Apparently this was recently published: http://www.securityinnovation.com/resources/linux_windows.shtml

To summarize, RedHat Enterprise Linux 3 had 132 security issues (with a minimal configuration), whereas Windows 2003 had 52 for calendar year 2004, *when configured as web servers*. This includes a webserver (Apache/IIS), app platform (PHP/ASP.NET), and DB (MySQL/MSSQL). Only issues fixed in 2004 were counted.

A few points:
 - They took a default install of Windows 2003, stating that it's too hard to get rid of stuff like IE. Thus, any patches applying to Windows2003 were included, regardless of if they could be exploited or not. This of course affects Windows' rating.

 - Same for RHEL. RHEL installs a lot of stuff that might not be in use and not exploitable. I'm guessing that what accounts for the very high numbers on RHEL. Then again, it's a fair comparison for average users (like myself, who just installs RHEL/Windows out of the box and doesn't really screw around with a lot of stuff).

 - However, assuming super-competent admins on both platforms, I'd expect the exploitable vulnerabilities to be close to zero on both platforms. I.e., if admins took precautions to install patches quickly as well as lock down services/systems as soon as a vulnerability was discovered. However, that's not realistic at all, and that's why a study that just takes a standard install is needed.

 - They used MySQL on RHEL. While this might be correct since people use it... MySQL is junk. Seeing as how it could be barely considered a DB and how poor it is overall, I wouldn't be surprised if MySQL accounted for a large amounts of vulnerabilities.

I think the study should have broken down where the vulnerabilities were in the product. Not knowing what was the fault of IIS, or MySQL, etc. makes it hard for people to compare the products for their own usage.

The study also mentioned the “Days of Risk“, i.e., from when the vulnerability was first publically reported to when it was fixed. RHEL will always have an instrinsic disadvantage here. Since most issues are related to open source, it's harder to do private reporting.

Second, there are vulnerabilities in Microsoft software that are fixed, but never reported. For instance, IIRC, the “GIF Integer Overflow” problem that was found after some Windows source was leaked was fixed in newer versions of IE/Windows, but never reported (until the source was leaked). I also know that from personal experience, you can report a bug to MS, and if you don't go public with it, they'll roll it up in an SP or next release. These issues are just [almost] intrinsics of open vs. closed source.

Some might say, “Oh no, there are issues in Windows 2000 that aren't publically published!“, but the same exists for RHEL. The difference is that some of these “private“ issues can get fixed in newer versions without ever becoming public, while in open source, it is much harder to do so.

Now, some people are up in arms since it was not disclosed that the funding came from Microsoft. Bruce Schneier, for instance, is saying that people will just ignore the results and focus on this possible bias. That's BS. Since the methodology is published, it's not exceedingly difficult to recreate the results. People should do that instead of bitching about who funded the research. My guess is that people who are satisfied with the results don't care to go recreate them, and those who aren't are afraid that they'll find the same results and thus have no argument.

I just read that Visual Studio Express will be $49. This is what... $30 less than the usual “Standard” edition (which I can't imagine anyone can actually use :P)?

Why bother charging $49 for the product? $49 isn't much, but it's a huge jump from free. Why free? That way, to evangelise, you can just throw a bunch of free DVDs at people and let them use them. Say, for instance, academia.

With the standard line at $99, doesn't seem like there's much reason at all for an Express version...

I'm doing my own realtime support for Asterisk, in an attempt to make it scale. Asterisk is nice software, but straight out-of-CVS, the performance for high volume (say, over 20,000 clients) sucks. There are also other inconviences with using a file-based store to determine how to route calls. Mainly, it's inflexible and hard to achieve high-perf when everything is based on a large .conf file. Not to mention that Asterisk uses linked lists for everything so looking up any user is an O(N) op (and parsing the users file is O(N*N) by default!). So, I'm going to put my own logic as a replacement for some of the critical parts.

One of my concerns was performance. Since I'll have multiple Asterisk clusters banging on my .NET code (via SOAP), I wanted to ensure the whole end-to-end process was fast enough.

I used gSOAP to create the C code on Linux. gSOAP is seriously nice. At least an order of magnitude easier to use than I expected any SOAP library that works on Linux would be.

I created a simple test. I made a database with phone numbers and codecs. The idea is that when an incoming call comes in, Asterisk will use my code to SOAP over to my Windows machines, get the data, and then go on its merry way.

