Ok, so it’s been awhile since I blogged faithfully. I got really busy leading up to the Scripting Games, and then I got even busier afterward … and then I just got distracted. In fact, I have about 9 “drafts” posts queued up in WordPress that I started and never finished, so what I probably need to do to get myself going again is to stop trying to make every post into the complete documentation of … whatever I was writing about.
So, in the spirit of “spit it out”, I’m going to just leave this post at that, and just add that I’ve been working on PowerBoots, PoshConsole, PoshCode … some OAuth code for authenticating and posting to FriendFeed (which just got bought by Facebook, so maybe my code will work there some day), and some more voice-recognition stuff … posts on all of these are coming soon.
There has been a lot of buzz on Twitter (etc.) about the report issued by Bit9 (as reported without details by NeoWin). The list is topped by Firefox, and the top 10 are all non-Microsoft applications … shocker!
Well, if you download the PDF (and read it with Foxit Reader because Adobe Acrobat and Flash are tied for #2 on Bit9’s list), you’ll find these items, among others, in the criteria for apps making the list:
There are two big problems here:
So preposterous that even The Register couldn’t stand for it.
An application could have a single level 7 vulnerability that was patched within hours, with the patch delivered automatically by the application checking and self-updating … and it would still qualify (this isn’t entirely hypothetical: THREE of the apps on that list had only a single qualifying vulnerability). But if it uses a patching system that has to be run by a highly paid IT professional instead, it wouldn’t qualify even if it had a level 10 vulnerability that has remained open for years … In point of fact, vulnerabilities that have been open for years are disqualified anyway, but the point is that the only thing that saves an app from this list is not having any vulnerabilities, or being able to hypothetically apply patches remotely (regardless of whether the patches actually exist).
I’m begging you: if you’re a reporter, a blogger, a tweeter — do your research before you help companies spread disinformation… and please note that Bit9’s sole reason for creating this list is to market their enterprise management, patching, and white-listing product.
This week is Microsoft’s PDC, and I, regrettably, am not there. So I’m following along from a distance, watching the keynotes live from the main site and reading a lot about the Microsoft Azure Services Platform in its various incarnations … and trying to follow some of the best coverage:
Oh, and don’t forget, you can watch video of every presentation 24 hours after it finishes on channel9.msdn.com
There’s fun stuff happening lately, so here’s a post full of tidbits you may have missed. Like:
Codeplex has announced Subversion support. They will be running a server-side SvnBridge to allow access to all the projects, so you can grab source more easily because it supports anonymous access. Amusingly, it’s actually easier to use than TFS: all you need to know is the project name to get in. E.g.: https://PoshConsole.svn.codeplex.com/svn
Clarius has just released their T4 template editor for Visual Studio. There’s a free version, and a pro ($99) version. It’s excellent, and if you haven’t gotten into generating code using T4, what are you waiting for?
StackOverflow, the new programming question-and-answer forum from CodingHorror’s Jeff Atwood and Joel Spolsky, has launched.
Dave Glover wrote a cool post about how simple it is to create a bootable USB install disc for Vista, and Miguel de Icaza created a C# Eval statement and console shell for the Mono Project.
Sir Tim Berners-Lee launched the World Wide Web Foundation to proactively advance the goals that “a single web” should be “open to any device and software”, to extend the capabilities of the web, and to ensure they can be accessed securely by everyone on the planet… Hard to say what this all means, at this point.
Present.ly and Yammer launched as attempts at private corporate Twitter implementations. Present.ly looks most promising: they have the concept of “groups” that is missing from Twitter, and they have a few different types of posts (questions, urgent messages, group broadcast messages, etc). However, they charge for anything more than the most basic account (i.e., no IM without paying). Yammer has a more curious business model (it’s almost like extortion): employees can join for free based on their email address, and companies can then pay to take over their (pre-established on-the-fly) corporate network and exert some control over it. Their Jabber/IM is working great already, though.
This is just a short post to announce that I’ve created a Yahoo! “pipe” aggregating the latest PowerShell related posts (in chronological order) from a whole bunch of different PowerShell blogs. I won’t list them here, because they are listed on the pipe page, and I don’t want to have to maintain the list twice …
If you know of a PowerShell blog which you think should be added to our list (even if posts on it are infrequent) please feel free to drop me a line using the comment box. In fact, if you think I’ve linked to the wrong feed for one of the ones I did include, or if you would like to have your blog removed from the list … feel free to drop me a line for that too.
By the way, for those of you who are interested in these sort of things: the rationale for creating and using a pipe rather than simply subscribing to each individual feed is pretty simple:
So, Privacy International has made official and extremely public what I’ve been muttering about for years: Google doesn’t care about your privacy. A recent study they published rated Google as the worst internet service. In fact, in light of the results, they actually called the study “A Race to the Bottom – Privacy Ranking of Internet Service Companies.”
