About 43% of our electrical power in the United States comes from coal power plants.
But coal has several problems. First, there are the obvious environmental issues... although I doubt many people will care about those once oil hits $150 a barrel. (Environmental issues have a tendency to take the back burner when people can't afford to heat their homes.)
The second problem is that while coal is certainly more plentiful than natural gas and oil, it too is a limited natural resource. Coal production could peak as early as 2035.
As far as oil sands, it is just too expensive to produce sweet crude from oil sands. By too expensive I mean more than $100 a barrel. Sure, as peak oil makes itself more clear oil sands may indeed become a viable alternative, but only viable insofar as cheap will be redefined. The economy will still collapse and wars will still be fought over the remaining "cheap" oil supplies. Our current way of life is simply not sustainable.
One hope I do have is for oil shale. Shell has come up with some new techniques to extract sweet crude from oil shale at a cost of about $30 a barrel! This would be absolutely fantastic and would give us at least another 30 years to deal with peak oil... not to mention the fact that the United States has the world's largest deposits of oil shale and it would give us a MASSIVE edge in the global conflicts that are likely to arise over the next few decades regarding oil.
The oil and natural gas we use to generate electricity to power devices that require copper will become too expensive to use long before we run out of the copper we use in the construction of these devices.
Hotmail sucks because of the feature set when compared to Gmail or Yahoo mail, not because it runs on Windows.
The new Windows Live Mail beta is fairly good. Doesn't have the feature set of Gmail or Yahoo yet, but it's getting there.
If it wasn't for the near impossibility of migrating 20,000+ e-mails from Hotmail to Gmail, I probably would have jumped ship long ago... but Live Beta is keeping me interested.
You do, I do, my clients do, everyone who listens to us does, but think of all the worms and spyware that have exploited vulnerabilities that had been patchable for months.
Good point. Hopefully things like auto-updates will mitigate this problem a bit. Since WinXP SP2 comes with auto-updates enabled, I have a feeling this will slowly be changing for the better as more and more people update to SP2 or buy new computers with SP2 pre-installed.
While it is certainly interesting (if true) that Microsoft takes longer to release patches with no known exploits roaming around, I would find it far more interesting to see which causes more harm: the longer patch times or the full disclosure.
Just because Microsoft releases a patch quicker when full disclosure is used doesn't mean this results in less harm to users. It might take Microsoft 200 days to release a patch, but if the only people who know about the bug are the researchers who discovered it and Microsoft, then the end result is that little harm was done to the users.
If, however, an easily understandable exploit is posted before Microsoft has fixed the bug, those 45 days might be a lot more dangerous for those users than the 200 days in the previous example.
Of course, it's very difficult to know if the security researchers who discovered the bug are the only ones with knowledge of that bug. Could other people know about it and be actively using it to compromise machines? Maybe. But I would really like to see some data on this.
I suspect that the vast majority of major worms and viruses take advantage of well known exploits published on the Internet by usually well meaning security researchers. Certainly all of the major worms I can think of off the top of my head follow this pattern. (MYTOB, LOVGATE, NETSKY, SASSER, ZAFI, SOBER, BAGEL, etc.)
If so, people really are safer when the exploit is not published before Microsoft releases a patch despite the significant lag time for those fixes.
So I guess which approach you take depends on your goal. If your goal is the glory of a 0-day exploit, then post away. But if your goal is the security of the end user, maybe you should keep it to yourself for the time being.
1) They don't fix bugs they know about so they don't break compatibility with programs that rely on the bugs.
Examples?
2) They don't submit their code for review by the public.
That's the nature of a company that is closed source. As has been pointed out many times before, there is no concrete evidence that having the source be open results in greater security.
3) They don't follow security best practices, like turning off services by default.
They certainly didn't used to, but they do now. Take a look at their most recent server releases, Windows 2003 SP1 and Windows 2003 R2. (Or 2003 gold, for that matter.) The OS comes with basically nothing turned on that isn't needed. In addition, take a look at IIS 7. It will allow for very selective enabling of fairly low level features.
4) They make their OS less secure by obfuscating design to make it difficult for competitors.
Examples?
5) They use proprietary data formats.
And this affects security how? Have an example?
6) They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.
They do both, actually. Windows is fairly obviously the easiest OS to develop applications for. This is a result of a combination of great development tools (Visual Studio comes to mind) and a huge developer community. Visual Basic opened up programming to a huge audience, for better or for worse. The .NET Framework makes it fairly easy to develop enterprise applications... etc.
On the other side, Microsoft certainly has a history of tweaking the OS to make sure that applications ran OK... but this was usually for big time applications that LOTS of people used (Lotus Notes, certain spread sheets, etc) and if Microsoft released an OS that broke those, even if the breaking change was justified, nobody would have upgraded. That said, I don't know of too many recent tweaks. Have any?