My Asterisk machine is a P4 2.4GHz, 512MB RAM (but, I have a Gnome session running on it). My Windows XP machine (I tested against my desktop) is a P4 3GHz HT, 1.5GB RAM. I'm running ASP.NET 2 Beta 1 and SQL Server 2000.

The test program consists of a loop (count 5000) that generates a random number, then uses gSOAP to ask for the codec for that number. Simple, tight.

The results on Linux are particularly impressive. Each instance of the test app only used a max of 4% processor, and under 1MB of RAM. The bottleneck was definately inside ASP.NET. To simulate more load from other machines in a cluster, I ran 1, 2, and 4 instances of the test program. Also note that background tasks on the XP machine used up about 10% of the CPU.

Results:
 Single process (5000 total requests): 
  Total time:                   18 seconds (0.0036s/request)
  Requests per second:   277
  ASP.NET/IIS CPU:          30%
  SQL Server CPU:            4%

 Dual process (10,000 total requests):
  Total time:                   23 seconds (0.0048s/request)
  Requests per second:   384
  ASP.NET/IIS CPU:          60%
  SQL Server CPU:            7%

 Quad process (20,000 total requests):
  Total time:                   42 seconds (0.0052s/request)
  Requests per second:   476
  ASP.NET/IIS CPU:          80%
  SQL Server CPU:           10%

These results are encouraging enough that I'm not worried of the performance impact of using SOAP with Asterisk. My target was to have a response in less than 0.1 seconds. Although, anything under 0.5s would be quite unnoticable to a client. Even in tests with more threads, my single request response time was always way under 0.1 seconds.

Also, as far as I know, Whidbey Beta 2 (the version I'll go live with) makes some performance improvements. And also, IIS6 on Windows 2003 is much faster than IIS5.1 on XP. At any rate, a single proc desktop machine serving 476 RPS? That's pretty damn good perf if you ask me!

[OK, this was brought on after a night of fighting with the latest VS2005 “Made For Mort(tm)“ features in VS2005 and after hearing even more about the silly “VB Unmanaged 4Ever Petition“. Yes, I know, there are professional, intelligent, etc. VB programmers who signed. I also started programming in BASIC. And yes, I know this suggestion is as bad as the actual petition.]

Sign by leaving a comment.

A PETITION TO END THE ATROCITIES OF VISUAL BASIC

We would like to suggest a path for the future development of VB6 and similar apps to put an end to the crimes against the world committed by worshipers of Microsoft's product, Visual Basic. This path will help anyone who should be working with computers on a technical level.

OBJECTIVES

We ask that Microsoft stop catering to low-end, “Mort” developers, especially those who cling to past glories achieved through VB6.

1. Preservation of Assets
    Microsoft should not:
        - Force customers to uninstall Visual Basic 6
        - Push a patch out through Windows Update that disables the VB6 runtime
        - In any way, magically make VB6 stop working at the end of March, 2005

2. Discontinued support for Visual Basic
        - Medical trials have shown strong correllation between Visual Basic usage and degration of the brain, notably the areas that deal with change and improvements.
        - Microsoft should take responsibility and make its products harder to use to raise the level of entry.

3. Ease migration of deprecated developers

        - Provide “Career Days” where developers can learn about and get jobs in exciting industries, such as textiles and hospitality
        - Promote local support groups and 12-step programs
        - Sponsor emigrant visas 
        - Provide a VB6-to-C++ reverse engineer tool.

SUGGESTED APPROACH

We believe the best way to meet these objectives is to drop support for VB.NET after Visual Studio 2005 (Codename “Whidbey”). For brevity, we’ll call this “natural selection”.

To quell proponents of “VB.COM”, we suggest explaining that “VB.COM” and “VB.NET” are so completely unlike C# and C++ that it sounds like a bad joke. We also suggest that Visual Studio team members personally make disparaging comments about how silly this is. While personal attacks and racial slurs shouldn’t be used, general stereotypes such as “…people who think architecture means making a wrapper for MsgBox” are fine.

CONCLUSION

With VB.NET out of the picture, less “Morts” will use Visual Studio. Microsoft can then focus on designing a strong framework and toolset that doesn’t worry about people who won’t understand why System.Windows.Forms.MessageBox.Show doesn’t work “as it should” in an ASP.NET page.

Overall, we feel this will enable a better environment, and more robust software being created in the industry today.

So, they're not only asking Microsoft to create a new version of old VB (i.e., not .NET), but they're also asking it to be integrated into the VS.NET v8+. Some have cited C#/C++ as an example of this. 

