
Attacking Game Consoles On Corporate Networks 79

A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their work places, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

Comment Re:I'll follow them here too. :D (Score 4, Interesting) 293

I do have one question. Why, exactly, do you think that this sort of approach is likely to be easier than doing what Apple did and simply exposing a Posix API that is actually useful?

Because, even if we could get a great POSIX experience on Windows, it leaves out Windows developers.

One of my goals is to get Windows developers in the OSS game.

On top of that, there is a hell of a lot of non-POSIX open source software on Windows that needs fixing too.

Look at it this way: Would you respect someone who told you the best way to get FireFox running on Linux was to use some sort of Windows emulation layer... Like WINE? no, because FireFox *can* compile for Linux. Same thing with nearly all Open Source I encounter. I want to get the OSS quality and experience on Windows to exceed commercial developers... it needs the most love.

Like I tell people:
Working as an open source software developer at Microsoft is like being a preacher in Vegas. I figure I'm in the single most important place in the universe that I can be.

Comment Re:I'll follow them here too. :D (Score 4, Interesting) 293

I think you had no choice to choose the BSD license instead of the GPL. Had you chosen GPL, it is likely the project would have been immediately rejected by Microsoft.

That's not true actually.

I didn't tell anyone what license I was going to use until a few days ago, by which time they'd already signed the agreement.

In addition to that, as a Microsoft employee for Microsoft, I've contributed code to GPL, LGPL, BSD, PHP and Apache licensed projects.

Comment Re:I'll follow them here too. :D (Score 4, Informative) 293

As for the first five points, yes I'm aware of all of that, and I'm working to solve all of them. Some of them are not possible (mixing compilers has a lot of bad mojo) and some are solvable with some really good best practices.

1/ Microsoft are stopping using WinSxS assemblies for managing the C/C++ runtimes as it is complex to manage and get right;

Ah, Visual Studio is backing away from WinSxS. I read their justification. I didn't buy into it. I think it's a solvable issue.

2/ With XP, Microsoft were selling WinSxS as being able to deploy different versions of the binaries, but for Vista/Win7 they are now saying that WinSxS is for archival purposes (see the Engineering 7 blog)

Uh, what? I've been talking to the maintainer of the WinSxS system. He's fully supportive of my plans.

3/ It does not really work as intended in practice -- e.g. comctl32 version 6 is different in Vista/Win7 than in XP, yet the applications that reference the XP version use the Vista/7 version

It works just fine, as long as you use it correctly; if they didn't, it's not my fault. Some of the tools I'm building will make it easier not to screw up.

Comment Re:I'll follow them here too. :D (Score 2, Informative) 293

Um, then what are you doing wasting your time here on /.? Shouldn't you be locked in a caffeine fueled coding frenzy, programming until your fingers are bleeding? Open source software won't write itself, you know ;-)

I know!!!!

"His name cannot be s (16831)"

Is that a hint? Does that mean it could be one of the other 25 letters? Or maybe one of the 20 remaining consonants?

Well, ya see... with a five-digit slashdot-id I originally had "His name cannot be Spoken" as my name... then they did some database truncation about 12 or so years ago, and I lost some letters.

And ya can't change your name on Slashdot, and I didn't wanna give up my 5 digit ID. :D

Comment Re:wholly native toolchain (Score 3, Informative) 293

All but the last one are fine. I have some windows boxes I have to deal with and I sure as hell do not want to be stuck using some GUI IDE just to build the latest $foobar.

Use of the GUI ain't mandatory... it's just that in order to get Windows devs on board, it'll have to have one.

The core bits will all be able to be command-line driven.

Comment Re:I'll follow them here too. :D (Score 3, Informative) 293

Assuming that you've looked at APT and similar packaging tools, and given that you're still convinced that there's a 'Windows Way' (your term) to handle deployment that differs from Linux best practices, how do you plan to address:

Yes, I've worked with APT and RPM for a very very long time now. The reason I'm convinced there is a 'Windows way' is because it's a different system than Linux; yes, I've learned a lot about PMS from Linux, and I know how to apply that knowledge to Windows.

Package Repositories - This is one of the main strengths of Debian and related distros. Do you think it's even possible to replicate this level of community control in Windows? I know you've mentioned decentralisation, but have you considered the implications of such an approach? What is the cost of failure to affect consistent, formalised management of package builds?

I have a plan for allowing any publisher to publish packages in the CoApp ecosystem, provided they meet two qualifications:
- They must be able to host their repository meta-data on an SSL protected connection.
- All packages must be digitally signed with a certificate that chains back to a commonly-accepted CA.

Dependency Management - This issue is largely done and dusted on Linux, but remains a dog's breakfast on Windows (albeit not as frustrating today as it was in the mid-90s). In the absence of centralised repositories and the Unix toolchain philosophy, how do you propose to cope better with dependencies?

I'm working with the developer of WiX to ensure that we can trivially build chained MSI packages that have the necessary smarts to properly manage this. Kind-of mixing in something like ldconfig with the Windows SxS library management.

File locations - How do you propose to manage the proper placement of libraries etc. when the conventions concerning where to put such files are not nearly as well defined on Windows? I'm suggesting here that you need cultural leverage rather than technical answers. You need to change perceptions, not toolkits.

Yes. The change starts with PHP, Apache, and Python, and the 40+ packages needed to build them (community members from each are already on board). Half of the project is setting some intelligent standards, and then bootstrapping the ecosystem with packages to enable other software to follow.

Security - Do you think it's even possible to replicate one of the main strengths of Linux package repositories: the ability to curtail security risks such as malware and flawed code?

Yes. By requiring code-signing (and I've got a plan for opening that up without cost for smaller projects) we can replicate the benefits of MD5 and PGP signatures found in the Linux world.

Scripting Interfaces - Say what you like about make and other command-line utilities, but as a busy sysadmin, I consider GUI package management a waste of my valuable time. If I'm going to deploy regular security updates, for example, I want to know that I can script every aspect of the operation. Even the tab-completion features in aptitude make it many times more efficient than a point-and-click interface. What is the potential for scripted deployment/management of packages under your system? Why?

I agree 100%. Scripting interfaces are an absolute requirement, and will likely come well before the GUI.

Think of it as a clean adaptation of the same concepts to the model that will be attractive to Windows developers.

I also think that you're going to need to learn a lot more humility than you've demonstrated so far if you want to achieve something better than a new brand of anarchy in packaging.

I apologize if I'm coming off arrogant. Frankly it's taken an extremely long time to convince the powers-that-be at Microsoft that Linux's package management is stellar compared to Windows. It's also not near as hard or large as it sounds; I'm walking on the shoulders of giants here, both in the Linux and Windows worlds.
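The two publisher qualifications given in this thread (repository metadata served over SSL, packages signed with a certificate that chains to a commonly-accepted CA) and the later point about code-signing standing in for MD5/PGP signatures describe a policy a package client would enforce before installing anything. The script below is an added example, not CoApp's own code, of such a pre-install gate written in PowerShell. It assumes the caller supplies the repository metadata URL and the path to a downloaded MSI, uses Windows Authenticode as the signature format, and approximates "commonly-accepted CA" by building the signer's chain against the local machine's trusted root store; the function name and the example paths are hypothetical.

```powershell
# Added example (not CoApp's code): gate a package against the two publisher
# rules from the thread before it is handed to the installer.
# Assumptions: Authenticode-signed MSI, local trusted root store stands in for
# "commonly-accepted CA", function name is hypothetical.

function Test-PackageSourcePolicy {
    param(
        [Parameter(Mandatory)] [string] $RepositoryMetadataUrl,
        [Parameter(Mandatory)] [string] $PackagePath
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule 1: repository metadata must come over an SSL/TLS-protected connection.
    $uri = $null
    $parsed = [System.Uri]::TryCreate($RepositoryMetadataUrl, [System.UriKind]::Absolute, [ref] $uri)
    if (-not $parsed -or $uri.Scheme -ne 'https') {
        $reasons.Add("repository metadata URL is not https: $RepositoryMetadataUrl")
    }

    # Rule 2: the package must carry a valid Authenticode signature ...
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $signer = $null
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (tampered file) and UnknownError all land here.
        $reasons.Add("signature status is $($sig.Status): $($sig.StatusMessage)")
    }
    else {
        $signer = $sig.SignerCertificate.Subject

        # ... whose certificate chains to a root this machine already trusts.
        # Revocation is checked online so a revoked publisher cert is rejected.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($sig.SignerCertificate)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $reasons.Add("signer certificate does not chain to a trusted CA: $status")
        }

        # A self-signed signer only passes Build() if someone imported it into
        # the root store; a public ecosystem should still refuse it.
        if ($sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer) {
            $reasons.Add("signer certificate is self-signed")
        }
    }

    [pscustomobject]@{
        Package = $PackagePath
        Signer  = $signer
        Allowed = ($reasons.Count -eq 0)
        Reasons = $reasons.ToArray()
    }
}

# Usage (hypothetical paths): refuse to install unless Allowed is $true.
# $check = Test-PackageSourcePolicy -RepositoryMetadataUrl 'https://packages.example.invalid/repo.xml' `
#                                   -PackagePath 'C:\downloads\openssl.msi'
# if (-not $check.Allowed) { $check.Reasons | Write-Warning }
```

The result object carries every failed rule rather than just the first, which is what an operator wants in a log line when a repository or package is rejected. Signature validity (the file hashes to what was signed) and chain trust (who signed it) are deliberately checked as two separate steps, since a file can have a perfectly valid signature from a certificate nobody should trust.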

Comment Re:Why only open source? (Score 4, Informative) 293

I second the question about limiting to open source. A good package management system that could make using SxS painless would be awesome in an enterprise environment.

I agree. It ain't really limited to Open Source.

Since this is open source and .msi based I assume you will be leveraging WiX somehow?

Yes indeed. The author of WiX is on the mailing list, and a personal friend. He's very excited about all this too.

I hope this isn't going to be a big collection of merge modules with duplicated component guids..

Nope. I don't believe in merge modules. I believe in a system that works.

Comment Re:Why only open source? (Score 4, Informative) 293

Why limit this to open source? It would be great if the users could update every program easily and painlessly, at least the ones that use this new system.

I'm Busted. It isn't really restricted to Open Source... but that's my mission. Commercial apps will be able to play just fine in this ecosystem.

I am assuming that this system will allow easy and painless upgrading like on most Linux systems. Is that true? Will it have automatic dependency handling and command line installation?

Yes. Painless and automatic dependency handling, and yes command line tools. You are singing the chorus to my theme song!
