BrandonLive

Windows 7 RC is almost here!

April 24, 2009 at 6:36 pm
Microsoft, News, Technology, Windows 7

Fellow Windows blogger and guy-named-Brandon, Brandon LeBlanc, posted an update outlining the timeline for official availability of the Windows 7 Release Candidate.  We’ve all been working very hard on this for a long, long time now.  I’m really looking forward to hearing what everyone thinks!


Windows 7 line-up announced

February 3, 2009 at 5:27 pm
Microsoft, News, Windows 7

Today Microsoft announced the official line-up of Windows 7 editions that will be made available.

Ed Bott does a nice job covering the announcement.

The main changes, which I am very happy about, are:

Not only is this simpler, but I think it may constitute a price cut for people who needed to buy the Ultimate version of Vista in order to get both Media Center and Remote Desktop (or Domain support) in the same package.  Now they can get a machine with Pro and be all set.

Here’s the official press release / Q&A with Windows General Manager Mike Ybarra.


Wall Street Journal butchers net neutrality issue

October 20, 2008 at 2:09 pm
News, Politics, Technology

I was just reading this article from the Wall Street Journal and was struck by how it butchered an issue very important to everybody who uses the internet.  Mind you, this isn’t a WSJ “blog” post, this is the full-on deal apparently penned by Monica Langley and Jessica E. Vascellaro.

Here’s where it started to go wrong:

Congress is considering measures that could have an adverse impact on Google’s business, including laws that could limit companies’ ability to deliver personally targeted online advertisements and rules that would allow telecommunications companies to charge different prices for different levels of Internet service.

At first I thought to myself, “what the heck does that mean?  ISPs already charge different prices for different service levels.”  Oh well, whatever, this article is about Schmidt supporting Obama so one goofy line is forgivable right?  But oh no, it gets much worse.  Speaking as if she/they were an authority on the matter:

Mr. Obama’s stances on some issues important to Google remain unclear. Both the candidate and the company, however, have said they support limiting Internet service providers from charging different rates for different levels of service, saying it would be discriminatory and stifle innovation.

I’m not aware that Obama or anyone else has supported such limitations.  Such limitations make no sense at all.  What Obama and companies like Google, Microsoft, and others all DO support is what has become known as “net neutrality.”  Net neutrality isn’t about price levels for internet service.  It’s about limiting or banning internet service that discriminates against specific endpoints.  The closest thing I can think of to what the WSJ said is that one effect of this could be an ISP charging a higher price level for somebody else’s service.

It would be like AT&T charging me extra, or intentionally giving me more dropped calls, if I use my iPhone service to call Dominos pizza instead of Pizza Hut, because Pizza Hut made a deal where they pay AT&T to sabotage phone calls to their competitors.

Price levels?  Come on WSJ, I used to respect you guys.


I’m with Scoble, these start-up web sites suck

September 7, 2008 at 1:36 pm
News

If you’re launching a start-up at Demo or TC50, you need to do better than any of these.

If your home page links to a PDF “info sheet” you fail.

Now, some of these suck for the sole reason that the start-up itself seems to be a pointless idea.  Some combine terrible company and product names with seemingly useless or redundant offerings.  Maybe they do have something compelling to offer, but they aren’t selling me on it.

Others, though, might be interesting but don’t even try.  Some of them look like they installed Community Server or something like it and forgot that you’re actually supposed to customize more than just the name.  One doesn’t even let you in.

Robert also linked to Quantivo, an example of a good website.  Maybe we’ll see more on Monday when the TC50 start-ups are revealed.  So far, though, I don’t expect to ever hear of most of the Demo companies again after this week.


Opera begins smear campaign against IE 8

August 29, 2008 at 10:07 am
News

There’s an article over at everybody’s favorite internet tabloid The Register about IE 8’s decision to default to Compatibility View (that is, IE 7 emulation) for INTRAnet sites.  The article lambastes the IE team for “breaking its promise to embrace web standards.”

You might be wondering, “Why does the author of this article care about intranet sites defaulting to Compatibility View?  Doesn’t that make the most sense as it will prevent companies from having unending compatibility problems with IE 8’s new rendering engine, on their sites that were written for IE 6 and which haven’t been updated in years?”

I think the answer is quite simple:  The author doesn’t care.  So why publish the article?

Because Hakon Lie is the CTO of Opera Software, creators of the very unpopular IE and Firefox competitor of the same name.

Yes, Opera, well known as a band of immature cry babies, are now attempting to smear the IE 8 release with sensationalist “articles” posing as news, and blatant lies about the product.

Lies?  Oh yes, like the one about web pages being unable to opt-out of the “broken page icon” that lets users switch to compatibility view for a page.  The truth is that the IE blog and release documentation for Beta 2 have made it very clear that websites can control whether or not that icon is displayed (see the bit about the “IE=EmulateIE8” tag).  They can also control whether they get the IE 8 engine in an intranet context.