HAHAHA! Man, if this doesn't show how clueless some VB programmers are, nothing does. I mean, seriously, come on! They actually expect MS to say “ok, sure we'll make VB6.5 v2005 and go away from managed code”? And they think that integrating VB6 right into VS.NET will be a piece of cake? This proves that many VB devs really are clueless when it comes to designing apps and think that there's some magical power that just makes everything work. The sad part of this is that some of these people are MVPs... I thought that MVPs generally had a relatively high knowledge level and wouldn't come up with silliness like this...

Ran into this problem after uninstalling MS SQL Server 2005 beta and trying to open the Enterprise Manager: “SQLDMO has not been registered. Please re-install SQL Server and try again.”

Just go into C:\Program Files\Microsoft SQL Server\80\Tools\Binn\ and run “regsvr32 sqldmo.dll”. Things will work again.

In .NET 2, there's a new System.Transactions.TransactionScope class. It basically allows you to do implicit transactions just by creating a new TransactionScope. It's stored in TLS and things like SqlConnection check it and auto-enlist. A sample:

using (TransactionScope txScope = new TransactionScope)
{
insertSomethingIntoDB();
processCreditCard();
txScope.Complete();
}

I got tired of seeing, smug, designer people used in advertising VS. So I decided to modify the “professionals” you see here: http://lab.msdn.microsoft.com/express/, to something that perhaps more accurately represents the user base of those products:

Control Panel -> Add/Remove Programs
Remove VS.NET 2005, MSDN, J#, Device Emulator, etc., and .NET Framework 2.0.

Then delete VS8, 2.0 Framework folders and registry keys.

That seems to do it. Beta 1 installed, without rebooting, without complaining, right after that. Of course, maybe it'll blow up when I start working, so no guarantees. But it's sure a huge improvement than Beta 1's uninstall.

So, after about 6 hours of trying to install, I've gotten the VS 2005 December CTP installed. I can say that the December CTP has made a lot of progress. Some things are a lot faster (say, ASP.NET building). A lot of stuff feels unpolished (icons). Some things are silly: F7 (“View Code“) is broken... had to manually set it. At any rate, I'm gonna come out and look like a dumbass, since I'm now gonna spend n hours re-installing Beta 1 :P.

One kick ass thing is that the dialogs are FAST now. Before, it seemed like old Windows Forms: you could see things painting (the refactoring dialogs are a good example). Now, it seems like real Windows. There other code editor enhancements (I noticed some new error colours)

Some stuff is just unusable. Like, I don't know... say, building and viewing errors. For some reason, I had to build about 20 times to get through all the errors. And no, they were not errors that stopped a file from compiling that need to have a rebuild, nope. Just simple things dealing with ASP.NET.

I get obsolete warnings, saying I should move to other classes (ConfigurationManager)... but these classes don't exist. So there goes compiling with warnings as errors :). No big deal.

Typed Data Adapters got some changes. Typed data adapters now have Connection[String]? as a protected field (as far as I can tell), breaking my code, forcing me to do changes (subclass the adapter) for no reason, other than to annoy me. Yea, it's all one gigantic cosmic plan to screw up my project ;).

What the hell is the obession with naming a freaking connection when “designing“? Data adapters, web services, etc.: I wanna link all that up at runtime. But no, it insists on having me select a “connection“. Then it dumps it into an app.config (even for library projects). What ever happened to “the developer has some clue of what he's doing, so let him handle it“? I understand that script kiddies are customers too, and sometimes you just drag and drop and presto: a full data app. Hey, I write one-off code sometimes too.

ASP.NET is still in transition here. First, it bitches about having a bin and Application_Assemblies directory, forcing you to rename (since you can't delete the Application_Assemblies dir). Of course, they have now realised this was retarded and fixed it (called it bin) in future builds (Beta 2). They also went though another fit with the directives (CompilesWith, CodeFile, CodeBehind, Inherits, ClassName... wtf?). Fortunately, it looks like they're going a step in the right direction. Of course, since I had so much trouble even getting my project to build, I could be wrong. Even so, it tossed out my old project settings (since Web Projects aren't projects, they're just folders).

There's been a lot of work invested in making it more “Community” accessible. That's all fine and dandy, but I can't envision myself ever, ever, using any of those features. Perhaps for VS Express/Academic/I-learned-VBA-and-thus-am-an-Enterprise-dev versions it makes sense. Just not sure what place it has in “Enterprise Architect” version.