Microsoft has made progress, albeit slow. Vista is shaping up to actually be a great release, and Windows 2003 has a pretty damn good track record so far. Is it perfect... nope. But neither are the alternatives.
Statements like "we don't even know how bees fly" are used to justify all sorts of "alternatives" to scientific explanations of the natural world.
These kinds of defenses are often referred to as "god of the gaps" arguments.
Since we don't know how bees fly, God must have done it.
While I'm certainly happy that we now know how bees fly (I'm sure there are lots of reasons this will be useful as well), it is definitely not required to put any "nails in the coffin" of intelligent design.
Let's see... How about forcing you to run even much of microsoft's own software as local admin in order to get it to work?
I've already addressed this... it's not a design issue.
How about running active X code with the same privileges as the current user? Hundreds of exploits have depended on this... clearly bad design.
It's not bad design anymore than running ANY application with the same privs as the current user is. One could certainly argue that allowing for unmanaged code to be run within a web browser was a bad design... I would probably agree with that, but Microsoft has more or less fixed this issue with XP SP2's method of authorizing ActiveX content.
Instead of closing these ongoing and massive security holes, they have now released anti-spyware as a solution.
I've already given examples of how they've addressed or are addressing these issues. In ADDITION to that, they've provided Windows users with a free tool to add even more protection. They know that Windows will never be perfect, so they're attacking the problem from every way possible.
Of course, I could just point out the huge insane flaws in previous versions of windows, such as the screen saver running as local administrator, and so changing the screen saver to cmd.exe would give one administrator access in NT, or a malformed packet to a certain port bluescreening 98, but you would just reply that "they are better now!".
No, I would reply with the fact that those aren't DESIGN flaws... they're implementation flaws. Take a trip to SecurityFocus and do a search for your favorite Linux distro and tell me you see zero implementation flaws.
I rarely surf the web for more than 5 or 6 hours before explorer.exe mysteriously dies and has to restart itself...
Ah yes, so Windows has design flaws because YOUR machine has issues? Well my machine has never crashed, explorer has never crapped out, I run apps for months on end without issue, etc. Therefore, using your "logic", Windows must be perfect!
And since you are accusing me of changing the subject, how does 4 hundred bajillion automated tests have anything to do with Q/A in the sense of vulnerabilities? See: http://www.asp101.com/articles/john/kb887289/default.asp
What you failed to mention here is that this is the ONLY KNOWN HOLE IN ASP.NET EVER. Both IIS 6.0 and ASP.NET have an INCREDIBLE track record as far as security is concerned. Since ASP.NET was released, how many holes has PHP had? JSP? You get the point... or perhaps you don't.
No. The sole and exclusive cause is that IDE (compiler and friends) has to be run as Administrator
This is absolutely false. I develop a wide range of applications using both VS.NET and VC++ and I don't have to run any of them as administrator with one exception: there is no way to debug an ASP.NET 1.0/1.1 application without admin privs. This is primarily due to the way the debugger attached to the IIS worker process in 1.1. This has been fixed in VS.NET 2005 / ASP.NET 2.0.
This is the cause for a simple reason: Imagine you're a programmer making an app that runs properly as a less-privileged user. You do a little developing. You log out. You log back in as a less-privileged user. You test the app, using printf as the main debugging tool. You log out. You log back in. You restart the IDE and get everything back like it was. You do a little developing. And so forth. It's a waking nightmare of the type formerly encountered only in H.P. Lovecraft stories.
Except only a fool would debug an application this way. One can attach the debugger running as a high privs user to an application running as a low privs user, or even running in another logged in session.
The primary cause of Windows applications not running properly under low rights scenarios is poor guidelines and a lack of best practices documents from Microsoft early in the Windows lifecycle. This, combined with the fact that Windows shipped with the default accounts being admins, created an environment of lazy programming which is now very difficult to fix.
Microsoft did it to themselves, I'm not denying that.
At any rate, I love how my previous post is now flamebait. Oh well... that's Slashdot for ya.
A bunch of automated tests for one piece of software will prevent bugs which affect *functionality*. They cannot find bugs|vulnerabilities which are the result of poor design.
First there was no Q/A, now there is no design? How about an example of bad design in Windows?
And as for MS making good software, Windows does not even come with a plain text editor which can handle UNIX line termination
Nice job changing the subject instead of answering my points.
There is absolutely no reason to believe that market share is the cause of low security.
It's certainly not the cause of "low security", but it definitely makes Windows a target. This argument has been rehashed here and everywhere else a thousand times. The popularity of Windows makes it a target for more hackers. This says nothing about Microsoft's code quality, nor does it say anything about the quality of other OS's code bases. I'm just saying that it makes sense that the most used operating system would also be the most attacked. More attacks yield more results.
Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duck tape to keep it going
Why isn't this drivel modded as flamebait? Microsoft's coders aren't really any shittier than anybody else's coders, or at least I've seen no evidence of this. No Q/A? You have to be kidding me. If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day.
Want an example? The ASP.NET team had 505,000 test scenarios for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.
along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes
Indeed, 3rd party software, and even Microsoft's own software (try developing an ASP.NET application with VS.NET 2k3 without admin privs), often fails to run correctly as non-admin. Microsoft has made a lot of changes to improve this, but 3rd party support is still lagging. Why? Because Windows is used by basically everybody, and if a patch or new version of Windows suddenly broke 75% of the applications out there nobody would upgrade.
This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin. Microsoft's solutions in Vista are a huge step in the right direction.
Windows doesn't have *bad* security, Windows has no security.
Baloney. The Windows security model is a solid one. Aside from the applications that don't like installing or running as non-admin (mostly ASP.NET development, really), I run Windows as non-admin 100% of the time. The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux. (At least out of the box.) Regardless, Windows gets a bad rap for security not because of design of Windows is bad, but because there have been lots of high profile, highly damaging exploits for Windows over the years. With a few glaring exceptions, such as the WMF exploit, Microsoft has always had patches available for weeks if not months before the bastards out there released their worms or viruses.
Transparency between versions? How does that cause poor security?
As I explained earlier, Microsoft can't just break everybody's applications, even if they're insecure. That's not the way it works when you have 90% of the computer using world running your software.
Yeah, that's great. And you "only" need to pay $3900, $6000 or $25000 *per CPU* to upgrade if your site ever outgrows it.
Which is why you use it for personal sites, not for "real" applications, just as I said. The people who would use SQL Express are the same people who used Access databases for their sites... but this is far better than Access in almost every way.
By the time you find Express won't cut it anymore, it'd probably take quite a while to migrate from it.
Well, perhaps from a financial point of view, but that was poor planning on your part. From a technical point of view, SQL Server Express is a subset of SQL Server, and any application that runs on Express will run on SQL Server after running it through the upgrade wizard, which takes all of 5 seconds and 2 clicks of the mouse button.
An example for Express: no backup, no replication. How are you going to backup your site's DB, take the server down, detach the database and make a copy?
SQL Server Express is not really meant for any serious production environments. I suppose one could use it for a personal web site here and there, but it is a tool primarily meant for developers.
Instead of having to have access to a full fledged SQL Server, you use SQL Server Express to develop your application and then deploy it to a full SQL Server when that server becomes available.
Since SQL Server Express supports the vast majority of the features that a developer might need, it is very useful during the initial development of an application.
In my experience, SQL Server Express is great for basic projects (like a personal web site or blog) and for the initial phases of development of a "real" project. Once you start getting into the realm of serious applications, where one might need finer grained control of isolation and locking, or when you are at the point where you need to do performance testing of your application, you really do need to move up to the full SQL Server box.
At any rate, I'm not really sure this comparison is all that fair. MySQL makes an attempt to be a database server for "real" applications, whereas SQL Server Express is more of a development tool / MS Access replacement that is targeted at personal projects.
As usual, Dvorak's knowledge of the topic at hand is shallow and his conclusions are simplistic and short sighted.
Microsoft is not interested in gaining browser market share outside of the Windows platform. Sure, they might be able to steer more people toward MSN and thereby make more in advertising revenue, but how much more? If 90% of the market already uses Windows, and gaining that extra 10% is fairly difficult for a wide variety of reasons, it may not be worth it to them.
Even if it was, it has nothing to do with why Microsoft dropped support for the Mac. The direction Microsoft is taking IE is different than the direction everybody else is taking web browsers. Microsoft sees IE as an application that will allow users to access both web pages and smart client applications.
They see the future as a mesh of standard web apps and smart client applications created with things like ClickOnce (at first), and eventually IE-hosted Avalon applications. (WPF.) Their hope is that eventually the line between web apps and client apps will blur, and since it will be (they hope) via IE and Avalon, it will draw even more people to using Windows since the UI/functionality experience is so much better than standard web applications. At least that's the business point of view.
It is highly likely that in the near future the price of oil will make shipping goods long distances to consumers economically prohibitive.
Unfortunately, this doesn't just affect internet commerce. Chains such as Walmart, which have massive volume and very low prices, will no longer be able to keep their prices low enough to compete with smaller chains that get their goods from more local sources.
In other words, buying the loaf of bread at Walmart will cost more than at your local mom/pop store because Walmart ships that loaf of bread 2000 miles to its store whereas the mom/pop store gets it from a more local source.
