This is just a test, to see if it works - maybe more later.
Tuesday, 23 December 2003
Tuesday, 16 December 2003
Monday, 15 December 2003
"Microsoft expects a beta version of the enhanced development platform to be widely available to MSDN Universal subscribers in 2004."
Looks like the final release might not be until 2005, then.
Sunday, 14 December 2003
We already knew about No Execute protection and some of the enhanced Internet Connection Firewall material, but up until now MS hadn't indicated exactly what was intended for Internet Explorer.
On Friday, I was going to make a post comparing Internet Explorer to a running sore on Microsoft's general reputation, but I think that's now redundant; they clearly are doing something about it. I only hope that IE 6.05 (as the alpha version in Longhorn build 4051 is called) is released for all MS desktop operating systems at the same time (or even earlier if it's completed first).
There's a lot of expansion in other areas, but there's still a lot more to come. Unfortunately there's no subscription link that I can see. This article was posted without fanfare on TechNet.
Saturday, 13 December 2003
Reading back through one of my entries on 1 December, I realise that I've talked about journalled file systems, but didn't explain what one is.
A journalled file system is one which records (on disk) the changes it's about to make before doing so. If the power fails, or an error occurs, while it's making the changes, it can then either reverse the changes made, or read forwards through the log to complete the changes. This allows the system to ensure that its changes are consistent.
These features allow the file system to be both fast, caching writes until a lot of changes can be made at once, and also reliable. Classic UNIX file systems cache writes and rely on a checking tool, fsck (File System ChecKer), to fix the mistakes that happen. Windows 98 FAT and FAT32 work in the same way, relying on scandisk to sort out the corrupted disk. VMS and other reliable systems use serialised access to file system structures: only one process can modify disk structures at a time, but this is s-l-o-w.
One thing that isn't often explained about JFSs is that only the disk structure is journalled. User data is not necessarily preserved. The file will be the right length, but might not have the right contents. If you need transactional behaviour (operations are either completely performed or completely rolled back) you need to implement this yourself. Windows NT does this for its registry, which is why you're less likely to get a trashed registry on this system (and indeed, this is safer than multiple individual configuration files).
According to the big honking Longhorn architecture chart, Longhorn will gain built-in support for transactional access to files, and general transaction support.
Users of Pocket PCs might be surprised to learn that the file system implemented in the device's RAM is also transactional, as is access to the device's registry and property databases. AFAIK, Palm is not. However, the Pocket PC implementation has a 'feature' - changes to a property database appear not to be committed until you close the last handle to it. The CEDB OLE DB provider (which most PPC developers know as 'Pocket Access') doesn't close handles until you've Released the last Connection reference. If the device is suspended with an outstanding Connection open, the device rolls back and loses all your changes.
Unsurprisingly, we don't use ADOCE at work.
A whole bunch of (MS) bloggers are slowly moving over from blogs.gotdotnet.com to other sites (e.g. weblogs.asp.net). Unfortunately they're doing it one-by-one and haven't set up redirects, so I'm subscribing to the new site and removing the old one in NewsGator.
I'll wait 'til things settle down before updating my blogroll.
Microsoft has released a tool for removing the Bookshelf Symbol 7 font from Office 2003. Some customers complained that the font contained unacceptable symbols.
The unacceptable symbols in question were variants of the swastika symbol, which as you all should know, was adopted by the Nazi party of Germany.
To me, this smacks of extreme and excessive censorship. The symbol in itself is not hateful or wrong; it does however conjure up connotations of the regime that adopted the symbol.
Should we also ban the cross, because it was used by the crusaders? Should we ban the six-pointed star due to the actions of Israel?
Wednesday, 10 December 2003
So, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, eh?
I strongly suspect that the acronym (CAN-SPAM) was constructed before the expansion was thought up; in other words, a Backronym.
Tuesday, 9 December 2003
OK, it appears that these issues are not fixed (some of them, at least). Secunia reported on 25 November 2003, basically 10 working days ago, with Thanksgiving in the interim (losing at least two working days between the two).
It doesn't appear that Liu Die Yu is actually reporting these issues directly to Microsoft, expecting them to either know about them or to pick them up from the web (or NTBugTraq. This is highly irresponsible behaviour, IMO.
Maybe I'll fire off an email to securityATmicrosoftDOTcom (which is what you should do if you find a security issue)
Damn, I wish I had said out loud what I was thinking earlier this week...