Of course, I was forewarned that the CTPs weren't good, and that Betas are real quality, etc. etc. But, hey, I like being hopeful. And it's a good glimpse of the future. Too bad I couldn't use it and file more reports against stuff. I'll have to wait until Beta 2. :(

Well, I'm upgrading from Beta 1 to the December CTP, since my friend (who works on VS) insists that it's 150% better than the Beta. We've run into some issues, and I hope that December CTP will solve them (since no Beta2 was released today, as far as I know :)).

I was getting an error: 1304 Access denied on SdmCompile.dll. It tells me to check the path, but doesn't provide a path. Searching the whole system didn't find it. So, I went into the DVD and tried to install the .NET 2.0 Framework by itself - aha! It said “A previous product is installed....”. Even though I had already uninstalled everything.

All help pointed to a tool called MSIINV.EXE. Well, that's not public, and I didn't feel like calling PSS (why it's such a dangerous tool is beyond me, since MSIZAP is available). Reading some blog posts, I see that the suggestion is to find the .NET Framework, J# redist, etc. etc. for .NET 2 using msiinv.exe, and then msiexec /x or msizap TWA them.

Well, as far as I can tell, it just looks at HKEY_CLASSES_ROOT\Installer\Products. Maybe I'm wrong. But that worked for me. Regedit, goto HKCR\Installer\Products, and then search for anything related to the 2.0 Framework and friend. Find the product code, then run MSIZAP TWA {XXXXXXXXX-XXXX-XXXX-XXXX-...}. The format is important! If you just copy from the registry, and don't do 8-4-4-4-rest, it won't work.

After I've cleaned everything, I think installing the .NET Framework 2.0 and the J# redist (arrrg) separately from the VS install helps.

Just my few bits on getting VS working. A lot of others have posted too, so doing this plus what everyone else suggests might work :).

This is probably gonna be a post where I end up looking like an idiot, but here goes...

I was playing around and wrote a small program to dump the video font table. I started at around 33 bytes, but want to get it as small as possible (to um, learn! :)). Here's what I have so far:

[BITS 16]
[ORG 100h]
[SECTION .text] 
start:
mov al,64   ; Init (but don't clear) video     
INT 10h      ; Need to call int10h to start NT's DOS video emulation I think... 
mov ax,VideoBuffer 
mov es,ax    ; Put video buffer segment into ES
mov ah,007h    ; White text (Attribute 7). AL is already zero from loading the video buffer
mov cl,255    ; All oem chars
charloop:
 stosw 
 inc ax ; Increase char, don't worry about the attribute; it's high
 loop charloop
ret
[SECTION .data] 
VideoBuffer EQU 0B800h

00000000  B040              mov al,0x40
00000002  CD10              int 0x10
00000004  B800B8            mov ax,0xb800
00000007  8EC0              mov es,ax
00000009  B407              mov ah,0x7
0000000B  B1FF              mov cl,0xff
0000000D  AB                stosw
0000000E  40                inc ax
0000000F  E2FC              loop 0xd
00000011  C3                ret

Mike Stall just released a cool tool for doing inline IL in C# (oh, and in VB). It's not full integration with the compiler (so it's not a _msil() block or anything), but it's still very cool.

Wow, here's a cool technique in spam:

.,        ,; .r,                                                  iZ        .              ,  ...7  
@qy      jpp uol                                               peigllf.   @oiatmB          gnjqwgj  
 kd      fq,                                                  au0 pr rk  hac   cna        ia        
 Bym    bpB  WaW  ihjpopc:   igwpkWtk  Wfguvp  @gkbjgS         cu jS     ,,     va        lxpvkk8   
  rj    nv   uyw  yl    uq. Wig.  bly  uxn    yr;   @nS         plkea         @cx        abpX:,qof  
  gpu  ccn   WsW    8xurgl: hv     sv  WsZ      Zegydg@           b@ipl    .qwf2                8uj 
   jh .wx    WkW  xvW:: qr, db     ta  WiW    xbf,i 0sW       Za  dS nhr  jfe            8X     Zlm 
   SjdxgS    WoW ja     cb  vsZ   rds  WoW   gsB    0hZ       hx  pS gui ZdX             wks    pe: 
    xnff     alo  rfbfdvcyc  iprWkoaf  scc    yknxrxpuk0       fjWhbjsb Xkavsnhgib7 cfg   yrfmkks:  
              ,    ,:;i   :        tt   ,       ,;i   .:          jf     .       i   i,             
                            Zkl   aur                             Z,                                
                              hysqd.                                                                
                                                                                                    