We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google’s approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google’s product range and the ability of the company to share extracted data between these tools, and in part it is due to Google’s market dominance and the sheer size of its user base. Google’s status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.
I can’t really add much information that the news and reviewing magazines, radio, and blogs have written … The bottom line is that Google’s gathering unbelievable amounts of data, and not providing users with any way to have most of that data deleted. According to Privacy International this is because they don’t believe that they are collecting sensitive information ... even though they track your use of blogs, email, maps, and searches, as well as what links you click on, etc. On top of that, their corporate culture leads them to mix together the login, cookie, and tracking data from all their different services without explicitly telling you they will do so, and they retain the data for years. Ultimately they have a “track history of ignoring privacy concerns” and their response to this report doesn’t make one think they’re taking it seriously.
Oh, and just as a postscript, this reaction from Kevin Bankston (an attorney at EFF) to Google’s new street view photos (streams of 360° photos taken from vans driving through dozens of major cities across the US):
There are a lot of people on the Web who are, I think, freaked out by this; they find it kind of icky and uncomfortable. I don’t think Google has done anything illegal here, but I do think they’ve done something that’s exceptionally rude.
So David Morgenstern over at eWeek has an opinion piece claiming that “PC users should forget their outrage and come to understand that life isn’t fair. The Mac platform is more secure than Windows and will continue to be so.”
Just for fun, I’m not going to try to debate that. It’s absolutely true (as he points out) that practically all of the “in the wild” viruses, trojans, and other malware target Windows. Of course, it’s also true that practically all of the software in the world targets Windows. Yeah, there’s plenty of Mac software, and plenty of Linux software too … but numbers-wise …. Yah, anyway. I said I wasn’t going to debate that … instead, I’m just going to poke fun at his ridiculous arguments.
Still, no matter how much you might consider this comparison an unfair shot, it is real. The Mac is a better platform when it comes to security and malware attacks.
I’ve used Macs since 1984, and I’ve been infected by some malware twice. Two times.
Now, I’m sure many of you can echo what I’m about to say, but with longer dates. I got my first PC in high school, sometime around 1990. Since then, I’ve been running DOS and Windows. The closest I’ve ever come to being infected was when I put other people’s infected floppies in my PC to run a virus cleaner on them … or maybe when I had a look at the source code for the Melissa and “I love you” javascript bugs… I’ve literally never been infected. Sorry David. That’s not an argument about Macs vs. PCs, it just shows you’re not very careful.
By my reckoning of the installed bases for each platform, there should be many more exploits for the Mac. Depending on how you calculate the number—2, 3, 5 or whatever percent—shouldn’t there be that corresponding percentage of viruses on the Mac in these lists?
... Scripting News listed the site’s readers by browser. Firefox was the largest (49.76 percent), and Internet Explorer came in second (23.43 percent). However, Mac-only browsers Safari and Camino were next in line (21.31 and a guesstimate of 2 percent, respectively).
Well, I didn’t want to debate exact numbers … but now you’ve got me riled up. It’s preposterous to even mention the visitor logs of a single website when discussing computer market share …
Microsoft made several big announcements today at MIX07…
The most exciting announcement today is that Silverlight will include the Common Language Runtime (CLR) on both Windows and Mac … which means that it will allow development using any .NET-supported language. They’re even including the open source Dynamic Language Runtime and thus IronRuby (which, like IronPython, is also open source).
On top of that, these features, plus support for Language Integrated Query (LINQ) and cross-platform debugging capabilities, are available now in the Silverlight 1.1 Alpha (and will be released more publicly after Silverlight 1.0 comes out this summer?).
They also announced today that they will offer a media-hosting service for free called Silverlight Streaming! In a move that targets both Adobe’s Flash and other media-hosting sites like YouTube and Revver … they will allow developers to stream high-quality video (up to DVD quality) into their Silverlight apps from Microsoft’s servers without any restrictions on branding or embedding (including use in “rich internet applications” — i.e.: outside the browser).
The current package in pre-release offers only 4GB of storage and unlimited bandwidth delivery of up to DVD quality video (700 Kbps), but their plan calls for Microsoft to provide hosting for unlimited Silverlight content and up to a million minutes of free video streaming at 700 Kbps per site per month … that’s over 5,000 gigabytes of streaming per month, for free! They’ll also offer unlimited streaming for a fee, or free, but supported by advertising…
Astoria builds on ADO.NET and WCF to allow you to expose a data service for the web which can be consumed via HTTP, and since it uses standard HTTP verbs (GET, POST, DELETE, etc) you can even make it accessible as a REST-style resource collection with unique URIs … and simple formats like JSON or plain XML ...
