Well, first, I pay for hotmail... so I have 2GB of space. So that's really not an issue.
Second, I don't get spam. I think they actually use different spam filters for paided users vs non-paid users. That's really the only explanation. I have a couple free hotmail accounts that just get crushed by spam. But my hotmail account gets, at most, 2 spams a day. And it's actually been better recently. I don't think I've had spam in the past couple of days.
Third, I like Hotmail's (beta) interface better. I love the 3 side-by-side pane approach.
I've been using their Windows Live Mail Beta for several months, and while it's still not as good as Yahoo's mail beta, it's MUCH better than regular hotmail... which sucks.
That said, I find myself using Windows Live Mail Desktop more and more. The early betas were pretty bad, but now it's a fairly good, simple e-mail client. Good stuff for those who don't need Outlook.
I'm actually pretty surprised that the Yahoo mail beta doesn't get more press. It is, by FAR, the best web-based e-mail I've ever seen. Check out this review for screenshots.
I challenge you to find a SINGLE Windows "Logo" certified application that does not run on Vista. Just one. (Not counting things like anti-virus, which use file system filters that were dramatically overhauled in Vista.)
The fact of the matter is that the vast majority of backwards compatibility issues with Vista are due to the fact those applications are poorly written.
Microsoft publishes some fairly simple rules that developers should follow to make sure their software is compatible with future (and current) versions of Windows. Rules like "Don't store your freaking user settings in Program Files". Not exactly hard to follow.
Yet most apps that don't follow these rules STILL work on Vista. Microsoft actually wrote code that detects when crappy applications do stupid stuff that violates their Logo rules, and will automatically redirect their output to temp folders under the user's profile.
But there is only so much they can do.
Apple has had more than a year to get their software ready for Vista. In my opinion, the only explanation for them not doing so is because they want to try and influence users to not upgrade to Vista.
I still find it incredible that software that is over 20 years old still runs on Vista.
The creators of Skype got their money from the very popular P2P application, Kazaa.
Kazaa was well known for being a conduit for spyware on to user's machines. Virtually all of the money these guys made from Kazaa was by charging huge per-install fees to makers of spyware and adware. They full well knew what this software did, and they were perfectly happy to take the money.
But paying on a per-install basis means you need to be able to reliably identify a person's machine. This isn't as easy as it sounds. There is really no single piece of information that can uniquely identify a machine.
But doing a dump of the BIOS and gathering a few dozen pieces of information would allow you to fairly accurately identify unique installs.
Now, I'm not saying that Skype is spyware. And I'm not saying that these guys intend for it to become spyware at any point in the future. But I bet that they originally intended Skype to be the next big vehicle for spyware delivery.
Now that Skype is so popular and seems like a legit way to make money, they no longer intend to use it for evil. But old habits die hard, and so does old code.
Actually, the details on implementing anti-virus for Vista, and other low level filters, have been available for well over a year. Some documentation has been avilable for more than 2 years.
That's how companies like Kaspersky and AVG came out with fully Vista compliant versions of their software months ago. Software which works extremely well, by the way. (Kaspersky passed this test. It says so right in the article.)
This has nothing to do with Vista, and everything to do with crappy anti-virus products. Neither OneCare or McAfee for XP have ever tested well, so why would anybody think that they would test well on Vista?
If you read the entire article, you'll notice a little blurb at the end that several vendors passed the test, one of which was Kaspersky. Another excellent vendor for Vista is AVG.
Kaspersky consistantly beats all the other major anti-virus vendors, but I guess the story wouldn't be quite as Slashdot-worthy if it ready "Kaspersky Anti-Virus on Vista Works Great!".
But those same companies are at the mercy of consumers, just like anybody else. If there is enough bad press due to the poor security of the product, the company will be forced to fix things. This is especially true for companies that sell software to large corporations.
Microsoft really is a case in point. They did a lot of what you described, got nailed for it by the press, by consumers, and by corporations, and they really did change their ways. Their Secure Development Lifecycle has turned out some pretty high quality releases. For instance, IIS 6 has far fewer vulnerabilities than Apache. One certainly couldn't say that for IIS 5.