As the price of oil skyrockets over the next 10 or 20 years there will be a dramatic shift away from the global economy to a more local one. This includes, but is definitely not limited to, internet commerce.
The FCC only has the "power to stop people from saying shit on ABC" for one reason - because people give it to them.
But the people do not have the power to subvert the Constitution. That's why it's there... to help prevent tyranny of the majority.
All of the exclusively cable channels could run any show they want, but the vast majority of them keep the shows very 'family safe', apparently to appeal to their markets.
This may be true, and I have no problem with that. There are plenty of explicit programs on cable as well, although most require a nominal fee. :)
But my question still stands. Why have attempts to challenge the FCC in the courts not succeeded? What rationale do these courts, whose job it is to defend the Constitution against an impulsive and tyrannical majority, use to justify something that apparently flies in the face of the document they're supposed to uphold?
Ok, so the FCC was given the right to regulate the air waves under the premise that due to the relative lack of choice (back when there were 4 TV channels), and due to the fact that the EM spectrum is a public resource that is leased by private companies.
But now that there are a lot more than 4 channels, how does this continue to fly? Is it simply because the EM spectrum is leased that the FCC somehow has the power to stop people from saying shit on ABC?
What happens if these broadcasting companies start moving over to WiMAX/UWB-style technologies, where a huge part of the spectrum is used and certain frequencies are no longer required to be reserved (or leased) from the government? Will this then finally kill the last argument the government has to continue to limit free speech on TV and radio?
And how can there be proposals to regulate the internet and cable when none of the "justifications" for censorship exist in these mediums?
Seems to me that there is a damn good case to be made that the FCC's power to censor, at least in the case of cable/internet/non-leased-EM-Spectrum mediums, is a direct and unjustifiable violation of the 1st Amendment.
For one thing, I'm worried about the "most" in that statement.
By most I meant that it would be just like it is today. Not all drugs that go through FDA approval require prescriptions.
It's a bit like being at the siege of Helm's Deep and saying "hell, we're already under attack - let's open the gates and let all them orcs in. I mean there are a couple over the walls already..."
I'm trying to address a different problem. Sometimes when addressing one problem you end up making another one worse. It's just a matter of determining which is the lesser of two evils.
See, I can't envision a relaxation of the regulations improving that situation. But I can easily imagine how it might make matters worse.
It would make it worse in the sense that drugs that are even less effective than the ones today are available when they might not normally be. But again, that's a different problem and that's a problem that's already happening. "Herbal" remedies often have absolutely no benefit, and enjoy, for the most part, exemption from the FDA rules.
First, for most of these drugs a doctor's prescription would still be required as a buffer to these kinds of tactics.
Second, this happens already. A lot of the drugs you see featured in ads everyday are either marginally effective or have serious side effects that are glossed over during the ad. "Consult your doctor before use. This drug may cause rectal bleeding, nipple infections, or rotting of the skin. Get yours today!"
My cousin is a psychopharmacologist and gets lots of industry journals. Bored one day I flipped through one and found a study of a "promising" new drug to treat depression. This promising drug had a success rate that was less than 1% significant. In other words, it improved a person's condition a hair less than 1% better than placebo. This drug is still pending FDA approval, but I have little doubt that its ineffectiveness will have any effect on that approval process.
You're advocating letting the stupid/desperate/uneducated/terrified/gullible become prey for the first unscrupulous doctor or drug company whose path they cross.
We pay a price for all kinds of freedom. We must listen to hate speech to preserve free speech. We presume everybody is innocent until they are proven guilty and put the burden of proof on the accuser, despite the fact that this may lead to guilty people going free... etc.
What I'm saying is that it's better to give sick people as many options as possible than to restrict this freedom under the flag of protecting the stupid/desperate/uneducated/terrified/gullible.
Can we not make the same argument for curtailing free speech as you are for keeping the FDA as it is?
And when some experimental cold medicine interferes with some experimental pain reliever and fries your brain and turns you into a vegetable, who will pay for your healthcare costs?
Again, the FDA would NOT go away... it would simply not have the power to stop a drug from being released. As I said before, the FDA would do the same exact research and testing it does today, but the maker of the drug would always have the option of releasing that drug once the testing was complete and the results were published.
Doctors make these kinds of decisions every single day. Some FDA approved antibiotics, such as Levaquin, Cipro and related drugs, have HORRIBLE potential side effects for some people. Some of these side effects are permanent, such as tendon and nerve damage. Despite this, doctors have the OPTION of using it when they feel the case warrants their use.
If a person goes to their doctor with a cold and wants a drug to help them, do you think the doctor isn't going to be aware of the potentially bad interactions? There are plenty of drugs that are approved RIGHT NOW that can kill you if you're taking it with certain other drugs, and doctors are aware of this.
