Domain: awe.com
Stories and comments across the archive that link to awe.com.
Comments · 10
-
Re:100 new features, 10000 new bugs, 100000 old bu
On the other hand, RHEL provided hardening since a long time :
http://www.awe.com/mark/blog/200701041544.htmlThat's also a policy in Fedora ( https://fedoraproject.org/wiki/Packaging:Guidelines#PIE ). I guess for Debian, the issue was just to have someone do the job, and that likely mean "make sure this work on all platform", which can slowdown a bit. But as you say in the end, this was deployed.
-
Microsoft desktop == Abetting Terrorists?Only 1.91% of all [Microsoft Desktop] PCs are fully patched!
Microsoft's most widely deployed platform and applications have not been secured.
The XP platform has still has 32 unpatched vulnerabilities,
The latest version of Internet Explorer still has 9 unpatched vulnerabilities,
and Outlook 2003 ( the most widely deployed business version of Outlook ) still has one outstanding unpatched vulnerability ( known since 2004-07-12 ).
Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities which put the desktop at high risk of being infected.Even Microsoft's flagship product Vista has Six unpatched vulnerabilities.
These are all unpatched widely known vulnerabilities, and are only the ones in Microsoft's own product. Consider all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.
In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats..At least with Linux there are existing concrete mechanisms in place ( Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora ), and currently deployable ( Writing policy for confined SELinux users ) to provide a locked down secured environment for Linux desktop users inside an organization.
Also from a more abstract point of view, read Increased security through open source.
If your using the Microsoft platform, then your abetting the people deploying botnets.
-
Concrete + Abstract rationals for securable LinuxI won't speak for MacOSX, but in terms of Linux there are existing concrete mechanisms in place ( Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora ), and currently deployable ( Writing policy for confined SELinux users ) to provide a locked down secured environment for Linux desktop users inside an organization.
Also from a more abstract point of view, read Increased security through open source.
-
Re:Nothing to see here.
This is why they don't need new keys: http://www.awe.com/mark/blog/200701300906.html (keys are secure in a hardware device)
-
Re:Nothing to see here.
In the Redhat announcement, we can infer the passphrase and signing key were compromised, because the attacker signed invalid openssh packages.
Incorrect. The signing key used by Red Hat is inside a hardware security token.
So even though it was possible to use the token to sign packages as soon as access to the token has been removed for the intruder, he is unable to sign any more packages.
Mark Cox of the Red Hat security team explained this setup in a blog post some time ago at http://www.awe.com/mark/blog/200701300906.html.
-
Re:... what?Obviously, the physical survival of the media is not the only worry, we're also aware of the fact that the
.mod file I could play out of my LPT-port-sound-contraption 18 years ago is now useless because mod players and those devices are far from ubiquitous (I found the .mod format converter, but can't find any schematics for that capacitor-LPT-sound-thingy I put together back in the day).Wow. I'd almost forgotten 'bout that player. Good thing I found your schematic here.
Just download the v1.12 and read the included file, Mp112.doc. Look for the section headed "How to make a D/A converter for five pounds" and you'll be in business!
-
An interesting response
-
It gets better
One of the inventors at Microsoft appears to be this gentleman, who works on Apache and is a "founding member of the OpenSSL project". If an OpenSSL guy is unaware of sudo, we're living in Bizarro world.
But that's not how corporate research works. Nobody cares how good the patents you get are. Microsoft cross-licenses with all their competitors, anyway. Modern corporate researchers just produce legal fodder -- a slew of patents, which can be used to prevent new entrants from entering a field -- existing oligopolies are maintained by cross-licensing of patents. -
Re:Parallel Port/PCMCIA sound?
-
Microsoft is a member...See members.
Actually this is not true, only individuals can be members, and if you follow the link to the particular individuals home page, it claim that he works for c2net. Maybe it is a joke.