• Created a Virtual Launch Party for Lee Holmes’ 2nd Edition Windows PowerShell Cookbook
• Updated my SharpSsh Module (which I wrote about ages ago in Scriptable SSH From PowerShell) to accept PSCredential objects or passwords, use CmdletBinding and have parameter set overrides
• Updated my JSON Module to support Pipeline binding in ConvertFrom-Json and to call out the fact that it properly supports dynamic objects if you specify PSObject as the type.
• Updated (and finally released) my Presentation module

• Updated (and finally released) my PowerTest Module (it now has setup/teardown and supports filtering tests by name and category). This module needs it’s own blog post too, but you can get an idea what it’s about in the first hour of the Live Meeting recording of my Testing with PowerShell presentation.

Now that I mention all that stuff, there’s a few things from last week that bear mentioning too:

• I wrote a sweet little function to wrap the LoreSoft.MathExpressions assembly, which lets you do all sorts of math inline in the PowerShell console.
• I also updated my HttpRest module to work with the latest 2.1 release of MindTouch Dream

• And published my current PowerShell Prompt and PowerShell Profile

And if you haven’t seen them … the week before that I also

• Published a function for invoking Generic Signature Methods from PowerShell which was something I had previously considered impossible.
• Made some very nice updated to ConvertFrom-PropertyString which parses ini files and anything like that…
• Published a trick for getting PowerShell.exe to run in .Net 4 and to allow PowerShell to load binary modules from network paths

• Wrote a function to generate proxy wrappers for OData Services which was closely followed by a full PowerShell OData Module from Doug Finke

So, I’m giving myself a break.

So, in the spirit of “spit it out”, I’m going to just leave this post at that, and just add I’ve been working on PowerBoots, PoshConsole, PoshCode … some OAuth code for authenticating and posting to FriendFeed (which just got bought by Facebook, so maybe my code will work there some day), and some more voice-recognition stuff … posts on all of these are coming soon.

Well, if you download the PDF (and read it with Foxit Reader because Adobe Acrobat and Flash are tied for #2 on Bit9’s list), you’ll find these items, among others, in the criteria for apps making the list:

• Is well-known in the consumer space and frequently downloaded by individuals.
• Contains at least one critical vulnerability that was first reported in January 2008 or after … [and was] given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
• Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

• The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

There are two big problems here:

1. It doesn’t matter how long it takes the vendor to issue the patch.

1. Any application which can be patched by the administrator (or which is patched in WSUS (aka Windows Update)) is automatically excluded from the list — regardless of anything else.

That’s just preposterous.

So preposterous that even The Register couldn’t stand for it.

An application could have a single level 7 vulnerability that was patched within hours, with the patch delivered automatically by the application checking and self-updating … and it would still qualify (this isn’t entirely Hypothetical, THREE of the apps on that list had only a single qualifying vulnerability). But if it uses a patching system that has to be run by a highly paid IT professional instead, it wouldn’t qualify even if it had a level 10 vulnerability that has remained open for years … In point of fact, vulnerabilities that have been open for years are disqualified anyway, but the point is that the only thing that saves an app from this list is not having any vulnerabilites, or being able to hypothetically apply patches remotely (regardless of whether the patches actually exist).

Stop spreading this list

I’m begging you: if you’re a reporter, a blogger, a tweeter — do your research before you help companies spread disinformation… and please note that Bit9’s sole reason for creating this list is to market their enterprise management, patching, and white-listing product.

Related articles by Zemanta

• Patch-blocking bug also stymies Microsoft’s WSUS
• SonicWall blocks WindowsUpdate
• Foxit PDF Reader 3.0 for Windows now works with Firefox
• Microsoft confesses to posting a flawed update

• Ars Technica
• BetaNews
• Beyond Binary

• UX Evangelist

Oh, and don’t forget, you can watch video of every presentation 24 hours after it finishes on channel9.msdn.com

Codeplex has announced Subversion support. They will be running a server-side SvnBridge to allow access to all the projects so you can grab source more easily because it supports anonymous access. Amusingly, it’s actually easier to use than TFS, all you need to know is the project name to get in. E.g.: https://PoshConsole.svn.codeplex.com/svn

Clarius has just released of their T4 template editor for Visual Studio. There’s a free version, and a pro ($99) version. It’s excellent, and if you haven’t gotten into generating code using t4, what are you waiting for?

StackOverflow The new programming question-and-answer forum from CodingHorror Jeff Atwood and Joel Spolsky has launched.

Dave Glover wrote a cool post about how simple it is to create a bootable USB install disc for Vista and Miguel de Icasa created a C# Eval statement and console shell for the Mono Project.

Sir Tim Berners Lee launched the world wide Web Foundation to proactively advance the goals that “a single web” should be “open to any device and software” and to extend the capabilities of the web and ensuring they can be accessed securely by everyone on the planet… Hard to say what this all means, at this point.