The thalidomide tragedy happened DESPITE the FDA. The FDA approved it in 1960.
It's funny you would pick thalidomide as the example to use to counter my argument. Thalidomide is now being used to treat a wide variety of problems, including leprosy, myeloma, and dexamethasone. It wasn't until 1998 that the FDA finally approved the drug for treatment of these diseases.
But somebody with a life threatening myeloma had essentially no treatment options until 1998, despite the fact that thalidomide was widely known to be at least a partially effective treatment, thanks to the FDA.
While there were initial problems migrating to Windows, 100% of Hotmail now runs on Windows.
Also, Exchange was never involved in the migration. Hotmail is a combination of C++ ISAPI filters, COM+ (ATL) Enterprise Components, and SQL Server.
You do, I do, my clients do, everyone who listens to us does, but think of all the worms and spyware that have exploited vulnerabilities that had been patchable for months.
Good point. Hopefully things like auto-updates will mitigate this problem a bit. Since WinXP SP2 comes with auto-updates enabled, I have a feeling this will slowly be changing for the better as more and more people update to SP2 or buy new computers with SP2 pre-installed.
While it is certainly interesting (if true) that Microsoft takes longer to release patches with no known exploits roaming around, I would find it far more interesting to see which causes more harm: the longer patch times or the full disclosure.
Just because Microsoft releases a patch quicker when full disclosure is used doesn't mean this results in less harm to users. It might take Microsoft 200 days to release a patch, but if the only people who know about the bug are the researchers who discovered it and Microsoft, then the end result is that little harm was done to the users.
If, however, an easily understandable exploit is posted before Microsoft has fixed the bug, those 45 days might be a lot more dangerous for those users than the 200 days in the previous example.
Of course, it's very difficult to know if the security researchers who discovered the bug are the only ones with knowledge of that bug. Could other people know about it and be actively using it to compromise machines? Maybe. But I would really like to see some data on this.
I suspect that the vast majority of major worms and viruses take advantage of well known exploits published on the Internet by usually well meaning security researchers. Certainly all of the major worms I can think of off the top of my head follow this pattern. (MYTOB, LOVGATE, NETSKY, SASSER, ZAFI, SOBER, BAGEL, etc.)
If so, people really are safer when the exploit is not published before Microsoft releases a patch despite the significant lag time for those fixes.
So I guess which approach you take depends on your goal. If your goal is the glory of a 0-day exploit, then post away. But if your goal is the security of the end user, maybe you should keep it to yourself for the time being.
1) They don't fix bugs they know about so they don't break compatability with programs that rely on the bugs.
.NET Framework makes it fairly easy to develop enterprise applications... etc.
Examples?
2) They don't submit their code for review by the public.
That's the nature of a company that is closed source. As has been pointed out many times before, there is no concrete evidence that having the source be open results in greater security.
3) They don't follow security best practices, like turning off services by default.
They certainly didn't used to, but they do now. Take a look at their most recent server releases, Windows 2003 SP1 and Windows 2003 R2. (Or 2003 gold, for that matter.) The OS comes with basically nothing turned on that isn't needed. In addition, take a look at IIS 7. It will allow for very selective enabling of fairly low level features.
4) They make their OS less secure by obfuscating design to make it difficult for competitors.
Examples?
5) They use propriety data formats.
And this affects security how? Have an example?
6) They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.
They do both, actually. Windows is fairly obviously the easiest OS to develop applications for. This is a result of a combination of great development tools (Visual Studio comes to mind) and a huge developer community. Visual Basic opened up programming to a huge audience, for better or for worse. The
On the other side, Microsoft certainly has a history of tweaking the OS to make sure that applications ran OK... but this was usually for big time applications that LOTS of people used (Lotus Notes, certain spread sheets, etc) and if Microsoft released an OS that broke those, even if the breaking change was justified, nobody would have upgraded. That said, I don't know of too many recent tweaks. Have any?
Microsoft has made progress, albeit slow. Vista is shaping up to actually a great release, and Windows 2003 has a pretty damn good track record so far. Is it perfect.. nope. But neither are the alternatives.
Statements like "we don't even know how bees fly" are used to justify all sorts of "alternatives" to scientific explanations of the natural world.
These kinds of defenses are often referred to as "god of the gaps" arguments.
Since we don't know how bees fly, God must have done it.
While I'm certainly happy that we now know how bees fly (I'm sure there are lots of reasons this will be useful as well), it is definitely not required to put any "nails in the coffin" of intelligent design.
Intelligent Design was stillborn.
Let's see... How about forcing you to run even much of microsoft's own software as local admin in order to get it to work?
I've already addressed this... it's not a design issue.
How about running active X code with the same privileges as the current user? Hundreds of exploits have depended on this... clearly bad design.
