it's a modern consumer OS, why should every browser then implement its own media stack to provide a service that the OS already provides? You just end up with a proliferation of software that all does exactly the same thing. Thus, you end up with more security issues (as each implementation will almost certainly have security flaws throughout its lifetime) and more bloat (code duplication, and increase in code size for each respective browser implementing its own media stack).
You can be surgical here and note that this doesn't necessarily translate to greater exploitation, just more security issues. Lots of different media stacks means different exploits, meaning different exploit code, and incompatibility is high. So, any given exploit might only be able to target a small subdomain of the overall browser market, but this is really just a security through obscurity argument, and good security practices (e.g. sandboxing) should mitigate such concerns, and all browsers should have either implemented such technologies or have it on their roadmap.
I understand the value in having a variety of different options, but implementing a solution for no express reason than to offer an alternative, is inherently pointless. It has to have an advantage (and no, being open-source isn't an advantage for most), so if the OS implementation is up to snuff, then the GP does have a valid point.
Having re-read the entirety of your post, I realise it'd take me several pages to correct the absurdity of everything you say, so instead, I'll just recommend a book for you and anyone else who is interested:
People Like Us: How Arrogance Is Dividing Islam and the West (Paperback) by Waleed Aly.
Let us not merely condemn the Iranian government. We must condemn Iranian culture. Its product is the authoritarian state.
Except, the Iranian progressives who are demonstrating/rioting over the likely rigged election result are themselves Iranians and the product of Iranian culture. I can guarantee you they strongly identify with numerous aspects of Iranian culture, and certainly aspects of the broader middle-eastern culture. Do you think all those demonstrating are Harvard educated Iranians who were largely brought up in Western countries, assimilating purely Western ideals, values and culture? Don't be absurd.
It's blanket statements like yours that not only reveal an enormous ignorance of foreign cultures, but were also a trademark of Bush era foreign policy; stupid and ignorant statements that simplify entire countries into nothing more than an undeniable "Axis of Evil". I wonder, how much do you know about Iranian culture? Could you write a brief essay on Iranian culture? A page? A post-it note?
I understand that I'm coming off as aggressive here, but these kinds of statements just give me the shits. You wonder why the West has so much trouble constructively engaging with Arab nations and getting concrete results? Well, look no further than the quote above. Not all countries need to share Western ideals and culture to be decent, moral and prosperous, and countries like Iran have millennia long rich histories of cultural and spiritual development. It's ironic that in many ways where the Western world has progressed, the Muslim would has declined, but it is worth remembering that while what is now the West was going through its medieval dark ages with the Church having complete control of the state, many of these countries were highly inclusive and even academically oriented nations that were in their prime. Much of what enabled them to do so is still thoroughly embedded in their culture, and it's these beliefs that have arguably empowered the demonstrators to rise up against their present government.
Perhaps the ultimate irony is that your statement is exactly what empowers those like Ahmadinejad to continue their anti-Western tirade, and further, exactly what compels Iranians and other Arabs to vote for such political candidates and ideologies.
Functionality wise my understanding is that they are effectively equivalent. My only reason for preferencing IDMU was that my experience has been it is better integrated into the overall OS, and possibly as a result, its installation and configuration was smoother.
Last time I used SFU was many years ago, but effectively I had some serious trouble installing it on a Windows Server 2003 box that was only setup weeks ago and was for all good and intent vanilla. It culminated in having to do several modifications to the AD LDAP through ADSI Edit, by adding/tweaking numerous attributes, in order to get things moving. I did find some useful KB articles to MS's credit, but some forum trawling was required, and it overall resulted in probably about a day of what should have been very unnecessary fiddling to get it to work. Some other times I've had to install and configure SFU I've also run into minor configuration oddities of less significance. That, and having IDMU as a base component of the OS is convenient, it's readily available for installation at any given time and also patched if required alongside any other OS component with Windows Update.
I've never had any such issues with IDMU, it's all worked a dream for me since initial installations, but then again, it's entirely possible that my SFU experiences were just some bad luck, and this is all anecdotal. Overall, I think they are both good products, and my IDMU preference is primarily just from a slightly smoother experience of its usage.
Also, sorry for the terribly slow reply!
It's monopoly abuse. Windows has a desktop monopoly. What Ubuntu or Apple does is not that important, they don't have a monopoly.
