Great - until the apps won't run, which in my experience is most of them.
Either you are babbling away or you buy only trash. In my experience, the vast majority of applications today work fine in this environment. Only some crap that was ported over from DOS all the way along Windows 3.11, 95 and then into the NT line, and whose developers never read any guidelines, can be problematic.
You know, the garage-shop software that still stores settings in .ini files, has the "database" in a subdirectory inside C:\Program Files\Appname, etc etc.
When you bought it, let the developer know what you think of them and move your business elsewhere. When that is really not possible you can normally get around it (on Professional, not Home versions) by setting some extra ACLs in the directories. Of course this compromises security.
Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards
Which is how it works. Apparently you never studied the matter but you still like to comment negatively. Please try it instead of assuming "it is from Microsoft so it has to be bad". You may be surprised about what you can do with ACLs in Windows, it is vastly superior to the file access control in a default Unix/Linux installation.
The problem is easily fixed by:
- having users use a least-privileged account that cannot write into C:\WINDOWS and C:\Program Files
- installing a service like TrustNoExe that disallows running programs that are not stored in those directories
Users can download whatever they want, they just cannot run it, install it, etc. They will have to log in as an Administrator first (or at least provide the password).
In a company environment this works very well. At home it probably does less, because the user and the administrator are the same guy, and so there is less "second evaluation" of the software before installation.
was emailed directly to Sophos from the virus developers ... who dutifully included it in their signature database, so it will be looked for in millions of computers even though it is not in the wild.
Meanwhile, our computers get slower and slower. Virus scanners eat up lots of resources and become ever slower. I recently noticed clamav takes 13 seconds to scan an infected .scr file of 16kb before deciding that it is safe (because it did not yet have the signature).
Wouldn't it be time that antivirus companies slim down the signature lists a bit? Of course it is cute to boast a "number of signatures" above 100.000, but who is really getting benefit from the scanning of all those hypothetical viruses?
You must have a very dumb monitoring app when you cannot specify a maximum alert rate!
In related news: two weeks ago, Norman (not to be confused with Norton) released an update to its antivirus package, which got automatically installed by the Internet update service for signatures.
This update caused many PCs and servers to stop dead, especially in company network environments.
Until today, the only thing the Norman company has been able to come up with is a series of patches that are to be manually installed, and a recommendation to turn off the on-access scanner.
A screen that does video processing often has some delay. Feeding the audio through the screen (even when you want to send it to a separate amplifier) has the advantage that the audio can be delayed by the same amount, so it is kept lip-sync.
When you feed audio to an amplifier and video to a digital TV separately, you will often find that the audio is visibly ahead of the video.
This is a pointless discussion. The top-end capacity drives always cost more per byte than a lower capacity. When 500GB was the top end, you could make the same statement for a 250 or 300 GB model.
And it is also true for top-end CPU speeds, largest memory modules, etc. And that is only within the PC hardware business.
When you are looking for best value for money, don't buy high-end stuff. Easy.
What I find most annoying is that there is no "you have 20% tape capacity left after this backup" message at the end of a backup run.
Basically, you are always working blindfolded. Suddenly, the backup tool will ask for a second tape and you never know beforehand when that is going to happen.
There are too many factors involved to predict it, with the compression being the worst.
Fortunately we have a site license so WGA is just happy and activation is not required.
But still, I don't like the way we have to jump through hoops only to prove that we are not pirates.
(IMHO, Microsoft are fully right that they service only paying customers. Windows is a commercial product, and those who do not want to pay for it can choose Linux or another alternative. I don't mind that they try to keep the pirates out. However, the WGA is mainly a disadvantage for paying customers, and no hindrance at all for pirates)
Firewalls shouldn't be caring about which programs want access to the outside world. Firewalls should be caring about which bit of the outside world programs are trying to access
Apparently you don't understand what BITS is actually downloading. It (usually) downloads from plain HTTP servers. So when you would want to block it in an outgoing firewall, you would need to block connections to port 80.
BITS is like wget in a server shell. You submit requests to it and it wgets the files in the background. It only writes to places the requester is allowed to write to. And it has some clever feature to only download when the connection is almost idle, so it won't interfere with normal usage.
Quite useful. Linux should have something like this. Let's call it wgetd.
That has already happened!
When you install Windows XP, and visit Windows Update, it will first download and install the ActiveX stuff (as before), and then it will tell you that "Windows Update has improved blah blah blah" and it offers WGA for installation. There is no way to remove it, cancel around it, or whatever and still be able to install the critical updates.
The only thing you can still do is enable automatic updates and wait for them to be downloaded and offered for install, then you can skip the WGA when you are careful.
BITS will download files for any user, but it will only download files to directories writable for the user making the request.
So, a normal user won't be able to download files into the system32 directory.
Not that it will make any difference, as the average Windows user probably is working as an Administrator all the time.
When you have DSL, of course you can use a VOIP service to have "landline" service without the dialtone.
It will not be as reliable as a normal landline, but for occasional use it should be OK.
When there would be no obligatory phone line for DSL, the cost of a DSL connection would be higher.
The DSL requires a copper pair to your house. You are paying for that via your phone line bill. This is not ridiculous, this is commercial enterprise.
Often it is possible to get DSL without phoneline, but it will cost nearly as much as DSL plus the lowest-monthly-rate phoneline.
She called 000 at 7:30pm AEST to say she was lost and her car was stuck on the road.
Sergeant Oakes says it took police two-and-a-half hours to find her.
You would think that someone who was guided by a sat nav and got stuck would be able to pinpoint their position quite accurately.
When it took two-and-a-half hours to find her, there must be not-so-clever people involved, either in the stuck car or the police.
On systems where it matters, I keep config files etc in RCS.
In each directory where config files live that I want to keep, I create an RCS directory and rcs -i the file(s).
Nightly, a job runs that finds all files for which an RCS entry exists and that are newer than that entry, and a copy is checked in.
No need to think about checking in/out all the time, no problem that the RCS seems to believe that you don't want to keep the actual file around.
It does not save every edit but at least I have a copy of each day's state of the file.
It is too common in IT land to call someone else's good solution to a problem "a fundamentally bad idea".
Apparently all solutions have advantages and disadvantages. When you spend your day looking at systems with full disks and having to decide what programs to kill to resolve that, you might have a point. But for me, that does not happen too often.
They aren't unable to program simple things correctly, they just have a different agenda.
Microsoft know very well that creating products that work correctly will not bring them any more sales now, and will cost them sales in the future. So why bother?
Unlike the Unix mechanism, where the library is replaced and you would need to voluntarily restart your application to make it use the new library, there is no easy way to update a DLL in Windows after it has decided a reboot is required.
Windows update will try to replace each file, and when it succeeds everything is fine. When not, it will put the file on disk under a different name, add a "rename" operation to a list, and continues with the next file. At the end, when the list is not empty, it requests a reboot. At reboot, the list is processed (the new files renamed over the old ones), and the list emptied.
But merely stopping an application and closing the file that was in use will not make it rename that file and remove it from the list. You will need to reboot.
The opened and deleted file still has space allocated and it will not be overwritten by other files. Of course when the disk is full, one cannot add data to the file.
This is not a "trick". A file in Unix exists independent of its name(s). Each file has 1 name when created, but you can delete the name or add more names. When the number of names becomes zero, the file is deleted as soon as all processes that have it open do close it. As long as it is open, it is a fully functional file that occupies space and can be read and written to.
There even is a special function in the C library to create a temporary file:
FILE *tmpfile (void);
This creates a file, opens it for read+write and immediately deletes it. It is available as a temp file until it is fclose'ed.
In Unix this is simple to implement. The corresponding function in other systems is tricky and does not work completely correctly.
When you don't believe it, browse to your TEMP directory in a Windows system, usually C:\Documents and Settings\yourusername\Local Settings\Temp.
You will find many files with .tmp names or names starting with ~ or $, all meant to be temporary files deleted after use.
It can cause problems when abused, but it has some very nice properties.
For example, you can create a temporary file by opening it (with create option), then deleting its name while keeping the file open.
Your file will be available as long as you don't close it, and will vanish automatically when you close the file, your program crashes, the system reboots, or whatever.
No more TEMP directory filling with crap, no need for a program that removes old tmpfiles left when a program crashes, etc.
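As an added example (not part of the original comment), the following C program does exactly what is described above: it creates a temp file, unlinks its name at once, and keeps reading and writing it through the open descriptor, while fstat reports a link count of zero for the file that is still in use. It assumes a writable /tmp directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create an anonymous temp file: make it with a unique name, then drop the
   name immediately. The open descriptor is the only remaining handle, so the
   file is freed the moment the last descriptor is closed (or the process dies). */
int open_anonymous_tmp(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/anon.XXXXXX", dir);   /* constructed name template */
    int fd = mkstemp(path);           /* creates the file and opens it read+write */
    if (fd < 0)
        return -1;
    if (unlink(path) < 0) {           /* remove the name: link count drops to zero */
        close(fd);
        return -1;
    }
    return fd;
}

/* Number of names the open file currently has (0 once it is unlinked). */
long link_count(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    return (long)st.st_nlink;
}

/* Bytes still allocated to the file, even though it has no name any more. */
long allocated_size(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    return (long)st.st_size;
}

/* Overwrite the file with msg, rewind, read it back; returns 1 on a clean round trip. */
int roundtrip(int fd, const char *msg)
{
    char buf[256];
    size_t len = strlen(msg);
    if (len >= sizeof buf) return 0;
    if (ftruncate(fd, 0) < 0) return 0;
    if (lseek(fd, 0, SEEK_SET) < 0) return 0;
    if (write(fd, msg, len) != (ssize_t)len) return 0;
    if (lseek(fd, 0, SEEK_SET) < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n != (ssize_t)len) return 0;
    buf[n] = '\0';
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    int fd = open_anonymous_tmp("/tmp");
    if (fd < 0) { perror("open_anonymous_tmp"); return 1; }
    printf("link count after unlink: %ld\n", link_count(fd));   /* 0 */
    printf("round trip ok: %d\n", roundtrip(fd, "scratch data")); /* 1 */
    printf("bytes allocated: %ld\n", allocated_size(fd));        /* 12 */
    close(fd);   /* last close: inode and blocks are released, nothing is left behind */
    return 0;
}
```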
For that kind of money, we get a 2GB/month "fair use policy" (no specified rate above 2GB) here. But that is HSDPA (UMTS).
It could become a problem for you when the merchant goes out of business because of accumulated losses due to fraud, or stops accepting credit cards to avoid incurring more losses.
It could be a nuisance for you when the merchant decides to increase prices to cover for losses or to add a service charge.
(of course this is already happening, but you are going to pay more and more)
So, it still is your problem, and you want the credit card company to do something about it. E.g. end all service where two-factor authentication is not required.
(you cannot use your credit card by only mentioning its number, you must prove physical possession of the card)
You should understand that it is not always possible to do this because of limitations in the devices.
When you want to use a wireless scanner or handheld terminal (as was the case in this shop) you can yell 'use a VPN' but what if the device does not offer that option?
Similarly, when you want to link two offices using a point-to-point wireless link bridging between switches, where do you implement the VPN? You would need to put routers in between, an extra purchase.
So it is not always that simple.
In a properly administered network, the office users do not have administrator access to their workstation, and the PC cannot connect to random addresses on the Internet on port 25.
So, the systems do not get easily infected and when they do, they cannot spam the outside world.
But of course, there are too many users that think they need admin access (and worse: need it all the time). And the worst of those are the programmers. They think they need admin access and fail to test their products under a lesser-privileged account.