Present.ly and Yammer launched as attempts at private corporate Twitter implementations. Present.ly looks most promising, they have the concept of “groups” that is missing from twitter, and they have a few different types of posts (questions, urgent messages, group broadcast messages, etc). However, they charge for anything more than the most basic account (ie: no IM without paying). Yammer has a more curious business model (it’s almost like extortion): employees can join for free based on their email address, companies can then pay to take over their (pre-established on-the-fly) corporate network and exert some control over it, but their Jabber/IM is working great already.

PowerShell Bloggers – The Yahoo! Pipe

If you know of a PowerShell blog which you think should be added to our list (even if posts on it are infrequent) please feel free to drop me a line using the comment box. In fact, if you think I’ve linked to the wrong feed for one of the ones I did include, or if you would like to have your blog removed from the list … feel free to drop me a line for that too.

By the way, for those of you who are interested in these sort of things: the rationale for creating and using a pipe rather than simply subscribing to each individual feed is pretty simple:

1. The pipe filters out posts which aren’t about PowerShell, and lists at most two weeks worth of content
2. The pipe merges posts into chronological order for use in web syndication

1. Hypothetically, the pipe gives me the ability to include sites which don’t have RSS feeds (more on that some other time)

We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google’s approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google’s product range and the ability of the company to share extracted data between these tools, and in part it is due to Google’s market dominance and the sheer size of its user base. Google’s status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.

I can’t really add much information that the news and reviewing
magazines, radio, and blogs have written … The bottom line is that Google’s gathering unbelievable amounts of data, and not providing users with any way to have most of that data deleted. According to Privacy International this is because_they don’t believe_ that they are collecting sensitive information ... even though they track your use of blogs, email, maps, and searches, as well as what links you click on, et. On top of that, their corporate culture leads them to mix together the login, cookie, and tracking data from all their different services without explicitly telling you they will do so, and they retain the data for years. Ultimately they have a “track history of ignoring privacy concerns” and their response to this report doesn’t make one think they’re taking it seriously.

Oh, and just as a postscript, this reaction from Kevin Bankston (an attorney at EFF) to Google’s new street view photos (streams of 360° photos taken from vans driving through dozens of major cities across the US):

There are a lot of people on the Web who are, I think, freaked out by this they find it kind of icky and uncomfortable, I don’t think Google has done anything illegal here, but I do think they’ve done something that’s exceptionally rude.

Just for fun, I’m not going to try to debate that. It’s absolutely true (as he points out) that practically all of the “in the wild” viruses, trojans, and other malware target Windows. Of course, it’s also true that practically all of the software in the world targets Windows. Yeah, there’s plenty of Mac software, and plenty of Linux software too … but numbers-wise …. Yah, anyway. I said I wasn’t going to debate that … instead, I’m just going to poke fun at his ridiculous arguments.

Still, no matter how much you might consider this comparison an unfair shot, it is real. The Mac is a better platform when it comes to security and malware attacks.

I’ve used Macs since 1984, and I’ve been infected by some malware twice. Two times.

Now, I’m sure many of you can echo what I’m about to say, but with longer dates. I got my first PC in high school, sometime around 1990. Since then, I’ve been running DOS and Windows. The closest I’ve ever come to being infected was when I put other people’s infected floppies in my PC to run a virus cleaner on them … or maybe when I had a look at the source code for the Melissa and “I love you” javascript bugs… I’ve literally never been infected. Sorry David. That’s not an argument about macs vs. PCs, it just shows you’re not very careful.

By my reckoning of the installed bases for each platform, there should be many more exploits for the Mac. Depending on how you calculate the number—2, 3, 5 or whatever percent—shouldn’t there be that corresponding percentage of viruses on the Mac in these lists?

... Scripting News listed the site’s readers by browser. Firefox was the largest (49.76 percent), and Internet Explorer came in second (23.43 percent). However, Mac-only browsers Safari and Camino were next in line (21.31 and a guesstimate of 2 percent, respectively).

Well, I didn’t want to debate exact numbers … but now you’ve got me riled up. It’s preposterous to even mention the visitor logs of a single website when discussing computer market share …

It’s certainly true that there’s been growth in Apples market — they set all-time records for sales of Macs in 2006. In fact, they almost tied Gateway for third place in the third quarter … which means they got almost 6% of PC sales in the US. Of course, that was at the tail end of the year we all spent waiting for Vista. This year they were in 5^th place with 5% in the first quarter … at least, in the USA.

Worldwide, however, Apple’s sales suck: last quarter their relatively expensive PCs dropped them right out of the top ten computer makers worldwide for the first time ever and their share of the global market is down from 2003 … to only 1.7%.