That means that if you’re building a new intranet site and you want to target IE 8’s new more strict standards-mode engine, you just need to add one little header tag in order to override the Compatibility View default.  Of course, this little propaganda piece makes no mention of that.

And why would it?  It’s written by the cry baby CTO of a failing competitor, not an actual, you know, journalist.


NYT says passwords, OpenID suck

August 10, 2008 at 10:23 am
News

Randall Stross, the same guy who recently said Microsoft should abandon Windows, says on the NY Times site that passwords aren’t good because they’re vulnerable to spoofing attacks, and that they should be replaced by “information cards.”  Well, he’s got a point here, and many companies and services already use non-password authentication mechanisms.  Microsoft uses them for lots of the services used by employees - so why not for consumers too?

Well, for one, it’s not exactly a user-friendly system yet.  Maybe that will change soon, who knows.  It isn’t the only way to address the problem of spoofing, though.  My bank’s website makes use of a “site key” (an image tied to a string that I associated with that image) with the goal of assuring me that I’m at a real Bank Of America login page and not some spoofer.  It may not be foolproof, but it’s a lot better than nothing (assuming the user would notice its absence, which is another issue entirely).

Anyway, what bugged me more about this article was the way it ragged on OpenID.  Randall seems to think that OpenID’s only purpose is “single sign-on,” and explains that it works like Microsoft’s Live ID in that you only need one set of credentials.

But that’s not quite true.  Many people like OpenID not for having a single password but simply for a single username (or “identity”).  Some sites may trust an OpenID source to verify your credentials and have that be good enough for them.  Others may impose their own passwords or security restrictions.  And what’s stopping an OpenID identity provider from using a certificate-based or other non-password authentication mechanism?  As far as I can tell, nothing.

Another advantage OpenID has is that my credentials don’t need to be shared with everybody.  If I want to create an account on Zooomr, I can login to my Wordpress account and have it verify my identity to Zooomr.  Since I’ve never heard of Zooomr, I like this approach, because they never get my password.  Only Wordpress does.  They verify it, and then tell Zooomr, “Yup, he is who he says he is.”

I have to admit that I’ve never taken the time to really learn the nitty gritty details about OpenID, but I find it to be a very interesting concept.  I’ve also been very interested in OAuth lately and been meaning to dig more into how that works.  Heck, I don’t even know if it is related to OpenID in any way.

So what do you think of OpenID?  Is it a fad and a distraction from better advances, as Stross seems to suggest?  Or do you think it’s the future of identity on the web?


Why are browser plug-ins so insecure?

August 9, 2008 at 9:59 pm
Microsoft, News, Security

Flash and Java, I’m looking at you.

You may have heard about the paper released at this week’s Black Hat conference, describing limitations in Windows’ memory protection schemes like ASLR, DEP, etc.  The paper is well-written, very detailed, and I’ve no reason to doubt that it’s pretty accurate.  Some points it makes are things that teams at Microsoft are already aware of and working to remedy (such as DEP not being enabled for IE, for example). 

But reading the paper made it very clear that the most exploitable targets these days aren’t even web browsers, they’re plug-ins like Flash and Java.  The article points out how the Java run-time (“JVM”) was made DEP-compatible with the ingenious change to make all of the memory it allocates be marked as executable.  So yeah, it works with DEP by making DEP irrelevant.  Hilarious.  And sad.

Flash is still not ASLR or DEP compatible.  We’re rapidly approaching two years from the release of Vista.  They’ve had way longer than that to prepare to take advantage of these very helpful security features.  Yet here we are in August 2008 and the most prevalent and successful browser add-ins do virtually nothing to ensure that they aren’t abused by attackers.

Now, to be fair, the attackers also mention .NET as a possible attack vector.  In fact, what they describe is pretty clever.  But that’s the thing, at least they had to be clever.  With Flash and Java they don’t, as those add-ins make no attempt to be secure.  And if you want to make a bet about which of those three (Flash, JVM, .NET) has its issues fixed first, I know where I’m putting my money.


NYT article says we should throw away Windows

June 29, 2008 at 3:22 pm
Microsoft, News, Windows Vista

A couple months ago I posted about an article by some guy at Business Week, that made all sorts of rubbish claims about Windows and OS X.

Not to be outdone, Randall Stross at the NY Times decided he could use some TechMeme love and wrote basically the same piece.

He says of Windows:

Painfully visible are the inherent design deficiencies of a foundation that was never intended to support such weight.

Yet he fails to mention what any of these deficiencies might be.

He then says the best solution to any problems with Windows is to “start over.”  You know, because that worked so well for Intel when they tried it.

Stross has a point when he says that the time between XP and Vista was too long.  He probably even has a point when he says that Vista doesn’t look like a product that was in development for 6 years.

Guess what?  It wasn’t.  You see, back in 2001 the Windows division at Microsoft came up with the harebrained idea to change pretty much everything, as Stross is suggesting now.  Only he’s too late, and Microsoft has already learned that throwing out everything you know about Windows and rocketing into a brave new managed-code-centric world just doesn’t work all that well.