"I bet there aren't any patches this month"
This is something of a watershed moment for Microsoft - nothing critical seems to have happened this month.
The Inquirer is claiming that there are seven outstanding IE exploits (see the Secunia advisory) but I've just tried them all on Windows XP Home SP1, including last month's patch and none of the exploits work. I believe that last month's patch has actually eliminated these exploits. Secunia's page was last updated on the 8th of October.
Saturday, 6 December 2003
My parents are out of town this weekend, so I thought I'd move my XBOX down from the room I normally play in, down to the living room. The semi-crappy TV I normally use is a 14" 4:3 set that only supports PAL at 50Hz.
The main set is a practically-brand-new 28" 16:9 widescreen stereo set that supports PAL at 60Hz (actually, I think it natively supports SECAM and NTSC too).
So I start up the console, and go into settings: audio to Stereo, video to Widescreen, PAL-60. I put Project Gotham Racing in the drive, wait for the annoying title sequence to go away (bashing A lots to get it to go away quicker - I swear, the A button will be the first thing on the controller to break), choose Load Existing Driver, From Hard Disk, Mike - annoying buzzing sound.
I look at the screen, and there at the bottom in red: Frequency: 50Hz
Apparently, if I created this driver at 50Hz, I can't play at 60Hz! I can't see any logical reason for this. So, to play, I had to go back into Dashboard's Settings option, and change back to PAL-50.
I hope they don't do this on PGR2.
Linux guru: Move quickly to new kernel (via Ian)
I'm not going to comment heavily on this, but basically the intention is to immediately shift the current stable version of the Linux kernel into security-patch-only mode, as soon as the new version 2.6.0 is released. That immediately puts users of the older version at a disadvantage. Also, historically, the first few releases of a new kernel have been poor - I recall that early 2.2 releases had terrible problems with disk corruption on some IDE drives.
Of course, you've got the source - you could back-port changes from the new kernel to the old one. If you're a programmer. And you're familiar with the kernel. And you have the time and the inclination. Oh, and the kernel developers haven't completely changed the interface to that part of the kernel. And you'd have to do that every time the main kernel got updated. No apt-get or rpm for you.
Now, OK, Microsoft hasn't released a full Service Pack for Windows NT 4.0 since October 1999, a full four months before Windows 2000 was released. But the software is still supported, and fixes are still being produced for it, more than seven years after initial release. It's just about to go out of mainstream support.
Windows 2000 has already had a service pack released after the release of Windows Server 2003 (SP4, released in June 2003), and it appears that a service pack 5 is planned (although no release date has been announced). We might expect SP5 to include some of the same security measures as XP Service Pack 2, although that could be wishful thinking on my part.
CNet reports that the reason this information came to light is that Silicon Graphics wanted to include their XFS journalled file system in 2.4, but it's only just completed. The original decision was that it wouldn't be included - after all, there are already three journalled file systems in Linux.
The trouble is, two of them - ext3 and ReiserFS - are widely regarded as a joke - they tend to lose data, or still require a lengthy fsck when rebooting. Keenspot lost many days of comics - particularly from Keenspace - due to ReiserFS on Linux 2.5. They also lost months of forum posts.
I'll admit I hadn't heard of IBM's JFS until reading this article. Maybe it actually works.
I'll just note here that if you want to add a new file system to Windows, you can get hold of the Installable File System Kit, which currently costs $899. Microsoft isn't yet guaranteeing that file systems written now will work on Longhorn, but I believe that third-party file systems written for NT 4.0 work all the way up to Windows Server 2003 using the same binary. If you want to add a new device driver, the Windows Driver Developers' Kit is free, apart from handling charges.
Oh yeah, and Windows NT has had a journalled file system since the beginning (NTFS).
Thursday, 4 December 2003
Congratulations, you're using Internet Explorer. Google's Deskbar uses the WebBrowser control; Internet Explorer (IEXPLORE.EXE) is merely a frame window which hosts a WebBrowser. I've no doubt that the actual search HTTP access code uses the WinInet library.
Until Mozilla or Konqueror manage to become this embeddable, I don't think we'll see a Mac or Linux deskbar (not to mention that Linux has two major desktop environments, KDE and Gnome, which implement taskbar embedding in different ways).
I find it ironic, since El Reg is heavily in the ABM camp.
