Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

Comment: Re:Oh boy, another infection vector (Score 2) 230

by His name cannot be s (#48261339) Attached to: Windows 10 Gets a Package Manager For the Command Line

'Approved' isn't the right word.

OneGet has the notion of 'trusted' repositories. We're likely to expand this concept a bit in the future, but for now, that's what it is.

Built-in package sources from reputable sources may be marked as 'trusted' by default, but the majority of sources should be 'untrusted' until the user makes that change.

The real trick is getting package provider plugins to tell OneGet the truth if a repository is trusted or not.

I suspect that we're going to have to introduce a level of trust with the package providers too, and expose this to the user ... somehow.

Comment: Re: Oh boy, another infection vector (Score 1) 230

by His name cannot be s (#48261163) Attached to: Windows 10 Gets a Package Manager For the Command Line

You've got a really good point.

We're tossing around some notions about different factors that make a 'package' or 'repository' trustworthy.

I'm sure we can do some stuff with signed repositories and signed packages to detect when things 'change' and/or keep unsigned repositories 'untrusted'.

Really, our first target for this stuff is developers and admins, not my mom...

Comment: Re: Oh boy, another infection vector (Score 1) 230

by His name cannot be s (#48260817) Attached to: Windows 10 Gets a Package Manager For the Command Line

Well, considering that the chocolatey provider for OneGet points to the community-controlled repository, I'll have to take that as a win :)

The concept of curated repositories is one that we're really trying to come up without screwing it up.

Regardless, with OneGet, the *user* maintains control. Which repositories they connect to, what software they install.

Comment: Re:We can do that thing you like (Score 5, Informative) 230

by His name cannot be s (#48260783) Attached to: Windows 10 Gets a Package Manager For the Command Line

Actually, to be perfectly clear, OneGet isn't really a package manager.

It's a package-manager-manager -- It's a unified way of installing packages of software regardless of the how-it's-implemented-on-the-back-end.

The first real package provider plugin is a Chocolatey one. Why re-invent the wheel when the wheel already works?

The purpose here is to leverage all these different sources of software using a common set of commands and APIs.

Anything that can be represented as a 'source' of software can be plugged in on the back end. I'm aiming for plugins for NPM, Ruby Gems, Python, on top of the expected MSI, Chocolatey, NuGet, etc...

Plugins can be written by anyone, and I'm going to great lengths to make it as simple as possible -- it's about ~15 or so functions to implement and we can plug in virtually any package format or service into OneGet.

Comment: Re:Respect (Score 3, Informative) 230

by His name cannot be s (#48260565) Attached to: Windows 10 Gets a Package Manager For the Command Line

[FYI -- I'm @FearTheCowboy everywhere else, my /. id is so old that my name got trimmed from "His Name Cannot Be Spoken" 15ish years ago when they did a database adjustment... ]

I have had thoughts on how to do this; I suspect that while we may not set up a repo to do that, I may hack out the instructions on how that could be done easily if one wanted to maintain their own.

It really boils down to how much time I can throw at that.

Of course, we also want it to plug into WU and WSUS, but that'll be a bit more down the road.

Communications

'This Is Your Second and Final Notice' Robocallers Revealed 235

Posted by Soulskill
from the hello-sir-madam dept.
nbauman writes "A New York Times consumer columnist tracked down the people who run a 'This is your second and final notice" robocall operation. The calls came from Account Management Assistance, which promises to negotiate lower credit card rates with banks. One woman paid them $1,000, and all they did was give her a limited-time zero-percent credit card that she could have gotten herself. AMA has a post office box in Orlando, Florida. The Better Business Bureau has a page for Your Financial Ladder, which does business as Account Management Assistance, and as Economic Progress. According to a Florida incorporation filing, Economic Progress is operated by Brenda Helfenstine, with her husband Tony. The Arkansas attorney general has sued Your Financial Ladder for violating the Telemarketing Consumer Fraud and Abuse Prevention Act. The Florida Department of Agriculture and Consumer Services investigated Your Financial Ladder, but the investigator went to 1760 Sundance Drive, St. Cloud, which turned out to be a residence, and gave up. The Times notes that you can type their phone number (855-462-3833) into http://800notes.com/ and get lots of reports on them."
Security

Attacking Game Consoles On Corporate Networks 79

Posted by Soulskill
from the waggle-the-wiimote-to-lock-it-down dept.
A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their work places, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

Comment: Re:I'll follow them here too. :D (Score 4, Interesting) 293

by His name cannot be s (#31785372) Attached to: Microsoft's CoApp To Help OSS Development, Deployment

I do have one question. Why, exactly, do you think that this sort of approach is likely to be easier than doing what Apple did and simply exposing a Posix API that is actually useful?

Because, even if we could get a great POSIX experience on Windows, it leaves out Windows developers.

One of my goals is to get Windows developers in the OSS game.

On top of that, there is a hell of a lot of non-POSIX open source software on Windows that needs fixing too.

Look at it this way: Would you respect someone who told you the best way to get FireFox running on Linux was to use some sort of Windows emulation layer... Like WINE? no, because FireFox *can* compile for Linux. Same thing with nearly all Open Source I encounter. I want to get the OSS quality and experience on Windows to exceed commercial developers... it needs the most love.

Like I tell people:
Working as an open source software developer at Microsoft is like being a preacher in Vegas. I figure I'm in the single most important place in the universe that I can be.

Comment: Re:I'll follow them here too. :D (Score 4, Interesting) 293

by His name cannot be s (#31785036) Attached to: Microsoft's CoApp To Help OSS Development, Deployment

think you had no choice to choose the BSD license instead of the GPL. Had you chosen GPL, it is likely the project would have been immediately rejected by Microsoft.

That's not true actually.

I didn't tell anyone what license I was going to use until a few days ago, by which time they'd already signed the agreement.

In addition to that; as a Microsoft employee for Microsoft, I've contributed code to GPL, LGPL, BSD, PHP and Apache licensed projects.

Comment: Re:I'll follow them here too. :D (Score 4, Informative) 293

by His name cannot be s (#31784892) Attached to: Microsoft's CoApp To Help OSS Development, Deployment

As for the first five points, yes I'm aware of all of that, and I'm working to solve all of them. Some of them are not possible (mixing compilers has a lot of bad mojo) and some are solvable with some really good best practices.

1/ Microsoft are stopping using WinSxS assemblies for managing the C/C++ runtimes as it is complex to manage and get right;

Ah, Visual Studio is backing away from WinSxS. I read their justification. I didn't buy into it. I think it's a solvable issue.

2/ With XP, Microsoft were selling WinSxS as being able to deploy different versions of the binaries, but for Vista/Win7 they are now saying that WinSxS is for archival purposes (see the Engineering 7 blog)

Uh, what? I've been talking to the maintainer of the WinSxS system. He's fully supportive of my plans.

3/ It does not really work as intended in practice -- e.g. comctl32 version 6 is different in Vista/Win7 than in XP, yet the applications that reference the XP version use the Vista/7 version

It works just fine, as long as you use it correctly; if they didn't, it's not my fault. Some of the tools I'm building will make it easier not to screw up.

Stinginess with privileges is kindness in disguise. -- Guide to VAX/VMS Security, Sep. 1984

Working...