Completely disagree. To me, the term "monopoly" (which seems to be bandied about far more than it should be these days) is just code for "your company/product is exceptionally popular and dominates the market". What matters is if 'x' company did something illegal to attain that position, but at this point, the whole monopoly aspect is irrelevant. _ALL_ individuals and companies should be penalized if they break the law, their status as a monopoly is irrelevant. If Microsoft breaks the law, take them to court, but further, apply the same standard to Apple and Ubuntu. Microsoft _DID_ do some pretty dodgy stuff to attain its position, and consequently, has been penalized for it, several times, in several countries; completely fine. But I can not rationalise as fair the notion that a completely different standard should be applied to an entity for no express reason other than its popularity.
If you do want to talk about the situation of Ubuntu and comparing it to Windows. Windows comes with IE and only IE or now maybe no browser at all (even less choice). Ubuntu comes with several terminal programs on the CD/DVD and you can install an other just and just as easily remove the one that was default.
This comparison is in my view invalid. The philosophy behind Ubuntu is completely different to that of Windows and many other proprietary operating systems. Comparisons and debates about superiority/inferiority aside, neither side is fundamentally "wrong", but just different ways of doing things. In Microsoft's case, they develop a product wholly on their own, and as such, wish to distribute it as such without 3rd-party products. I see no problem with this. Further, I can just as easily install another application on a Windows system as a Ubuntu system; what differs is how I do this and the mechanism in place to accomplish it. An Ubuntu user might apt-get it or use Synaptic, a Windows user might browse to the products web-site, download and run the executable. But I have Firefox/Opera/Chrome installed on my Windows box alongside IE, with Firefox as the default browser, and I've yet to find any instance of Windows trying to stop me or inhibit these applications from running to their full capacity. Further, many Linux distributions only install one graphical web-browser, and as such, are in many respects no different to Windows in what they offer out of the box at the GUI level. If you wish to install a different one, go for it, Ubuntu nor Windows will try and stop you.
Yes, IE (until now) can't entirely be removed in full, I'll grant you that. And the original bundling of the browser with the OS is debateably unsound and quite likely illegal as well, depending on your perspective, I'll grant you that as well. Consequently, MS was slapped with fines and various additional oversight requirements. But, the present reality is that there are technical issues with removing IE as a result of the course of history, primarily todo with 3rd-party application compatibility, in the form of programs expecting the IE rendering engine to be present. This being the case, there are considerations involved, and while it can be removed, things will break, and I can guarantee you will witness this in the EU IE-less addition.
It's worth noting that Microsoft also has Services for Unix (applicable for Windows 2000 through Windows Server 2003) and Identity Management for Unix (applicable for Windows Vista through Windows Server 2008).
While Unix boxes can authenticate to an Active Directory domain through the use of Samba and derivatives, the advantage of these services is that they can extend the LDAP schema with NIS attributes to provide native NIS authentication, and also, extend SMB sharing with NFS support to provide native NFS sharing. In both cases, the NIS/NFS support is fully integrated with the native Windows support, and data shared between the two; that is, Windows AD objects can be immediately used with NIS and NFS, they co-exist. I've personally found this a huge convenience as most Unix/Linux distros can authenticate to the domain out-of-the-box and with an absolute minimal amount of configuration, often during the initial installation without even having to dive into configuration files to get the basics done. With some extra work, you can also enable password synchronization in the Unix -> NIS direction and/or the Windows -> NIS direction through the use of a (closed-source) PAM module (the reason for this being that as far as the Unix boxes are concerned they are using NIS, but behind the scenes, it is fundamentally AD with a NIS front-end, and the intricacies of password management and the updating of are very different.)
As admittedly distasteful as it is that Microsoft has an inherent competitive advantage here in that much of their implementation is proprietary and their competitors is not, leaving them free to support NIS/NFS but not necessarily the other way around, my experience is that they have done their implementation quite well. Word to the wise: I've had a FAR better experience with IDMU on Server 2008 than SFU for Server 2003. The former requires a separate download for SFU while the latter has IDMU included as part of the OS and can be installed at any time as an optional component alongside AD/SMB, either at initial installation of those components or as a future addition post-installation. The result is a tighter coupling of the respective services: it feels like communication between the Unix support division and the Windows tech division was far better for Server 2008; I had to spend many hours getting NIS/NFS to work on 2003, but had it up and working perfectly in under an hour on 2008. That being said, both can be made to work fine and will get the job done well, my experience is purely limited to ease of setup and initial impression on the polish and integration of each, functionality wise, they are both almost identical.
Both are free of charge, provided of course you have a Windows licence, with IDMU effectively being a renamed and improved SFU.
I'm not sure it was a mistake, at least not in Microsoft's view, once you consider the reason why it was implemented and the (probable) reason why they've removed the limitation.