It's not bad design any more than running ANY application with the same privs as the current user is. One could certainly argue that allowing for unmanaged code to be run within a web browser was a bad design... I would probably agree with that, but Microsoft has more or less fixed this issue with XP SP2's method of authorizing ActiveX content.
Instead of closing these ongoing and massive security holes, they have now released anti-spyware as a solution.
I've already given examples of how they've addressed or are addressing these issues. In ADDITION to that, they've provided Windows users with a free tool to add even more protection. They know that Windows will never be perfect, so they're attacking the problem from every way possible.
Of course, I could just point out the huge insane flaws in previous versions of windows, such as the screen saver running as local administrator, and so changing the screen saver to cmd.exe would give one administrator access in NT, or a malformed packet to a certain port bluescreening 98, but you would just reply that "they are better now!".
No, I would reply with the fact that those aren't DESIGN flaws... they're implementation flaws. Take a trip to SecurityFocus and do a search for your favorite Linux distro and tell me you see zero implementation flaws.
I rarely surf the web for more than 5 or 6 hours before explorer.exe mysteriously dies and has to restart itself...
Ah yes, so Windows has design flaws because YOUR machine has issues? Well my machine has never crashed, explorer has never crapped out, I run apps for months on end without issue, etc. Therefore, using your "logic", Windows must be perfect!
And since you are accusing me of changing the subject, how does 4 hundred bajillion automated tests have anything to do with Q/A in the sense of vulnerabilities? See: http://www.asp101.com/articles/john/kb887289/defa
What you failed to mention here is that that is the ONLY KNOWN HOLE IN ASP.NET EVER. Both IIS 6.0 and ASP.NET have an INCREDIBLE track record as far as security is concerned. Since ASP.NET was released, how many holes has PHP had? JSP? You get the point... or perhaps you don't.
That's exactly what they're doing in IE 7.
No. The sole and exclusive cause is that IDE (compiler and friends) has to be run as Administrator
This is absolutely false. I develop a wide range of applications using both VS.NET and VC++ and I don't have to run any of them as administrator with one exception: there is no way to debug an ASP.NET 1.0/1.1 application without admin privs. This is primarily due to the way the debugger attached to the IIS worker process in 1.1. This has been fixed in VS.NET 2005 / ASP.NET 2.0.
This is the cause for a simple reason: Imagine you're a programmer making an app that runs properly as a less-privileged user. You do a little developing. You log out. You log back in as a less-privileged user. You test the app, using printf as the main debugging tool. You log out. You log back in. You restart the IDE and get everything back like it was. You do a little developing. And so forth. It's a waking nightmare of the type formerly encountered only in H.P. Lovecraft stories.
Except only a fool would debug an application this way. One can attach the debugger running as a high privs user to an application running as a low privs user, or even running in another logged in session.
The primary cause of Windows applications not running properly under low rights scenarios is poor guidelines and a lack of best practices documents from Microsoft early in the Windows lifecycle. This, combined with the fact that Windows shipped with the default accounts being admins, created an environment of lazy programming which is now very difficult to fix.
Microsoft did it to themselves, I'm not denying that.
At any rate, I love how my previous post is now flamebait. Oh well... that's Slashdot for ya.
A bunch of automated tests for one piece of software will prevent bugs which affect *functionality*. They cannot find bugs|vulnerabilities which are the result of poor design.
First there was no Q/A, now there is no design? How about an example of bad design in Windows?
And as for MS making good software, Windows does not even come with a plain text editor which can handle UNIX line termination
Nice job changing the subject instead of answering my points.
Enough said indeed. Shall I find a Linux distro with a stupid default option of some kind and use that to "counter" your "argument"?
Notice I put those two words in quotes because I'm mocking your "counter" while also pointing out how flimsy an argument it really is.
There is absolutely no reason to believe that market share is the cause of low security.
It's certainly not the cause of "low security", but it definitely makes Windows a target. This argument has been rehashed here and everywhere else a thousand times. The popularity of Windows makes it a target for more hackers. This says nothing about Microsoft's code quality, nor does it say anything about the quality of other OS's code bases. I'm just saying that it makes sense that the most used operating system would also be the most attacked. More attacks yield more results.
Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duck tape to keep it going
Why isn't this drivel modded as flamebait? Microsoft's coders aren't really any shittier than anybody else's coders, or at least I've seen no evidence of this. No Q/A? You have to be kidding me. If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day.
Want an example? The ASP.NET team had 505,000 test scenarios for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.
along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes
Indeed, 3rd party software, and even Microsoft's own software (try developing an ASP.NET application with VS.NET 2k3 without admin privs), often fails to run correctly as non-admin. Microsoft has made a lot of changes to improve this, but 3rd party support is still lagging. Why? Because Windows is used by basically everybody, and if a patch or new version of Windows suddenly broke 75% of the applications out there nobody would upgrade.