Jasper is another ADO.NET incubation project … aimed at dynamically typed .Net languages like VB.Net or IronPython … it dynamically generates data classes (instead of requiring manual, static configuration … or even code generation which must be kept up to date). It’s built on the Entity Framework (which was postponed until some time in 2008 … after Orcas ships), so it supports rich queries and object-relational mapping and automatic databinding.
The orchestration of announcements has many people buzzing about strong leadership and strategy … and the keynote by Ray Ozzie left no doubt about who’s behind that, highlighting the work Microsoft is doing to integrate all the various aspects of their strategy. Ozzie pitched Software-as-a-Service (SaaS) 2.0: web and hosted services which have “grown to embrace the uniquely valuable role of the client.”
In a move that only the undisputed king of browsers could hope to pull off, Microsoft has announced that they’ll be requiring web developers to opt in to standards-compliant web design … feel free to take a moment to check for flying pigs.
They’re also planning on making the IE object model more interoperable with other browsers and provide more client-side APIs — including local storage for AJAX apps and more extensibility in the form of a plugin API. Look for it in 2008.
It’s common knowledge that San Jose, San Francisco and New York City are among the highest paying places for software developers to work. And it’s generally common knowledge that these places are also among the most expensive places to live … Delatores has done some interesting math based on the cost of living and salary data and discovered that four of the top five cities (based on the purchasing power of an average software developer’s salary) are in Texas!
Even more interestingly, San Francisco, San Diego, New York and Oakland are all in the bottom five!
Of course, the problem is that these are statistics… You know what Mark Twain used to say about statistics?
You can’t simply take a salary and multiply it by the cost of living … because you don’t spend your whole salary on the cost of living. In most cost of living calculations nearly 30% of your spending is on housing — that includes investments like buying a home even though you will recover most of that money (or even turn a profit) when you move. You also spend some money on items that are basically fixed cost items: computers, phones and internet access, cars, luxury items … and generally speaking — anything you can buy on the internet. You also save some of it (you do save some of your money, right?) and maybe you give some of it away …
Perhaps a better metric would be to find some common ground for what you have to buy to live: an apartment or a mortgage, food, utilities, transportation, health care, and even entertainment … then find the localized cost of that, and subtract it from your average salary numbers. But hey, I’m no economist.
Kaspersky Lab is engaged in the worst form of attention mongering: spreading fear and uncertainty through misleading headlines.
They’ve posted a virus news article which claims that they’ve “discovered” the first virus for the iPod … which has been picked up and further exaggerated in what I consider some of the worst reporting ever.
The horrible TTN article actually states that “researchers at security firm Kaspersky Lab developed a virus which can infect Apple’s popular portable media player, the iPod” and goes on to note that the so-called virus only affects iPods running iPodLinux …
In fact, this is not a virus, but merely a proof of concept of some ELF infection code which, when executed on a Linux computer, will infect ELF files. The fellow free0n (who does not, as far as I can tell, work at Kaspersky [:-D]) really didn’t do a whole lot more than port the code to iPodLinux and modify the messages being displayed.
The “iPod Oslo” doesn’t copy itself into ELF files, it merely causes them to display a message instead of behaving as they should, so it barely classifies as an infector, and certainly cannot spread to other files, meaning you must (manually) execute the infector on each machine you want to infect. As a proof of the concept that programs can be written which could infect files on iPodLinux it’s not a bad start … but it’s certainly not what we would consider a virus.
In other words (for those of you not following the technical jargon): it doesn’t copy itself into other files, therefore, it’s not a virus. It’s also not a worm: it doesn’t copy itself to your computer when you plug in and synchronize the iPod (which is certainly something that would be scary). Finally, it’s not a trojan (it doesn’t masquerade as something else), and it doesn’t even include a mechanism for copying the infector onto the iPod from your computer … nor for executing it once it gets there. It’s simply a proof-of-concept: a virus could be written for (iPod) Linux. Yeah. I think we all knew that — the only question there is: do you have to be running as root in order for it to work?
On top of all of those things that it does not do there’s one more thing: it doesn’t run on your iPod. That is, unless you’ve hacked your iPod and installed iPodLinux … this program and its potential future variants will not even be able to run on your iPod even if you manually copy them onto it.
Just to be clear: although TNN made it worse by crediting Kaspersky with developing this program, it’s very clear that both the original blog post by the Kaspersky Lab employee that “discovered” the application and the news release both identified this as an iPod virus … and while they were careful to mention that it doesn’t pose a real threat, and that in fact you have to first install Linux on your iPod … the bottom line is that Kaspersky and TNN created deliberately misleading headlines to draw attention to a story that I wish I hadn’t even bothered to read.