                                                                                                    
     88ZS     yj             80  :mc                               7wu7       ;Z8             X2a   
  avhtmnsvp   gf             th7 Spe                             8xdqjpsW   8ehbnum         npketqb 
 jha      elj                qa,                                ,ta hb lni Spa   ilk       8dm    qk
 ig       .@8 yt   vqlwjm@   qk, rox  rotjoud                    poXdc            lj       xp2    wp
rn0           tc  ;hZ   ,vb  pu, iod ,ig   vy:                    0wkfW:        Xxh        :ud   Bjl
7a8           am    Xfxfxkx  as, ,ro  xn                            nrZio     ghl0          .dsfrhdq
 pb       Std uo  Bdm:  .rs  og, ,ih   iwvhvi2                  aS  es Smw  Wam;                  fm
 Zks;    adt; uv  ci    ;oe  en, ,do Xs0    py                  sqt jc 0vb  aW              dv.  Bic
   fcrxbimw   pi  Wfcdcuhhxs iuS Swk  caakngm2                   kpjxxqoi  ckraxuonbb Xeb   ,vsjytw 
                           .                                        wn                              
                                                                    ;;                              
                                                                                                    
                                                                                                    
                                                                     ,                              
;tX      Wx                                                         @cs        .s         .pkivk@BZ2
 ch.    ute                                                       ngBcByo      hh         ,bfxvs8ouw
  shb  skX                                                       uh, j  ud   hvwd                kc 
   aoSphZ    aomxljc;  Bglkfocf    tshoub@  euX   tqa             oq7c         er               hg  
    sfe      lx    ev  2ad   Wbw  Zm:   rya  giB yc@               Wmit0       dc              xbW  
   BfWgh      ,lqfbla  Smf    lw    @stcjia   nxrdZ                  j7crW     mj             iaj   
  Wdg rbw   .uhr   yg  Ses    jw  cel   isy   Xumw               BW  n  rw;    oj             rcr   
 mqm   ijm  or     wk  Xqi    js ayq    8mh  qdg mfi             ah  c  mx.    fi            ;it    
dlc     ,sk0 hlrhstdhx Bev   ,xj  oclkeofgfkghe   clg            ,lkmoiqmS     ev     ofn    Spn    
                                                                     ui                             
                                                                     r                              
                                                                                                    
                                                                                                    
                                                                     r                              
Bj        ju.           ty: 7rf                                    ,kuyi       ,v            ,vxi   
8vd      qnr            by; ;xd                                   mvalZmj,    ,ke          7oodlsia 
 wi.    .lc             ct,                                      ys, p  qu   jjbc          be    tyr
 Shd    bgS   uokebif   kx, Skk  rkS   ixk  yxvionB,cclf8         elXc         dm          od    Xv2
  ps    bj   Sx,   rbj  is, :bm  ep:   @u@  ut;  dsj   rs,         @rgsW       pa          yqg   eyS
  Bgs  xxB     gcetvtu  ep, ,wu  pr,   WcW  hd   rxc   vj:           uijld     kh           8wjjrebS
   tf ;bd    xlr   ,eg  wx, ,va  ye    0vW  sy   Sxw   ax,       wj  r  jm7    bj                :nZ
   .fagr.   ,kj    Wjq  eb, ,vv  ula   bdW  ly   Som   dc,       ll  y  nu     qf          pcs   gh 
    tfui     Zsfnwckteb we2 2hc  ,vxvwakms  bp   pji   nj2        eqbhqqar     eo     mpo   pgnqbj  
                                                                     h                              

On an MVP mailing list today, someone posted this link:

A parent's primer to computer slang
Understand how your kids communicate online to help protect them http://www.microsoft.com/athome/security/children/kidtalk.mspx

To which I replied:
... I just felt a disturbance in the force, as if millions of kiddies yelled out in embarrassment as their parents tried to talk leet to them...

M0M [133t!]: d00d, did j00 |-|4/\3 phun 4t sk00l t0d4yz? $c13nc3 is teh

r0x0rs, w00t! D4D 4nd I R g0ing 0ut ToNiGHT, g0nn4 sh0z /\/\y m4d

sk1llz. Th3r3's ph00d in da phridg3.

Son: I'm so embarrassed. Never talk that way again, please.

 I'm surprised they didn't have some sample conversations to test your knowledge. They also left out "r00t".

Steve adds: And M$

Hmm, I wonder, maybe MS will start doing a whole series on slang? Maybe they're working on a paper like that right now? “What does it mean when your son says 'Her? The whole shool's had root access.'”