This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin. Microsoft's solutions in Vista are a huge step in the right direction.
Windows doesn't have *bad* security, Windows has no security.
Baloney. The Windows security model is a solid one. Aside from the applications that don't like installing or running as non-admin (mostly ASP.NET development, really), I run Windows as non-admin 100% of the time. The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux. (At least out of the box.) Regardless, Windows gets a bad rap for security not because the design of Windows is bad, but because there have been lots of high profile, highly damaging exploits for Windows over the years. With a few glaring exceptions, such as the WMF exploit, Microsoft has always had patches available for weeks if not months before the bastards out there released their worms or viruses.
Transparency between versions? How does that cause poor security?
As I explained earlier, Microsoft can't just break everybody's applications, even if they're insecure. That's not the way it works when you have 90% of the computer using world running your software.
Yeah, that's great. And you "only" need to pay $3900, $6000 or $25000 *per CPU* to upgrade if your site ever outgrows it.
.MDF file to a safe place.
Which is why you use it for personal sites, not for "real" applications, just as I said. The people who would use SQL Express are the same people who used Access databases for their sites... but this is far better than Access in almost every way.
By the time you find Express won't cut it anymore, it'd probably take quite a while to migrate from it.
Well, perhaps from a financial point of view, but that was poor planning on your part. From a technical point of view, SQL Server Express is a subset of SQL Server, and any application that runs on Express will run on SQL Server after running it through the upgrade wizard, which takes all of 5 seconds and 2 clicks of the mouse button.
An example for Express: no backup, no replication. How are you going to back up your site's DB, take the server down, detach the database and make a copy?
No, you copy/paste the
SQL Server Express is not really meant for any serious production environments. I suppose one could use it for a personal web site here and there, but it is a tool primarily meant for developers.
Instead of having to have access to a full fledged SQL Server, you use SQL Server Express to develop your application and then deploy it to a full SQL Server when that server becomes available.
Since SQL Server Express supports the vast majority of the features that a developer might need, it is very useful during the initial development of an application.
In my experience, SQL Server Express is great for basic projects (like a personal web site or blog) and for the initial phases of development of a "real" project. Once you start getting into the realm of serious applications, where one might need finer grained control of isolation and locking, or when you are at the point where you need to do performance testing of your application, you really do need to move up to the full SQL Server box.
At any rate, I'm not really sure this comparison is all that fair. MySQL makes an attempt to be a database server for "real" applications, whereas SQL Server Express is more of a development tool / MS Access replacement that is targeted at personal projects.
As usual, Dvorak's knowledge of the topic at hand is shallow and his conclusions are simplistic and short sighted.
Microsoft is not interested in gaining browser market share outside of the Windows platform. Sure, they might be able to steer more people toward MSN and thereby make more in advertising revenue, but how much more? If 90% of the market already uses Windows, and gaining that extra 10% is fairly difficult for a wide variety of reasons, it may not be worth it to them.
Even if it was, it has nothing to do with why Microsoft dropped support for the Mac. The direction Microsoft is taking IE is different than the direction everybody else is taking web browsers. Microsoft sees IE as an application that will allow users to access both web pages and smart client applications.
They see the future as a mesh of standard web apps and smart client applications created with things like ClickOnce (at first), and eventually IE-hosted Avalon applications. (WPF.) Their hope is that eventually the line between web apps and client apps will blur, and since it will be (they hope) via IE and Avalon, it will draw even more people to using Windows since the UI/functionality experience is so much better than standard web applications. At least that's the business point of view.
It is highly likely that in the near future the price of oil will make shipping goods long distances to consumers economically prohibitive.
Unfortunately, this doesn't just affect internet commerce. Chains such as Walmart, which have massive volume and very low prices, will no longer be able to keep their prices low enough to compete with smaller chains that get their goods from more local sources.
In other words, buying the loaf of bread at Walmart will cost more than at your local mom/pop store because Walmart ships that loaf of bread 2000 miles to its store whereas the mom/pop store gets it from a more local source.
As the price of oil skyrockets over the next 10 or 20 years there will be a dramatic shift away from the global economy to a more local one. This includes, but is definitely not limited to, internet commerce.
The FCC only has the "power to stop people from saying shit on ABC" for one reason - because people give it to them.
:)
But the people do not have the power to subvert the Constitution. That's why it's there... to help prevent tyranny of the majority.
All of the exclusively cable channels could run any show they want, but the vast majority of them keep the shows very 'family safe', apparently to appeal to their markets.
This may be true, and I have no problem with that. There are plenty of explicit programs on cable as well, although most require a nominal fee.