The core argument is completely flawed anyway. X% of computers are macs, therefore x% of viruses should be written for it? Why on earth would you say that? Last time I checked, the primary motivation for virus writers is either fame or profit. You don’t get either by spending time learning how to crack and infect 2% (or even 10%) of the computers in the world. You focus on the big targets because you can only infect a small percentage of the computers that are theoretically susceptible to your attack anyway.

Malware writers want to affects 100% of Fortune 500 companies, to turn 200,000 PCs into zombies every day, or to infects — read this slowly — more computers in one weekend — in China — than Apple sold in that entire record-setting quarter.

You get fame by writing a virus that sends 40 million infected emails to AOL in one day, causes $36 Billion in damages, and gets a $250 million bounty put on your head. And no, you don’t get those kinds of numbers by picking on a platform with less than 2% saturation worldwide.

David, you want to know why the Mac OS is more secure than Windows? It’s not because nobody who owns a mac could possibly want to hurt one (although there is something to be said for pricing poor third-world virus writers out of the market) ... it’s because virus writers really just can’t make money (or fame) attacking such a small fraction of the world’s computers. As long as Apple only gains ground in the US … there’s probably no need to worry about anyone other than security researchers noticing the holes .

CLR in Silverlight

The most exciting announcement I’ve today is that Silverlight will include the Common Language Runtime (CLR) on both Windows and Mac … which means that it will allow development using any .NET-supported languages. They’re even including the open source Dynamic Language Runtime and thus IronRuby (which like IronPython is also open source).

On top of that, these features, plus support for Language Integrated Query language (LINQ) and cross-platform debugging capabilities, are available now in the Silverlight 1.1 Alpha (and will be released more publicly after Silverlight 1.0 comes out this summer?).

Silverlight Streaming

They also announced today that they will offer a media-hosting service for free called Silverlight Streaming! In a move that targets both Adobe’s flash and other media-hosting sites like YouTube and Revver … they will allow developers to stream high -quality video (up to DVD quality) into their Silverlight apps from Microsoft’s servers without any restrictions on branding or embedding (including use in “rich internet applications” — i.e.: outside the browser).

The current package in pre-release offers only 4GB of storage and unlimited bandwidth delivery of up to DVD quality video (700 Kbps), but their plan calls for Microsoft to provide hosting for unlimited Silverlight content and up to a million minutes of free video streaming at 700 Kpbs per site per month … that’s over 5,000 Gigabytes of bandwidth)+*+700+Kbps)+in+gigabytes of streaming per month, for free! They’ll also offer unlimited streaming for a fee, or free, but supported by advertising…

Jasper and Astoria CTPs

Astoria builds on ADO.NET and WCF to allows you to expose a data service for the web which can be consumed via HTTP and since it uses standard HTTP verbs (GET, POST, DELETE, etc) you can even make it accessible as a REST-style resource collection with unique URIs … and simple formats like JSON or plain XML ...

Jasper is another ADO.NET incubation project … aimed at dynamically typed .Net languages like VB.Net or IronPython … it dynamically generates data classes (instead of requiring manual, static configuration … or even code generation which must be kept up to date). It’s built on the Entity Framework (which was postponed until some time in 2008 … after Orcas ships), so it supports rich queries and object-relational mapping and automatic databinding.

Ozzie speaks on Services and Clients…

The orchestration of announcements has many people buzzing about strong leadership and strategy … and the keynote by Ray Ozzie left no doubt about who’s behind that, highlighting the work Microsoft is doing to integrate all the various aspects of their strategy. Ozzie pitched Software-as-a-Service (SaaS) 2.0: web and hosted services which have “grown to embrace the uniquely valuable role of the client.”

IE 8 will require Standards Mode

In a move that only the undisputed king of browsers could hope to pull off, Microsoft has announced that they’ll be requiring web developers to opt in to standards-compliant web design … feel free to take a moment to check for flying pigs.

They’re also planning on making the IE object model more interoperable with other browsers and provide more client-side APIs — including local storage for AJAX apps and more extensibility in the form of a plugin API. Look for it in 2008.

Even more interestingly, San Francisco, San Diego, New York and Oakland are all in the bottom five!

Of course, the problem is that these are statistics… You know what Mark Twain used to say about statistics?

You can’t simply take a salary and multiply it by the cost of living … because you don’t spend your whole salary on the cost of living. In most cost of living calculations nearly 30% of your spending is on housing — that includes investments like buying a home even though you will recover most of that money (or even turn a profit) when you move. You also spend some money on items that are basically fixed cost items: computers, phones and internet access, cars, luxury items … and generally speaking — anything you can buy on the internet . You also save some of it (you do save some of your money, right?) and maybe you give some of it away …

Perhaps a better metric would be to find some common ground for what you have to buy to live: an apartment or a mortgage, food, utilities, transportation, health care, and even entertainment … then find the localized cost of that, and subtract it from your average salary numbers. But hey, I’m no economist.