The reason why it was implemented according to various sources was to limit the damage of all those infected Windows machines spamming networks looking for new vulnerable hosts to infect, and also, slow down the rate at which they would cause bedlam. By enforcing such a limit, the aim was to impede an infected machines ability to propogate the infection; of course, we're primarily talking the nasty to catastrophic Windows worms we've seen in the past from gaping truck-sized security holes in critical system components.
However, if you look at Vista, you'll note that contrary to what some people would like you to believe, the exploitability of the OS has gone down drastically versus XP, in particular, with regards to worms. This is of course due to several reasons: better OS security architecture, defence-in-depth (DEP/ASLR/etc...), properly enforced user permissions, the list goes on. Take the most recent Conficker worm as an example. Vista infections will almost certainly be a lot lower, for one, the exploit path that uses the MS08-067 vulnerability that forms its primary exploit vector can not be exploited anonymously on Vista and newer machines. The vulnerable code is still present unless patched, but it requires valid user credentials.
At a guess, I'd say Microsoft came to the conclusion that the TCP limit was no longer necessary on Vista, as the improved security of the OS made the need for such connection limitations redundant. On the other hand, I'll be surprised if they ever remove it on XP, because no matter how much you patch it, it is fundamentally more insecure by its architecture than Vista. And if they don't remove the limitation on XP, I'd argue that's quite telling as to the motivation and reasoning behind removing it on Vista only.
If we push aside the whole copyright question temporarily, as just a question as it is, there's an even more disturbing element I find to the argument this person and so many others associated with the large media companies, enforcers and copyright lobbyists espouse.
As the internet has developed and evolved, I'd wager all of us Slashdot readers have witnessed and recognised its potential to revolutionise countless aspects of humanity. The Internet provides unique and fundamentally different ways to provide information in all kinds of forms to individuals, often at incredibly rapid speeds, for little to no cost, with a very high degree of accessibility that is only going to improve as Internet connections permeate all aspects of society everywhere around the globe, and consequently, costs further decrease as it becomes even more of a basic and fundamental commodity. The result being that human knowledge and culture is now more readily available and in vaster quantities than at any time in our history.
The extreme copyright and intellectual property protectionism that these people espouse, and the ideas to realise and enforce them that they inevitably generate, if ever implemented, I think would fundamentally alter the way the Internet functions and significantly damage its potential to enrich mankind and further develop. The results of implementing such ideas would turn the Internet in some ways into nothing more than an evolution of TV/Radio/other forms of "content delivery" that the media companies are so familiar with, and so easily able to control. The result would be disastrous for the continuing development of the internet, and devastating in terms of negating the benefits, both short-term and long term, that it currently is and is likely to further provide in the future. The copyright lobby may purely be interested in keeping their pockets lined, but if their ideas were used, they'd have far-reaching consequences across the Internet that would likely spread outside the domain of standard media. The copyright agenda is just how this could happen, but the result would be far greater than the sum of its parts.
I know this post likely comes across as dramatic, but I've grown up on the Internet and witnessed from a young age its potential, and the concepts thrown-about and in some cases being used right now (see: France, etc..) terrify me in their potential ramifications.
Workaround #1: Turn off WebDAV
Turning off WebDAV might be a good option if you are not using it or can live without out until we have a security update available. You can find instructions at http://support.microsoft.com/kb/241520.
Source: http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx
Funny. It sounded like "use software with open standards and secure implementations" to me.
I personally use Apache for my web-facing server, but that being said, IIS 6 (Windows Server 2003) has had a very good security track record. Secunia tracks 6 advisories since its release back in 2003 and only one of those is unpatched, that being the vulnerability this story is about.
;) IIS 5.x and earlier was absolutely shocking for security, but IIS 6.x and above does have significant improvements. It's no coincidence that IIS 6 is not vulnerable to this exploit out of the box while IIS 5 is.
In contrast, Apache 2.2 was released in late 2005 and has 10 exploits listed, with 2 unpatched and 2 with partial fixes. The exploits seem to be on average less severe, but there's more of them, and some aren't patched.
My point being, you might not want to jump to conclusions
Did they give any configuration which is not at risk?
Yes, several: More information about the IIS authentication bypass
Worth noting that this only affects IIS 5.x and 6.x, which admittedly, accounts for the huge majority of IIS webservers, but IIS 7.x (Windows Server 2008 and above) are not affected.
Next question asked is WHY has Microsoft have to invent one when there are others available already?
I'd suggest several major reasons: .NET Environment.
.NET, does give it a unique feature that distinguishes it from other concurrent languages (even if you loathe .NET, it still separates it from the rest).