One supposed advantage of open source software is that, well, it's open. Everybody can take a look and see if the code has holes. The idea being that the more eyes that look at something, the greater a chance of somebody seeing bugs.
But the quantity of eyes isn't always the issue. I could put the Linux kernel source code in front of 1 million six year olds, and there is very little chance any of them would find a single bug.
Obviously, we're not talking about six year old eyes here, but continue the scenario. There are some types of bugs that even very experienced coders wouldn't necessarily spot. Not every kind of security hole is a simple buffer overflow. Some kinds of issues will really only be spotted by a highly trained and specialized set of eyes.
Now, those highly trained eyes may be looking at the open source code, or they may not. All I'm saying is that the quote "Given enough eyeballs, all bugs are shallow" is not particularly accurate.
Bank of America's SiteKey feature is, for the most part, an improvement over previous security measures. It is designed to mitigate basic phishing techniques, not to protect against man-in-the-middle attacks or other more sophisticated hacks.
Other banks use different measures, each of which is typically aimed at a different security problem. HSBC uses a "virtual keyboard" to mitigate keyboard loggers, for instance.
But the basic flaw in all of these security measures is that they rely on knowledge to authenticate a user. The problem is, knowledge is transferable. Whether it was a keyboard logger or a phishing attack, whatever the company is using to try and make sure you are who you say you are can be used by somebody else.
The only way around this is using a combination of both knowledge *and* something non-transferable. This can be biometric (retinal, finger print, face, whatever), or something a lot more simple (and cheap), such as a smart card. (Yes, I know a smart card can be stolen, but it's going to be a *lot* harder to steal a smart card AND the login information.)
Using a combination of transferable and non-transferable authentication requirements means that even if somebody phishes my login/password/sitekey/whatever, if they don't have the little card on my key chain, they're not getting into my bank account.
It's just a matter of time before this becomes widespread and even required. Microsoft already requires this for all employees accessing their company network, and support for this kind of two phase authentication is built into Windows Vista.
As the technology becomes cheaper, it will slowly become an option for banking customers, and eventually a requirement.
The fact that this does not effect MS Office 2007 merely indicates that MS has closed previously exploitable holes Actually, that's probably not the case here. If Microsoft knew about this particular hole, they would have issued a patch for in for previous versions. They probably had no idea about this hole. The reason it doesn't affect Office 2007 is probably because Office 2007's basic approach to handling documents is different from previous versions. They treat all documents as potential threats. In other words, the secure development lifecycle made Office a more secure product, and this prevented a previously unknown hole from affecting it.
It could mean a growing competence by users to compensate for MS failure to provide a secure system. Huh? How so? How do users have anything to do with Office 2007 not being affected by this exploit?
Very true... except that if you're worried about involuntary lock-n, there are 16 file types you can save your documents in, many of which are very widely support. You can also install additional file type support, such as the Open Document Format.
The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.
This is further supported by other software they have released that went throught their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.
Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.
There are so many mitigating factors with this that a successful exploit of this "bug" is extremely unlikely.
First of all, as was mentioned in the article, voice recognition cannot bypass User Account Control. So that immediately limits damage to the local profile.
Second, the user would see all of this happening and would have to remain silent for this to work. It's not like a piece of code executing. The commands are not particularly speedy. They would see dialogs flashing, hear the commands being spoken, and decide not to do anything about it. All it would take is the user saying something or turning down their speakers and it would likely be enough to stop things from proceeding.
The danger with this is extremely limited and unlikely. It certainly has some novelty value, though.
The Microsoft stuff is all free as well. All of it runs on either.NET 2.0 (ClickOnce), or.NET 3.0.
But, as the previous poster mentioned,.NET is not on a large number of clients at this point. (Although that's changing quickly.) Windows Server 2003 was the first version of Windows to come with.NET pre-installed. Vista continues that trend.
Of course, this doesn't really help people targeting more than Windows. Mono helps that a bit.