Stross also uses some funny math and says that Vista is the equivalent of Windows “version 12.”  It’s as if he’s trying to say that somewhere under the pretty UI, the core of Windows hasn’t really changed since Windows 1.0.

Of course that couldn’t be further from the truth.  Windows NT was a completely new OS.  Windows 2000 was nearly a complete rewrite of that.  Server 2003 and XP SP2 saw more major changes under the hood, as did Vista itself.

That is to say, this isn’t your older brother’s Windows (“grandfather” didn’t quite seem appropriate given the time scale).

Even then, I’m still not sure why anyone thinks this “start over” idea has any basis in reality.  Do you really think it would only take a couple of years to write an entirely new OS with all the capabilities of Windows Vista? 

Stross also repeats the dubious claim that Windows is too “monolithic.”  With its NT microkernel, layered and massively componentized architecture, and hardware portability - he can’t be talking about the same Windows that is sold today.

Nobody’s OS is perfect and I’ll gladly accept that Windows has its flaws.  But if you want to get on someone’s back about being monolithic and having a hairy, crufty architecture - perhaps you should direct your attention elsewhere.  But at least Linux doesn’t have bugs or security holes, right?

Lastly, Stross and others seem to be under the mistaken impression that Microsoft is somehow unable to change the existing Windows codebase.  These guys present two options:

1) Build stuff on top of the last version of Windows.

2) Start over.

Why pretend that these are the only two options?  Especially when historically Microsoft has always chosen door number 3:

Take what you have and make it better.
Replace the parts that need replacing.
Don’t break something without a good reason.


Snow Leopard = Apple’s XP SP2? It better be.

June 22, 2008 at 9:23 pm
Apple, Macintosh, News, Security

 

As I read the initial details about Apple’s “Snow Leopard” release (ostensibly called OS X 10.6), I got to thinking… What do they mean that they’ve taken the focus away from new features?

From Apple.com:

Taking a break from adding new features, Snow Leopard — scheduled to ship in about a year — builds on Leopard’s enormous innovations by delivering a new generation of core software technologies that will streamline Mac OS X, enhance its performance, and set new standards for quality.

One word was striking to me, not for its presence, but for its absence.  That word is “security.”  A few years ago Microsoft was more or less caught with its pants down when it came to the wild world of the web.  But a couple years after Windows XP was released, Microsoft “got religion” on security and made some deep changes.  Those culminated in the release of XP SP2 - which consisted of a top-to-bottom review of the XP code and a major security-focused overhaul of its code.  It’s been said many times that certain high-level Windows execs thought XP SP2 should have been an entire OS release instead of a service pack.  That’s how big the changes were.  But who would ship a new OS with basically zero new features?  Well, now we know.

That has me wondering… why is Apple taking the focus off of new features for 10.6?  Especially when Leopard wasn’t exactly brimming with new hotness.  I think there are three reasons:

1) iPhone.  Jobs has shown a great ability to focus the entirety of Apple on a “north star” and drive toward it full-steam-ahead.  That’s what the iPhone is doing now, and to great effect.  However, this is not without cost.  Apple’s focus on the iPhone has left it with fewer resources to devote to other projects, particularly when it comes to software development.  Thus I have a feeling the crew working on OS X these days is a good deal smaller than the group that worked on Panther and Tiger.

2) Embedded devices.  Apple says they’re going to slim-down OS X in 10.6.  That makes sense, especially when you consider their affinity for flash-based devices.  If we’re going to see a Mac sub-tablet / super-sized iPhone device, this will be the OS for it.  It’s also likely a way to leverage some of those iPhone-focused resources in order to ship a version of OS X timed to counter Windows 7.

3) Security.  Apple’s PC marketshare is growing.  This is great for them, but only if they can hold onto it.  An onslaught of security nightmares, like those suffered by Windows XP a few years ago, would be disastrous.  They can’t afford to risk it.  Apple knows that they won’t be spared by attackers for much longer, not when their market is growing.  The untested nature of its software (untested by the “hacker” community) and its increasing prevalence on machines will make it a very tempting target soon enough.

So why is number 3 so important?  Because Apple can’t keep claiming that gaping holes in their software aren’t important.  They have an opportunity to have their XP SP2 without having their MS.Blaster / Code Red / Slasher / etc.  They can do something now to prevent malware from becoming as rampant on Macs as it was on Windows XP systems.  If they aren’t doing this, they’re being foolish, and they’ll get little sympathy from those who keep telling them to get their act together.

So how much time does Apple have left to figure this out?  I think not long.  Heck, the first shots may already have been fired.

 


Good time to join Yahoo?

June 19, 2008 at 8:22 pm
News

If they keep losing people at this rate, you’re bound to be running the place pretty soon.


Hi. I'm Brandon. I work on the Explorer for Windows 7 at Microsoft. This is my blog.

Brandon Paddock

The views expressed within my blog are my own - and are not in any way indicative of those of the company I work for, Microsoft, or its employees. No warranties or other guarantees will be offered as to the quality of the opinions or anything else offered here.