In the same vein as the Capability Im-Maturity Model, only funnier.
This struck a particular chord because for the last three weeks I've been spelunking around in three ProtoTry projects, two of which were apparently written by a Simpleton.
Tuesday, 2 December 2003
I'm using a shared computer at my parents' house at present (I live with them because it's very expensive to rent or buy around here, buying anything would cost about five times my salary) - it's the only one connected to the 'net (no in-house network).
My Dad (who has worked for ICL since graduating in 1970) has installed Norton Internet Security on this box. Tonight, it's decided to do its periodic trick of continually popping up 'High Risk - A Remote Computer is Trying to Access Your Computer' boxes.
Now, someone probably has a port scanner set up - possibly even a group of compromised computers, since all the requests are coming from different IP addresses. But NIS is telling me that they're trying to access TCP port 3794. There's nothing listening on this port (according to netstat), so setting aside any possible TCP stack problems that can be exploited with the first packet sent, this cannot do any harm (and NIS probably isn't low enough in the stack to catch an attack on the TCP stack anyway).
Normally I run as a non-administrative user, which doesn't give the option to select, but since my Dad, who's in the Administrators group, is also logged in (we use Fast User Switching), NIS is popping the messages. 'Always use this action' seems not to have any effect (maybe it's related to the remote end-point, not the local one?)
Norton Internet Security seems to me to be more trouble than it's worth. Stick to XP's built-in firewall.
Jet Red is the internal Microsoft name for the Jet database engine used by Access. There is/was also Jet Blue, which was used as the database engine for Exchange 4.0 and 5.0. Exchange 5.5 and later use a SQL Server-derived database engine (called ESE97 by Exchange 5.5, ESENT by Windows 2000 Active Directory, and ESE98 by Exchange 2000 - I think ESE stands for Enterprise Storage Engine).
It appears that Jet Red isn't going to be ported to 64-bit Windows, so you'll have to find an alternative for your 64-bit applications (MS would suggest SQL Server or the SQL Server Desktop Engine, known as MSDE). Personally, I think there's still room for an in-process database engine which accesses a single file as a database, although it should be possible to build this from SQL Server components if MS is so inclined.
Monday, 1 December 2003
Actually, one could argue that IIS and Apache don't really compete, except in the 'small' field of static web page serving and CGI (Common Gateway Interface, a way to get external processes to serve pages). I suspect this is where the hosting providers excel, and why they tend to choose Apache - it serves static pages reasonably quickly at very low cost.
Apache offers mainly simple dynamic page technology - mod_perl, PHP, etc, that can be obtained at low cost or for free, catering to the more amateur web developer. Microsoft offers scalable dynamic page technology - ASP with VBScript and JScript, ASP.NET with C# and VB.NET. Finally, you've got Java-based application servers, but these appear to actually have a very low market share.
Of course, you can go outside these boundaries - Apache does offer mod_asp, and some suggest an ASP.NET module too (though you're limited to Windows in this case). Likewise, ActiveState offer a Perl Active Script Engine, so you can write ASP pages for IIS in Perl (not quite the same as mod_perl, though). But these are far less common.
CGI is rarely considered for a new project, because the overhead of spawning a new process for every request is huge; the system simply wouldn't scale. Almost any other technology is simpler. For a University group project, I wrote a CGI-based system in Ada, because writing in Ada was required. I don't think there's any web server plug-in that allows writing pages in Ada (although it might be possible with a CLR-based Ada implementation, I wouldn't like to try it).
I assume that large companies require a strong data-backed dynamic website, probably including a content management system, and for that requirement IIS probably is superior.
Most commentators when referring to web server market share link to Netcraft's Web Server Survey. However, the IIS plugin provider Port80 Software suggest that this survey should be considered carefully. There is a large disconnect between NetCraft's headline figures (last month putting Apache on 67.4% of all domain names with IIS on 21.0%) and Port80's survey of Fortune 1000 companies (IIS 53.8%, Netscape/SunONE 18.0%, Apache 15.4%).
Firstly, discard Netcraft's headline figures. The fact is that one domain name does not equal one machine or one installation of a web server. Many of the domain names on the web are hosted on hosting providers - indeed, Netcraft offers a hosting provider league table. The average in Netcraft's analysis is for one physical server to have 3.4 IP addresses, each hosting 10.6 hosts (with 2.4 children :-D). Many of these sites are merely 'parked' - basically, they're the 'Buy this domain now!' pages that you sometimes see when guessing a domain name incorrectly. Netcraft try to eliminate this effect to produce the Active Sites data.
