PHP Not So Safe
PHP may be a popular Web scripting language, but it's far from safe, according
just published by IBM. Tens of millions of Web sites and over
a million Web servers are driven by PHP, making its vulnerabilities cause for
So the next time your Web weenie kids you about patching Windows, ask what
he's done to secure PHP lately.
Apple Gets DNS Security Religion
In the last week or so, Microsoft released a patch to fix a DNS vulnerability
in its software. Shortly thereafter, an AT&T DNS server was compromised
-- reportedly the first
DNS attack ever.
Apple is feeling the heat, as well, and this week released
a patch designed to cure its DNS security ills. This is all well and good,
except some experts claim the fix is incomplete and doesn't fully protect clients.
IT Gone Bad
This is admittedly an old story, but it still serves as a warning for those
in IT to not trust others in IT, and for IT not to abuse its access to corporate
and personal information. According to a survey by Cyber-Ark, a third of IT
on company employees.
I've met with hundreds of security companies and I'd always ask the same question:
What are you doing to prevent internal security breaches? They'd all wax on
about how their software keeps employees from getting at private information.
Then I'd say, "But what about IT itself? What do you do to keep IT insiders
In pretty much every case, the vendor would be dumbfounded. It never occurred
to them that IT would do such a thing.
I decided to find out how big a problem this was and used my usual approach:
Ask you, the Redmond Report reader. I got horror stories of IT snooping into
executive e-mail and using machines to commit fraud, stalk old girlfriends and
commit blackmail. If you want a real eye-opener, check out my story "IT
Gone Bad" here.
Confess your sins by writing to me at firstname.lastname@example.org.
When we run letters, we don't publish last names, so you can admit your wrong-doing
with no consequences (except maybe easing of your guilty conscience).
Mailbag: An OS From Scratch?
After word leaked that Midori would be Microsoft's next,
all-new OS, Doug asked readers whether Microsoft building an OS from scratch
is a good idea. Most of you said yes:
Absolutely! When you're a leader, isn't it better to aggressively compete
against yourself as opposed to aggressively competing with others? Besides,
it sounds like Midori already has a starting code base, or at least architectural
models from the Singularity project.
Absolutely! How refreshing.
Absolutely! I am a former Microsoft software engineer; I worked as a developer
on Microsoft Works and Office. We've learned a great deal about what works
well in an operating system and what doesn't. Hindsight is 20/20, and taking
a look back from where we are today, it's easy to see that there are things
that we would have done differently before if we knew then what we know now.
Given this perspective, I would say that Microsoft engineers can build
a new operating system that is significantly better than our evolutionary
operating system of today when the engineers are free from the historical
baggage that's pent-up in Vista. I think that there is a great potential for
immense improvement and I'm very excited about Microsoft's new OS project!
Yes. A new alternate OS with NO backward portability. Get rid of the
junk, all of the emulation and legacy compatibility layers. Just make it work
exceedingly well on modern hardware, perhaps 64-bit only. Create a subset
of tools in one or more of the popular programming languages for it and call
it done. That would be simplicity at its best.
Although starting from scratch to build a new OS can be extremely time-consuming
and complex, who else but Microsoft could pull it off in a short timeframe?
And I think it is an excellent idea, considering that is basically where Windows
NT came into the picture. Now, when we look back at Win9x, it looks ancient
and very inferior. Now the NT codebase is reaching its limits and is getting
way too bloated. I'd be very interested in seeing where this goes and how
it turns out in the end.
IMHO, a less complex OS which stresses reliability (which includes security
of data) is what MS desparately needs. Vista's market problems are largely
the fault of the success of XP -- Vista is prettier and has cool features
like the sidebar, but I haven't seen a truly useful application that requires
Vista, and I have struggled with device drivers and program compatibility
both at work and at home. Even this far into Vista's life cycle, that's still
a problem. Vista recovers from crashes more gracefully than any previous MS
operating system, but they seem to happen a LOT. If a "killer app"
that requires Vista turns up, then maybe the picture will change, but I'm
not holding my breath.
In this respect, Microsoft's success is its own millstone. Having to maintain
compatibility with prior versions (i.e., Windows 95, 98, ME, NT, 2000 etc.)
makes any improvements extraordinarily clumsy. If indeed Microsoft intends
to offer a from-scratch version, I imagine their priority needs to be on speed,
stability and security. I imagine as well that all the Microsoft apps must
be rewritten or adjusted to work cleanly with the new OS.
If this were a possibility and we could gain a serious improvement in
these three aspects (to me, this is the order of priority, as well) then supporting
prior versions could be a purely secondary issue. Anyway, though I am only
one of millions, a ground-up approach would be worth investing in from my
point of view.
Why not? Didn't they do this with Windows 95, ME to Windows 2000? What
happened to DOS? Using Modori as a foundation, couldn't they then rebuild
Windows around it, redesigning around it? Keeping backward compatibitliy using
virtual technologies transparently. I can keep backward compatiblity using
a VM now, except I need go thorugh a few more hoops than others may be willing
If they're not going to let us continue to buy XP, most definitely! Vista
has been such an administrative nightmare. It's really unacceptable. It's
insane that we're forced to use sub-par technology simply because MS says
so. While UAC is good in concept, I shouldn't have to buy a CAD capable system
in order for a secretary to write Word documents.
As for your statement that "Singularity is designed to be simple
and safe. For instance, components are isolated from one another, and code
is automatically inspected before running to make sure it works with the OS.
And all the components are tested to make sure they interoperate." Let's
ask the real question: Will Microsoft create a new OS from scratch or will
there be a new Linux distro? That quote sounds like Linux to me. MSX, Microsix
or Winix, perhaps? I'm not very creative with names. It would be funny to
hear what other people come up with.
A couple of you expressed some doubts, however:
Start from scratch? Absolutely not! All-new code sounds good, but I hope
they will have an eye toward the "look and feel" of what everyone
is used to. One of the most objectionable parts of Vista and Office 2007 is
that they are different in their user interface. If Microsoft wants a hit,
they better keep their eye on what is really important, and to be user-friendly
means that features are in familiar places. The first time I used Vista, I
had to be shown how to shut down the computer. Does MS think I want to leave
the power on all the time?
The debate can rage on both sides, but a new OS will mean starting over
-- bugs, SPs, security fixes, upgrades, new releases, new "end-of service"
considerations, backward/cross-compatibility concerns, everything. General
uncertainty is not a pretty picture for someone in Microsoft's position or
for its customers. It basically negates all the work that's been done in these
areas to shore up the old Iron Maiden that is Win32.
If you think a "fresh start" is all positive, wait a minute.
MS has spent a lot of time, capital, lawyer fees and blood getting Windows
to the point where it's respected -- even in the eyes of haters. If they think
that dumping the name/concept will untangle and extract certain negative connotations/experiences,
it might be a rude awakening and undo all this perception repair-work. For
this to be effective, it should've been done years ago when the OS' rep was
worse. Sometimes, the better hallmark of your dedication to a cause is not
by abandoning it for another more palatable one (in name or action), but to
press on with what you have; this tends to be better at stifling the "I
told you so"s from the spectators, while letting you say your own "I
told you so"s in vindication.
What do you think? Leave a comment below or send an e-mail to email@example.com.