People seem to constantly suggest that the future is either with thin clients or with thick clients, but they never really explain why.
I think this is a false dichotomy. Thin clients and thick clients each have their uses. Thin clients are great as some things (deployment, maintenance, cross-platform capabilities, client security, etc.), where as thick clients are great at others (leveraging the local machine, UI flexibility, speed, privacy, etc.)
The successful applications utilizing AJAX are those applications which really don't need to the capabilities of the local machine. Those that try to do what a local app is much better at are doomed to fail, at least for the time being. (AJAX office suites, for instance.)
I see the line between these two kinds of applications slowly but surely blurring. I really doubt that HTTP/Javascript/XML will take us a whole lot further than we're seeing now. It just wasn't meant for this kinda stuff. While the various implementations of "rich" web applications are quite ingenious, they're hacks, and hacks can only take you so far.
Instead, I see HTTP and the browser being the primarily delivery mechanism for rich applications running inside a sandbox on the client. Essentially the Java model, but done right. (And, perhaps more accurately, done at the right *time*.)
Sorry, but if you are forever locked into a platform because it is what you happen to learn programming on, then you shouldn't be a programmer to begin with.
The tests proposed would not "prove" string theory. They are only testing some of the fundemental assumptions on which string theory is based.
If the test shows that one or more of these assumptions is incorrect, however, then it would probably force a very fundamental rethinking of string theory... essentially disproving it.
From a gaming perspective, Carmack might be right. (Although the fact that Vista's new video driver model supports virtual memory for graphics cards is, in my opinion, reason enough to upgrade to Vista on a gaming machine.)
But aside from gaming, Vista has *tons* of new features, many of which people don't know about. There are certainly more features in this upgrade than there were going from Windows 2000 to XP. So if you made that jump, there are plenty of reasons to make this jump.
Hell, security alone should get most people to move on over.
Slashdot Mirror
Well, first, I pay for hotmail... so I have 2GB of space. So that's really not an issue.
Second, I don't get spam. I think they actually use different spam filters for paided users vs non-paid users. That's really the only explanation. I have a couple free hotmail accounts that just get crushed by spam. But my hotmail account gets, at most, 2 spams a day. And it's actually been better recently. I don't think I've had spam in the past couple of days.
Third, I like Hotmail's (beta) interface better. I love the 3 side-by-side pane approach.
That's why.
I've been using their Windows Live Mail Beta for several months, and while it's still not as good as Yahoo's mail beta, it's MUCH better than regular hotmail... which sucks.
That said, I find myself using Windows Live Mail Desktop more and more. The early betas were pretty bad, but now it's a fairly good, simple e-mail client. Good stuff for those who don't need Outlook.
I'm actually pretty surprised that the Yahoo mail beta doesn't get more press. It is, by FAR, the best web-based e-mail I've ever seen. Check out this review for screenshots.
I challenge you to find a SINGLE Windows "Logo" certified application that does not run on Vista. Just one. (Not counting things like anti-virus, which use file system filters that were dramatically overhauled in Vista.)
The fact of the matter is that the vast majority of backwards compatibility issues with Vista are due to the fact those applications are poorly written.
Microsoft publishes some fairly simple rules that developers should follow to make sure their software is compatible with future (and current) versions of Windows. Rules like "Don't store your freaking user settings in Program Files". Not exactly hard to follow.
Yet most apps that don't follow these rules STILL work on Vista. Microsoft actually wrote code that detects when crappy applications do stupid stuff that violates their Logo rules, and will automatically redirect their output to temp folders under the user's profile.
But there is only so much they can do.
Apple has had more than a year to get their software ready for Vista. In my opinion, the only explanation for them not doing so is because they want to try and influence users to not upgrade to Vista.
I still find it incredible that software that is over 20 years old still runs on Vista.
The creators of Skype got their money from the very popular P2P application, Kazaa.
Kazaa was well known for being a conduit for spyware on to user's machines. Virtually all of the money these guys made from Kazaa was by charging huge per-install fees to makers of spyware and adware. They full well knew what this software did, and they were perfectly happy to take the money.