1. Integration with the
2. Integration with the Visual Studio IDE.
3. Maximise control of the style of the language, featureset and its future direction.
If you check the wikipedia page the parent linked to, there are already stacks of concurrent programming languages available, it's not like there's some universal standard concurrency language out there Microsoft is trying to displace. That, and the above points, particularly with respect to
Probably the answer is "Because they can" and they see a business in locking in people into their environment.
Yes and no. You can take the whole lock-in argument (not entirely unreasonably), but you can also take the argument that for those who don't actually have a need to develop something for multiple platforms, a language fundamentally focused on a Windows-centric design with related tools is probably a huge positive. Why code in a language with a crap toolset/IDE (assuming there is one) and various other potential problems when MS offers one that plugs into .NET, VS, and is guaranteed to work great on Windows out of the box? That, and if you're already familiar with the above, the migration path I suspect is quite easy.
.NET based, Mono may or may not support some of this stuff. No idea.
Of course, this being
"Microsoft is effectively giving away Windows 7 free for a year with the launch of the Release Candidate.
It's only free if you don't value bug fixes, security updates, product support and potentially all manner of issues installing software that will be released for Windows 7 RTM on a pre-release version no-one will have done significant product testing on and won't care to help you with if you run into problems.
Keeping all this in mind, and the fact this is pre-release development code, it's not hard to see why this release is free. I do find it odd that it's got such a generous expiration date, but approaching this as a free (time-limited) lunch is probably a fairly bad idea for all the reasons above.
If you like it, but don't want to pay for it, just pirate it. You'll be better off, and so may many others when they don't have to worry about your compromised box congesting their network, because it was exploited by a flaw MS has no intention of fixing in pre-release code.
Normally I'm opposed to Microsoft pushing out feature updates as compulsory (versus security fixes and bug patches), however, in this particular case I'd have to say this is a good move. The benefits are many and the negatives few.
IE might have a bad reputation, and not at all unfairly much of the time, but no matter how much you hate IE, IE8 brings a lot to the table; even if what it brings is long overdue. Improved security, much better standards support, and even some genuine innovative features.
The debate can rage on about the ethics and legality of bundling the browser with and integrating it into the OS, but the reality is this is the case, and the security benefits alone make the upgrade sensible in my view.
However, the upgrade should be done in the background and in no way alter any preferences. Provided no configuration settings the user has set are changed (in particular, default browser), then the background benefits are gained, and the user can check out IE8 at their leisure if they wish, or ignore it completely.
Oh, and finally, this helps to kill off IE6, which really does need to FOAD.
I don't think it's the issue of Windows being more secure, rather of Linux exposing more of underlying hardware.
I'm not sure this is strictly true, but rather, the mechanism with which the OS exposes the underlying hardware.
/dev) and WMI (think /proc) in user-mode, while some functionality that can be accessed through user-mode as root in Linux can only be accessed via kernel mode (quite probably more secure, but also quite possibly at the cost of usability, pissing off people who have a legitimate reason to need to access such functionality easily from user-mode).
/dev/kmem, you can find it in the Object Manager under \Device\PhysicalMemory. In (some?) x86 versions of Windows, you could actually modify its permissions to enable direct read/write to a region of Physical Memory, though it can now only be accessed via kernel mode in x64 Windows. Both more obscure and in this case probably more secure.
Whereas Linux often exposes technical hardware functionality and information in user-mode and quite possibly through the file-system, Windows is more likely to expose it through things like the Object Manager (think
Even the most powerful features exposed in the Linux filesystem can generally be found somewhere on Windows. A dual example: there is a NT equivalent of
I guess what I'm getting at is the difference in how the functionality is exposed, with Linux tending to be more "up-front" and expose the functionality out in the open, while much of it in Windows is hidden away, where you can only find it if you know what you're looking for.
At the federal level we have two voting systems.
The House of Representatives uses the preferential voting system, which tends to favour major parties.
The Senate uses the proportional representation system, which as you indicated, is far more friendly to minor parties.
The result being the Senate tends to have a more diverse selection of political parties than the HoR.
It is a shame the US's electoral system isn't more friendly to minor parties; I think having a broader variety of views represented in parliament tends to ultimately benefit all.
You don't need to get into government to affect the political process; rather, you need enough seats to be able to have a significant impact on the likelihood of legislation getting through the parliament. I suspect this is what they are aiming for. I'm not sure what the composition is of the American parliament, for instance, but many countries have minor parties with significant representation.