But my question still stands. Why have attempts to challenge the FCC in the courts not succeeded? What rationale do these courts, whose job it is to defend the Constitution against an impulsive and tyrannical majority, use to justify something that apparently flies in the face of the document they're supposed to uphold?
Ok, so the FCC was given the right to regulate the air waves under the premise that due to the relative lack of choice (back when there were 4 TV channels), and due to the fact that the EM spectrum is a public resource that is leased by private companies.
But now that there are a lot more than 4 channels, how does this continue to fly? Is it simply because the EM spectrum is leased that the FCC somehow has the power to stop people from saying shit on ABC?
What happens if these broadcasting companies start moving over to WiMAX/UWB-style technologies, where a huge part of the spectrum is used and certain frequencies are no longer required to be reserved (or leased) from the government? Will this then finally kill the last argument the government has to continue to limit free speech on TV and radio?
And how can there be proposals to regulate the internet and cable when none of the "justifications" for censorship exist in these mediums?
Seems to me that there is a damn good case to be made that the FCC's power to censor, at least in the case of cable/internet/non-leased-EM-Spectrum mediums, is a direct and unjustifiable violation of the 1st Amendment.
For one thing, I'm worried about the "most" in that statement.
By most I meant that it would be just like it is today. Not all drugs that go through FDA approval require prescriptions.
It's a bit like being at the siege of Helm's Deep and saying "hell, we're already under attack - let's open the gates and let all them orcs in. I mean there are a couple over the walls already..."
I'm trying to address a different problem. Sometimes when addressing one problem you end up making another one worse. It's just a matter of determining which is the lesser of two evils.
See, I can't envision a relaxation of the regulations improving that situation. But I can easily imagine how it might make matters worse.
It would make it worse in the sense that drugs that are even less effective than the ones today are available when they might not normally be. But again, that's a different problem and that's a problem that's already happening. "Herbal" remedies often have absolutely no benefit, and enjoy, for the most part, exemption from the FDA rules.
First, for most of these drugs a doctor's prescription would still be required as a buffer to these kinds of tactics.
Second, this happens already. A lot of the drugs you see featured in ads everyday are either marginally effective or have serious side effects that are glossed over during the ad. "Consult your doctor before use. This drug may cause rectal bleeding, nipple infections, or rotting of the skin. Get yours today!"
My cousin is a psychopharmacologist and gets lots of industry journals. Bored one day I flipped through one and found a study of a "promising" new drug to treat depression. This promising drug had a success rate that was less than 1% significant. In other words, it improved a person's condition a hair less than 1% better than placebo. This drug is still pending FDA approval, but I have little doubt that its ineffectiveness will have any effect on that approval process.
You're advocating letting the stupid/desperate/uneducated/terrified/gullible become prey for the first unscrupulous doctor or drug company whose path they cross.
We pay a price for all kinds of freedom. We must listen to hate speech to preserve free speech. We presume everybody is innocent until they are proven guilty and put the burden of proof on the accuser, despite the fact that this may lead to guilty people going free... etc.
What I'm saying is that it's better to give sick people as many options as possible than to restrict this freedom under the flag of protecting the stupid/desperate/uneducated/terrified/gullible.
Can we not make the same argument for curtailing free speech as you are for keeping the FDA as it is?
And when some experimental cold medicine interferes with some experimental pain reliever and fries your brain and turns you into a vegetable, who will pay for your healthcare costs?
Again, the FDA would NOT go away... it would simply not have the power to stop a drug from being released. As I said before, the FDA would do the same exact research and testing it does today, but the maker of the drug would always have the option of releasing that drug once the testing was complete and the results were published.
Doctors make these kinds of decisions every single day. Some FDA approved antibiotics, such as Levaquin, Cipro and related drugs, have HORRIBLE potential side effects for some people. Some of these side effects are permanent, such as tendon and nerve damage. Despite this, doctors have the OPTION of using it when they feel the case warrants their use.
If a person goes to their doctor with a cold and wants a drug to help them, do you think the doctor isn't going to be aware of the potentially bad interactions? There are plenty of drugs that are approved RIGHT NOW that can kill you if you're taking it with certain other drugs, and doctors are aware of this.
The same would be the case in my scenario.
One word: thalidomide.
The thalidomide tragedy happened DESPITE the FDA. The FDA approved it in 1960.
It's funny you would pick thalidomide as the example to use to counter my argument. Thalidomide is now being used to treat a wide variety of problems, including leprosy, myeloma, and dexamethasone. It wasn't until 1998 that the FDA finally approved the drug for treatment of these diseases.
But somebody with a life threatening myeloma had essentially no treatment options until 1998, despite the fact that thalidomide was widely known to be at least a partially effective treatment, thanks to the FDA.