But paying on a per-install basis means you need to be able to reliably identify a person's machine. This isn't as easy as it sounds. There is really no single piece of information that can uniquely identify a machine.
But doing a dump of the BIOS and gathering a few dozen pieces of information would allow you to fairly accurately identify unique installs.
Now, I'm not saying that Skype is spyware. And I'm not saying that these guys intend for it to become spyware at any point in the future. But I bet that they originally intended Skype to be the next big vehicle for spyware delivery.
Now that Skype is so popular and seems like a legit way to make money, they no longer intend to use it for evil. But old habits die hard, and so does old code.
Actually, the details on implementing anti-virus for Vista, and other low level filters, have been available for well over a year. Some documentation has been avilable for more than 2 years.
That's how companies like Kaspersky and AVG came out with fully Vista compliant versions of their software months ago. Software which works extremely well, by the way. (Kaspersky passed this test. It says so right in the article.)
This has nothing to do with Vista, and everything to do with crappy anti-virus products. Neither OneCare or McAfee for XP have ever tested well, so why would anybody think that they would test well on Vista?
If you read the entire article, you'll notice a little blurb at the end that several vendors passed the test, one of which was Kaspersky. Another excellent vendor for Vista is AVG.
Kaspersky consistantly beats all the other major anti-virus vendors, but I guess the story wouldn't be quite as Slashdot-worthy if it ready "Kaspersky Anti-Virus on Vista Works Great!".
See: http://blogs.msdn.com/michael_howard/archive/2004/ 10/15/242966.aspxi i.html
See: http://rmh.blogs.com/weblog/2005/05/is_microsoft_
Those posts are somewhat old, but the trend apparently continues if you go check Secunia, or your favorite vulnerability lists.
But those same companies are at the mercy of consumers, just like anybody else. If there is enough bad press due to the poor security of the product, the company will be forced to fix things. This is especially true for companies that sell software to large corporations.
Microsoft really is a case in point. They did a lot of what you described, got nailed for it by the press, by consumers, and by corporations, and they really did change their ways. Their Secure Development Lifecycle has turned out some pretty high quality releases. For instance, IIS 6 has far fewer vulnerabilities than Apache. One certainly couldn't say that for IIS 5.
One supposed advantage of open source software is that, well, it's open. Everybody can take a look and see if the code has holes. The idea being that the more eyes that look at something, the greater a chance of somebody seeing bugs.
But the quantity of eyes isn't always the issue. I could put the Linux kernel source code in front of 1 million six year olds, and there is very little chance any of them would find a single bug.
Obviously, we're not talking about six year old eyes here, but continue the scenario. There are some types of bugs that even very experienced coders wouldn't necessarily spot. Not every kind of security hole is a simple buffer overflow. Some kinds of issues will really only be spotted by a highly trained and specialized set of eyes.
Now, those highly trained eyes may be looking at the open source code, or they may not. All I'm saying is that the quote "Given enough eyeballs, all bugs are shallow" is not particularly accurate.
Bank of America's SiteKey feature is, for the most part, an improvement over previous security measures. It is designed to mitigate basic phishing techniques, not to protect against man-in-the-middle attacks or other more sophisticated hacks.
Other banks use different measures, each of which is typically aimed at a different security problem. HSBC uses a "virtual keyboard" to mitigate keyboard loggers, for instance.
But the basic flaw in all of these security measures is that they rely on knowledge to authenticate a user. The problem is, knowledge is transferable. Whether it was a keyboard logger or a phishing attack, whatever the company is using to try and make sure you are who you say you are can be used by somebody else.
The only way around this is using a combination of both knowledge *and* something non-transferable. This can be biometric (retinal, finger print, face, whatever), or something a lot more simple (and cheap), such as a smart card. (Yes, I know a smart card can be stolen, but it's going to be a *lot* harder to steal a smart card AND the login information.)