For example, here in Australia the Greens have several seats in the Senate, enough in fact, that the Government can't pass legislation without their support (assuming they don't have the support of the opposition). This usually isn't a problem, as the Greens will generally go along with most of the government legislation. But, for certain pieces, for example, the government is forced to make concessions to appease the Greens if they wish to get the legislation through.
The point being, if you need the support of a party in order to get more controversial legislation through, you may well find you need to make concessions to other parties in areas that aren't core to your political ideology in order to advance your main cause. I suspect this is what The Pirate Party would like to achieve. No real aspirations for government, just enough representation to change the law in the areas they really care about.
I think you don't properly understand how SuperFetch works. It caches in RAM frequently used program data by pre-emptively loading commonly used applications and program data into unused RAM in anticipation of the user intending to run these applications. If he/she does, load times can be greatly reduced.
However, note that the SuperFetch service runs at a very low priority, and will yield system resources to effectively any other process that requests system resources. Further, in the event of a program requesting memory that isn't available, SuperFetch will just dump from its cache a large enough portion of memory to accomodate the program. By your own admission, and correctly, RAM is _FAST_. The process of re-allocating a segment of memory from SuperFetch to your new program is negligible. SuperFetch will also never page to disk memory in use by an actually running program in order to fill the cache. I'm not saying that running programs won't be cached to disk, but it isn't SuperFetch that is the culprit. There are many other mechanisms in place that can result in this occuring, and SuperFetch isn't the only code on the system that plays around with the cache.
Suffice to say, if you dislike SuperFetch, it's easy to disable it. Just go into Windows Services and change the SuperFetch service startup from Automatic to Disabled, and stop the service. You've now disabled the aggressive pre-caching, no harder than any other tweak for any other operating system.
You'll note that Conficker primarily targets NT 5.x operating systems: 2000, XP and 2003. While the vulnerable code is present in Vista and 2008 (and has been patched), the exploit requirements differ, in that it can only be exploited by an authenticated user, whereas on NT 5.x it can be exploited anonymously.
Obviously, exploiting it anonymously without valid crendentials is ridiculously easy and makes for a great worm, but doing so with valid credentials makes exploitation much more difficult. I'd wager the vast majority of Conficker infections are not Vista systems, and the ones that are are unlikely to have been infected via the exploit path, but more likely USB key transmission or another vector.
Seeing as how this article addresses Vista and not XP, I think your comment is invalid.
You're correct, but the distinction is that this is frequently not possible on Windows platforms due to the software ecosystem.
What with the vast majority of Linux software being open-source, Red Hat has the capability to pull up the code for pretty much anything on their distro, even if it isn't their software, get their engineers to go through the code, and fix it.
Windows software tends to be the reverse, with the vast majority being closed-source. That being the case, the best you can do is notify the developer that the program has a problem and provide them with some data of varying quality and detail that may help to expedite a fix.
Microsoft does do these things by the way, and frequently, but when it's neither your product nor do you have access to the code, the ball really is completely out of your court, and it all comes down to whether the developer can be bothered to fix it and how quickly he wishes to do so.
The Million Dollar question will be whether the fact that XP upgrades to Windows 7 requires a clean install will prove to be Microsoft's undoing.
Seriously, how many businesses upgrade Windows installations over an existing previous installed version of Windows? Businesses don't do in-place upgrades of OS's, they re-image the entire machine.
It's faster, more reliable, and gives you a much higher degree of certainty of both what is on the machine and that it's going to work. Upgrading over an existing Windows installation is messy at the best of times, with mess generally being proportional to how many revisions behind the OS you are upgrading to. In the case of 7, that's one major revision and one minor revision. A huge amount changed in Vista between XP, and 7 only widens the gap.
I can only conclude the poster has no idea about how OS upgrades are performed in businesses of any reasonable size. Because only small businesses would even consider an OS upgrade over an existing install if they give a damn about reliability. The time spent ironing out the issues post upgrade will often be less than the time it takes to just reinstall from scratch.
Well, it depends what you mean by secure?
If by secure you mean has a proper security model in place, defence-in-depth (DEP/ASLR/etc...), automatic enablement of operating system updates, firewall, malware protection and reasonable defaults; then yes, I'd say Windows 7 is secure.
If you mean secure against your 13 year old daughter with Admin rights downloading a random program, running it, ignoring the UAC prompts, and installing some malware deep into your system, then no, probably not secure. But, the most secure operating system in the world can't protect against abject stupidity.
If you talk to a Windows user who knows what they are doing, much like a Linux user who knows what they're doing, you'll find they almost certainly have no security problems. I certainly haven't.