Looking at the data for last month, we see that Apache's share goes up to 68.3%, while IIS' climbs to 23.4% (the big loser is SunONE, dropping from 3.39% to 1.01% - about 1.3m sites (over 80%!) hosted on SunONE are parked, according to these statistics). Now, IIS' share has still fallen since last month, but not by as much.
We still don't know how many distinct machines or distinct organisations are in each grouping.
Port80's analysis is quite different: instead of trying to get the largest number of servers, they're trying to consider the 'most significant' servers (my quotes) - the ones run by the largest companies. There don't appear to be any government departments or voluntary organisations in the analysis, though, which could skew the results somewhat.
The difference is striking, and worth considering, though.
I'm a little annoyed that Netcraft don't release the statistics on underlying operating systems, although here the methodology becomes more suspect, and can be swayed by intervening filter/load balancing devices - for example, earlier this year there were a number of misinformed articles about www.microsoft.com running on Linux. Microsoft seem to have recently reverted to hosting the site directly. Anyway, I'd like to see how many of the Apache sites run on Linux - and how many run on a BSD.
Yes, I am aware of the irony of posting information criticising Linux on a Linux-hosted blog. Critical characteristics for me at present are a) free and b) post from anywhere. I'm likely to consider self-hosting, but if anyone's got any good ideas where else to try, please let me know.
Interestingly, BlogSpot was hosted on Win2k before Google bought out Blogger, according to NetCraft.
Debian (a Linux distro, if you've never heard of it) have posted a description of what led to some of their servers being compromised:
Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.
A few things bear noting:
- Linux does have security vulnerabilities. Natch.
- This bug was not caught by many alleged millions of Linux developers inspecting the source code, it was caught after someone broke into a bunch of servers.
- It took two months for Debian, allegedly one of the fastest at releasing new versions, to produce a downloadable source and binary update.
- Kernel 2.4.22 was allowed to be released even though a known serious exploitable information disclosure and root compromise problem existed within it.
Also note that the patch has only been made available for kernel 2.4.18 on Debian, according to this message. I tried looking on www.debian.org to see if any other versions were available, but every page other than the front page comes up in Swedish under IE 6.0. Mozilla 1.4 works fine. Draw your own conclusions.
I don't see how this problem could ever have been rated anything less than Critical, even if not directly remotely exploitable.
I'll post this here in case someone from the IE team reads it (fat chance!)
IE has a bug. OK, well, we knew that. The specific bug in this case is that once the cache gets full (i.e. Temporary Internet Files hits the maximum configured size), IE (6.0, SP1, all platforms AFAICT) corrupts its own index.dat file. Symptoms include red Xs appearing where there should be images, style sheets not being applied, downloaded files failing to open, etc. The only solution I've found is to clear the cache - which seems to take a time proportional to the age of the universe.
So my dilemma is: do I have a large cache, which gets corrupted less often, but takes longer to clean, or do I have a small cache, which gets corrupted more often, but cleans up quicker?
I wonder if it's possible to clear Temporary Internet Files programmatically?
Yesterday was "fun" for a couple of reasons - firstly, I couldn't get to The Register because Norton Internet Security had got it on a blacklist (seems to have gone today, though). Then, I couldn't get into Blogger to blog the fact. Blogger was perfectly capable of telling me I'd entered the wrong password - it just didn't do anything when I entered the right password.
Today's annoyance is in Outlook 2000 and is a general point: toolbars are supposed to offer quick access to features accessible in other ways. I was trying to organise my new Vault Mailing List folder to set Group By Conversation (which I use for my other mailing lists) but couldn't remember how. OK, right-click blank area, choose Group By. I get an area at the top of every folder with a Group section.
Fine, but I don't change my groupings that often - I set it once, then never change it (either I don't want it grouped, or I want it threaded). How do I get rid of the damned Group header?
It turns out that I have to - as in, there is no other discernable way - click the almost invisible Group By Box button in the Advanced toolbar. There's no Close button in the Group By Box, and there's no 'Remove This' in the context menu (indeed, there's no context menu at all for this box).
And now it appears that it's turned it on for all folders, and I have to turn it off for every damned folder. I have 20 email folders and currently 53 subscribed blogs (I use NewsGator).