Using a combination of transferable and non-transferable authentication requirements means that even if somebody phishes my login/password/sitekey/whatever, if they don't have the little card on my key chain, they're not getting into my bank account.
It's just a matter of time before this becomes widespread and even required. Microsoft already requires this for all employees accessing their company network, and support for this kind of two phase authentication is built into Windows Vista.
As the technology becomes cheaper, it will slowly become an option for banking customers, and eventually a requirement.
Very true... except that if you're worried about involuntary lock-n, there are 16 file types you can save your documents in, many of which are very widely support. You can also install additional file type support, such as the Open Document Format.
So I guess it's not true at all. Never mind.
The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.
This is further supported by other software they have released that went throught their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.
Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.
There are so many mitigating factors with this that a successful exploit of this "bug" is extremely unlikely.
First of all, as was mentioned in the article, voice recognition cannot bypass User Account Control. So that immediately limits damage to the local profile.
Second, the user would see all of this happening and would have to remain silent for this to work. It's not like a piece of code executing. The commands are not particularly speedy. They would see dialogs flashing, hear the commands being spoken, and decide not to do anything about it. All it would take is the user saying something or turning down their speakers and it would likely be enough to stop things from proceeding.
The danger with this is extremely limited and unlikely. It certainly has some novelty value, though.
The Microsoft stuff is all free as well. All of it runs on either .NET 2.0 (ClickOnce), or .NET 3.0.
.NET is not on a large number of clients at this point. (Although that's changing quickly.) Windows Server 2003 was the first version of Windows to come with .NET pre-installed. Vista continues that trend.
But, as the previous poster mentioned,
Of course, this doesn't really help people targeting more than Windows. Mono helps that a bit.
Want to perhaps be a bit more specific?
People seem to constantly suggest that the future is either with thin clients or with thick clients, but they never really explain why.
I think this is a false dichotomy. Thin clients and thick clients each have their uses. Thin clients are great as some things (deployment, maintenance, cross-platform capabilities, client security, etc.), where as thick clients are great at others (leveraging the local machine, UI flexibility, speed, privacy, etc.)
The successful applications utilizing AJAX are those applications which really don't need to the capabilities of the local machine. Those that try to do what a local app is much better at are doomed to fail, at least for the time being. (AJAX office suites, for instance.)
I see the line between these two kinds of applications slowly but surely blurring. I really doubt that HTTP/Javascript/XML will take us a whole lot further than we're seeing now. It just wasn't meant for this kinda stuff. While the various implementations of "rich" web applications are quite ingenious, they're hacks, and hacks can only take you so far.
Instead, I see HTTP and the browser being the primarily delivery mechanism for rich applications running inside a sandbox on the client. Essentially the Java model, but done right. (And, perhaps more accurately, done at the right *time*.)
You can see the beginnings of this with technologies like XUL, ClickOnce, XAML, XBAP, and WPF/E.
It's just a matter of time before these things catch on.
Eh, I should have read his other blog posts. His work around doesn't involve PatchGuard at all, nor does it involve running an unsigned driver.
Never mind. My bad.
Administrators can turn PatchGuard off at boot time. He didn't break it.
He turned it off then installed an unsigned driver.
Quiet you. Logical and rational thinking like that has no place on Slashdot.
Sorry, but if you are forever locked into a platform because it is what you happen to learn programming on, then you shouldn't be a programmer to begin with.
I couldn't have said it better myself.
The tests proposed would not "prove" string theory. They are only testing some of the fundemental assumptions on which string theory is based.
If the test shows that one or more of these assumptions is incorrect, however, then it would probably force a very fundamental rethinking of string theory... essentially disproving it.
From a gaming perspective, Carmack might be right. (Although the fact that Vista's new video driver model supports virtual memory for graphics cards is, in my opinion, reason enough to upgrade to Vista on a gaming machine.)
But aside from gaming, Vista has *tons* of new features, many of which people don't know about. There are certainly more features in this upgrade than there were going from Windows 2000 to XP. So if you made that jump, there are plenty of reasons to make this jump.
Hell, security alone should get most people to move on over.